Spywarefri Forum | Ingen netadgang + trojanere

1 af 4

Ingen netadgang + trojanere

[ Ignorer ] trh
15.04.2007 23:10:40 Antal indlæg: 38	[:(!] Træls: et tilfældigt surf, og ‘vupti’ melder AVG om forskellige trojans. Jeg har scannet for virus, brugt antispyware, men der er stadig problemer: jeg har ikke kunnet komme på nettet efter angrebet, og alt andet der relaterer sig til netadgang er chekket (kabel, switch, etc.). Alle andre af husets maskiner har fuld adgang. Jeg lægger indholdet af en hijack-log ind og håber på hjælp. Xoftspy SE siger at der stadig er en trojaner der ikke kan fjernes, relateret til ntos.exe….. Log: Logfile of HijackThis v1.99.1 Scan saved at 20:00:07, on 15-04-2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\umonit.exe C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\RCrawler\RCrawler.exe D:\Print\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\system32\HPZipm12.exe C:\Programmer\iTunes\iTunesHelper.exe C:\WINDOWS\system32\spupdsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\spnpinst.exe C:\WINDOWS\system32\ctfmon.exe C:\Programmer\Messenger\msmsgs.exe C:\WINDOWS\system32\Sysocmgr.exe C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe C:\Programmer\iPod\bin\iPodService.exe C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe C:\WINDOWS\system32\wscntfy.exe C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Documents and Settings\Torsten Ruben Hansen\Skrivebord\Spywarefri\alternativ.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.dk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] “C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY O4 - HKLM\..\Run: [HP Software Update] D:\Print\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [QuickTime Task] “C:\Programmer\QuickTime\qttask.exe” -atboottime O4 - HKLM\..\Run: [iTunesHelper] “C:\Programmer\iTunes\iTunesHelper.exe” O4 - HKLM\..\Run: [CloneCDTray] “D:\Games\CloneCD\CloneCDTray.exe” /s O4 - HKLM\..\Run: [PFG Agent] C:\Programmer\PFG\PFG.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] “C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] “C:\Programmer\Messenger\msmsgs.exe” /background O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe” O4 - HKCU\..\Run: [DAEMON Tools] “C:\Programmer\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HotKey.lnk = C:\Programmer\TEXTware\HotKey\TWALINK.EXE O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Print\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O10 - Broken Internet access because of LSP provider ‘rsvp32_2.dll’ missing O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ninepigen.spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145127231683 O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp07.photoprintit.de/microsite/4066/defaults/activex/IPSUploader.cab O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: safeprint - {159A8CC0-E15B-11D3-A0FC-0050047FA13D} - C:\Programmer\SafePublish\sp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: C:\WINDOWS\system32\svchk.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmer\Canon\CAL\CALMAIN.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe Jeg håber stadig på hjælp inden jeg beslutter mig for reformattering og -installering…:( på forhånd tak for brugbar hjælp.
[ Ignorer ] [ # 1 ] trh
15.04.2007 23:12:40 Antal indlæg: 38	ps: en af trojanerne hedder Iteka, angiveligt ligger den stadig iflg. Xoftspy; AVG antispyware og virusscanner finder den ikke…
[ Ignorer ] [ # 2 ] Fromsej TeamSpywarefri
15.04.2007 23:22:50 Administrator Team Spywarefri Antal indlæg: 55510	Hent Crapcleaner her: http://www.filehippo.com/download_ccleaner/ ———————————————————- Hent og installer denne scanner: http://www.superantispyware.com/downloads/SUPERAntiSpyware1241.exe Start SuperAntiSpyware, klik på Preferences, skift til fanebladet Repairs, klik på Repair broken network connection(Winsock LSP chain), klik så på Perform Repair, genstart, når den beder om det. Start SuperAntiSpyware igen, klik på Check for updates, når det er opdateret, luk programmet, du skal ikke scanne endnu. ———————————————————- Kør Hijackthis, scan, sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked, genstart i fejlsikret (tryk på <F8> under opstarten), slet filer og mapper listet nedenunder, kør SaS. F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe O20 - AppInit_DLLs: C:\WINDOWS\system32\svchk.dll ———————————————————- Sletning af \mapper\ og filer: Åbn Stifinder, klik på Funktioner=>Mappeindstillinger=>Vis. Fjern flueben ved “Skjul beskyttede operativsystemfiler”. Fjern flueben ved “Skjul filtypenavne for kendte filtyper”. Sæt prik i “Vis skjulte filer og mapper”. —————————- Mapper: Ingen —————————- Filer: C:\WINDOWS\system32\umonit.exe C:\WINDOWS\system32\ntos.exe C:\WINDOWS\system32\svchk.dll ———————————————————- Start SuperAntiSpyware, klik på Scan your Computer, sæt flueben i de drev der skal scannes. (Fixed disk betyder harddisk) Flyt prikken til Perform complete scan og klik på Næste, så kører scanningen. Når den er færdig kommer der et vindue med en opsummering, klik på OK, klik så på næste og så på Udfør. Der kommer et vindue med Quarantine and removal Complete, klik på OK, klik på Udfør. Luk programmet, genstart normalt.. ———————————————————- Installer Crapcleaner, husk at fjerne fluebenet udfor installation af Yahoo toolbar. Start programmet, fjern fluebenet i cookies. Klik på kør Cleaner og lad den fjerne hvad den finder. Klik så på Problemer ovre i venstre side (den blå terning), klik på Skan efter problemer, når den er færdig, klik på Udbedre valgte problemer, lav evt. en backup af registreringsdatabasen, klik så på udbedre alle valgte problemer. Klik på OK, klik på Luk når den er færdig. ———————————————————- Start SuperAntiSpyware igen, klik på Preferences, skift til fanebladet Statistics/Logs, i vinduet dobbeltklikker du på SUPERAntiSpyware Scan Log, den åbner i notesblok, kopier resultatet herind. Vi skal også se en frisk hijackthislog. Signatur qui potest, obligatur Nierne bomaye - You’ll never walk alone Kaffen er drukket Kassen er lukket Støtten gør mere nytte Hos de små og forknytte Børns vilkår Hospitalsklovne
[ Ignorer ] [ # 3 ] trh
15.04.2007 23:32:47 Antal indlæg: 38	Tak for hjælpen From: jeg går igang med det imorgen, og sender bagefter en frisk hijacklog…cool & respekt for dit hurtige svar!
[ Ignorer ] [ # 4 ] Resist TeamSpywarefri
16.04.2007 00:05:06 Redaktør Team Spywarefri Antal indlæg: 11794	Du er velkommen tilbage Signatur Med venlig hilsen Resist TeamSpywarefri Member of: Alliance of Security Analysis Professionals
[ Ignorer ] [ # 5 ] trh
17.04.2007 16:15:05 Antal indlæg: 38	Her så mine 2 logs. Det hører med til ‘historien’, at min pc genstartede, da den var igang med at køre CC’s ‘blå terning-ikon’. Jeg valgte at køre CC + ‘blå terning’ & udbedring - denne gang skete det uden problemer. Først SaS: SUPERAntiSpyware Scan Log Generated 04/17/2007 at 01:43 PM Application Version : 3.5.1016 Core Rules Database Version : 3165 Trace Rules Database Version: 1176 Scan type : Complete Scan Total Scan Time : 00:51:29 Memory items scanned : 183 Memory threats detected : 0 Registry items scanned : 7309 Registry threats detected : 27 File items scanned : 41500 File threats detected : 4 Unclassified.Oreans32 HKLM\System\ControlSet001\Services\oreans32 C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS HKLM\System\ControlSet002\Services\oreans32 HKLM\System\CurrentControlSet\Services\oreans32 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0 HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance Adware.Casino Games (Golden Palace Casino) C:\PROGRAMMER\CASINOONNET\CASINO.EXE Trojan.Downloader-Gen C:\WINDOWS\SYSTEM32\NTOS.EXE Unclassified.Unknown Origin E:\SUPPORT\NERO\NERO-6.6.0.12\NERO.V6.6.0.8.KEYMAKER\KEYGEN.EXE [8D] ..og Hijackslog: Logfile of HijackThis v1.99.1 Scan saved at 14:07:30, on 17-04-2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\spupdsvc.exe C:\WINDOWS\System32\svchost.exe C:\Programmer\Canon\CAL\CALMAIN.exe C:\WINDOWS\system32\spnpinst.exe C:\WINDOWS\system32\Sysocmgr.exe C:\WINDOWS\system32\wscntfy.exe C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\RCrawler\RCrawler.exe D:\Print\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Programmer\QuickTime\qttask.exe C:\Programmer\iTunes\iTunesHelper.exe D:\Games\CloneCD\CloneCDTray.exe C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Programmer\Messenger\msmsgs.exe C:\Programmer\iPod\bin\iPodService.exe C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe C:\Programmer\DAEMON Tools\daemon.exe C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Programmer\TEXTware\HotKey\TWALINK.EXE D:\Print\Digital Imaging\bin\hpqtra08.exe C:\Documents and Settings\Torsten Ruben Hansen\Skrivebord\Spywarefri\alternativ.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.dk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] “C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY O4 - HKLM\..\Run: [HP Software Update] D:\Print\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [QuickTime Task] “C:\Programmer\QuickTime\qttask.exe” -atboottime O4 - HKLM\..\Run: [iTunesHelper] “C:\Programmer\iTunes\iTunesHelper.exe” O4 - HKLM\..\Run: [CloneCDTray] “D:\Games\CloneCD\CloneCDTray.exe” /s O4 - HKLM\..\Run: [!AVG Anti-Spyware] “C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] “C:\Programmer\Messenger\msmsgs.exe” /background O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe” O4 - HKCU\..\Run: [DAEMON Tools] “C:\Programmer\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HotKey.lnk = C:\Programmer\TEXTware\HotKey\TWALINK.EXE O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Print\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O10 - Broken Internet access because of LSP provider ‘rsvp32_2.dll’ missing O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ninepigen.spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145127231683 O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp07.photoprintit.de/microsite/4066/defaults/activex/IPSUploader.cab O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: safeprint - {159A8CC0-E15B-11D3-A0FC-0050047FA13D} - C:\Programmer\SafePublish\sp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmer\Canon\CAL\CALMAIN.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe ..jeg ser frem til at høre mere….[:D]
[ Ignorer ] [ # 6 ] Andersenph TeamSpywarefri
17.04.2007 17:59:30 Redaktør Supporter Emeritus Antal indlæg: 4797	Hej Download LSPfix her: http://www.cexx.org/lspfix.htm Gem det i en mappe på skrivebordet. Start programmet og sæt flueben i I know what I’m doing boxen. Flyt alle ‘rsvp32_2.dll’ (og ikke noget andet), over I ”Remove” delen. Click på Finish knappen og genstart maskinen. Fix disse med Hijackthis: O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 –k O10 - Broken Internet access because of LSP provider ‘rsvp32_2.dll’ missing (hvis den stadig er der). Genstart og send ny log ind til kontrol. For resten bør du afinstallere Nero og købe en legal version. Du har jo fået snavs ind på maskinen ved at bruge ”ulovlige” metoder……..
[ Ignorer ] [ # 7 ] trh
17.04.2007 22:14:06 Antal indlæg: 38	..‘you guys are marvellous’.....det ser ud som om at min pc er oppe igang: netadgangen er re-etableret, min datter kan skrive sin 3.G-stil færdig, og jeg føler mig endnu en gang som ‘en god far der kan mere end han troede’. Tak for hjælpen! For fuldstændighedens skyld: lsp-fix klarede det angiveligt, de to filer der skulle fixes via Hijack var der ikke efter lspfix var kørt igennem. (Ved et uheld kom jeg til at starte et andet no-ware “fixwareout”, måske var det brugbart…. Her er “ho!jackloggen”: Logfile of HijackThis v1.99.1 Scan saved at 20:00:36, on 17-04-2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spupdsvc.exe C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\System32\svchost.exe C:\Programmer\Canon\CAL\CALMAIN.exe C:\WINDOWS\system32\spnpinst.exe C:\WINDOWS\system32\Sysocmgr.exe C:\WINDOWS\system32\devldr32.exe C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\RCrawler\RCrawler.exe D:\Print\HP Software Update\HPWuSchd2.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Programmer\QuickTime\qttask.exe C:\Programmer\iTunes\iTunesHelper.exe D:\Games\CloneCD\CloneCDTray.exe C:\Programmer\iPod\bin\iPodService.exe C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Grisoft\AVG7\avginet.exe C:\Programmer\Messenger\msmsgs.exe C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe C:\Programmer\DAEMON Tools\daemon.exe C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Programmer\TEXTware\HotKey\TWALINK.EXE D:\Print\Digital Imaging\bin\hpqtra08.exe C:\Documents and Settings\Torsten Ruben Hansen\Skrivebord\Spywarefri\alternativ.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.dk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] “C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY O4 - HKLM\..\Run: [HP Software Update] D:\Print\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [QuickTime Task] “C:\Programmer\QuickTime\qttask.exe” -atboottime O4 - HKLM\..\Run: [iTunesHelper] “C:\Programmer\iTunes\iTunesHelper.exe” O4 - HKLM\..\Run: [CloneCDTray] “D:\Games\CloneCD\CloneCDTray.exe” /s O4 - HKLM\..\Run: [!AVG Anti-Spyware] “C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] “C:\Programmer\Messenger\msmsgs.exe” /background O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe” O4 - HKCU\..\Run: [DAEMON Tools] “C:\Programmer\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HotKey.lnk = C:\Programmer\TEXTware\HotKey\TWALINK.EXE O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Print\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ninepigen.spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145127231683 O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp07.photoprintit.de/microsite/4066/defaults/activex/IPSUploader.cab O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: safeprint - {159A8CC0-E15B-11D3-A0FC-0050047FA13D} - C:\Programmer\SafePublish\sp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmer\Canon\CAL\CALMAIN.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe [:p]..jeg sætter en donering ind på jeres konto, tak for en yderst brugbar og effektiv hjælp! Første gang jeg er på jeres forum - vil fremover blive anbefalet.
[ Ignorer ] [ # 8 ] Fromsej TeamSpywarefri
17.04.2007 22:55:16 Administrator Team Spywarefri Antal indlæg: 55510	Det lyder godt at det virker nu, og vi siger på forhånd tak for støtten til forum. Der er lige et lille Aber dabei, der ligger en trojaner der skal fjernes, det burde dette klare. —Hent Avenger her: http://swandog46.geekstogo.com/avenger.zip —Pak Avenger-programmet ud og dobbeltklik på avenger.exe —Sæt en prik i “Input Script Manually” og klik på Luppen - nu dukker der et lille vindue op, hvor du skal kopiere HELE indholdet markeret med fed skrift ind: Files to delete: C:\WINDOWS\system32\ntos.exe —Klik på Trafiklyset i Avenger. Programmet vil opfordre dig til at genstarte computeren straks, hvilket du skal gøre. Programmet vil lukke din computer, slette filerne og starte computeren igen. —Efter genstarten vil der dukke et notepad-vindue op, med en log for Avengers handlinger. Den må du gerne lægge ind i dit næste svar. —Kør Hijackthis, vælg “Do a system scan only”, sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked. F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe, Genstart computeren, og lav en ny log med Hijackthis, som du lægger herind sammen med loggen fra Avenger. Signatur qui potest, obligatur Nierne bomaye - You’ll never walk alone Kaffen er drukket Kassen er lukket Støtten gør mere nytte Hos de små og forknytte Børns vilkår Hospitalsklovne
[ Ignorer ] [ # 9 ] trh
17.04.2007 23:24:56 Antal indlæg: 38	..jeg glemte at lukke vinduer og bad om både scan + log (glædes-iver…), men det ser ud som at F2-linien ikke længere dukker op… Her er så den allerseneste log fra Hijack + Avenger: Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\axbmqvhd ***************** Script file located at: \??\C:\WINDOWS\bjerbnww.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger *************** Beginning to process script file: File C:\WINDOWS\system32\ntos.exe not found! Deletion of file C:\WINDOWS\system32\ntos.exe failed! Could not process line: C:\WINDOWS\system32\ntos.exe Status: 0xc0000034 Completed script processing. ***************** Finished! Terminate. ....og:... Logfile of HijackThis v1.99.1 Scan saved at 21:10:23, on 17-04-2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spupdsvc.exe C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\System32\svchost.exe C:\Programmer\Canon\CAL\CALMAIN.exe C:\WINDOWS\system32\spnpinst.exe C:\WINDOWS\system32\Sysocmgr.exe C:\WINDOWS\system32\devldr32.exe C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe C:\Programmer\Internet Explorer\iexplore.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\RCrawler\RCrawler.exe D:\Print\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Programmer\QuickTime\qttask.exe C:\Programmer\iTunes\iTunesHelper.exe D:\Games\CloneCD\CloneCDTray.exe C:\Programmer\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Programmer\Messenger\msmsgs.exe C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe C:\Programmer\DAEMON Tools\daemon.exe C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Programmer\TEXTware\HotKey\TWALINK.EXE D:\Print\Digital Imaging\bin\hpqtra08.exe C:\Programmer\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe E:\Support\Spywarefri\alternativ.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.dk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] “C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY O4 - HKLM\..\Run: [HP Software Update] D:\Print\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [QuickTime Task] “C:\Programmer\QuickTime\qttask.exe” -atboottime O4 - HKLM\..\Run: [iTunesHelper] “C:\Programmer\iTunes\iTunesHelper.exe” O4 - HKLM\..\Run: [CloneCDTray] “D:\Games\CloneCD\CloneCDTray.exe” /s O4 - HKLM\..\Run: [!AVG Anti-Spyware] “C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] “C:\Programmer\Messenger\msmsgs.exe” /background O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe” O4 - HKCU\..\Run: [DAEMON Tools] “C:\Programmer\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HotKey.lnk = C:\Programmer\TEXTware\HotKey\TWALINK.EXE O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Print\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ninepigen.spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145127231683 O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp07.photoprintit.de/microsite/4066/defaults/activex/IPSUploader.cab O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: safeprint - {159A8CC0-E15B-11D3-A0FC-0050047FA13D} - C:\Programmer\SafePublish\sp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmer\Canon\CAL\CALMAIN.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
[ Ignorer ] [ # 10 ] Fromsej TeamSpywarefri
17.04.2007 23:35:50 Administrator Team Spywarefri Antal indlæg: 55510	Det var #”“%/(/&¤%%# den vil ikke dø. Hent Combofix, og gem den på dit skrivebord: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe —Kør så combofix.exe, og følg anvisningerne. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse. Når combofix er færdig, og efter det har genstartet, skulle der gerne åbnes en logfil: combofix.txt Indholdet af denne fil må du gerne lægge herind. Signatur qui potest, obligatur Nierne bomaye - You’ll never walk alone Kaffen er drukket Kassen er lukket Støtten gør mere nytte Hos de små og forknytte Børns vilkår Hospitalsklovne
[ Ignorer ] [ # 11 ] trh
18.04.2007 00:10:15 Antal indlæg: 38	[8)]..håber at det er ok nu..(troede lige at alt var såre godt..) “Torsten Ruben Hansen” - 07-04-17 21:53:28 Service Pack 2 ComboFix 07-04-17.V - Running from: C:\Documents and Settings\Torsten Ruben Hansen\Skrivebord\ ((((((((((((((((((((((((((((((( Files Created from 2007-03-17 to 2007-04-17 )))))))))))))))))))))))))))))))))) 2007-04-17 21:08 <DIR> d————C:\avenger 2007-04-17 12:35 <DIR> d————C:\Programmer\SUPERAntiSpyware 2007-04-17 12:35 <DIR> d————C:\DOCUME~1\TORSTE~1\APPLIC~1\SUPERAntiSpyware.com 2007-04-17 12:35 <DIR> d————C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com 2007-04-15 13:54 3,968—a———C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-04-15 13:53 <DIR> d————C:\Programmer\CCleaner 2007-04-15 13:45 <DIR> d————C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy 2007-04-14 15:05 97,040—a———C:\WINDOWS\system32\zup.exe.exe 2007-04-14 15:05 91,920—a———C:\WINDOWS\system32\3ti.exe.exe 2007-04-14 15:05 8,704—a———C:\WINDOWS\system32\sporder.dll 2007-04-14 15:05 40,720—a———C:\WINDOWS\system32\pdp.exe.exe 2007-04-14 15:05 12,543 -r-h——- C:\WINDOWS\system32\systo.exe 2007-04-14 15:05 <DIR> d—hs——C:\WINDOWS\system32\wsnpoem 2007-04-06 00:43 <DIR> d————C:\DOCUME~1\TORSTE~1\APPLIC~1\Pegasys Inc 2007-04-02 13:35 <DIR> d————C:\Programmer\SafePublish 2007-04-02 13:03 <DIR> d————C:\Programmer\PFG (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-17 21:50————d————C:\DOCUME~1\TORSTE~1\APPLIC~1\utorrent 2007-04-17 12:35————d————C:\Programmer\F‘lles filer\wise installation wizard 2007-04-14 14:44————d————C:\Programmer\java 2007-04-06 20:13————d—h——- C:\Programmer\installshield installation information 2007-03-25 11:47 73498—a———C:\WINDOWS\system32\perfc006.dat 2007-03-25 11:47 415978—a———C:\WINDOWS\system32\perfh006.dat 2007-03-16 21:22————d————C:\Programmer\xoftspyse 2007-03-10 12:09 73216—a———C:\WINDOWS\st6unst.exe 2007-03-10 12:09 253952————- C:\WINDOWS\setup1.exe 2007-02-28 00:05————d————C:\DOCUME~1\TORSTE~1\APPLIC~1\skype 2007-02-25 22:02————d————C:\Programmer\bap-software 2007-02-24 19:06————d————C:\Programmer\vstplugins 2007-02-24 19:02————d————C:\Programmer\poizone 2007-02-24 19:02————d————C:\Programmer\image-line 2007-02-24 15:58————d————C:\Programmer\ea games 2007-02-23 18:27 764—a———C:\WINDOWS\ereg.dat 2007-02-18 14:24————d————C:\Programmer\xilisoft 2007-02-18 11:33————d————C:\Programmer\polderbits 2007-01-29 13:58 48390—a———C:\DOCUME~1\TORSTE~1\APPLIC~1\speech.wav 2007-01-27 01:09 59098—a———C:\WINDOWS\war3unin.dat 2007-01-20 13:44 12320826————- C:\AVG7QT.DAT (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {53707962-6F74-2D53-2644-206D7942484F} C:\Programmer\Spybot - Search & Destroy\SDHelper.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “SunJavaUpdateSched”=”\“C:\\Programmer\\Java\\jre1.6.0_01\\bin\\jusched.exe\”“ “SoundMan”=“SOUNDMAN.EXE” “Registry Crawler”=“C:\\PROGRA~1\\RCrawler\\RCrawler.exe -TRAYONLY” “HP Software Update”=“D:\\Print\\HP Software Update\\HPWuSchd2.exe” “NeroFilterCheck”=“C:\\Programmer\\Fælles filer\\Ahead\\Lib\\NeroCheck.exe” “NvCplDaemon”=“RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup” “nwiz”=“nwiz.exe /install” “NvMediaCenter”=“RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit” “AVG7_CC”=“C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP” “QuickTime Task”=”\“C:\\Programmer\\QuickTime\\qttask.exe\” -atboottime” “iTunesHelper”=”\“C:\\Programmer\\iTunes\\iTunesHelper.exe\”“ “CloneCDTray”=”\“D:\\Games\\CloneCD\\CloneCDTray.exe\” /s” “!AVG Anti-Spyware”=”\“C:\\Programmer\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\” /minimized” [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\\WINDOWS\\system32\\ctfmon.exe” “MSMSGS”=”\“C:\\Programmer\\Messenger\\msmsgs.exe\” /background” “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=”\“C:\\Programmer\\Fælles filer\\Ahead\\Lib\\NMBgMonitor.exe\”“ “DAEMON Tools”=”\“C:\\Programmer\\DAEMON Tools\\daemon.exe\” -lang 1033” “SUPERAntiSpyware”=“C:\\Programmer\\SUPERAntiSpyware\\SUPERAntiSpyware.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“AVG Anti-Spyware 7.5” “{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”=”“ HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 Usnsvc REG_MULTI_SZ usnsvc\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81b34caa-aebd-11db-84a1-00508de3c6a2}] Shell\AutoRun\command U:\setup.exe [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81b8475c-a93c-11db-8481-00508de3c6a2}] Shell\AutoRun\command X:\sppsetup.exe ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ backup-20070417-211120-187 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe, backup-20070417-123926-428 O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe backup-20070417-123926-731 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, backup-20070417-123926-648 O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe Contents of the ‘Scheduled Tasks’ folder C:\WINDOWS\tasks\AppleSoftwareUpdate.job C:\WINDOWS\tasks\XoftSpySE.job ****************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes ... scanning hidden services ... HKLM\SYSTEM\CurrentControlSet\Services\winmgmt5700-1a9d scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\system32\windev-5700-1a9d.sys 139264 bytes C:\WINDOWS\system32\windev-peers.ini 12288 bytes scan completed successfully hidden processes: 0 hidden services: 1 hidden files: 2 ****************************************************************** Completion time: 07-04-17 21:55:00 C:\ComboFix-quarantined-files.txt ... 07-04-17 21:55 [:X]
[ Ignorer ] [ # 12 ] Ejvindh
18.04.2007 01:19:34 Redaktør Supporter Emeritus Antal indlæg: 6161	Der er rootkits på din computer. Jeg overfører derfor tråden til Rootkit-kategorien. Der gælder nogle særlige forhold for supporten i denne kategori, som du kan læse om her: http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=29320 Hvis du vælger at fortsætte rensningen, skal jeg lige bede om et par logs mere, inden vi går i gang med at luge ud: —Hent denne fil, og gem den på skrivebordet: http://www.uploads.ejvindh.net/rootchk.exe Dobbeltklik på rootchk. Efter kort tid dukker en logfil op, som du gerne må lægge herind. —Download Gmer-rootkit scanner, og pak den ud til skrivebordet: http://www.young-andersen.dk/gamer/gamer.zip Start med at omdøbe programmet gmer.exe (fx til abc.exe). Kør programmet, klik på fanebladet “Rootkit”, og klik på “Scan”. Imens der scannes, bør du afbryde netforbindelsen, lukke alle åbne programmer, og undlade at bruge computeren til andre ting. Du bør heller ikke klikke på andre ting i Gmer-scanneren. Når scanningen er færdig, skal du klikke på “Copy”. Så dukker et vindue op, som fortæller at resultatet af rootkit-scanningen er blevet lagt ind i udklipsholderen. Du kan herefter gå ind i denne tråd, og kopiere indholdet herind, ved at stille dig i indtastningsfeltet, og trykke ctrl-v. I nogle tilfælde er logfilen så lang, at den ikke kan være i en enkelt post. Så må du lægge den af flere omgange.
[ Ignorer ] [ # 13 ] trh
18.04.2007 01:47:09 Antal indlæg: 38	Hej igen Første del af rootkitlog: GMER 1.0.12.12086 - http://www.gmer.net Rootkit scan 2007-04-17 23:42:49 Windows 5.1.2600 Service Pack 2 ——System - GMER 1.0.12—— SSDT sptd.sys ZwCreateKey <—ROOTKIT !!! SSDT \??\C:\WINDOWS\system32\windev-5700-1a9d.sys ZwEnumerateKey <—ROOTKIT !!! SSDT \??\C:\WINDOWS\system32\windev-5700-1a9d.sys ZwEnumerateValueKey <—ROOTKIT !!! SSDT sptd.sys ZwOpenKey <—ROOTKIT !!! SSDT \??\C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess <—ROOTKIT !!! SSDT \??\C:\WINDOWS\system32\windev-5700-1a9d.sys ZwQueryDirectoryFile <—ROOTKIT !!! SSDT sptd.sys ZwQueryKey <—ROOTKIT !!! SSDT sptd.sys ZwQueryValueKey <—ROOTKIT !!! SSDT sptd.sys ZwSetValueKey <—ROOTKIT !!! SSDT \??\C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess <—ROOTKIT !!! ——Kernel code sections - GMER 1.0.12—— ? C:\WINDOWS\system32\drivers\sptd.sys Processen kan ikke få adgang til filen, da den bruges af en anden proces. .text USBPORT.SYS!DllUnload B9A2B62C 5 Bytes JMP 895D11C8 ? C:\WINDOWS\System32\Drivers\vaxscsi.sys Processen kan ikke få adgang til filen, da den bruges af en anden proces. ? System32\Drivers\aamuaw3r.SYS Den angivne sti blev ikke fundet. [:X]
[ Ignorer ] [ # 14 ] trh
18.04.2007 01:50:30 Antal indlæg: 38	[V]...næste sektion: ——Kernel code sections - GMER 1.0.12—— ? C:\WINDOWS\system32\drivers\sptd.sys Processen kan ikke få adgang til filen, da den bruges af en anden proces. .text USBPORT.SYS!DllUnload B9A2B62C 5 Bytes JMP 895D11C8 ? C:\WINDOWS\System32\Drivers\vaxscsi.sys Processen kan ikke få adgang til filen, da den bruges af en anden proces. ? System32\Drivers\aamuaw3r.SYS Den angivne sti blev ikke fundet. ——Devices - GMER 1.0.12—— [Fjernet dele af Gmer-loggen som ikke er relevante (for at forumsoftwaren ikke skal gå død på tråden) - ejvindh teamsupporter]
[ Ignorer ] [ # 15 ] trh
18.04.2007 01:51:44 Antal indlæg: 38	[V]..en sektion mere: ——Services - GMER 1.0.12—— Service C:\WINDOWS\system32\windev-5700-1a9d.sys (* hidden * ) [AUTO] windev-5700-1a9d <—ROOTKIT !!! ——Registry - GMER 1.0.12—— Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x8E 0xAD 0x8E 0xA8 ... Reg \Registry\MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version@Version 0x8E 0xAD 0x8E 0xA8 ... Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-5700-1A9D Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-5700-1A9D@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@Service windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@DeviceDesc windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@Service windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@DeviceDesc windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000\Control@ActiveService windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@Service windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@DeviceDesc windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-5700-1A9D@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d@Start 2 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d@ErrorControl 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d@ImagePath \??\C:\WINDOWS\system32\windev-5700-1a9d.sys Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d@DisplayName windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d@ImagePath \??\C:\WINDOWS\system32\windev-5700-1a9d.sys Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d@DisplayName windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d@ImagePath \??\C:\WINDOWS\system32\windev-5700-1a9d.sys Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d@DisplayName windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d\Enum@0 Root\LEGACY_WINDEV-5700-1A9D\0000 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d@ImagePath \??\C:\WINDOWS\system32\windev-5700-1a9d.sys Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-5700-1a9d@DisplayName windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-5700-1A9D Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-5700-1A9D@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@Service windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@DeviceDesc windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@Service windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@DeviceDesc windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-5700-1A9D@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-5700-1a9d@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-5700-1a9d@Start 2 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-5700-1a9d@ErrorControl 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-5700-1a9d@ImagePath \??\C:\WINDOWS\system32\windev-5700-1a9d.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-5700-1a9d@DisplayName windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-5700-1a9d@ImagePath \??\C:\WINDOWS\system32\windev-5700-1a9d.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-5700-1a9d@DisplayName windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-5700-1a9d@ImagePath \??\C:\WINDOWS\system32\windev-5700-1a9d.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-5700-1a9d@DisplayName windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-5700-1A9D Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-5700-1A9D@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@Service windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@DeviceDesc windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@Service windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@DeviceDesc windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000\Control@ActiveService windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@Service windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-5700-1A9D\0000@DeviceDesc windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-5700-1A9D@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d@Type 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d@Start 2 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d@ErrorControl 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d@ImagePath \??\C:\WINDOWS\system32\windev-5700-1a9d.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d@DisplayName windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d@ImagePath \??\C:\WINDOWS\system32\windev-5700-1a9d.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d@DisplayName windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d@ImagePath \??\C:\WINDOWS\system32\windev-5700-1a9d.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d@DisplayName windev-5700-1a9d Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d\Enum@0 Root\LEGACY_WINDEV-5700-1A9D\0000 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d@ImagePath \??\C:\WINDOWS\system32\windev-5700-1a9d.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-5700-1a9d@DisplayName windev-5700-1a9d Reg \Registry\USER\S-1-5-21-746137067-562591055-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{47D70C47-2CB0-71E7-42A0-8D0FC47EBCEE}@jaohokndcfjmdnpacpff 0x6B 0x61 0x66 0x64 ... Reg \Registry\USER\S-1-5-21-746137067-562591055-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{47D70C47-2CB0-71E7-42A0-8D0FC47EBCEE}@iaahinnihmgchbokfd 0x6B 0x61 0x66 0x64 ... ——Files - GMER 1.0.12—— [:X]..slut sektion….

1 af 4

Næste

Sidst »