Hi. Here is my log from WinPFind... Diehard, it didn't take long at all :)
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
aspack 2002-03-24 12:54:00 46080 C:\WINDOWS\COPYFSTQ.EXE
UPX! 2004-08-22 17:04:56 69120 C:\WINDOWS\daemon.dll
aspack 2005-08-27 18:54:12 9694 C:\WINDOWS\irunin.dat
aspack 2004-04-18 08:57:44 16384 C:\WINDOWS\KS.EXE
Checking %System% folder...
PEC2 2001-09-28 16:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 2002-09-09 16:08:00 638976 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 2001-09-28 16:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
FSG! 2005-09-16 11:42:38 705 C:\WINDOWS\SYSTEM32\woinst32.exe
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2005-09-28 00:07:32 S 2048 C:\WINDOWS\bootstat.dat
2005-09-01 18:09:56 H 0 C:\WINDOWS\LastGood\INF\oem36.inf
2005-09-01 18:09:56 H 0 C:\WINDOWS\LastGood\INF\oem36.PNF
2005-09-01 16:49:20 H 0 C:\WINDOWS\LastGood\INF\oem37.inf
2005-09-01 16:49:20 H 0 C:\WINDOWS\LastGood\INF\oem37.PNF
2005-09-01 16:49:28 H 0 C:\WINDOWS\LastGood\INF\wmv9vcm.inf
2005-09-01 16:49:28 H 0 C:\WINDOWS\LastGood\INF\wmv9vcm.PNF
2005-09-16 11:58:36 H 890 C:\WINDOWS\system32\vsconfig.xml
2005-09-16 11:56:20 H 4212 C:\WINDOWS\system32\zllictbl.dat
2005-09-28 00:08:24 H 1024 C:\WINDOWS\system32\config\default.LOG
2005-09-28 00:07:34 H 1024 C:\WINDOWS\system32\config\SAM.LOG
2005-09-28 00:08:24 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
2005-09-28 00:24:20 H 1024 C:\WINDOWS\system32\config\software.LOG
2005-09-28 00:08:48 H 1024 C:\WINDOWS\system32\config\system.LOG
2005-08-31 00:17:02 HS 2712 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
2005-09-13 14:37:26 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a90d5ede-14fd-4aa6-9889-202ce103f7a7
2005-09-13 14:37:26 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
2005-09-28 00:07:36 H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 2001-09-28 16:00:00 67072 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 2002-09-09 16:08:52 580096 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 2002-09-09 16:08:52 130048 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 2001-09-28 16:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 2004-01-14 18:57:18 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 2002-09-09 16:08:52 292864 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2002-09-09 16:08:52 123392 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 2002-09-09 16:08:52 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 2004-02-22 23:44:42 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 2001-09-28 16:00:00 188416 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 2001-09-28 16:00:00 561152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Kristal Studio 2001-01-24 04:05:32 121856 C:\WINDOWS\SYSTEM32\Mp3cnfg.cpl
Microsoft Corporation 2001-09-28 16:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 2001-09-28 16:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 2001-09-28 16:00:00 37376 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 2001-09-28 16:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 2001-09-28 16:00:00 110080 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 2002-09-09 16:08:52 268800 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 2001-09-28 16:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 2001-09-28 16:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 2005-05-26 04:16:34 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 2001-09-28 16:00:00 67072 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 2002-09-09 16:08:52 580096 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 2002-09-09 16:08:52 130048 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 2001-09-28 16:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 2002-09-09 16:08:52 292864 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 2002-09-09 16:08:52 123392 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 2002-09-09 16:08:52 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 2001-09-28 16:00:00 188416 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 2001-09-28 16:00:00 561152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 2001-09-28 16:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 2001-09-28 16:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 2001-09-28 16:00:00 37376 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 2001-09-28 16:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 2001-09-28 16:00:00 110080 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 2002-09-09 16:08:52 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 2002-09-09 16:08:52 268800 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 2001-09-28 16:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 2001-09-28 16:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
2004-06-18 13:11:56 HS 84 C:\Documents and Settings\All Users\Start-meny\Program\Autostart\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
2004-06-18 14:57:22 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
2004-06-18 13:11:56 HS 84 C:\Documents and Settings\Admin\Start-meny\Program\Autostart\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
2004-06-18 14:57:22 HS 62 C:\Documents and Settings\Admin\Application Data\desktop.ini
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Evidence Eliminator
Default =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
PIN-kod för Start-menyn = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Evidence Eliminator
Default =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program\WinRAR\rarext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program\ICQLite\ICQLiteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program\WinRAR\rarext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Dagens tips = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java-konsol : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Referensinformation :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}
ButtonText = ICQ 4.1 : C:\Program\ICQLite\ICQLite.exe
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adress : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adress : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{86227D9C-0EFE-4F8A-AA55-30386A3F5686} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Länkar : %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIPTA C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
SunJavaUpdateSched C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
LVCOMS C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
DAEMON Tools-1033 "C:\Program\D-Tools\daemon.exe" -lang 1033
iTunesHelper "C:\Program\iTunes\iTunesHelper.exe"
SSC_UserPrompt C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
Evidence Eliminator C:\Program\Evidence Eliminator\ee.exe /m
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\intell32.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item intell32
hkey HKLM
command C:\WINDOWS\System32\intell32.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item intell32
hkey HKLM
command C:\WINDOWS\System32\intell32.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Internet Optimizer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item optimize
hkey HKLM
command "C:\Program Files\Internet Optimizer\optimize.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item optimize
hkey HKLM
command "C:\Program Files\Internet Optimizer\optimize.exe"
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PSGuard
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PSGuard
hkey HKLM
command C:\Program\PSGuard\PSGuard.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PSGuard
hkey HKLM
command C:\Program\PSGuard\PSGuard.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program\QuickTime\qttask.exe" -atboottime
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Resume copy
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item copyfstq
hkey HKLM
command copyfstq.exe /startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item copyfstq
hkey HKLM
command copyfstq.exe /startup
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\sdkxl.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sdkxl
hkey HKLM
command C:\WINDOWS\system32\sdkxl.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sdkxl
hkey HKLM
command C:\WINDOWS\system32\sdkxl.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Synchronization Manager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mobsync
hkey HKLM
command %SystemRoot%\system32\mobsync.exe /logon
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mobsync
hkey HKLM
command %SystemRoot%\system32\mobsync.exe /logon
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Upload heck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item First Grey Draw
hkey HKLM
command C:\Program\ENCREF~1\First Grey Draw.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item First Grey Draw
hkey HKLM
command C:\Program\ENCREF~1\First Grey Draw.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\wintn32.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wintn32
hkey HKLM
command C:\WINDOWS\wintn32.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wintn32
hkey HKLM
command C:\WINDOWS\wintn32.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\Program\DELADE~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
NoDriveAutoRun ÿÿÿ
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hi Henrik :)
The last HJT log you posted on ITforum was made in safe mode, right? Can you post a new HJT log anyway, it would be needed too.
Can you also look in Control Panel and Add/Remove Programs and see if you find "PSGuard", and uninstall it.
Also run Ewido once more and post that log, I think it will find a bit more.
In the WinPFind log there are some nasties that also need to be removed, but I'll first look into how we should deal with the registry keys that belong to them.
Regards Die Hard :)
I don't need to be in safe mode when I scan with ewido, and set it so that all hidden files are shown etc., do I?
Regards
Henrik :)
Hi Henke
I think I can answer for DieHard
Ewido should preferably be run in safe mode because it's easier to remove files that otherwise may be in use by Windows
And when you post your Hijackthis log, do it from "normal" mode so that all programs that get started are included
Good luck
Mannen
Okay, but I don't need to show all hidden files etc. in folder options before I start scanning, do I?
Regards
No, Ewido finds them anyway, but you'll have to bring them out sooner or later, so why not now? :wink:
Here is the ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 22:25:31, 2005-09-28
+ Report-Checksum: ACFAE8C7
+ Scan result:
C:\Documents and Settings\Admin\Cookies\admin@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@stat.onestat[2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Admin\Lokala inställningar\Temporary Internet Files\Content.IE5\4BDRHJG0\MSNBlockDetect[1].exe -> Backdoor.Optix.Pro.f : Cleaned with backup
C:\Documents and Settings\Admin\Skrivbord\MSNBlockDetect.exe -> Backdoor.Optix.Pro.f : Cleaned with backup
C:\WINDOWS\system32\coded1.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\WINDOWS\system32\csaql.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\WINDOWS\system32\csmvw.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\WINDOWS\system32\csvme.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\WINDOWS\system32\cswws.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\WINDOWS\system32\dmalw.exe -> Trojan.Small.fb : Cleaned with backup
C:\WINDOWS\system32\hwiper.exe -> Trojan.Qhost.dv : Cleaned with backup
::Report End
Here is the Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 22:39:13, on 2005-09-28
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
C:\Program\D-Tools\daemon.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Evidence Eliminator\ee.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program\Evidence Eliminator\ee.exe /m
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mfcmw.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program\TuneUp Utilities 2004\WinStylerThemeSvc.exe
Henrik :)
In the WinPFind log I find several files that, strangely, don't show up in the HJT log.
Now let's try this, and see if we can't take it all in one sweep.
First, press (Windows key+R) and type regedit>ok to open the registry editor.
Then navigate to:
HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Shared Tools
MSConfig
state
Open "State"
In the right pane it will look like this:
system.ini 0
win.ini 0
bootini 0
services 0
startup 2
Double-click "startup". In the "Data" field, change the value from "2" to "0", click "ok" and close.
Then start KillBox, which you downloaded the other day.
Tick "Delete on reboot" and paste these in, one at a time, and click the cross. Answer no when it asks whether you want to restart now, until you have pasted the last file, then restart. If the system doesn't restart by itself, do it manually.
C:\WINDOWS\System32\intell32.exe
C:\Program\PSGuard\PSGuard.exe
C:\WINDOWS\system32\sdkxl.exe
C:\Program\ENCREF~1\First Grey Draw.exe
C:\WINDOWS\wintn32.exe
C:\WINDOWS\system32\mfcmw.exe
C:\WINDOWS\svcproc.exe
Do a new scan with HJT and post the log
Regards
Die Hard :)
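The point Die Hard makes above, that the WinPFind log lists startup entries the HijackThis log does not, comes down to where the entries live: MSConfig's "selective startup" parks disabled Run items under `HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg`, and HijackThis only reports the live `Run` keys in its O4 lines. The script below is an added example written for this page (not a tool from the thread or from either poster); it parses abridged, constructed excerpts of the two logs as posted here, reports which parked items a HijackThis scan would not show, checks whether the `state\startup` value is still non-zero, and pulls out the O23 services whose binaries are already gone. The helper names (`parse_msconfig`, `parse_hjt`, `hidden_from_hjt`, `selective_startup`) are this example's own.

```python
import re

# Constructed sample input: abridged excerpts of the WinPFind MSConfig section and
# the HijackThis log posted in this thread (paths and names as they appear there).
WINPFIND_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\intell32.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item intell32
hkey HKLM
command C:\WINDOWS\System32\intell32.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PSGuard
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PSGuard
hkey HKLM
command C:\Program\PSGuard\PSGuard.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program\QuickTime\qttask.exe" -atboottime
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\wintn32.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wintn32
hkey HKLM
command C:\WINDOWS\wintn32.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2
"""

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program\Evidence Eliminator\ee.exe /m
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
"""

STARTUPREG_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\(.+)$")
STATE_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\state$")
FIELD_RE = re.compile(r"^(key|item|hkey|command|inimapping)\s+(.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?) \(file missing\)$")


def parse_msconfig(text):
    """Return (parked_items, state) from a WinPFind 'MSConfig' section.

    parked_items maps each startupreg subkey name to its fields (key, item, hkey,
    command, inimapping); state maps the 'state' values to their string data.
    """
    parked, state, current, section = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STARTUPREG_RE.match(line)
        if m:
            current = parked.setdefault(m.group(1), {})
            section = "entry"
            continue
        if STATE_RE.match(line):
            section = "state"
            continue
        if line.startswith("HKEY_") or line.startswith("["):
            section = None          # any other key ends the block we were in
            continue
        if section == "entry":
            m = FIELD_RE.match(line)
            if m:                   # WinPFind prints each field twice; identical values overwrite
                current[m.group(1)] = m.group(2)
        elif section == "state":
            name, _, value = line.partition(" ")
            state[name] = value
    return parked, state


def parse_hjt(text):
    """Return (run_items, missing_services) from HijackThis O4 and O23 lines."""
    run_items, missing = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            run_items[m.group(3)] = m.group(4)
            continue
        m = O23_RE.match(line)
        if m:                       # service still registered, binary already gone
            missing.append((m.group(1), m.group(3)))
    return run_items, missing


def hidden_from_hjt(winpfind_text, hjt_text):
    """Parked startup commands that HijackThis's live-Run-key O4 scan will not list."""
    parked, _ = parse_msconfig(winpfind_text)
    run_items, _ = parse_hjt(hjt_text)
    return sorted((f["item"], f["command"]) for f in parked.values()
                  if "item" in f and f["item"] not in run_items)


def selective_startup(winpfind_text):
    """True when MSConfig's 'startup' state is non-zero, i.e. items are still parked."""
    return parse_msconfig(winpfind_text)[1].get("startup", "0") != "0"


if __name__ == "__main__":
    print("selective startup:", selective_startup(WINPFIND_SAMPLE))
    for item, cmd in hidden_from_hjt(WINPFIND_SAMPLE, HJT_SAMPLE):
        print(f"parked, not in HJT O4: [{item}] {cmd}")
    for name, path in parse_hjt(HJT_SAMPLE)[1]:
        print(f"service with missing binary: {name} -> {path}")
```

Run against the two full logs in the thread, the same parser would list all nine parked items (intell32, optimize, PSGuard, qttask, copyfstq, sdkxl, mobsync, First Grey Draw and wintn32) as absent from the HijackThis O4 lines, which is exactly why setting `startup` back to `0` before re-scanning, as the post above describes, makes them visible again.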
When I clicked restart in killbox, a box came up saying the following:
"PendingFileRenameOperations Registry Data has been Removed by External Process!"
So I rebooted manually.
Regards
Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 23:15:08, on 2005-09-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
C:\Program\D-Tools\daemon.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program\Evidence Eliminator\ee.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program\Evidence Eliminator\ee.exe /m
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mfcmw.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program\TuneUp Utilities 2004\WinStylerThemeSvc.exe
Henrik :)
That is a troublesome and stubborn infection you have. One of the files seems to be protecting the others from deletion.
Try this once, and we'll see if it works:
Enter these paths in KillBox and choose "Delete on reboot":
C:\WINDOWS\System32\intell32.exe
C:\Program\PSGuard\PSGuard.exe
C:\WINDOWS\system32\sdkxl.exe
C:\Program\ENCREF~1\First Grey Draw.exe
C:\WINDOWS\wintn32.exe
Reboot after the last one, "wintn32.exe".
I also want you to do this:
Download CWShredder from here:
http://cwshredder.net/bin/CWShredder.exe
or here:
http://www.majorgeeks.com/download3019.html
It is a special tool for removing CoolWebSearch and its various variants.
1. Download CWShredder
2. Click the "Check for updates" button and install any updates that are available
3. Click the "Fix" button to start. It will delete all the files it finds.
(Do not click the "Scan" button; nothing happens then)
More information about the tool is available in English on Intermute's website:
http://www.intermute.com/products/cwshredder.html
Die Hard :)
Die Hard :)
CoolWebSearch was not present in the system according to CWShredder.
Regards
Henrik :)
How did it go with the other files? Did you get rid of them with KillBox?
Look directly under C:\, there is a folder called "!Submit". See what is in it.
Die Hard :)
There is nothing in that directory.
Regards, Henrik
Now I have definitely seen changes.
I can't change my desktop wallpaper. Now I have a background that says "Your system is infected".
I have removed all the files with the help of HijackThis. But how do I get rid of the background so I can change to whatever background I want? It's set in some entry in the registry, right?
Regards
Henrik
Hi Henrik :)
Sorry for not replying earlier. I have had other things to do; sometimes "real life" makes itself felt.
Do as follows, and we'll see if we can't take a step forward:
Go here and download SmitRem (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1)
Save it to the desktop. Double-click it to unpack the contents into a folder of your choice.
Restart the computer in Safe Mode, open the SmitRem folder and double-click RunThis.bat
to start the tool. Follow the instructions in the menu and let Disk Cleanup run to completion.
Once you have rebooted you can set your wallpaper again.
NOTE: In XP the look may now be shown in Classic mode; you change that on the "Themes" tab under "Properties" by pressing (Windows key+R) and typing desk.cpl > OK.
Then post a new HJT log
Regards
Die Hard :)
Logfile of HijackThis v1.99.1
Scan saved at 13:03:01, on 2005-10-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
C:\Program\D-Tools\daemon.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program\Evidence Eliminator\ee.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program\Evidence Eliminator\ee.exe /m
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mfcmw.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program\TuneUp Utilities 2004\WinStylerThemeSvc.exe
Regards, Henrik
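The O23 lines in the logs above are where the helper in this thread kept looking: a service with a garbled short name, "Unknown owner" and "(file missing)" next to each other is the pattern being chased. As an added example, not part of the thread or of HijackThis, here is a small Python triage that parses O23 lines in exactly that format and lists those three indicators per service; the sample log is constructed from the entry shapes seen above.

```python
"""Triage HijackThis O23 (service) entries: flag what a helper checks first."""
import re
from typing import Optional

# Constructed sample in HijackThis O23 format, modelled on entries in the thread (not a real log).
SAMPLE_LOG = """\
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F\u00df\u00e4#\u00b7\u00ba\u00c4\u00d6`I) - Unknown owner - C:\\WINDOWS\\system32\\mfcmw.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\System32\\Ati2evxx.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\\Program\\Delade filer\\Symantec Shared\\ccSetMgr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe (file missing)
"""

# "O23 - Service: <display name> - <owner> - <path and arguments>"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Trailing "(ShortName)" in the display name; real short names are plain ASCII identifiers.
SHORT_NAME_RE = re.compile(r"\(([^()]*)\)\s*$")
PLAIN_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def parse_o23(line: str) -> Optional[dict]:
    """Split one O23 line into display name, owner and path; None if it is not an O23 line."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_service(entry: dict) -> list:
    """Return the reasons an entry deserves a closer look (empty list = nothing unusual)."""
    flags = []
    if entry["owner"] == "Unknown owner":
        flags.append("unknown owner")      # no vendor in the binary's version info
    if "(file missing)" in entry["path"]:
        flags.append("file missing")       # registered service whose binary is gone
    m = SHORT_NAME_RE.search(entry["display"])
    if m and not PLAIN_NAME_RE.match(m.group(1)):
        flags.append("odd short name")     # binary junk where an identifier should be
    return flags


def triage_o23(log_text: str) -> list:
    """Parse every O23 line in a log and attach its flags, in log order."""
    results = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is not None:
            entry["flags"] = flag_service(entry)
            results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage_o23(SAMPLE_LOG):
        marker = "!!" if e["flags"] else "  "
        print(f'{marker} {e["display"]} <- {e["owner"]} :: {", ".join(e["flags"]) or "ok"}')
```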
Henrik :)
There we go :thumbup:
Now we got rid of the service we were chasing!
The question is how your system is behaving now.
Do you have the XP theme, and does it seem stable without pop-ups or other unwelcome behaviour?
EDIT: Can you run this little tool: http://www.fbeej.ctrlaltdel.dk/Programmer/fl.zip
Post the log. It checks the directories in your "Application Data" folder.
Die Hard :)
It seems just like normal. Yes, I have the XP theme. And now it no longer goes off to lots of different pages on its own.
I have cleaned up a bit in the Application Data folders myself :) So it should look fine now. Here is the log anyway:
Volymen i enhet C har ingen etikett.
Volymens serienummer är 80A7-A1E1
Innehåll i katalogen C:\Documents and Settings\Admin\Application Data
2004-06-22 17:53 <KAT> Adobe
2005-06-09 20:21 <KAT> Ahead
2005-08-16 18:48 <KAT> Apple Computer
2004-06-22 17:56 <KAT> Creative
2005-09-18 17:49 <KAT> F-Secure
2004-06-18 13:27 <KAT> Help
2005-07-08 19:18 <KAT> ICQLite
2005-10-05 03:43 <KAT> Identities
2004-06-22 17:53 <KAT> InterTrust
2005-09-15 22:21 <KAT> Macromedia
2004-06-18 23:50 <KAT> Sun
2004-06-19 00:04 <KAT> TuneUp Software
0 fil(er) 0 byte
12 katalog(er) 4 651 741 184 byte ledigt
Volymen i enhet C har ingen etikett.
Volymens serienummer är 80A7-A1E1
Innehåll i katalogen C:\Documents and Settings\All Users\Application Data
2005-08-16 18:47 <KAT> Apple Computer
2004-07-12 21:12 <KAT> MSN6
2005-08-16 19:00 <KAT> QuickTime
2005-06-15 22:52 <KAT> Sony Ericsson
2005-07-02 20:06 <KAT> Support.com
2005-09-15 20:35 <KAT> Symantec
2004-06-19 00:03 <KAT> TuneUp Software
0 fil(er) 0 byte
7 katalog(er) 4 651 741 184 byte ledigt
Volymen i enhet C har ingen etikett.
Volymens serienummer är 80A7-A1E1
Innehåll i katalogen C:\Documents and Settings\Default User\Application Data
2004-06-18 14:57 <KAT> .
2004-06-18 14:57 <KAT> ..
2004-06-18 14:57 62 desktop.ini
1 fil(er) 62 byte
2 katalog(er) 4 651 741 184 byte ledigt
Volymen i enhet C har ingen etikett.
Volymens serienummer är 80A7-A1E1
Innehåll i katalogen C:\Documents and Settings\LocalService\Application Data
Volymen i enhet C har ingen etikett.
Volymens serienummer är 80A7-A1E1
Innehåll i katalogen C:\Documents and Settings\NetworkService\Application Data
[TRACE] Enumerating jobs and queues
[TRACE] Activating job '1-Click Maintenance.job'
[TRACE] Printing all job properties
ApplicationName: 'C:\Program\TuneUp Utilities 2004\SystemOptimizer.exe'
Parameters: '/schedulestart'
WorkingDirectory: ''
Comment: 'Starts 1-Click Maintenance at scheduled times'
Creator: 'Admin'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/30/2005 17:15:00
NextRun: 10/07/2005 17:15:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 08/07/2001
EndDate: 08/07/2005
StartTime: 17:15
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties
ApplicationName: 'C:\Program\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Admin'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/16/2005 4:56:00
NextRun: 00/00/0000 0:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_DISABLED
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 1
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 09/16/2005
EndDate: 00/00/0000
StartTime: 08:57
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
One more question. If I now install, for example, F-Secure Anti-Virus, can this virus/trojan still be installed on my computer even though I have antivirus protection? Or do I have to run a software firewall, e.g. ZoneAlarm, so that it cannot be installed on my system when I visit some website that spreads it?
Regards
Henrik
Hi Henrik :)
You already have a version of Symantec (Norton). If you install a different antivirus, make sure to uninstall this one properly first.
Also, an antivirus program does not protect particularly well against spyware. Installing ZoneAlarm is a good idea.
It is available for download here:
http://www.download.com/3000-2092-10039884.html
For installing and configuring it, go here for information with pictures:
http://www.markusjansson.net/eza.html
Keep Ewido as well. After the trial period ends the program will work just as well. What you will lose is the "Real time monitor" and the automatic updates. But you can fetch the updates manually from the main menu, which is just as good.
Then scan often after you have finished browsing.
I think you were given the link to the Ewido guide here:
http://www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf
Surf safely
Regards
Die Hard :)
Thanks for all the help!
I'll be back when there are new virus/trojan infections. 8)
Regards
Henrik
You're welcome any time (just not too soon) :P :P
Die Hard :)