WordPFind logg

Henrik · September 27, 2005, 10:25:53 PM

Tjena. Här är min logg från WordPFind... Diehard, de tog inte alls lång tid :)

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 2002-03-24 12:54:00 46080 C:\WINDOWS\COPYFSTQ.EXE
UPX! 2004-08-22 17:04:56 69120 C:\WINDOWS\daemon.dll
aspack 2005-08-27 18:54:12 9694 C:\WINDOWS\irunin.dat
aspack 2004-04-18 08:57:44 16384 C:\WINDOWS\KS.EXE

Checking %System% folder...
PEC2 2001-09-28 16:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 2002-09-09 16:08:00 638976 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 2001-09-28 16:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
FSG! 2005-09-16 11:42:38 705 C:\WINDOWS\SYSTEM32\woinst32.exe

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2005-09-28 00:07:32 S 2048 C:\WINDOWS\bootstat.dat
2005-09-01 18:09:56 H 0 C:\WINDOWS\LastGood\INF\oem36.inf
2005-09-01 18:09:56 H 0 C:\WINDOWS\LastGood\INF\oem36.PNF
2005-09-01 16:49:20 H 0 C:\WINDOWS\LastGood\INF\oem37.inf
2005-09-01 16:49:20 H 0 C:\WINDOWS\LastGood\INF\oem37.PNF
2005-09-01 16:49:28 H 0 C:\WINDOWS\LastGood\INF\wmv9vcm.inf
2005-09-01 16:49:28 H 0 C:\WINDOWS\LastGood\INF\wmv9vcm.PNF
2005-09-16 11:58:36 H 890 C:\WINDOWS\system32\vsconfig.xml
2005-09-16 11:56:20 H 4212 C:\WINDOWS\system32\zllictbl.dat
2005-09-28 00:08:24 H 1024 C:\WINDOWS\system32\config\default.LOG
2005-09-28 00:07:34 H 1024 C:\WINDOWS\system32\config\SAM.LOG
2005-09-28 00:08:24 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
2005-09-28 00:24:20 H 1024 C:\WINDOWS\system32\config\software.LOG
2005-09-28 00:08:48 H 1024 C:\WINDOWS\system32\config\system.LOG
2005-08-31 00:17:02 HS 2712 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
2005-09-13 14:37:26 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a90d5ede-14fd-4aa6-9889-202ce103f7a7
2005-09-13 14:37:26 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
2005-09-28 00:07:36 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 2001-09-28 16:00:00 67072 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 2002-09-09 16:08:52 580096 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 2002-09-09 16:08:52 130048 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 2001-09-28 16:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 2004-01-14 18:57:18 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 2002-09-09 16:08:52 292864 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2002-09-09 16:08:52 123392 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 2002-09-09 16:08:52 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 2004-02-22 23:44:42 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 2001-09-28 16:00:00 188416 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 2001-09-28 16:00:00 561152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Kristal Studio 2001-01-24 04:05:32 121856 C:\WINDOWS\SYSTEM32\Mp3cnfg.cpl
Microsoft Corporation 2001-09-28 16:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 2001-09-28 16:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 2001-09-28 16:00:00 37376 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 2001-09-28 16:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 2001-09-28 16:00:00 110080 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 2002-09-09 16:08:52 268800 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 2001-09-28 16:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 2001-09-28 16:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 2005-05-26 04:16:34 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 2001-09-28 16:00:00 67072 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 2002-09-09 16:08:52 580096 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 2002-09-09 16:08:52 130048 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 2001-09-28 16:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 2002-09-09 16:08:52 292864 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 2002-09-09 16:08:52 123392 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 2002-09-09 16:08:52 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 2001-09-28 16:00:00 188416 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 2001-09-28 16:00:00 561152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 2001-09-28 16:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 2001-09-28 16:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 2001-09-28 16:00:00 37376 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 2001-09-28 16:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 2001-09-28 16:00:00 110080 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 2002-09-09 16:08:52 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 2002-09-09 16:08:52 268800 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 2001-09-28 16:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 2001-09-28 16:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2004-06-18 13:11:56 HS 84 C:\Documents and Settings\All Users\Start-meny\Program\Autostart\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2004-06-18 14:57:22 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
2004-06-18 13:11:56 HS 84 C:\Documents and Settings\Admin\Start-meny\Program\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
2004-06-18 14:57:22 HS 62 C:\Documents and Settings\Admin\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Evidence Eliminator
   Default    =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
   {73B24247-042E-4EF5-ADC2-42F62E6FD654}    = C:\Program\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   PIN-kod för Start-menyn    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Evidence Eliminator
   Default    =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
   {73B24247-042E-4EF5-ADC2-42F62E6FD654}    = C:\Program\ICQLite\ICQLiteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   AcroIEHlprObj Class = C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Dagens tips = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {8E718888-423F-11D2-876E-00A0C9082467}    = &Radio   : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java-konsol   : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
   ButtonText    = Referensinformation   :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}
   ButtonText    = ICQ 4.1   : C:\Program\ICQLite\ICQLite.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
   File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
   Favorites Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adress   : %SystemRoot%\System32\browseui.dll
   {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} =    :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adress   : %SystemRoot%\System32\browseui.dll
   {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} =    :
   {86227D9C-0EFE-4F8A-AA55-30386A3F5686} =    :
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Länkar   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   ATIPTA   C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
   SunJavaUpdateSched   C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
   LVCOMS   C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
   NeroFilterCheck   C:\WINDOWS\system32\NeroCheck.exe
   DAEMON Tools-1033   "C:\Program\D-Tools\daemon.exe" -lang 1033
   iTunesHelper   "C:\Program\iTunes\iTunesHelper.exe"
   SSC_UserPrompt   C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
   Evidence Eliminator   C:\Program\Evidence Eliminator\ee.exe /m

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\intell32.exe
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   intell32
   hkey   HKLM
   command   C:\WINDOWS\System32\intell32.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   intell32
   hkey   HKLM
   command   C:\WINDOWS\System32\intell32.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Internet Optimizer
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   optimize
   hkey   HKLM
   command   "C:\Program Files\Internet Optimizer\optimize.exe"
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   optimize
   hkey   HKLM
   command   "C:\Program Files\Internet Optimizer\optimize.exe"
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PSGuard
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   PSGuard
   hkey   HKLM
   command   C:\Program\PSGuard\PSGuard.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   PSGuard
   hkey   HKLM
   command   C:\Program\PSGuard\PSGuard.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   qttask
   hkey   HKLM
   command   "C:\Program\QuickTime\qttask.exe" -atboottime
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   qttask
   hkey   HKLM
   command   "C:\Program\QuickTime\qttask.exe" -atboottime
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Resume copy
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   copyfstq
   hkey   HKLM
   command   copyfstq.exe /startup
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   copyfstq
   hkey   HKLM
   command   copyfstq.exe /startup
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\sdkxl.exe
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   sdkxl
   hkey   HKLM
   command   C:\WINDOWS\system32\sdkxl.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   sdkxl
   hkey   HKLM
   command   C:\WINDOWS\system32\sdkxl.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Synchronization Manager
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   mobsync
   hkey   HKLM
   command   %SystemRoot%\system32\mobsync.exe /logon
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   mobsync
   hkey   HKLM
   command   %SystemRoot%\system32\mobsync.exe /logon
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Upload heck
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   First Grey Draw
   hkey   HKLM
   command   C:\Program\ENCREF~1\First Grey Draw.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   First Grey Draw
   hkey   HKLM
   command   C:\Program\ENCREF~1\First Grey Draw.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\wintn32.exe
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   wintn32
   hkey   HKLM
   command   C:\WINDOWS\wintn32.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   wintn32
   hkey   HKLM
   command   C:\WINDOWS\wintn32.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   bootini   0
   services   0
   startup   2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\Program\DELADE~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption
   legalnoticetext
   shutdownwithoutlogon   1
   undockwithoutlogon   1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun
   NoDriveAutoRun   ÿÿÿ
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder     {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn     {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck     {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray    {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
    = Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Die Hard · September 28, 2005, 05:10:37 PM

Hej Henrik :)

Den sista HJT-loggen du postade på ITforum var gjord i felsäkert, eller hur? Kan du posta en ny HJT logg i alla fall, den skulle behövas också.
Kan du också titta i kontrollpanelen och Lägg till/Ta bort program och titta om du hittar "PSGuard", avinstallera.

Kör också Ewido en gång till och posta den loggen, jag tror att den hittar lite mer.
I WinPFind loggen finns en del otrevligheter som också behöver tas bort, men jag ska undersöka först hur vi ska göra med regnycklarna som tillhör.

Hälsningar Die Hard :)

Henrik · September 28, 2005, 06:56:09 PM

Jag behöver väl inte vara i felsäkert läge när jag scannar med ewido, samt ställa in så alla dolda filer syns osv. ?

mvh

Henrik :)

Mannen · September 28, 2005, 07:19:57 PM

Tjena Henke

Tror jag kan svara för DieHard

Ewido skall helst köras i felsäkert läge för att det är enklare att få bort filer som annars kan användas av Windows
Och när du postar din Hijackthis logga så gör det från "normal" läget så alla program som startas kommer med

Lycka till
Mannen

Henrik · September 28, 2005, 07:35:26 PM

Okej, men jag behöver väl inte ta visa alla dolda filer osv, i mapp-alternativ innan jag börjar scanna?

mvh

Mannen · September 28, 2005, 07:39:39 PM

Nej, Ewido hittar dom ändå men du måste ta fram dom förr eller senare så varför inte nu? :wink:

Henrik · September 28, 2005, 08:35:25 PM

Här kommer ewido loggen:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         22:25:31, 2005-09-28
+ Report-Checksum:      ACFAE8C7

+ Scan result:

   C:\Documents and Settings\Admin\Cookies\admin@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Admin\Cookies\admin@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\Admin\Cookies\admin@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
   C:\Documents and Settings\Admin\Cookies\admin@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Admin\Cookies\admin@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Admin\Cookies\admin@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\Documents and Settings\Admin\Cookies\admin@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   C:\Documents and Settings\Admin\Cookies\admin@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
   C:\Documents and Settings\Admin\Cookies\admin@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Admin\Cookies\admin@stat.onestat[2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
   C:\Documents and Settings\Admin\Cookies\admin@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
   C:\Documents and Settings\Admin\Cookies\admin@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
   C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
   C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
   C:\Documents and Settings\Admin\Lokala inställningar\Temp\Cookies\admin@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
   C:\Documents and Settings\Admin\Lokala inställningar\Temporary Internet Files\Content.IE5\4BDRHJG0\MSNBlockDetect[1].exe -> Backdoor.Optix.Pro.f : Cleaned with backup
   C:\Documents and Settings\Admin\Skrivbord\MSNBlockDetect.exe -> Backdoor.Optix.Pro.f : Cleaned with backup
   C:\WINDOWS\system32\coded1.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
   C:\WINDOWS\system32\csaql.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
   C:\WINDOWS\system32\csmvw.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
   C:\WINDOWS\system32\csvme.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
   C:\WINDOWS\system32\cswws.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
   C:\WINDOWS\system32\dmalw.exe -> Trojan.Small.fb : Cleaned with backup
   C:\WINDOWS\system32\hwiper.exe -> Trojan.Qhost.dv : Cleaned with backup

::Report End

Henrik · September 28, 2005, 08:35:56 PM

Här är Hijackthis loggen:

Logfile of HijackThis v1.99.1
Scan saved at 22:39:13, on 2005-09-28
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
C:\Program\D-Tools\daemon.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Evidence Eliminator\ee.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program\Evidence Eliminator\ee.exe /m
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://c:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mfcmw.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program\TuneUp Utilities 2004\WinStylerThemeSvc.exe

Die Hard · September 29, 2005, 08:36:04 PM

Henrik :)

I WinPFind loggen hittar jag flera filer som är konstigt att dom inte syns i HJT loggen .

Nu provar vi så här, få se om vi inte kan ta alltihop i ett svep.

Först, klicka (Windowstangent+R) och skriv regedit>ok för att öppna registereditorn.

Sedan navigera till :
HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Shared Tools
MSConfig
state

Öppna "State"
I högra fältet kommer det att se ut så här:
system.ini   0
   win.ini   0
   bootini   0
   services   0
   startup   2
Dubbelklicka på "startup". I fältet "Data" ändra värdet från "2" till "0" , klicka "ok" och stäng.

Starta sedan KillBox, som du laddade ner häromdan.
Bocka för "Delete on reboot" och klistra in dessa, en i taget och klicka på krysset. Svara nej när den frågar om du vill starta om nu, tills du klistrat in sista filen, då startar du om. Startar inte systemet om av sig själv, gör det manuellt.
C:\WINDOWS\System32\intell32.exe
C:\Program\PSGuard\PSGuard.exe
C:\WINDOWS\system32\sdkxl.exe
C:\Program\ENCREF~1\First Grey Draw.exe
C:\WINDOWS\wintn32.exe
C:\WINDOWS\system32\mfcmw.exe
C:\WINDOWS\svcproc.exe

Gör en ny skanning med HJT och posta loggen

Hälsningar

Die Hard :)

Henrik · September 29, 2005, 09:02:27 PM

När jag klickat på starta om i killbox, så kommer det upp en ruta där det står följande:
"PendingFileRenameOperations Registry Data has been Removed by External Process!"

Så jag rebootade manuellt.

mvh

Henrik · September 29, 2005, 09:10:37 PM

Här är den nya HJT-loggen:

Logfile of HijackThis v1.99.1
Scan saved at 23:15:08, on 2005-09-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
C:\Program\D-Tools\daemon.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program\Evidence Eliminator\ee.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program\Evidence Eliminator\ee.exe /m
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://c:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mfcmw.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program\TuneUp Utilities 2004\WinStylerThemeSvc.exe

Die Hard · September 30, 2005, 05:00:09 AM

Henrik :)

Det är en besvärlig och envis infektion du har. En av filerna verkar skydda de andra från radering.

Prova detta en gång, så får vi se om det går:

Lägg in dessa sökvägar i KillBox och "Delete on reboot"
C:\WINDOWS\System32\intell32.exe
C:\Program\PSGuard\PSGuard.exe
C:\WINDOWS\system32\sdkxl.exe
C:\Program\ENCREF~1\First Grey Draw.exe
C:\WINDOWS\wintn32.exe

Starta om efter den sista, "wintn32.exe".

Jag vill också att du gör detta:

Ladda ner CWShredder härifrån:
http://cwshredder.net/bin/CWShredder.exe

eller här:
http://www.majorgeeks.com/download3019.html

Det är ett specialverktyg för att ta bort CoolWebSearch och dess olika varianter

1. Ladda ner CWShredder
2. Klicka på "Check for updates"-knappen och installera uppdateringar om det finns
3. Klicka på "Fix"-knappen för att starta . Den kommer att radera alla filer den hittar.
(Klicka inte på "Scan"-knappen, då händer ingenting)

Mer info om verktyget finns på engelska på Intermutes hemsida:
http://www.intermute.com/products/cwshredder.html

Die Hard :)

Die Hard :)

Henrik · September 30, 2005, 06:14:57 AM

CoolWebSearch fanns inte i systemet enligt CWShredder.

mvh

Die Hard · September 30, 2005, 09:09:07 PM

Henrik :)

Hur gick det med dom andra filerna , fick du bort dom med KillBox.

Kolla direkt under C:\, där finns en mapp som heter "!Submit". Titta i den vad som finns.

Die Hard :)

Henrik · October 01, 2005, 08:41:31 PM

Det finns ingenting i den katalogen..

MVH Henrik