Strange Internet + Exe = Trojan? / by Ping

  • 26 replies
Strange Internet + Exe = Trojan?
2008-04-16 at 17:57

Hi!

After downloading Diablo II and running a "crack" .exe, the computer got a bit strange. For example, I can't search on Google (the homepage comes up, but as soon as I search, the internet hangs).

I have just used CC Cleaner + Spybot and cleaned up the computer a bit, so here is a HijackThis log in case someone would be really kind and take a look.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:57:59, on 2008-04-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN2.tmp
C:\WINDOWS\system32\wuauclt.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Razer\Copperhead\razerhid.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Razer\Copperhead\razerofa.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\Integrator.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
D:\SPYWARE PROGRAM\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intra/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [razer] C:\Program\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PC Alarm Clock] C:\Program\PC Alarm Clock\pcalarmclock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BM2b83eb8d] Rundll32.exe "C:\WINDOWS\system32\iwtpbtpb.dll",s
O4 - HKLM\..\Run: [28b0d811] rundll32.exe "C:\WINDOWS\system32\dsdemflg.dll",b
O4 - HKCU\..\Run: [Rainlendar2] C:\Program\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FlashMute] C:\Program\FlashMute\FlashMute.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zoom.lnk = C:\Program\Dachshund Software\Zoom\Zoom.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9a9307a0-7da4-4daf-b042-5009f29e09e1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by122fd.bay122.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O24 - Desktop Component 0: (no name) - http://images.google.se/images?q=tbn:oagWYvcym63YVM:www.lecornichon.qc.ca/galeries_1/polqueb/000044-charest_playgirl.jpg
O24 - Desktop Component 1: (no name) - http://images.google.se/images?q=tbn:BJSvMuTc_FmwIM:www.discountpress.com/images/catalog/playgirl.jpg
O24 - Desktop Component 2: (no name) - http://images.google.se/images?q=tbn:w_k-zpHLJ5dIaM:www.usahunk.com/playgirl5.jpg
O24 - Desktop Component 3: (no name) - http://images.google.se/images?q=tbn:mSsmRRmn0sZ3DM:jason30034.tripod.com/sitebuildercontent/sitebuilderpictures/.pond/playgirl.jpg.w300h400.jpg
O24 - Desktop Component 4: (no name) - http://images.channeladvisor.com/Sell/SSProfiles/10005504/Images/collage%20playgirl%20final.jpg
O24 - Desktop Component 6: MeatSpin.com - You spin me right round baby, Right round! - http://www.meatspin.com/

--
End of file - 6840 bytes
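The log above is triaged by eye in the replies that follow: a process running out of C:\WINDOWS\TEMP, O4 Run values with hex-blob names that load eight-letter DLLs from system32 through rundll32, and nameless BHOs. As an added example (not part of the thread and not HijackThis code), here is a small Python script that applies those same heuristics to a handful of lines copied from the posted logs. The tag names, the regular expressions and the sample log are my own constructions; the heuristics are deliberately narrow and only point a reader at entries worth checking, they do not prove anything is malicious.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: a few lines copied from the HijackThis logs in this thread,
# mixed with benign entries from the same logs for contrast. Not a complete log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\BN2.tmp
C:\Program\Mozilla Firefox\firefox.exe

O2 - BHO: (no name) - {53762d60-d433-4817-992d-7b9656b1b090} - C:\WINDOWS\system32\geBTnkiF.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM2b83eb8d] Rundll32.exe "C:\WINDOWS\system32\iwtpbtpb.dll",s
O4 - HKLM\..\Run: [28b0d811] rundll32.exe "C:\WINDOWS\system32\dsdemflg.dll",b
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
"""

# HijackThis section line shapes (my own patterns, written against the lines above).
RUN_ENTRY = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
BHO_ENTRY = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$')
NOTIFY_ENTRY = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')

# Heuristics drawn from what the helper flags in this thread.
HEXISH_NAME = re.compile(r'^(?:BM)?[0-9a-f]{8}$')          # Run value name is 8 hex digits, maybe "BM"-prefixed
RUNDLL_SYS32 = re.compile(                                  # rundll32 loading an 8-letter DLL straight from system32
    r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\system32\\[a-z]{8}\.dll', re.IGNORECASE)
TEMP_EXE = re.compile(r'^[a-z]:\\windows\\temp\\[^\\]+\.tmp$', re.IGNORECASE)   # a .tmp file listed as a running process
SYS32_DLL = re.compile(r'\\system32\\[^\\]+\.dll$', re.IGNORECASE)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (tag, line) pairs for log lines that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # HJT separates sections with blank lines
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if TEMP_EXE.match(line):
                findings.append(("exe-from-temp", line))
            continue
        run = RUN_ENTRY.match(line)
        if run:
            if HEXISH_NAME.match(run.group("name")):
                findings.append(("random-run-name", line))
            if RUNDLL_SYS32.search(run.group("cmd")):
                findings.append(("rundll32-unnamed-dll", line))
            continue
        bho = BHO_ENTRY.match(line)
        if bho:
            # A BHO with no display name whose DLL sits in system32 is worth a second look.
            if bho.group("name") == "(no name)" and SYS32_DLL.search(bho.group("path")):
                findings.append(("unnamed-bho-system32", line))
            continue
        if NOTIFY_ENTRY.match(line):
            # Winlogon Notify handlers load into winlogon.exe; every one should be accounted for.
            findings.append(("winlogon-notify", line))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per tag, handy for a quick overview of a long log."""
    return dict(Counter(tag for tag, _ in findings))


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"[{tag:22}] {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the constructed sample it reports seven findings: the BN2.tmp process, the nameless BHO in system32, both hex-named Run values (each also flagged for the rundll32 pattern), and the WLCtrl32 Winlogon Notify entry; the iTunes, Google Toolbar and Bluetooth lines pass untouched. The Bluetooth line matters as a negative case: it also uses rundll32, but loads a named control panel applet rather than an eight-letter DLL, so the pattern is kept tight enough not to fire on it.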

2008-04-16 at 21:31

download this program and save it to the desktop.
http://www.atribune.org/ccount/click.php?id=4
start the program > click on scan for vundo > click on fix vundo.
choose to delete the files when asked.
restart; several restarts may be needed.
post the log found here: C:\vundofix.txt

http://www.malwarebytes.org/mbam/program/mbam-setup.exe

install the program and click on scan when you see that button.
click on show results > remove selected, a log is now shown which you post

a longer version in English:
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

rename this file to This.exe, do a new scan and post a new HJT log
D:\SPYWARE PROGRAM\HiJackThis.exe

2008-04-17 at 21:10

OK, first of all, here is the Vundofix log:


Scan started at 18:34:53 2008-04-17

Listing files found while scanning....

C:\WINDOWS\system32\opnlkKbA.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\opnlkKbA.dll
C:\WINDOWS\system32\opnlkKbA.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\opnlkKbA.dll
C:\WINDOWS\system32\opnlkKbA.dll Could not be deleted.

Performing Repairs to the registry.
Done!

The Malwarebytes log:

Malwarebytes' Anti-Malware 1.11
Database version: 642

Scan type: Quick Scan
Objects scanned: 33869
Time elapsed: 40 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 20
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 397
Files Infected: 3096

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\aomjpjca.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\geBTnkiF.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\opnlkKbA.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\hkpwovvq.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\WLCtrl32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53762d60-d433-4817-992d-7b9656b1b090} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{53762d60-d433-4817-992d-7b9656b1b090} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{eec73ea5-1367-49d1-93f4-ca1d8c22e9f9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{eec73ea5-1367-49d1-93f4-ca1d8c22e9f9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1f6f5baf-3e88-4b0e-9a5b-ad6cf5c62ac6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f6f5baf-3e88-4b0e-9a5b-ad6cf5c62ac6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\E404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28b0d811 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{eec73ea5-1367-49d1-93f4-ca1d8c22e9f9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM2b83eb8d (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM2b83eb8d (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebtnkif -> Quarantined and deleted successfully.

Folders Infected:

C:\Program\Helper (Adware.BHO) -> Not selected for removal.

Files Infected:
C:\WINDOWS\system32\aomjpjca.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\acjpjmoa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBTnkiF.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\FiknTBeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FiknTBeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnlkKbA.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dhgygvem.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hkpwovvq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\zeqbqwp.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Philip\Lokala inställningar\Temp\Temporary Internet Files\Content.IE5\23CRY7WX\glas[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Philip\Lokala inställningar\Temp\Temporary Internet Files\Content.IE5\2XGFEZUT\kriv[1] (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\iwtpbtpb.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WLCtrl32.dl_ (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WLCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ClickToFindandFixErrors_Intl.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

(Note: there were a lot of poker things that were counted as viruses, so I removed those from the log)


Here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:05:01, on 2008-04-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN3.tmp
C:\WINDOWS\system32\wuauclt.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Razer\Copperhead\razerhid.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Razer\Copperhead\razerofa.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\Integrator.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\SPYWARE PROGRAM\This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intra/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53762d60-d433-4817-992d-7b9656b1b090} - C:\WINDOWS\system32\geBTnkiF.dll
O2 - BHO: (no name) - {565a28e2-c379-423e-a159-3ecf6835d4f7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: (no name) - {de7364a6-55fd-44ed-83d8-3c669f6099e8} - C:\WINDOWS\system32\byXQJBRh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [razer] C:\Program\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PC Alarm Clock] C:\Program\PC Alarm Clock\pcalarmclock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BM2b83eb8d] Rundll32.exe "C:\WINDOWS\system32\iwtpbtpb.dll",s
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Rainlendar2] C:\Program\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FlashMute] C:\Program\FlashMute\FlashMute.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zoom.lnk = C:\Program\Dachshund Software\Zoom\Zoom.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9a9307a0-7da4-4daf-b042-5009f29e09e1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by122fd.bay122.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O24 - Desktop Component 0: (no name) - http://images.google.se/images?q=tbn:oagWYvcym63YVM:www.lecornichon.qc.ca/galeries_1/polqueb/000044-charest_playgirl.jpg
O24 - Desktop Component 1: (no name) - http://images.google.se/images?q=tbn:BJSvMuTc_FmwIM:www.discountpress.com/images/catalog/playgirl.jpg
O24 - Desktop Component 2: (no name) - http://images.google.se/images?q=tbn:w_k-zpHLJ5dIaM:www.usahunk.com/playgirl5.jpg
O24 - Desktop Component 3: (no name) - http://images.google.se/images?q=tbn:mSsmRRmn0sZ3DM:jason30034.tripod.com/sitebuildercontent/sitebuilderpictures/.pond/playgirl.jpg.w300h400.jpg
O24 - Desktop Component 4: (no name) - http://images.channeladvisor.com/Sell/SSProfiles/10005504/Images/collage%20playgirl%20final.jpg
O24 - Desktop Component 6: MeatSpin.com - You spin me right round baby, Right round! - http://www.meatspin.com/

--
End of file - 7721 bytes

2008-04-18 at 07:32

stop this process
C:\WINDOWS\TEMP\BN3.tmp
then try to empty as many files as you can from this folder
C:\WINDOWS\TEMP\

start vundofix, right-click in the window, add this file and click ok
C:\WINDOWS\system32\geBTnkiF.dll
click on remove vundo
post that log

update malwarebytes and scan again, post that log
C:\Program\Helper = should be removed

2008-04-19 at 17:27

The BN3.tmp file comes back in the process list and also in the temp folder after every restart (though the number changes).

I still have problems with the internet; it works for maybe 2-3 hours, then I can't get to any website without having to restart the computer.

The geBTnkiF.dll file doesn't exist, so I couldn't do the vundofix step.

here is the malwarebytes log, I removed everything with PKR casino.

Malwarebytes' Anti-Malware 1.11
Database version: 652

Scan type: Full Scan (C:\|)
Objects scanned: 98451
Time elapsed: 1 hour(s), 21 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 396
Files Infected: 3082

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WLCtrl32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:

Files Infected:
C:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\6IUXQ7A8\sdferw[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\WLCtrl32.dl_ (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WLCtrl32.dll (Trojan.Agent) -> Delete on reboot.

2008-04-19 at 19:16

post a new HJT log

http://www.suspectfile.com/systemscan/
save the file to the desktop and open it. put a check in the box > proceed > click on unselect all > check recent files and choose 30 > click on scan now. post that log here

2008-04-20 at 12:22

The HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:20:10, on 2008-04-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN2.tmp
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Razer\Copperhead\razerhid.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\PC Alarm Clock\pcalarmclock.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Rainlendar2\Rainlendar2.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\Program\Razer\Copperhead\razerofa.exe
C:\Program\FlashMute\FlashMute.exe
C:\WINDOWS\Integrator.exe
C:\Program\DC++\DCPlusPlus.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
D:\SPYWARE PROGRAM\This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intra/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {565a28e2-c379-423e-a159-3ecf6835d4f7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: (no name) - {de7364a6-55fd-44ed-83d8-3c669f6099e8} - C:\WINDOWS\system32\byXQJBRh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [razer] C:\Program\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PC Alarm Clock] C:\Program\PC Alarm Clock\pcalarmclock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Rainlendar2] C:\Program\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FlashMute] C:\Program\FlashMute\FlashMute.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zoom.lnk = C:\Program\Dachshund Software\Zoom\Zoom.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9a9307a0-7da4-4daf-b042-5009f29e09e1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by122fd.bay122.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O24 - Desktop Component 0: (no name) - http://images.google.se/images?q=tbn:oagWYvcym63Y
VM:www.lecornichon.qc.ca/galeries_1/polqueb/00004
4-charest_playgirl.jpg

O24 - Desktop Component 1: (no name) - http://images.google.se/images?q=tbn:BJSvMuTc_Fmw
IM:www.discountpress.com/images/catalog/playgirl.
jpg

O24 - Desktop Component 2: (no name) - http://images.google.se/images?q=tbn:w_k-zpHLJ5dIaM:www.usahunk.com/playgirl5.jpg

O24 - Desktop Component 3: (no name) - http://images.google.se/images?q=tbn:mSsmRRmn0sZ3DM:jason30034.tripod.com/sitebuildercontent/sitebuilderpictures/.pond/playgirl.jpg.w300h400.jpg

O24 - Desktop Component 4: (no name) - http://images.channeladvisor.com/Sell/SSProfiles/10005504/Images/collage%20playgirl%20final.jpg

O24 - Desktop Component 6: MeatSpin.com - You spin me right round baby, Right round! - http://www.meatspin.com/

--
End of file - 7773 bytes


Here is the Suspect File log:

SystemScan - www.suspectfile.com - ver. 3.5.5 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Philip\Skrivbord\sys99900.exe
Running in: User mode
Date: 2008-04-20
Time: 12:21:56

Output limited to:
-Recent files

===================== RECENT FILES =====================

Showing files newer than 30 days

----- recent files in C:\
17-04-2008 18:47:03 (DIR) 0 byte 3 days old -- VundoFix Backups
18-04-2008 23:36:59 984 byte 2 days old -- VundoFix.txt
19-04-2008 09:49:46 (DIR) 0 byte 1 days old -- WINDOWS
19-04-2008 11:54:51 (DIR) 0 byte 1 days old -- Program
20-04-2008 12:04:08 805306368 byte 0 days old -- pagefile.sys
20-04-2008 12:04:09 (DIR)535285760 byte 0 days old -- hiberfil.sys
07-04-2008 10:16:41 (DIR) 0 byte 13 days old -- Soldat
07-04-2008 10:25:28 0 byte 13 days old -- logwmemory.bin

----- recent files in C:\WINDOWS\
13-04-2008 09:03:19 (DIR) 0 byte 7 days old -- WinSxS
13-04-2008 09:08:08 (DIR) 0 byte 7 days old -- assembly
13-04-2008 09:08:09 (DIR) 0 byte 7 days old -- Microsoft.NET
14-04-2008 15:34:40 256 byte 6 days old -- system.ini
14-04-2008 23:18:44 73216 byte 6 days old -- ST6UNST.EXE
14-04-2008 23:18:48 1623 byte 6 days old -- ST6UNST.000
14-04-2008 23:18:48 286720 byte 6 days old -- Setup1.exe
15-04-2008 18:46:22 (DIR) 0 byte 5 days old -- Installer
15-04-2008 21:03:23 691545 byte 5 days old -- unins000.exe
15-04-2008 21:07:49 2546 byte 5 days old -- unins000.dat
15-04-2008 21:09:13 (DIR) 0 byte 5 days old -- inf
15-04-2008 22:23:09 (DIR) 0 byte 5 days old -- AppPatch
15-04-2008 22:25:43 (DIR) 0 byte 5 days old -- Downloaded Program Files
15-04-2008 22:34:10 (DIR) 0 byte 5 days old -- SoftwareDistribution
16-04-2008 01:05:13 (DIR) 0 byte 4 days old -- Prefetch
16-04-2008 05:49:18 14728 byte 4 days old -- ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
16-04-2008 17:50:15 (DIR) 0 byte 4 days old -- Minidump
16-04-2008 17:50:17 (DIR) 0 byte 4 days old -- Debug
17-04-2008 11:13:10 613 byte 3 days old -- wininit.ini
17-04-2008 18:51:14 22 byte 3 days old -- pskt.ini
17-04-2008 21:10:19 101178 byte 3 days old -- BM2b83eb8d.xml
17-04-2008 21:11:15 23835 byte 3 days old -- BM2b83eb8d.txt
18-04-2008 23:46:41 3624 byte 2 days old -- setupapi.log
19-04-2008 09:49:46 1409 byte 1 days old -- QTFont.for
20-04-2008 12:04:17 2048 byte 0 days old -- bootstat.dat
20-04-2008 12:04:34 50 byte 0 days old -- wiaservc.log
20-04-2008 12:04:35 157 byte 0 days old -- wiadebug.log
20-04-2008 12:05:02 0 byte 0 days old -- 0.log
20-04-2008 12:05:07 (DIR) 0 byte 0 days old -- temp
20-04-2008 12:05:30 54 byte 0 days old -- zoom.dat
20-04-2008 12:05:34 54156 byte 0 days old -- QTFont.qfn
20-04-2008 12:06:17 (DIR) 0 byte 0 days old -- system32
20-04-2008 12:06:18 1101614 byte 0 days old -- WindowsUpdate.log
07-04-2008 10:16:41 (DIR) 0 byte 13 days old -- Fonts
09-04-2008 03:14:40 11932 byte 11 days old -- ModemLog_HUAWEI Mobile Connect - 3G Modem #3.txt
10-04-2008 09:01:00 (DIR) 0 byte 10 days old -- $NtUninstallKB945553$
10-04-2008 09:01:09 (DIR) 0 byte 10 days old -- $NtUninstallKB944338$
10-04-2008 09:02:31 (DIR) 0 byte 10 days old -- $NtUninstallKB948590$
10-04-2008 09:02:37 (DIR) 0 byte 10 days old -- $NtUninstallKB941693$
10-04-2008 09:02:49 (DIR) 0 byte 10 days old -- $NtUninstallKB947864$
10-04-2008 09:02:58 (DIR) 0 byte 10 days old -- $hf_mig$
10-04-2008 09:02:58 (DIR) 0 byte 10 days old -- $NtUninstallKB948881$

----- recent files in C:\WINDOWS\Downloaded Program Files\

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
13-04-2008 09:03:32 400240 byte 7 days old -- perfh009.dat
13-04-2008 09:03:32 403158 byte 7 days old -- perfh01D.dat
13-04-2008 09:03:32 906592 byte 7 days old -- PerfStringBackup.INI
13-04-2008 09:03:32 61494 byte 7 days old -- perfc009.dat
13-04-2008 09:03:32 72804 byte 7 days old -- perfc01D.dat
14-04-2008 15:35:34 118784 byte 6 days old -- icq5s.dll
14-04-2008 15:47:53 12067 byte 6 days old -- SIntf16.dll
14-04-2008 15:47:54 17212 byte 6 days old -- SIntf32.dll
14-04-2008 15:47:54 21840 byte 6 days old -- SIntfNT.dll
15-04-2008 20:56:57 708543 byte 5 days old -- rhmgblex.ini
15-04-2008 21:08:34 1406 byte 5 days old -- Help.ico
15-04-2008 21:08:34 30590 byte 5 days old -- pavas.ico
15-04-2008 21:08:34 2550 byte 5 days old -- Uninstall.ico
15-04-2008 22:25:22 775882 byte 5 days old -- wgqdjdok.ini
15-04-2008 22:34:16 (DIR) 0 byte 5 days old -- ActiveScan
15-04-2008 22:34:41 (DIR) 0 byte 5 days old -- config
15-04-2008 22:36:30 (DIR) 0 byte 5 days old -- drivers
15-04-2008 22:38:26 (DIR) 0 byte 5 days old -- wbem
15-04-2008 23:48:28 184619 byte 5 days old -- aHkUBcdd.ini2
15-04-2008 23:50:06 184619 byte 5 days old -- aHkUBcdd.ini
15-04-2008 23:50:06 143 byte 5 days old -- mcrh.tmp
16-04-2008 05:42:19 294 byte 4 days old -- rfkvpcxb.ini
16-04-2008 05:49:10 185543 byte 4 days old -- hRBJQXyb.ini2
16-04-2008 05:49:26 185543 byte 4 days old -- hRBJQXyb.ini
17-04-2008 11:09:50 207369 byte 3 days old -- ddNqBcfe.ini2
17-04-2008 11:10:44 294 byte 3 days old -- glfmedsd.ini
17-04-2008 11:12:48 0 byte 3 days old -- ddNqBcfe.ini
17-04-2008 18:55:48 0 byte 3 days old -- clkcnt.txt
20-04-2008 00:45:34 (DIR) 0 byte 0 days old -- CatRoot2
20-04-2008 12:04:13 12288 byte 0 days old -- WLCtrl32.dll
20-04-2008 12:05:05 12288 byte 0 days old -- WLCtrl32.dl_
20-04-2008 12:05:09 13738 byte 0 days old -- wpa.dbl
09-04-2008 10:50:53 (DIR) 0 byte 11 days old -- CatRoot
10-04-2008 09:02:53 (DIR) 0 byte 10 days old -- dllcache
10-04-2008 09:09:33 124520 byte 10 days old -- FNTCACHE.DAT

----- recent files in C:\WINDOWS\system32\drivers\
15-04-2008 21:43:17 (DIR) 0 byte 5 days old -- etc
20-04-2008 12:05:05 27008 byte 0 days old -- Dqb12.sys

----- recent files in C:\WINDOWS\temp\
15-04-2008 10:02:04 (DIR) 0 byte 5 days old -- Temporary Internet Files
15-04-2008 10:02:04 (DIR) 0 byte 5 days old -- Tidigare
15-04-2008 10:02:04 (DIR) 0 byte 5 days old -- Cookies
20-04-2008 06:00:23 46592 byte 0 days old -- BN5.tmp
20-04-2008 12:05:03 255 byte 0 days old -- WGAErrLog.txt
20-04-2008 12:05:05 46592 byte 0 days old -- BN2.tmp
20-04-2008 12:05:12 409 byte 0 days old -- WGANotify.settings

----- recent files in C:\Program\
01-04-2008 12:30:20 (DIR) 0 byte 19 days old -- PartyGaming
03-04-2008 16:50:15 (DIR) 0 byte 17 days old -- Holdem Indicator
23-03-2008 01:11:14 (DIR) 0 byte 28 days old -- DotA Gaming Network
14-04-2008 23:18:11 (DIR) 0 byte 6 days old -- WinRAR
15-04-2008 22:09:12 (DIR) 0 byte 5 days old -- FlashMute
15-04-2008 22:09:18 (DIR) 0 byte 5 days old -- Google
15-04-2008 22:09:52 (DIR) 0 byte 5 days old -- Internet Explorer
15-04-2008 22:10:28 (DIR) 0 byte 5 days old -- iTunes
15-04-2008 22:16:53 (DIR) 0 byte 5 days old -- Spybot - Search & Destroy
16-04-2008 17:13:40 (DIR) 0 byte 4 days old -- Trend Micro
16-04-2008 17:14:21 (DIR) 0 byte 4 days old -- CCleaner
17-04-2008 18:53:00 (DIR) 0 byte 3 days old -- Malwarebytes' Anti-Malware
19-04-2008 17:02:12 (DIR) 0 byte 1 days old -- Warcraft III
20-04-2008 12:06:34 (DIR) 0 byte 0 days old -- Mozilla Firefox
20-04-2008 12:06:38 (DIR) 0 byte 0 days old -- DC++

----- recent files in C:\Program\Delade filer\

----- recent files in C:\Documents and Settings\Philip\Application Data\
22-03-2008 22:33:23 (DIR) 0 byte 29 days old -- skypePM
22-03-2008 23:23:26 (DIR) 0 byte 29 days old -- Skype
31-03-2008 14:19:54 (DIR) 0 byte 20 days old -- uTorrent
17-04-2008 18:53:03 (DIR) 0 byte 3 days old -- Malwarebytes
07-04-2008 10:16:25 (DIR) 0 byte 13 days old -- Soldat
07-04-2008 17:49:07 (DIR) 0 byte 13 days old -- U3

----- recent files in C:\DOCUME~1\Philip\LOKALA~1\Temp\
13-04-2008 18:56:48 (DIR) 0 byte 7 days old -- plugtmp-13
16-04-2008 01:04:07 16384 byte 4 days old -- ~DF2E63.tmp
16-04-2008 05:35:06 16384 byte 4 days old -- ~DF921F.tmp
16-04-2008 05:45:54 0 byte 4 days old -- 13DCBB6.dmp
16-04-2008 16:25:57 16384 byte 4 days old -- ~DF8649.tmp
16-04-2008 17:50:14 (DIR) 0 byte 4 days old -- games
16-04-2008 20:49:09 78 byte 4 days old -- dw.log
16-04-2008 23:23:38 16384 byte 4 days old -- ~DF429C.tmp
17-04-2008 07:43:44 (DIR) 0 byte 3 days old -- Google Toolbar
17-04-2008 18:34:43 32768 byte 3 days old -- ~DF8E22.tmp
17-04-2008 18:47:03 32768 byte 3 days old -- ~DF6408.tmp
17-04-2008 18:51:20 16384 byte 3 days old -- ~DF3229.tmp
17-04-2008 18:54:30 (DIR) 0 byte 3 days old -- Cookies
17-04-2008 20:15:13 311296 byte 3 days old -- ~DFBDC3.tmp
17-04-2008 21:10:18 22192 byte 3 days old -- b728x90.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b120x600.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b120x90.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b120x240.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b250x250.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b240x400.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b300x250.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b300x100.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b160x600.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b125x125.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b234x60.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b180x150.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b468x60.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b336x280.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b720x300.tmp
17-04-2008 21:14:35 16384 byte 3 days old -- ~DF4608.tmp
18-04-2008 17:06:04 16384 byte 2 days old -- ~DF5DF8.tmp
18-04-2008 23:56:50 16384 byte 2 days old -- ~DF7685.tmp
19-04-2008 09:49:45 16384 byte 1 days old -- ~DF7479.tmp
19-04-2008 17:15:50 16384 byte 1 days old -- ~DF91E8.tmp
20-04-2008 00:39:28 16384 byte 0 days old -- ~DF73E3.tmp
20-04-2008 00:44:46 16384 byte 0 days old -- ~DF6CB5.tmp
20-04-2008 00:45:11 16384 byte 0 days old -- ~DFCC9B.tmp
20-04-2008 12:05:34 16384 byte 0 days old -- ~DF8492.tmp
20-04-2008 12:06:48 688128 byte 0 days old -- ~DFA73E.tmp
20-04-2008 12:06:48 512 byte 0 days old -- ~DFA77D.tmp
20-04-2008 12:07:06 688128 byte 0 days old -- ~DFD390.tmp
20-04-2008 12:07:07 512 byte 0 days old -- ~DFD7D3.tmp
20-04-2008 12:16:12 (DIR) 0 byte 0 days old -- MessengerCache
20-04-2008 12:18:29 16384 byte 0 days old -- ~DF429.tmp
20-04-2008 12:20:52 55 byte 0 days old -- systemscan.ini
20-04-2008 12:20:53 (DIR) 0 byte 0 days old -- nseB.tmp
20-04-2008 12:20:53 16384 byte 0 days old -- ~DF4CA2.tmp
10-04-2008 17:56:39 (DIR) 0 byte 10 days old -- plugtmp-12
12-04-2008 15:13:13 (DIR) 0 byte 8 days old -- language

==========================================
Scan completed in 0,1 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work

2008-04-20 at 15:15

Restart in safe mode and empty this folder as far as you can:
C:\DOCUME~1\Philip\LOKALA~1\Temp\

Delete these files:
C:\WINDOWS\temp\
BN5.tmp
BN2.tmp

C:\WINDOWS\system32\drivers\
Dqb12.sys

C:\WINDOWS\system32\
WLCtrl32.dll
WLCtrl32.dl_
aHkUBcdd.ini2
aHkUBcdd.ini
mcrh.tmp
rfkvpcxb.ini
hRBJQXyb.ini2
hRBJQXyb.ini
ddNqBcfe.ini2
glfmedsd.ini
ddNqBcfe.ini
wgqdjdok.ini
rhmgblex.ini

The tmp, sys and dll files are the most important ones to get rid of;
if you can't remove them, post a new Suspect File log.
Don't empty the recycle bin after deleting the files, I'm not entirely sure the sys file is malware.

2008-04-20 at 21:54

Hi!

I couldn't remove a single file apart from the .tmp files. (Either they didn't exist or the file was write-protected/in use by a program.)

Note that I restarted in safe mode without networking (don't know if that makes any difference).

Here is the Suspect File log:

SystemScan - www.suspectfile.com - ver. 3.5.5 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Philip\Skrivbord\sys99900.exe
Running in: User mode
Date: 2008-04-20
Time: 21:52:51

Output limited to:
-Recent files

===================== RECENT FILES =====================

Showing files newer than 30 days

----- recent files in C:\
17-04-2008 18:47:03 (DIR) 0 byte 3 days old -- VundoFix Backups
18-04-2008 23:36:59 984 byte 2 days old -- VundoFix.txt
19-04-2008 11:54:51 (DIR) 0 byte 1 days old -- Program
20-04-2008 21:37:53 (DIR) 0 byte 0 days old -- WINDOWS
20-04-2008 21:49:01 805306368 byte 0 days old -- pagefile.sys
20-04-2008 21:49:02 (DIR)535285760 byte 0 days old -- hiberfil.sys
07-04-2008 10:16:41 (DIR) 0 byte 13 days old -- Soldat
07-04-2008 10:25:28 0 byte 13 days old -- logwmemory.bin

----- recent files in C:\WINDOWS\
13-04-2008 09:03:19 (DIR) 0 byte 7 days old -- WinSxS
13-04-2008 09:08:08 (DIR) 0 byte 7 days old -- assembly
13-04-2008 09:08:09 (DIR) 0 byte 7 days old -- Microsoft.NET
14-04-2008 15:34:40 256 byte 6 days old -- system.ini
14-04-2008 23:18:44 73216 byte 6 days old -- ST6UNST.EXE
14-04-2008 23:18:48 286720 byte 6 days old -- Setup1.exe
14-04-2008 23:18:48 1623 byte 6 days old -- ST6UNST.000
15-04-2008 18:46:22 (DIR) 0 byte 5 days old -- Installer
15-04-2008 21:03:23 691545 byte 5 days old -- unins000.exe
15-04-2008 21:07:49 2546 byte 5 days old -- unins000.dat
15-04-2008 21:09:13 (DIR) 0 byte 5 days old -- inf
15-04-2008 22:23:09 (DIR) 0 byte 5 days old -- AppPatch
15-04-2008 22:25:43 (DIR) 0 byte 5 days old -- Downloaded Program Files
15-04-2008 22:34:10 (DIR) 0 byte 5 days old -- SoftwareDistribution
16-04-2008 01:05:13 (DIR) 0 byte 4 days old -- Prefetch
16-04-2008 05:49:18 14728 byte 4 days old -- ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
16-04-2008 17:50:15 (DIR) 0 byte 4 days old -- Minidump
16-04-2008 17:50:17 (DIR) 0 byte 4 days old -- Debug
17-04-2008 11:13:10 613 byte 3 days old -- wininit.ini
17-04-2008 18:51:14 22 byte 3 days old -- pskt.ini
17-04-2008 21:10:19 101178 byte 3 days old -- BM2b83eb8d.xml
17-04-2008 21:11:15 23835 byte 3 days old -- BM2b83eb8d.txt
19-04-2008 09:49:46 1409 byte 1 days old -- QTFont.for
20-04-2008 21:31:34 5300 byte 0 days old -- setupapi.log
20-04-2008 21:36:52 9808 byte 0 days old -- EventSystem.log
20-04-2008 21:48:33 143664 byte 0 days old -- ntbtlog.txt
20-04-2008 21:49:09 2048 byte 0 days old -- bootstat.dat
20-04-2008 21:49:25 159 byte 0 days old -- wiadebug.log
20-04-2008 21:49:26 50 byte 0 days old -- wiaservc.log
20-04-2008 21:49:27 1152469 byte 0 days old -- WindowsUpdate.log
20-04-2008 21:49:33 0 byte 0 days old -- 0.log
20-04-2008 21:49:57 54 byte 0 days old -- zoom.dat
20-04-2008 21:50:01 (DIR) 0 byte 0 days old -- system32
20-04-2008 21:50:01 54156 byte 0 days old -- QTFont.qfn
20-04-2008 21:50:03 (DIR) 0 byte 0 days old -- temp
07-04-2008 10:16:41 (DIR) 0 byte 13 days old -- Fonts
09-04-2008 03:14:40 11932 byte 11 days old -- ModemLog_HUAWEI Mobile Connect - 3G Modem #3.txt
10-04-2008 09:01:00 (DIR) 0 byte 10 days old -- $NtUninstallKB945553$
10-04-2008 09:01:09 (DIR) 0 byte 10 days old -- $NtUninstallKB944338$
10-04-2008 09:02:31 (DIR) 0 byte 10 days old -- $NtUninstallKB948590$
10-04-2008 09:02:37 (DIR) 0 byte 10 days old -- $NtUninstallKB941693$
10-04-2008 09:02:49 (DIR) 0 byte 10 days old -- $NtUninstallKB947864$
10-04-2008 09:02:58 (DIR) 0 byte 10 days old -- $hf_mig$
10-04-2008 09:02:58 (DIR) 0 byte 10 days old -- $NtUninstallKB948881$

----- recent files in C:\WINDOWS\Downloaded Program Files\

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
13-04-2008 09:03:32 72804 byte 7 days old -- perfc01D.dat
13-04-2008 09:03:32 61494 byte 7 days old -- perfc009.dat
13-04-2008 09:03:32 400240 byte 7 days old -- perfh009.dat
13-04-2008 09:03:32 906592 byte 7 days old -- PerfStringBackup.INI
13-04-2008 09:03:32 403158 byte 7 days old -- perfh01D.dat
14-04-2008 15:35:34 118784 byte 6 days old -- icq5s.dll
14-04-2008 15:47:53 12067 byte 6 days old -- SIntf16.dll
14-04-2008 15:47:54 21840 byte 6 days old -- SIntfNT.dll
14-04-2008 15:47:54 17212 byte 6 days old -- SIntf32.dll
15-04-2008 20:56:57 708543 byte 5 days old -- rhmgblex.ini
15-04-2008 21:08:34 1406 byte 5 days old -- Help.ico
15-04-2008 21:08:34 2550 byte 5 days old -- Uninstall.ico
15-04-2008 21:08:34 30590 byte 5 days old -- pavas.ico
15-04-2008 22:25:22 775882 byte 5 days old -- wgqdjdok.ini
15-04-2008 22:34:16 (DIR) 0 byte 5 days old -- ActiveScan
15-04-2008 22:34:41 (DIR) 0 byte 5 days old -- config
15-04-2008 22:36:30 (DIR) 0 byte 5 days old -- drivers
15-04-2008 22:38:26 (DIR) 0 byte 5 days old -- wbem
15-04-2008 23:48:28 184619 byte 5 days old -- aHkUBcdd.ini2
15-04-2008 23:50:06 184619 byte 5 days old -- aHkUBcdd.ini
16-04-2008 05:42:19 294 byte 4 days old -- rfkvpcxb.ini
16-04-2008 05:49:10 185543 byte 4 days old -- hRBJQXyb.ini2
16-04-2008 05:49:26 185543 byte 4 days old -- hRBJQXyb.ini
17-04-2008 11:09:50 207369 byte 3 days old -- ddNqBcfe.ini2
17-04-2008 11:10:44 294 byte 3 days old -- glfmedsd.ini
17-04-2008 11:12:48 0 byte 3 days old -- ddNqBcfe.ini
17-04-2008 18:55:48 0 byte 3 days old -- clkcnt.txt
20-04-2008 21:31:26 (DIR) 0 byte 0 days old -- CatRoot2
20-04-2008 21:49:06 10752 byte 0 days old -- WLCtrl32.dll
20-04-2008 21:49:40 13738 byte 0 days old -- wpa.dbl
20-04-2008 21:50:01 12288 byte 0 days old -- WLCtrl32.dl_
09-04-2008 10:50:53 (DIR) 0 byte 11 days old -- CatRoot
10-04-2008 09:02:53 (DIR) 0 byte 10 days old -- dllcache
10-04-2008 09:09:33 124520 byte 10 days old -- FNTCACHE.DAT

----- recent files in C:\WINDOWS\system32\drivers\
15-04-2008 21:43:17 (DIR) 0 byte 5 days old -- etc
20-04-2008 21:50:01 27008 byte 0 days old -- Dqb12.sys

----- recent files in C:\WINDOWS\temp\
15-04-2008 10:02:04 (DIR) 0 byte 5 days old -- Temporary Internet Files
15-04-2008 10:02:04 (DIR) 0 byte 5 days old -- Tidigare
20-04-2008 21:39:59 (DIR) 0 byte 0 days old -- Cookies
20-04-2008 21:49:35 255 byte 0 days old -- WGAErrLog.txt
20-04-2008 21:49:42 409 byte 0 days old -- WGANotify.settings
20-04-2008 21:50:01 46592 byte 0 days old -- BN4.tmp

----- recent files in C:\Program\
01-04-2008 12:30:20 (DIR) 0 byte 19 days old -- PartyGaming
03-04-2008 16:50:15 (DIR) 0 byte 17 days old -- Holdem Indicator
23-03-2008 01:11:14 (DIR) 0 byte 28 days old -- DotA Gaming Network
14-04-2008 23:18:11 (DIR) 0 byte 6 days old -- WinRAR
15-04-2008 22:09:12 (DIR) 0 byte 5 days old -- FlashMute
15-04-2008 22:09:18 (DIR) 0 byte 5 days old -- Google
15-04-2008 22:09:52 (DIR) 0 byte 5 days old -- Internet Explorer
15-04-2008 22:10:28 (DIR) 0 byte 5 days old -- iTunes
15-04-2008 22:16:53 (DIR) 0 byte 5 days old -- Spybot - Search & Destroy
16-04-2008 17:13:40 (DIR) 0 byte 4 days old -- Trend Micro
16-04-2008 17:14:21 (DIR) 0 byte 4 days old -- CCleaner
17-04-2008 18:53:00 (DIR) 0 byte 3 days old -- Malwarebytes' Anti-Malware
19-04-2008 17:02:12 (DIR) 0 byte 1 days old -- Warcraft III
20-04-2008 21:28:55 (DIR) 0 byte 0 days old -- DC++
20-04-2008 21:50:49 (DIR) 0 byte 0 days old -- Mozilla Firefox

----- recent files in C:\Program\Delade filer\

----- recent files in C:\Documents and Settings\Philip\Application Data\
22-03-2008 22:33:23 (DIR) 0 byte 29 days old -- skypePM
22-03-2008 23:23:26 (DIR) 0 byte 29 days old -- Skype
31-03-2008 14:19:54 (DIR) 0 byte 20 days old -- uTorrent
17-04-2008 18:53:03 (DIR) 0 byte 3 days old -- Malwarebytes
07-04-2008 10:16:25 (DIR) 0 byte 13 days old -- Soldat
07-04-2008 17:49:07 (DIR) 0 byte 13 days old -- U3

----- recent files in C:\DOCUME~1\Philip\LOKALA~1\Temp\
13-04-2008 18:56:48 (DIR) 0 byte 7 days old -- plugtmp-13
16-04-2008 01:04:07 16384 byte 4 days old -- ~DF2E63.tmp
16-04-2008 05:35:06 16384 byte 4 days old -- ~DF921F.tmp
16-04-2008 05:45:54 0 byte 4 days old -- 13DCBB6.dmp
16-04-2008 16:25:57 16384 byte 4 days old -- ~DF8649.tmp
16-04-2008 17:50:14 (DIR) 0 byte 4 days old -- games
16-04-2008 20:49:09 78 byte 4 days old -- dw.log
16-04-2008 23:23:38 16384 byte 4 days old -- ~DF429C.tmp
17-04-2008 07:43:44 (DIR) 0 byte 3 days old -- Google Toolbar
17-04-2008 18:34:43 32768 byte 3 days old -- ~DF8E22.tmp
17-04-2008 18:47:03 32768 byte 3 days old -- ~DF6408.tmp
17-04-2008 18:51:20 16384 byte 3 days old -- ~DF3229.tmp
17-04-2008 18:54:30 (DIR) 0 byte 3 days old -- Cookies
17-04-2008 20:15:13 311296 byte 3 days old -- ~DFBDC3.tmp
17-04-2008 21:10:18 22192 byte 3 days old -- b728x90.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b120x240.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b120x600.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b120x90.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b300x100.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b300x250.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b336x280.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b234x60.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b240x400.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b250x250.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b125x125.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b468x60.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b720x300.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b180x150.tmp
17-04-2008 21:10:19 22192 byte 3 days old -- b160x600.tmp
17-04-2008 21:14:35 16384 byte 3 days old -- ~DF4608.tmp
18-04-2008 17:06:04 16384 byte 2 days old -- ~DF5DF8.tmp
18-04-2008 23:56:50 16384 byte 2 days old -- ~DF7685.tmp
19-04-2008 09:49:45 16384 byte 1 days old -- ~DF7479.tmp
19-04-2008 17:15:50 16384 byte 1 days old -- ~DF91E8.tmp
20-04-2008 00:39:28 16384 byte 0 days old -- ~DF73E3.tmp
20-04-2008 00:44:46 16384 byte 0 days old -- ~DF6CB5.tmp
20-04-2008 00:45:11 16384 byte 0 days old -- ~DFCC9B.tmp
20-04-2008 12:05:34 16384 byte 0 days old -- ~DF8492.tmp
20-04-2008 16:22:50 16384 byte 0 days old -- ~DF6272.tmp
20-04-2008 21:13:08 16384 byte 0 days old -- ~DF3883.tmp
20-04-2008 21:23:22 (DIR) 0 byte 0 days old -- MessengerCache
20-04-2008 21:33:18 16384 byte 0 days old -- ~DF725E.tmp
20-04-2008 21:49:59 16384 byte 0 days old -- ~DF7022.tmp
20-04-2008 21:50:45 512 byte 0 days old -- ~DF8F2A.tmp
20-04-2008 21:50:45 688128 byte 0 days old -- ~DF8D00.tmp
20-04-2008 21:51:11 688128 byte 0 days old -- ~DFFC8C.tmp
20-04-2008 21:51:11 512 byte 0 days old -- ~DFFCC4.tmp
20-04-2008 21:51:50 16384 byte 0 days old -- ~DF3EB7.tmp
20-04-2008 21:52:29 (DIR) 0 byte 0 days old -- nsoB.tmp
20-04-2008 21:52:29 55 byte 0 days old -- systemscan.ini
20-04-2008 21:52:29 16384 byte 0 days old -- ~DF25ED.tmp
10-04-2008 17:56:39 (DIR) 0 byte 10 days old -- plugtmp-12
12-04-2008 15:13:13 (DIR) 0 byte 8 days old -- language

==========================================
Scan completed in 0 minutes
End of report



2008-04-20 at 22:51

Download this program, tick the first three boxes plus Prefetch, and click Empty Selected:
http://www.scanwith.com/ATF_Cleaner_download.htm

Download this file:
http://www.mediafire.com/?gcmg6igo9iz

Save avenger.exe on the desktop > start the program > tick "Input script manually" > click the magnifying glass > paste this into the window:

Files to delete:
C:\WINDOWS\system32\aHkUBcdd.ini2
C:\WINDOWS\system32\aHkUBcdd.ini
C:\WINDOWS\system32\rfkvpcxb.ini
C:\WINDOWS\system32\hRBJQXyb.ini2
C:\WINDOWS\system32\hRBJQXyb.ini
C:\WINDOWS\system32\ddNqBcfe.ini2
C:\WINDOWS\system32\glfmedsd.ini
C:\WINDOWS\system32\ddNqBcfe.ini
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\drivers\Dqb12.sys
C:\WINDOWS\temp\BN4.tmp

Click Done > click the green light > answer Yes.
When the computer is done, a log should be shown. (If no log is shown, it is at C:\avenger.txt.)

Also post a new SystemScan log.
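
The helper's triage of the SystemScan listings and the Avenger delete script, reconstructed as an added example (not code from the thread, from SystemScan or from The Avenger): it parses the RECENT FILES section, flags entries by the criteria the helper applied (random eight-letter .ini/.ini2 names in system32, the module named in the O20 Winlogon Notify hook, a freshly created driver, BN<n>.tmp in WINDOWS\temp), emits the "Files to delete:" block, and reads back Avenger's result lines including the 0xc0000022 failure the user reports later in the thread. The sample log lines are constructed in the shape of the logs on this page; the rule names, the age threshold and the hook_modules parameter are assumptions.

```python
import re
from collections import namedtuple

# One SystemScan RECENT FILES entry: DD-MM-YYYY HH:MM:SS [(DIR)] <size> byte <n> days old -- <name>
# (the "(DIR)" marker is sometimes glued to the size, e.g. "(DIR)535285760 byte").
ENTRY_RE = re.compile(r"^\S+ \S+ (\(DIR\))?\s*(\d+) byte (\d+) days old -- (.+)$")
SECTION_RE = re.compile(r"^----- recent files in (.+)$")
Entry = namedtuple("Entry", "directory name size is_dir age_days")
# Name patterns reconstructed from the files the helper picked out of the listings (assumption).
RANDOM_INI_RE = re.compile(r"^[A-Za-z]{8}\.ini2?$")  # aHkUBcdd.ini / aHkUBcdd.ini2
BN_TMP_RE = re.compile(r"^BN\d+\.tmp$")              # BN2.tmp / BN4.tmp / BN5.tmp

def parse_recent_files(text):
    """Parse the RECENT FILES section of a SystemScan report into Entry tuples."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            entries.append(Entry(current, m.group(4), int(m.group(2)),
                                 m.group(1) is not None, int(m.group(3))))
    return entries

def triage(entries, hook_modules=(), max_driver_age=1):
    """Return {full path: reason} for files matching the helper's delete criteria."""
    # hook_modules (assumed parameter): base names already tied to a persistence hook (the
    # thread's O20 Winlogon Notify entry names WLCtrl32), so the .dll and its .dl_ copy are flagged.
    hooks = {h.lower() for h in hook_modules}
    flagged = {}
    for e in entries:
        if e.is_dir:
            continue
        d, name = e.directory.lower(), e.name
        stem = name.rsplit(".", 1)[0].lower()
        path = e.directory.rstrip("\\") + "\\" + name
        if d.endswith("\\system32\\") and RANDOM_INI_RE.match(name):
            flagged[path] = "random 8-letter .ini/.ini2 in system32"
        elif stem in hooks:
            flagged[path] = "module named in a persistence hook"
        elif (d.endswith("\\drivers\\") and name.lower().endswith(".sys")
              and e.age_days <= max_driver_age):
            flagged[path] = "driver created in the last %d day(s); verify first" % max_driver_age
        elif d.endswith("\\windows\\temp\\") and BN_TMP_RE.match(name):
            flagged[path] = "BN<n>.tmp in WINDOWS\\temp"
    return flagged

def avenger_script(flagged):
    """Emit the 'Files to delete:' block in the form the helper pasted into Avenger."""
    return "Files to delete:\n" + "\n".join(flagged) + "\n"

# Avenger result lines (the log shape the user posted after running the script).
AVENGER_OK_RE = re.compile(r"^File (.+) deleted successfully\.$")
AVENGER_FAIL_RE = re.compile(r"^Deletion of file (.+) failed!$")
AVENGER_STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]+)$")

def parse_avenger_log(text):
    """Map each path to 'deleted' or 'failed <NTSTATUS>'."""
    # 0xc0000022 is STATUS_ACCESS_DENIED: the file could not even be opened for deletion,
    # consistent with a driver image that is still loaded; such a file has to be handled offline.
    results, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := AVENGER_OK_RE.match(line):
            results[m.group(1)] = "deleted"
        elif m := AVENGER_FAIL_RE.match(line):
            pending = m.group(1)
            results[pending] = "failed"
        elif (m := AVENGER_STATUS_RE.match(line)) and pending:
            results[pending] = "failed " + m.group(1).lower()
            pending = None
    return results

# Constructed sample input, in the exact line shape of the logs in this thread.
SAMPLE_SYSTEMSCAN = r"""
----- recent files in C:\WINDOWS\system32\
13-04-2008 09:03:32 400240 byte 7 days old -- perfh009.dat
15-04-2008 23:48:28 184619 byte 5 days old -- aHkUBcdd.ini2
20-04-2008 12:04:13 12288 byte 0 days old -- WLCtrl32.dll
20-04-2008 12:05:05 12288 byte 0 days old -- WLCtrl32.dl_
----- recent files in C:\WINDOWS\system32\drivers\
20-04-2008 12:05:05 27008 byte 0 days old -- Dqb12.sys
----- recent files in C:\WINDOWS\temp\
20-04-2008 06:00:23 46592 byte 0 days old -- BN5.tmp
----- recent files in C:\
20-04-2008 12:04:09 (DIR)535285760 byte 0 days old -- hiberfil.sys
"""
SAMPLE_AVENGER = r"""
File C:\WINDOWS\system32\aHkUBcdd.ini2 deleted successfully.
Deletion of file C:\WINDOWS\system32\drivers\Dqb12.sys failed!
Status: 0xc0000022
File C:\WINDOWS\temp\BN4.tmp deleted successfully.
"""
```

Running `triage(parse_recent_files(SAMPLE_SYSTEMSCAN), hook_modules=["WLCtrl32"])` flags exactly the five paths the helper chose from those lines and leaves perfh009.dat and hiberfil.sys alone.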

2008-04-20 at 23:06

The Avenger.exe log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xnackuln

*******************

Script file located at: \??\C:\Documents and Settings\hsfjrryq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\aHkUBcdd.ini2 deleted successfully.
File C:\WINDOWS\system32\aHkUBcdd.ini deleted successfully.
File C:\WINDOWS\system32\rfkvpcxb.ini deleted successfully.
File C:\WINDOWS\system32\hRBJQXyb.ini2 deleted successfully.
File C:\WINDOWS\system32\hRBJQXyb.ini deleted successfully.
File C:\WINDOWS\system32\ddNqBcfe.ini2 deleted successfully.
File C:\WINDOWS\system32\glfmedsd.ini deleted successfully.
File C:\WINDOWS\system32\ddNqBcfe.ini deleted successfully.
File C:\WINDOWS\system32\WLCtrl32.dll deleted successfully.
File C:\WINDOWS\system32\WLCtrl32.dl_ deleted successfully.


Could not open file C:\WINDOWS\system32\drivers\Dqb12.sys for deletion
Deletion of file C:\WINDOWS\system32\drivers\Dqb12.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\Dqb12.sys
Status: 0xc0000022

File C:\WINDOWS\temp\BN4.tmp deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Here is the SystemScan log:


SystemScan - www.suspectfile.com - ver. 3.5.5 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Philip\Skrivbord\sys99900.exe
Running in: User mode
Date: 2008-04-20
Time: 23:04:07

Output limited to:
-Recent files

===================== RECENT FILES =====================

Showing files newer than 30 days

----- recent files in C:\
17-04-2008 18:47:03 (DIR) 0 byte 3 days old -- VundoFix Backups
18-04-2008 23:36:59 984 byte 2 days old -- VundoFix.txt
19-04-2008 11:54:51 (DIR) 0 byte 1 days old -- Program
20-04-2008 21:37:53 (DIR) 0 byte 0 days old -- WINDOWS
20-04-2008 22:54:14 2772 byte 0 days old -- avenger.txt
20-04-2008 22:54:14 (DIR) 0 byte 0 days old -- Documents and Settings
20-04-2008 22:54:20 805306368 byte 0 days old -- pagefile.sys
20-04-2008 22:54:22 (DIR)535285760 byte 0 days old -- hiberfil.sys
20-04-2008 22:56:07 (DIR) 0 byte 0 days old -- avenger
07-04-2008 10:16:41 (DIR) 0 byte 13 days old -- Soldat
07-04-2008 10:25:28 0 byte 13 days old -- logwmemory.bin

----- recent files in C:\WINDOWS\
13-04-2008 09:03:19 (DIR) 0 byte 7 days old -- WinSxS
13-04-2008 09:08:08 (DIR) 0 byte 7 days old -- assembly
13-04-2008 09:08:09 (DIR) 0 byte 7 days old -- Microsoft.NET
14-04-2008 15:34:40 256 byte 6 days old -- system.ini
14-04-2008 23:18:44 73216 byte 6 days old -- ST6UNST.EXE
14-04-2008 23:18:48 286720 byte 6 days old -- Setup1.exe
14-04-2008 23:18:48 1623 byte 6 days old -- ST6UNST.000
15-04-2008 18:46:22 (DIR) 0 byte 5 days old -- Installer
15-04-2008 21:03:23 691545 byte 5 days old -- unins000.exe
15-04-2008 21:07:49 2546 byte 5 days old -- unins000.dat
15-04-2008 21:09:13 (DIR) 0 byte 5 days old -- inf
15-04-2008 22:23:09 (DIR) 0 byte 5 days old -- AppPatch
15-04-2008 22:25:43 (DIR) 0 byte 5 days old -- Downloaded Program Files
15-04-2008 22:34:10 (DIR) 0 byte 5 days old -- SoftwareDistribution
16-04-2008 17:50:15 (DIR) 0 byte 4 days old -- Minidump
16-04-2008 17:50:17 (DIR) 0 byte 4 days old -- Debug
17-04-2008 11:13:10 613 byte 3 days old -- wininit.ini
17-04-2008 18:51:14 22 byte 3 days old -- pskt.ini
17-04-2008 21:10:19 101178 byte 3 days old -- BM2b83eb8d.xml
17-04-2008 21:11:15 23835 byte 3 days old -- BM2b83eb8d.txt
19-04-2008 09:49:46 1409 byte 1 days old -- QTFont.for
20-04-2008 21:31:34 5300 byte 0 days old -- setupapi.log
20-04-2008 21:36:52 9808 byte 0 days old -- EventSystem.log
20-04-2008 21:48:33 143664 byte 0 days old -- ntbtlog.txt
20-04-2008 22:54:28 2048 byte 0 days old -- bootstat.dat
20-04-2008 22:54:44 159 byte 0 days old -- wiadebug.log
20-04-2008 22:54:45 50 byte 0 days old -- wiaservc.log
20-04-2008 22:54:46 1160484 byte 0 days old -- WindowsUpdate.log
20-04-2008 22:55:30 0 byte 0 days old -- 0.log
20-04-2008 22:56:15 54 byte 0 days old -- zoom.dat
20-04-2008 22:56:18 54156 byte 0 days old -- QTFont.qfn
20-04-2008 23:00:49 (DIR) 0 byte 0 days old -- temp
20-04-2008 23:00:49 (DIR) 0 byte 0 days old -- Prefetch
20-04-2008 23:03:19 6194 byte 0 days old -- ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
20-04-2008 23:03:20 (DIR) 0 byte 0 days old -- system32
07-04-2008 10:16:41 (DIR) 0 byte 13 days old -- Fonts
09-04-2008 03:14:40 11932 byte 11 days old -- ModemLog_HUAWEI Mobile Connect - 3G Modem #3.txt
10-04-2008 09:01:00 (DIR) 0 byte 10 days old -- $NtUninstallKB945553$
10-04-2008 09:01:09 (DIR) 0 byte 10 days old -- $NtUninstallKB944338$
10-04-2008 09:02:31 (DIR) 0 byte 10 days old -- $NtUninstallKB948590$
10-04-2008 09:02:37 (DIR) 0 byte 10 days old -- $NtUninstallKB941693$
10-04-2008 09:02:49 (DIR) 0 byte 10 days old -- $NtUninstallKB947864$
10-04-2008 09:02:58 (DIR) 0 byte 10 days old -- $hf_mig$
10-04-2008 09:02:58 (DIR) 0 byte 10 days old -- $NtUninstallKB948881$

----- recent files in C:\WINDOWS\Downloaded Program Files\

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
13-04-2008 09:03:32 72804 byte 7 days old -- perfc01D.dat
13-04-2008 09:03:32 61494 byte 7 days old -- perfc009.dat
13-04-2008 09:03:32 400240 byte 7 days old -- perfh009.dat
13-04-2008 09:03:32 906592 byte 7 days old -- PerfStringBackup.INI
13-04-2008 09:03:32 403158 byte 7 days old -- perfh01D.dat
14-04-2008 15:35:34 118784 byte 6 days old -- icq5s.dll
14-04-2008 15:47:53 12067 byte 6 days old -- SIntf16.dll
14-04-2008 15:47:54 17212 byte 6 days old -- SIntf32.dll
14-04-2008 15:47:54 21840 byte 6 days old -- SIntfNT.dll
15-04-2008 20:56:57 708543 byte 5 days old -- rhmgblex.ini
15-04-2008 21:08:34 30590 byte 5 days old -- pavas.ico
15-04-2008 21:08:34 2550 byte 5 days old -- Uninstall.ico
15-04-2008 21:08:34 1406 byte 5 days old -- Help.ico
15-04-2008 22:25:22 775882 byte 5 days old -- wgqdjdok.ini
15-04-2008 22:34:16 (DIR) 0 byte 5 days old -- ActiveScan
15-04-2008 22:34:41 (DIR) 0 byte 5 days old -- config
15-04-2008 22:38:26 (DIR) 0 byte 5 days old -- wbem
17-04-2008 18:55:48 0 byte 3 days old -- clkcnt.txt
20-04-2008 21:31:26 (DIR) 0 byte 0 days old -- CatRoot2
20-04-2008 22:54:25 12288 byte 0 days old -- WLCtrl32.dll
20-04-2008 22:55:50 13738 byte 0 days old -- wpa.dbl
20-04-2008 22:56:00 12288 byte 0 days old -- WLCtrl32.dl_
20-04-2008 22:56:12 (DIR) 0 byte 0 days old -- drivers
09-04-2008 10:50:53 (DIR) 0 byte 11 days old -- CatRoot
10-04-2008 09:02:53 (DIR) 0 byte 10 days old -- dllcache
10-04-2008 09:09:33 124520 byte 10 days old -- FNTCACHE.DAT

----- recent files in C:\WINDOWS\system32\drivers\
15-04-2008 21:43:17 (DIR) 0 byte 5 days old -- etc
20-04-2008 22:56:00 27008 byte 0 days old -- Dqb12.sys

----- recent files in C:\WINDOWS\temp\
20-04-2008 22:55:59 46592 byte 0 days old -- BN2.tmp

----- recent files in C:\Program\
01-04-2008 12:30:20 (DIR) 0 byte 19 days old -- PartyGaming
03-04-2008 16:50:15 (DIR) 0 byte 17 days old -- Holdem Indicator
23-03-2008 01:11:14 (DIR) 0 byte 28 days old -- DotA Gaming Network
14-04-2008 23:18:11 (DIR) 0 byte 6 days old -- WinRAR
15-04-2008 22:09:12 (DIR) 0 byte 5 days old -- FlashMute
15-04-2008 22:09:18 (DIR) 0 byte 5 days old -- Google
15-04-2008 22:09:52 (DIR) 0 byte 5 days old -- Internet Explorer
15-04-2008 22:10:28 (DIR) 0 byte 5 days old -- iTunes
15-04-2008 22:16:53 (DIR) 0 byte 5 days old -- Spybot - Search & Destroy
16-04-2008 17:13:40 (DIR) 0 byte 4 days old -- Trend Micro
16-04-2008 17:14:21 (DIR) 0 byte 4 days old -- CCleaner
17-04-2008 18:53:00 (DIR) 0 byte 3 days old -- Malwarebytes' Anti-Malware
19-04-2008 17:02:12 (DIR) 0 byte 1 days old -- Warcraft III
20-04-2008 22:57:25 (DIR) 0 byte 0 days old -- DC++
20-04-2008 22:58:15 (DIR) 0 byte 0 days old -- Mozilla Firefox

----- recent files in C:\Program\Delade filer\

----- recent files in C:\Documents and Settings\Philip\Application Data\
22-03-2008 22:33:23 (DIR) 0 byte 29 days old -- skypePM
22-03-2008 23:23:26 (DIR) 0 byte 29 days old -- Skype
31-03-2008 14:19:54 (DIR) 0 byte 20 days old -- uTorrent
17-04-2008 18:53:03 (DIR) 0 byte 3 days old -- Malwarebytes
07-04-2008 10:16:25 (DIR) 0 byte 13 days old -- Soldat
07-04-2008 17:49:07 (DIR) 0 byte 13 days old -- U3

----- recent files in C:\DOCUME~1\Philip\LOKALA~1\Temp\
16-04-2008 01:04:07 16384 byte 4 days old -- ~DF2E63.tmp
16-04-2008 05:35:06 16384 byte 4 days old -- ~DF921F.tmp
16-04-2008 16:25:57 16384 byte 4 days old -- ~DF8649.tmp
16-04-2008 23:23:38 16384 byte 4 days old -- ~DF429C.tmp
17-04-2008 18:34:43 32768 byte 3 days old -- ~DF8E22.tmp
17-04-2008 18:47:03 32768 byte 3 days old -- ~DF6408.tmp
17-04-2008 18:51:20 16384 byte 3 days old -- ~DF3229.tmp
17-04-2008 20:15:13 311296 byte 3 days old -- ~DFBDC3.tmp
17-04-2008 21:14:35 16384 byte 3 days old -- ~DF4608.tmp
18-04-2008 17:06:04 16384 byte 2 days old -- ~DF5DF8.tmp
18-04-2008 23:56:50 16384 byte 2 days old -- ~DF7685.tmp
19-04-2008 09:49:45 16384 byte 1 days old -- ~DF7479.tmp
19-04-2008 17:15:50 16384 byte 1 days old -- ~DF91E8.tmp
20-04-2008 00:39:28 16384 byte 0 days old -- ~DF73E3.tmp
20-04-2008 00:44:46 16384 byte 0 days old -- ~DF6CB5.tmp
20-04-2008 00:45:11 16384 byte 0 days old -- ~DFCC9B.tmp
20-04-2008 12:05:34 16384 byte 0 days old -- ~DF8492.tmp
20-04-2008 16:22:50 16384 byte 0 days old -- ~DF6272.tmp
20-04-2008 21:13:08 16384 byte 0 days old -- ~DF3883.tmp
20-04-2008 21:33:18 16384 byte 0 days old -- ~DF725E.tmp
20-04-2008 21:49:59 16384 byte 0 days old -- ~DF7022.tmp
20-04-2008 21:51:50 16384 byte 0 days old -- ~DF3EB7.tmp
20-04-2008 22:56:19 16384 byte 0 days old -- ~DFA63E.tmp
20-04-2008 22:58:03 688128 byte 0 days old -- ~DFEDB4.tmp
20-04-2008 22:58:03 512 byte 0 days old -- ~DFEDC3.tmp
20-04-2008 22:58:42 688128 byte 0 days old -- ~DF21B4.tmp
20-04-2008 22:58:43 512 byte 0 days old -- ~DF2324.tmp
20-04-2008 22:59:20 16384 byte 0 days old -- ~DFA317.tmp
20-04-2008 23:01:05 0 byte 0 days old -- JET5101.tmp
20-04-2008 23:02:45 2611 byte 0 days old -- E220AutoRunLog.tmp
20-04-2008 23:03:52 16384 byte 0 days old -- ~DF3596.tmp
20-04-2008 23:03:52 55 byte 0 days old -- systemscan.ini
20-04-2008 23:03:52 (DIR) 0 byte 0 days old -- nsqA.tmp

==========================================
Scan completed in 0,1 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work


One more thing I want to mention, don't know if it helps but...

In Task Manager under Processes there is a process called BN2.tmp.

It has been running every time; should I end it and redo everything? The thing is that it changes number all the time.

The thing is that the problem now is that the Internet works after every restart, it's just that after about 3 hours it stops working.

2008-04-20 at 23:55

It's probably the .sys file that makes certain files come back.
Open Malwarebytes' Anti-Malware and the Tools tab, there you click Run Tool, browse to C:\WINDOWS\system32\drivers\Dqb12.sys and choose Open. I assume the program will want to restart the computer; after the restart, check for the file.
If it's still there, run Avenger with this script:

Files to replace with dummy:

C:\WINDOWS\system32\drivers\Dqb12.sys

Post a new SystemScan log so we can see how it looks.

Does the broadband drop even while you're using the computer, and is it exactly after 3 hours?

2008-04-21 at 01:15

Malwarebytes' Anti-Malware didn't remove the file until after a restart, so I skipped making a dummy file. But BN5.tmp shows up in Processes again...

The thing is that after 3-6 hours now I've noticed the Internet just "stops". (I can be logged in to MSN but can't write to people. Or I can be on DC but can't download anything.)

I'm on a wireless network (the school's) and it can drop while in use. One second I was looking at livescore.com and then the page stopped updating...

Here is the SystemScan log:

SystemScan - www.suspectfile.com - ver. 3.5.5 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Philip\Skrivbord\sys99900.exe
Running in: User mode
Date: 2008-04-21
Time: 01:13:33

Output limited to:
-Recent files

===================== RECENT FILES =====================

Showing files newer than 30 days

----- recent files in C:\
17-04-2008 18:47:03 (DIR) 0 byte 4 days old -- VundoFix Backups
18-04-2008 23:36:59 984 byte 3 days old -- VundoFix.txt
19-04-2008 11:54:51 (DIR) 0 byte 2 days old -- Program
20-04-2008 21:37:53 (DIR) 0 byte 1 days old -- WINDOWS
20-04-2008 22:54:14 2772 byte 1 days old -- avenger.txt
20-04-2008 22:54:14 (DIR) 0 byte 1 days old -- Documents and Settings
20-04-2008 22:56:07 (DIR) 0 byte 1 days old -- avenger
21-04-2008 01:03:59 805306368 byte 0 days old -- pagefile.sys
21-04-2008 01:04:01 (DIR)535285760 byte 0 days old -- hiberfil.sys
07-04-2008 10:16:41 (DIR) 0 byte 14 days old -- Soldat
07-04-2008 10:25:28 0 byte 14 days old -- logwmemory.bin

----- recent files in C:\WINDOWS\
13-04-2008 09:03:19 (DIR) 0 byte 8 days old -- WinSxS
13-04-2008 09:08:08 (DIR) 0 byte 8 days old -- assembly
13-04-2008 09:08:09 (DIR) 0 byte 8 days old -- Microsoft.NET
14-04-2008 15:34:40 256 byte 7 days old -- system.ini
14-04-2008 23:18:44 73216 byte 7 days old -- ST6UNST.EXE
14-04-2008 23:18:48 1623 byte 7 days old -- ST6UNST.000
14-04-2008 23:18:48 286720 byte 7 days old -- Setup1.exe
15-04-2008 18:46:22 (DIR) 0 byte 6 days old -- Installer
15-04-2008 21:03:23 691545 byte 6 days old -- unins000.exe
15-04-2008 21:07:49 2546 byte 6 days old -- unins000.dat
15-04-2008 21:09:13 (DIR) 0 byte 6 days old -- inf
15-04-2008 22:23:09 (DIR) 0 byte 6 days old -- AppPatch
15-04-2008 22:25:43 (DIR) 0 byte 6 days old -- Downloaded Program Files
15-04-2008 22:34:10 (DIR) 0 byte 6 days old -- SoftwareDistribution
16-04-2008 17:50:15 (DIR) 0 byte 5 days old -- Minidump
16-04-2008 17:50:17 (DIR) 0 byte 5 days old -- Debug
17-04-2008 11:13:10 613 byte 4 days old -- wininit.ini
17-04-2008 18:51:14 22 byte 4 days old -- pskt.ini
17-04-2008 21:10:19 101178 byte 4 days old -- BM2b83eb8d.xml
17-04-2008 21:11:15 23835 byte 4 days old -- BM2b83eb8d.txt
19-04-2008 09:49:46 1409 byte 2 days old -- QTFont.for
20-04-2008 21:31:34 5300 byte 1 days old -- setupapi.log
20-04-2008 21:36:52 9808 byte 1 days old -- EventSystem.log
20-04-2008 21:48:33 143664 byte 1 days old -- ntbtlog.txt
20-04-2008 23:00:49 (DIR) 0 byte 1 days old -- Prefetch
21-04-2008 01:04:08 2048 byte 0 days old -- bootstat.dat
21-04-2008 01:04:24 50 byte 0 days old -- wiaservc.log
21-04-2008 01:04:24 157 byte 0 days old -- wiadebug.log
21-04-2008 01:04:25 1169595 byte 0 days old -- WindowsUpdate.log
21-04-2008 01:04:30 0 byte 0 days old -- 0.log
21-04-2008 01:05:44 54 byte 0 days old -- zoom.dat
21-04-2008 01:05:56 54156 byte 0 days old -- QTFont.qfn
21-04-2008 01:07:10 (DIR) 0 byte 0 days old -- temp
21-04-2008 01:12:16 (DIR) 0 byte 0 days old -- system32
21-04-2008 01:13:14 6776 byte 0 days old -- ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
07-04-2008 10:16:41 (DIR) 0 byte 14 days old -- Fonts
09-04-2008 03:14:40 11932 byte 12 days old -- ModemLog_HUAWEI Mobile Connect - 3G Modem #3.txt
10-04-2008 09:01:00 (DIR) 0 byte 11 days old -- $NtUninstallKB945553$
10-04-2008 09:01:09 (DIR) 0 byte 11 days old -- $NtUninstallKB944338$
10-04-2008 09:02:31 (DIR) 0 byte 11 days old -- $NtUninstallKB948590$
10-04-2008 09:02:37 (DIR) 0 byte 11 days old -- $NtUninstallKB941693$
10-04-2008 09:02:49 (DIR) 0 byte 11 days old -- $NtUninstallKB947864$
10-04-2008 09:02:58 (DIR) 0 byte 11 days old -- $hf_mig$
10-04-2008 09:02:58 (DIR) 0 byte 11 days old -- $NtUninstallKB948881$

----- recent files in C:\WINDOWS\Downloaded Program Files\

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
13-04-2008 09:03:32 72804 byte 8 days old -- perfc01D.dat
13-04-2008 09:03:32 61494 byte 8 days old -- perfc009.dat
13-04-2008 09:03:32 400240 byte 8 days old -- perfh009.dat
13-04-2008 09:03:32 906592 byte 8 days old -- PerfStringBackup.INI
13-04-2008 09:03:32 403158 byte 8 days old -- perfh01D.dat
14-04-2008 15:35:34 118784 byte 7 days old -- icq5s.dll
14-04-2008 15:47:53 12067 byte 7 days old -- SIntf16.dll
14-04-2008 15:47:54 17212 byte 7 days old -- SIntf32.dll
14-04-2008 15:47:54 21840 byte 7 days old -- SIntfNT.dll
15-04-2008 20:56:57 708543 byte 6 days old -- rhmgblex.ini
15-04-2008 21:08:34 30590 byte 6 days old -- pavas.ico
15-04-2008 21:08:34 2550 byte 6 days old -- Uninstall.ico
15-04-2008 21:08:34 1406 byte 6 days old -- Help.ico
15-04-2008 22:25:22 775882 byte 6 days old -- wgqdjdok.ini
15-04-2008 22:34:16 (DIR) 0 byte 6 days old -- ActiveScan
15-04-2008 22:34:41 (DIR) 0 byte 6 days old -- config
15-04-2008 22:38:26 (DIR) 0 byte 6 days old -- wbem
17-04-2008 18:55:48 0 byte 4 days old -- clkcnt.txt
20-04-2008 21:31:26 (DIR) 0 byte 1 days old -- CatRoot2
20-04-2008 22:56:00 12288 byte 1 days old -- WLCtrl32.dll
21-04-2008 01:06:00 13738 byte 0 days old -- wpa.dbl
21-04-2008 01:07:07 12288 byte 0 days old -- WLCtrl32.dl_
21-04-2008 01:07:07 (DIR) 0 byte 0 days old -- drivers
09-04-2008 10:50:53 (DIR) 0 byte 12 days old -- CatRoot
10-04-2008 09:02:53 (DIR) 0 byte 11 days old -- dllcache
10-04-2008 09:09:33 124520 byte 11 days old -- FNTCACHE.DAT

----- recent files in C:\WINDOWS\system32\drivers\
15-04-2008 21:43:17 (DIR) 0 byte 6 days old -- etc
21-04-2008 01:07:07 27008 byte 0 days old -- Epq73.sys

----- recent files in C:\WINDOWS\temp\
21-04-2008 01:04:31 255 byte 0 days old -- WGAErrLog.txt
21-04-2008 01:06:10 409 byte 0 days old -- WGANotify.settings
21-04-2008 01:07:07 46592 byte 0 days old -- BN5.tmp

----- recent files in C:\Program\
01-04-2008 12:30:20 (DIR) 0 byte 20 days old -- PartyGaming
03-04-2008 16:50:15 (DIR) 0 byte 18 days old -- Holdem Indicator
23-03-2008 01:11:14 (DIR) 0 byte 29 days old -- DotA Gaming Network
14-04-2008 23:18:11 (DIR) 0 byte 7 days old -- WinRAR
15-04-2008 22:09:12 (DIR) 0 byte 6 days old -- FlashMute
15-04-2008 22:09:18 (DIR) 0 byte 6 days old -- Google
15-04-2008 22:09:52 (DIR) 0 byte 6 days old -- Internet Explorer
15-04-2008 22:10:28 (DIR) 0 byte 6 days old -- iTunes
15-04-2008 22:16:53 (DIR) 0 byte 6 days old -- Spybot - Search & Destroy
16-04-2008 17:13:40 (DIR) 0 byte 5 days old -- Trend Micro
16-04-2008 17:14:21 (DIR) 0 byte 5 days old -- CCleaner
17-04-2008 18:53:00 (DIR) 0 byte 4 days old -- Malwarebytes' Anti-Malware
19-04-2008 17:02:12 (DIR) 0 byte 2 days old -- Warcraft III
21-04-2008 01:07:21 (DIR) 0 byte 0 days old -- Mozilla Firefox
21-04-2008 01:07:49 (DIR) 0 byte 0 days old -- DC++

----- recent files in C:\Program\Delade filer\

----- recent files in C:\Documents and Settings\Philip\Application Data\
31-03-2008 14:19:54 (DIR) 0 byte 21 days old -- uTorrent
17-04-2008 18:53:03 (DIR) 0 byte 4 days old -- Malwarebytes
07-04-2008 10:16:25 (DIR) 0 byte 14 days old -- Soldat
07-04-2008 17:49:07 (DIR) 0 byte 14 days old -- U3

----- recent files in C:\DOCUME~1\Philip\LOKALA~1\Temp\
16-04-2008 01:04:07 16384 byte 5 days old -- ~DF2E63.tmp
16-04-2008 05:35:06 16384 byte 5 days old -- ~DF921F.tmp
16-04-2008 16:25:57 16384 byte 5 days old -- ~DF8649.tmp
16-04-2008 23:23:38 16384 byte 5 days old -- ~DF429C.tmp
17-04-2008 18:34:43 32768 byte 4 days old -- ~DF8E22.tmp
17-04-2008 18:47:03 32768 byte 4 days old -- ~DF6408.tmp
17-04-2008 18:51:20 16384 byte 4 days old -- ~DF3229.tmp
17-04-2008 20:15:13 311296 byte 4 days old -- ~DFBDC3.tmp
17-04-2008 21:14:35 16384 byte 4 days old -- ~DF4608.tmp
18-04-2008 17:06:04 16384 byte 3 days old -- ~DF5DF8.tmp
18-04-2008 23:56:50 16384 byte 3 days old -- ~DF7685.tmp
19-04-2008 09:49:45 16384 byte 2 days old -- ~DF7479.tmp
19-04-2008 17:15:50 16384 byte 2 days old -- ~DF91E8.tmp
20-04-2008 00:39:28 16384 byte 1 days old -- ~DF73E3.tmp
20-04-2008 00:44:46 16384 byte 1 days old -- ~DF6CB5.tmp
20-04-2008 00:45:11 16384 byte 1 days old -- ~DFCC9B.tmp
20-04-2008 12:05:34 16384 byte 1 days old -- ~DF8492.tmp
20-04-2008 16:22:50 16384 byte 1 days old -- ~DF6272.tmp
20-04-2008 21:13:08 16384 byte 1 days old -- ~DF3883.tmp
20-04-2008 21:33:18 16384 byte 1 days old -- ~DF725E.tmp
20-04-2008 21:49:59 16384 byte 1 days old -- ~DF7022.tmp
20-04-2008 21:51:50 16384 byte 1 days old -- ~DF3EB7.tmp
20-04-2008 22:56:19 16384 byte 1 days old -- ~DFA63E.tmp
20-04-2008 22:59:20 16384 byte 1 days old -- ~DFA317.tmp
20-04-2008 23:02:45 2611 byte 1 days old -- E220AutoRunLog.tmp
21-04-2008 01:01:22 311296 byte 0 days old -- ~DF6C99.tmp
21-04-2008 01:05:49 16384 byte 0 days old -- ~DF9588.tmp
21-04-2008 01:06:32 0 byte 0 days old -- JET7A18.tmp
21-04-2008 01:08:06 16384 byte 0 days old -- ~DF2D05.tmp
21-04-2008 01:13:22 (DIR) 0 byte 0 days old -- nsz7.tmp
21-04-2008 01:13:22 16384 byte 0 days old -- ~DFFFA8.tmp
21-04-2008 01:13:22 55 byte 0 days old -- systemscan.ini
21-04-2008 01:13:24 (DIR) 0 byte 0 days old -- Tidigare
21-04-2008 01:13:24 (DIR) 0 byte 0 days old -- Cookies
21-04-2008 01:13:24 (DIR) 0 byte 0 days old -- Temporary Internet Files

==========================================
Scan completed in 0,1 minutes
End of report



There's probably some file that recreates the BN1-5 files... Is there any way to locate it in case it isn't the Dqb12.sys file?

I can restart the computer again and check whether the file shows up.

2008-04-21 at 01:17

This file looks suspicious: look at the time it was recreated.

21-04-2008 01:07:07 27008 byte 0 days old -- Epq73.sys

Right after I removed the Dqb12.sys file... could there be another file that creates these files?

2008-04-21 at 01:26

Here is the second SystemScan log after the restart:

SystemScan - www.suspectfile.com - ver. 3.5.5 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Philip\Skrivbord\sys99900.exe
Running in: User mode
Date: 2008-04-21
Time: 01:22:48

Output limited to:
-Recent files

===================== RECENT FILES =====================

Showing files newer than 30 days

----- recent files in C:\
17-04-2008 18:47:03 (DIR) 0 byte 4 days old -- VundoFix Backups
18-04-2008 23:36:59 984 byte 3 days old -- VundoFix.txt
19-04-2008 11:54:51 (DIR) 0 byte 2 days old -- Program
20-04-2008 21:37:53 (DIR) 0 byte 1 days old -- WINDOWS
20-04-2008 22:54:14 2772 byte 1 days old -- avenger.txt
20-04-2008 22:54:14 (DIR) 0 byte 1 days old -- Documents and Settings
20-04-2008 22:56:07 (DIR) 0 byte 1 days old -- avenger
21-04-2008 01:19:17 805306368 byte 0 days old -- pagefile.sys
21-04-2008 01:19:18 (DIR)535285760 byte 0 days old -- hiberfil.sys
07-04-2008 10:16:41 (DIR) 0 byte 14 days old -- Soldat
07-04-2008 10:25:28 0 byte 14 days old -- logwmemory.bin

----- recent files in C:\WINDOWS\
13-04-2008 09:03:19 (DIR) 0 byte 8 days old -- WinSxS
13-04-2008 09:08:08 (DIR) 0 byte 8 days old -- assembly
13-04-2008 09:08:09 (DIR) 0 byte 8 days old -- Microsoft.NET
14-04-2008 15:34:40 256 byte 7 days old -- system.ini
14-04-2008 23:18:44 73216 byte 7 days old -- ST6UNST.EXE
14-04-2008 23:18:48 286720 byte 7 days old -- Setup1.exe
14-04-2008 23:18:48 1623 byte 7 days old -- ST6UNST.000
15-04-2008 18:46:22 (DIR) 0 byte 6 days old -- Installer
15-04-2008 21:03:23 691545 byte 6 days old -- unins000.exe
15-04-2008 21:07:49 2546 byte 6 days old -- unins000.dat
15-04-2008 21:09:13 (DIR) 0 byte 6 days old -- inf
15-04-2008 22:23:09 (DIR) 0 byte 6 days old -- AppPatch
15-04-2008 22:25:43 (DIR) 0 byte 6 days old -- Downloaded Program Files
15-04-2008 22:34:10 (DIR) 0 byte 6 days old -- SoftwareDistribution
16-04-2008 17:50:15 (DIR) 0 byte 5 days old -- Minidump
16-04-2008 17:50:17 (DIR) 0 byte 5 days old -- Debug
17-04-2008 11:13:10 613 byte 4 days old -- wininit.ini
17-04-2008 18:51:14 22 byte 4 days old -- pskt.ini
17-04-2008 21:10:19 101178 byte 4 days old -- BM2b83eb8d.xml
17-04-2008 21:11:15 23835 byte 4 days old -- BM2b83eb8d.txt
19-04-2008 09:49:46 1409 byte 2 days old -- QTFont.for
20-04-2008 21:31:34 5300 byte 1 days old -- setupapi.log
20-04-2008 21:36:52 9808 byte 1 days old -- EventSystem.log
20-04-2008 21:48:33 143664 byte 1 days old -- ntbtlog.txt
20-04-2008 23:00:49 (DIR) 0 byte 1 days old -- Prefetch
21-04-2008 01:19:25 2048 byte 0 days old -- bootstat.dat
21-04-2008 01:19:41 157 byte 0 days old -- wiadebug.log
21-04-2008 01:19:41 50 byte 0 days old -- wiaservc.log
21-04-2008 01:19:42 1176585 byte 0 days old -- WindowsUpdate.log
21-04-2008 01:19:47 0 byte 0 days old -- 0.log
21-04-2008 01:20:11 54 byte 0 days old -- zoom.dat
21-04-2008 01:20:13 54156 byte 0 days old -- QTFont.qfn
21-04-2008 01:21:35 (DIR) 0 byte 0 days old -- temp
21-04-2008 01:21:53 5870 byte 0 days old -- ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
21-04-2008 01:22:25 (DIR) 0 byte 0 days old -- system32
07-04-2008 10:16:41 (DIR) 0 byte 14 days old -- Fonts
09-04-2008 03:14:40 11932 byte 12 days old -- ModemLog_HUAWEI Mobile Connect - 3G Modem #3.txt
10-04-2008 09:01:00 (DIR) 0 byte 11 days old -- $NtUninstallKB945553$
10-04-2008 09:01:09 (DIR) 0 byte 11 days old -- $NtUninstallKB944338$
10-04-2008 09:02:31 (DIR) 0 byte 11 days old -- $NtUninstallKB948590$
10-04-2008 09:02:37 (DIR) 0 byte 11 days old -- $NtUninstallKB941693$
10-04-2008 09:02:49 (DIR) 0 byte 11 days old -- $NtUninstallKB947864$
10-04-2008 09:02:58 (DIR) 0 byte 11 days old -- $hf_mig$
10-04-2008 09:02:58 (DIR) 0 byte 11 days old -- $NtUninstallKB948881$

----- recent files in C:\WINDOWS\Downloaded Program Files\

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
13-04-2008 09:03:32 72804 byte 8 days old -- perfc01D.dat
13-04-2008 09:03:32 61494 byte 8 days old -- perfc009.dat
13-04-2008 09:03:32 400240 byte 8 days old -- perfh009.dat
13-04-2008 09:03:32 906592 byte 8 days old -- PerfStringBackup.INI
13-04-2008 09:03:32 403158 byte 8 days old -- perfh01D.dat
14-04-2008 15:35:34 118784 byte 7 days old -- icq5s.dll
14-04-2008 15:47:53 12067 byte 7 days old -- SIntf16.dll
14-04-2008 15:47:54 17212 byte 7 days old -- SIntf32.dll
14-04-2008 15:47:54 21840 byte 7 days old -- SIntfNT.dll
15-04-2008 20:56:57 708543 byte 6 days old -- rhmgblex.ini
15-04-2008 21:08:34 30590 byte 6 days old -- pavas.ico
15-04-2008 21:08:34 2550 byte 6 days old -- Uninstall.ico
15-04-2008 21:08:34 1406 byte 6 days old -- Help.ico
15-04-2008 22:25:22 775882 byte 6 days old -- wgqdjdok.ini
15-04-2008 22:34:16 (DIR) 0 byte 6 days old -- ActiveScan
15-04-2008 22:34:41 (DIR) 0 byte 6 days old -- config
15-04-2008 22:38:26 (DIR) 0 byte 6 days old -- wbem
17-04-2008 18:55:48 0 byte 4 days old -- clkcnt.txt
20-04-2008 21:31:26 (DIR) 0 byte 1 days old -- CatRoot2
21-04-2008 01:07:07 (DIR) 0 byte 0 days old -- drivers
21-04-2008 01:19:22 12288 byte 0 days old -- WLCtrl32.dll
21-04-2008 01:19:53 13738 byte 0 days old -- wpa.dbl
21-04-2008 01:21:33 12288 byte 0 days old -- WLCtrl32.dl_
09-04-2008 10:50:53 (DIR) 0 byte 12 days old -- CatRoot
10-04-2008 09:02:53 (DIR) 0 byte 11 days old -- dllcache
10-04-2008 09:09:33 124520 byte 11 days old -- FNTCACHE.DAT

----- recent files in C:\WINDOWS\system32\drivers\
15-04-2008 21:43:17 (DIR) 0 byte 6 days old -- etc
21-04-2008 01:21:33 27008 byte 0 days old -- Epq73.sys

----- recent files in C:\WINDOWS\temp\
21-04-2008 01:19:48 255 byte 0 days old -- WGAErrLog.txt
21-04-2008 01:19:56 409 byte 0 days old -- WGANotify.settings
21-04-2008 01:21:33 46592 byte 0 days old -- BN5.tmp

----- recent files in C:\Program\
01-04-2008 12:30:20 (DIR) 0 byte 20 days old -- PartyGaming
03-04-2008 16:50:15 (DIR) 0 byte 18 days old -- Holdem Indicator
23-03-2008 01:11:14 (DIR) 0 byte 29 days old -- DotA Gaming Network
14-04-2008 23:18:11 (DIR) 0 byte 7 days old -- WinRAR
15-04-2008 22:09:12 (DIR) 0 byte 6 days old -- FlashMute
15-04-2008 22:09:18 (DIR) 0 byte 6 days old -- Google
15-04-2008 22:09:52 (DIR) 0 byte 6 days old -- Internet Explorer
15-04-2008 22:10:28 (DIR) 0 byte 6 days old -- iTunes
15-04-2008 22:16:53 (DIR) 0 byte 6 days old -- Spybot - Search & Destroy
16-04-2008 17:13:40 (DIR) 0 byte 5 days old -- Trend Micro
16-04-2008 17:14:21 (DIR) 0 byte 5 days old -- CCleaner
17-04-2008 18:53:00 (DIR) 0 byte 4 days old -- Malwarebytes' Anti-Malware
19-04-2008 17:02:12 (DIR) 0 byte 2 days old -- Warcraft III
21-04-2008 01:21:47 (DIR) 0 byte 0 days old -- DC++
21-04-2008 01:22:40 (DIR) 0 byte 0 days old -- Mozilla Firefox

----- recent files in C:\Program\Delade filer\

----- recent files in C:\Documents and Settings\Philip\Application Data\
31-03-2008 14:19:54 (DIR) 0 byte 21 days old -- uTorrent
17-04-2008 18:53:03 (DIR) 0 byte 4 days old -- Malwarebytes
07-04-2008 10:16:25 (DIR) 0 byte 14 days old -- Soldat
07-04-2008 17:49:07 (DIR) 0 byte 14 days old -- U3

----- recent files in C:\DOCUME~1\Philip\LOKALA~1\Temp\
16-04-2008 01:04:07 16384 byte 5 days old -- ~DF2E63.tmp
16-04-2008 05:35:06 16384 byte 5 days old -- ~DF921F.tmp
16-04-2008 16:25:57 16384 byte 5 days old -- ~DF8649.tmp
16-04-2008 23:23:38 16384 byte 5 days old -- ~DF429C.tmp
17-04-2008 18:34:43 32768 byte 4 days old -- ~DF8E22.tmp
17-04-2008 18:47:03 32768 byte 4 days old -- ~DF6408.tmp
17-04-2008 18:51:20 16384 byte 4 days old -- ~DF3229.tmp
17-04-2008 20:15:13 311296 byte 4 days old -- ~DFBDC3.tmp
17-04-2008 21:14:35 16384 byte 4 days old -- ~DF4608.tmp
18-04-2008 17:06:04 16384 byte 3 days old -- ~DF5DF8.tmp
18-04-2008 23:56:50 16384 byte 3 days old -- ~DF7685.tmp
19-04-2008 09:49:45 16384 byte 2 days old -- ~DF7479.tmp
19-04-2008 17:15:50 16384 byte 2 days old -- ~DF91E8.tmp
20-04-2008 00:39:28 16384 byte 1 days old -- ~DF73E3.tmp
20-04-2008 00:44:46 16384 byte 1 days old -- ~DF6CB5.tmp
20-04-2008 00:45:11 16384 byte 1 days old -- ~DFCC9B.tmp
20-04-2008 12:05:34 16384 byte 1 days old -- ~DF8492.tmp
20-04-2008 16:22:50 16384 byte 1 days old -- ~DF6272.tmp
20-04-2008 21:13:08 16384 byte 1 days old -- ~DF3883.tmp
20-04-2008 21:33:18 16384 byte 1 days old -- ~DF725E.tmp
20-04-2008 21:49:59 16384 byte 1 days old -- ~DF7022.tmp
20-04-2008 21:51:50 16384 byte 1 days old -- ~DF3EB7.tmp
20-04-2008 22:56:19 16384 byte 1 days old -- ~DFA63E.tmp
20-04-2008 22:59:20 16384 byte 1 days old -- ~DFA317.tmp
20-04-2008 23:02:45 2611 byte 1 days old -- E220AutoRunLog.tmp
21-04-2008 01:01:22 311296 byte 0 days old -- ~DF6C99.tmp
21-04-2008 01:05:49 16384 byte 0 days old -- ~DF9588.tmp
21-04-2008 01:13:24 (DIR) 0 byte 0 days old -- Temporary Internet Files
21-04-2008 01:13:24 (DIR) 0 byte 0 days old -- Tidigare
21-04-2008 01:13:24 (DIR) 0 byte 0 days old -- Cookies
21-04-2008 01:20:12 16384 byte 0 days old -- ~DF7901.tmp
21-04-2008 01:21:16 0 byte 0 days old -- JETF2B7.tmp
21-04-2008 01:21:35 55 byte 0 days old -- systemscan.ini
21-04-2008 01:21:36 16384 byte 0 days old -- ~DF7D9B.tmp
21-04-2008 01:21:36 (DIR) 0 byte 0 days old -- nsw7.tmp

==========================================
Scan completed in 0 minutes
End of report


Note these files:

21-04-2008 01:21:33 46592 byte 0 days old -- BN5.tmp

21-04-2008 01:21:33 27008 byte 0 days old -- Epq73.sys (renamed)?

21-04-2008 01:21:33 12288 byte 0 days old -- WLCtrl32.dl_
15-04-2008 22:25:22 775882 byte 6 days old -- wgqdjdok.ini
21-04-2008 01:19:22 12288 byte 0 days old -- WLCtrl32.dll

Didn't we remove those 3 before? Very strange, this...
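
The same-second timestamps in the post above are the useful signal: the names change on every boot (Dqb12.sys became Epq73.sys, BN2.tmp became BN5.tmp) but the sizes and write times stay identical across three directories. The script below is an added example, not part of the thread or of SystemScan; it parses SystemScan's "recent files" listing, groups plain files by exact write timestamp, keeps only the groups that span more than one directory, and flags a group that pairs a kernel driver with a file in a temp directory. The embedded listing is a constructed excerpt copied from the log above, with the other directories omitted.

```python
"""Correlate files recreated under changing names, using the one thing the
dropper did not randomize: all of them are written in the same second.

Added example. SAMPLE is a constructed excerpt copied from the SystemScan
"recent files" output in the thread; other directories are omitted.
"""
import re
from collections import defaultdict

SAMPLE = r"""
----- recent files in C:\WINDOWS\system32\
20-04-2008 21:31:26 (DIR) 0 byte 1 days old -- CatRoot2
21-04-2008 01:07:07 (DIR) 0 byte 0 days old -- drivers
21-04-2008 01:19:22 12288 byte 0 days old -- WLCtrl32.dll
21-04-2008 01:19:53 13738 byte 0 days old -- wpa.dbl
21-04-2008 01:21:33 12288 byte 0 days old -- WLCtrl32.dl_

----- recent files in C:\WINDOWS\system32\drivers\
15-04-2008 21:43:17 (DIR) 0 byte 6 days old -- etc
21-04-2008 01:21:33 27008 byte 0 days old -- Epq73.sys

----- recent files in C:\WINDOWS\temp\
21-04-2008 01:19:48 255 byte 0 days old -- WGAErrLog.txt
21-04-2008 01:21:33 46592 byte 0 days old -- BN5.tmp
"""

SECTION_RE = re.compile(r"^----- recent files in (?P<path>.+?)\s*$")
# "(DIR)" may be glued to the size, as in "(DIR)535285760 byte" in the thread.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<isdir>\(DIR\))?\s*(?P<size>\d+) byte \d+ days old -- (?P<name>.+?)\s*$"
)


def parse_recent_files(text):
    """Return one dict per listed entry: directory, name, size, timestamp, isdir."""
    entries, current_dir = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current_dir = m.group("path")
            continue
        m = ENTRY_RE.match(line)
        if m and current_dir is not None:
            entries.append({
                "dir": current_dir,
                "name": m.group("name"),
                "size": int(m.group("size")),
                "ts": m.group("ts"),
                "isdir": m.group("isdir") is not None,
            })
    return entries


def find_recreated_sets(entries, min_dirs=2):
    """Group plain files by exact write timestamp and keep the groups that span
    at least `min_dirs` directories: one process writing a driver, a DLL and a
    temp file in the same second, whatever they are named on this boot."""
    by_ts = defaultdict(list)
    for e in entries:
        if not e["isdir"]:
            by_ts[e["ts"]].append(e)
    return {ts: group for ts, group in by_ts.items()
            if len({e["dir"].lower() for e in group}) >= min_dirs}


def driver_with_temp_dropper(group):
    """True when a same-second group pairs a kernel driver (.sys) with a file
    in a temp directory, the pattern seen in the thread's logs."""
    has_sys = any(e["name"].lower().endswith(".sys") for e in group)
    has_temp = any("\\temp\\" in e["dir"].lower() for e in group)
    return has_sys and has_temp


if __name__ == "__main__":
    entries = parse_recent_files(SAMPLE)
    for ts, group in find_recreated_sets(entries).items():
        flag = "  <-- driver + temp-file dropper" if driver_with_temp_dropper(group) else ""
        print(ts + flag)
        for e in group:
            print(f"  {e['size']:>8} {e['dir']}{e['name']}")
```

Run against a full SystemScan report the same way; the one group it returns for the log above is 01:21:33, holding WLCtrl32.dl_, Epq73.sys and BN5.tmp, which is exactly the set the poster picked out by hand. The point of grouping by timestamp rather than by name is that the next boot's Fxx99.sys and BN6.tmp land in the same group without any signature update.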

2008-04-21 at 08:08

The files are recreated, the question is just by what. It could be hidden files that are the cause, it could be a single file that is the problem. It's not at all unlikely that this file should go too: system32\icq5s.dll, but both it and the .sys file could be OK...
If you look at the first Avenger log, all the files could be removed except the .sys file, but after a restart they were back.

Since there are several files in different folders that need to go / are suspicious, the computer would need to be scanned with other programs.
Start with SDFix, then run a scan with Avira AntiRootkit
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Save SDFix.exe to the desktop > click SDFix.exe > SDFix is extracted here: C:\SDFix.
Restart in Safe Mode (F8) > go to C:\SDFix > click RunThis.bat > choose Y.
When the scan is done, press any key to restart.
When it says Finished, press any key. A log will be shown automatically (C:\SDFix\report.txt); paste the log here.
(Note that SDFix restores the hosts file to the default setting and enables services such as Windows Firewall/Security Center and Automatic Updates.)

http://www.bleepingcomputer.com/forums/topic131299.html
--- guide

http://dl.antivir.de/down/windows/antivir_rootkit.zip

If anything is found:
once you've scanned I assume you can get a log by clicking View Report; post it before you move any files to quarantine.

2008-04-21 at 19:39

SDFix: Version 1.173
Run by Philip on 2008-04-21 at 12:27

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
zeqbqwp
EPQ73

Path :
\??\C:\WINDOWS\zeqbqwp.sys
System32\Drivers\Epq73.sys

zeqbqwp - Deleted
EPQ73 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting

Service EPQ73 - Deleted

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\WLCtrl32.dll - Deleted
C:\WINDOWS\system32\drivers\EPQ73.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 12:44:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b6b5bab0f]
"001b5910f901"=hex:f5,52,97,19,32,ff,92,98,ee,bc,be,08,ee,6d,31,16
"0015b9eeb8d4"=hex:50,f8,c0,c3,42,4d,5c,f4,bc,44,96,6f,e7,37,23,5d
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,36,c3,e4,fb,ec,75,11,4b,12,b7,ee,22,0c,1d,36,1e,11,..
"hj34z0"=hex:e0,2e,af,8e,ad,eb,f8,56,5d,41,21,6a,82,7c,5d,fc,42,0b,c4,a5,57,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
"khjeh"=hex:20,02,00,00,36,c3,e4,fb,4d,b4,18,c2,12,b7,ee,22,70,7f,36,1e,11,..
"hj34z0"=hex:e0,2e,af,8e,ad,eb,f8,56,5d,41,21,6a,82,7c,5d,fc,42,0b,c4,a5,e1,..
"hj34z1"=hex:64,2f,a7,0c,c7,ea,df,d1,5e,41,65,e6,81,7c,3e,6d,40,0b,45,33,73,..
"hj34z2"=hex:61,2f,7f,9c,c2,ea,65,41,5b,41,48,76,84,7c,6f,dd,45,0b,38,80,76,..
"hj34z3"=hex:6d,2f,b8,d3,ce,ea,65,37,57,41,02,0c,88,7c,fb,96,49,0b,ed,ca,7a,..
"hj34z4"=hex:69,2f,ec,e2,ca,ea,77,26,53,41,ff,1e,8c,7c,7a,85,4d,0b,ab,d8,7e,..
"hj34z5"=hex:75,2f,49,c6,d6,ea,04,1a,4f,41,32,3b,90,7c,75,a9,51,0b,fb,fc,62,..
"hj34z6"=hex:70,2f,74,77,d3,ea,3f,ab,4a,41,92,6b,94,7c,c2,f9,55,0b,4f,ac,66,..
"hj34z7"=hex:7c,2f,c3,0a,df,ea,d7,de,46,41,d2,e1,99,7c,eb,73,58,0b,be,36,6b,..
"hj34z8"=hex:7b,2f,49,62,d8,ea,7f,a6,41,41,08,9e,9e,7c,94,0b,5f,0b,ae,5e,6c,..
"hj34z9"=hex:47,2f,4f,b8,e4,ea,9a,6c,7d,41,c2,57,a2,7c,39,bd,63,0b,21,e1,50,..
"hj34z10"=hex:42,2f,ef,eb,e1,ea,5e,3e,78,41,2c,06,a7,7c,2c,93,66,0b,12,d7,55,..
"hj34z11"=hex:41,2f,08,f4,e2,ea,0a,2b,7b,41,1d,eb,a4,7c,d5,78,65,0b,17,22,56,..
"hj34z12"=hex:4c,2f,ea,f7,ef,ea,81,2a,76,41,8d,15,a9,7c,bc,7e,68,0b,d0,23,5b,..
"hj34z13"=hex:4b,2f,54,ec,e8,ea,e1,30,71,41,17,03,ae,7c,0b,90,6f,0b,b0,ca,5c,..
"hj34z14"=hex:56,2f,f6,b7,f5,ea,9b,6a,6c,41,4e,55,b3,7c,2a,be,72,0b,45,e0,41,..
"hj34z15"=hex:54,2f,5e,73,f7,ea,10,56,6f,41,ff,69,b0,7c,8a,fa,71,0b,14,ac,42,..
"hj34z16"=hex:53,2f,4f,3f,f0,ea,3e,e2,69,41,8b,dd,b6,7c,cd,46,77,0b,b3,18,44,..
"hj34z17"=hex:5e,2f,9e,d8,fd,ea,fe,0f,64,41,fc,31,bb,7c,ef,a2,7a,0b,43,c4,49,..
"hj34z18"=hex:5c,2f,bb,62,ff,ea,22,b8,66,41,81,9b,b9,7c,3a,08,78,0b,e9,52,4b,..
"hj34z19"=hex:5b,2f,f7,fa,f8,ea,f7,21,61,41,e5,13,be,7c,21,80,7f,0b,f7,da,4c,..
"hj34z20"=hex:59,2f,62,61,fa,ea,80,a4,63,41,02,9f,bc,7c,91,0b,7d,0b,b3,5f,4e,..
"hj34z21"=hex:24,2f,89,d1,87,ea,3b,37,1e,41,40,0e,c1,7c,a3,9a,00,0b,5b,cc,33,..
"hj34z22"=hex:22,2f,8b,4d,81,ea,4e,93,18,41,68,a2,c7,7c,87,36,06,0b,af,68,35,..
"hj34z23"=hex:21,2f,ea,92,82,ea,33,48,1b,41,72,4b,c4,7c,85,df,05,0b,9a,83,36,..
"hj34z24"=hex:2f,2f,8a,e5,8c,ea,59,3b,15,41,3d,1a,ca,7c,c5,8e,0b,0b,d7,d0,38,..
"hj34z25"=hex:2d,2f,ec,3e,8e,ea,4b,e4,17,41,04,df,c8,7c,c8,4b,09,0b,c2,1f,3a,..
"hj34z26"=hex:2b,2f,89,62,88,ea,76,b8,11,41,d5,9a,ce,7c,00,0f,0f,0b,00,50,3c,..
"hj34z27"=hex:36,2f,8e,91,95,ea,86,77,0c,41,fb,49,d3,7c,64,da,12,0b,53,8d,21,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42]
"khjeh"=hex:20,02,00,00,53,ed,6b,de,17,93,1d,df,7e,c7,6a,67,09,5b,39,44,b8,..
"hj34z0"=hex:fe,8b,7e,4d,35,20,52,fe,15,f3,e7,6f,da,b9,df,cd,ba,5e,be,e6,4a,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43]
"khjeh"=hex:20,02,00,00,a1,d3,6b,de,21,16,79,f3,70,31,8d,1b,d3,30,f8,46,4a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000b6b5bab0f]
"001b5910f901"=hex:f5,52,97,19,32,ff,92,98,ee,bc,be,08,ee,6d,31,16
"0015b9eeb8d4"=hex:50,f8,c0,c3,42,4d,5c,f4,bc,44,96,6f,e7,37,23,5d

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 50


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program\\utorrent\\utorrent.exe"="C:\\Program\\utorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program\\iTunes\\iTunes.exe"="C:\\Program\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"="C:\\Program\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program\\Skype\\Phone\\Skype.exe"="C:\\Program\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"c:\\xiwrndv.exe"="c:\\xiwrndv.exe:*:Enabled:ipsec"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"="C:\\Program\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program\Spybot - Search & Destroy\TeaTimer.exe"
Fri 1 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Philip\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

Nothing is found with Avira AntiRootkit.

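A practitioner reading the firewall export in the SDFix log above would stop at the entry for c:\xiwrndv.exe: an executable with a random-looking name sitting directly in the drive root, granted an enabled exception under the label "ipsec", listed next to known programs under C:\Program and %windir%. The Python below is an added example, not part of this thread or of SDFix: it parses the "path"="path:scope:state:name" value lines in the format shown and flags enabled exceptions whose binary lives outside the Program and Windows directories. The sample input is a copy of the StandardProfile list above; mapping %windir% to C:\WINDOWS and treating C:\Program (the localised Program Files folder seen throughout the log) as a trusted root are assumptions taken from this particular log.

```python
import re
from pathlib import PureWindowsPath

# Copy of the StandardProfile AuthorizedApplications export from the SDFix
# log above; lines the forum software had wrapped have been re-joined.
EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program\\utorrent\\utorrent.exe"="C:\\Program\\utorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program\\iTunes\\iTunes.exe"="C:\\Program\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program\\Skype\\Phone\\Skype.exe"="C:\\Program\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"c:\\xiwrndv.exe"="c:\\xiwrndv.exe:*:Enabled:ipsec"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

# Assumptions for this machine, taken from the log headers: %windir% is
# C:\WINDOWS and the localised Program Files folder is C:\Program.
ENV = {"%windir%": r"C:\WINDOWS", "%programfiles%": r"C:\Program"}
TRUSTED_ROOTS = (r"C:\WINDOWS", r"C:\Program",
                 r"C:\Program Files", r"C:\Program Files (x86)")

# One exported value line: "key"="value", with \\ and \" escapes inside.
_LINE = re.compile(r'^"(?P<key>(?:[^"\\]|\\.)*)"="(?P<val>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _expand(path):
    """Expand the environment variables the firewall list uses."""
    out = path
    for var, value in ENV.items():
        out = re.sub(re.escape(var), lambda _m: value, out, flags=re.IGNORECASE)
    return out


def parse_authorized_apps(text):
    """Return one dict per "path"="path:scope:state:name" line."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # key header, blank line, or unrelated text
        path = _unescape(m.group("key"))
        value = _unescape(m.group("val"))
        # The value repeats the path, then scope, enabled-state and display name;
        # splitting on ':' only after the path keeps the drive letter intact.
        if not value.lower().startswith(path.lower() + ":"):
            continue
        parts = value[len(path) + 1:].split(":", 2)
        if len(parts) < 3:
            continue
        scope, state, name = parts
        entries.append({"path": path, "scope": scope,
                        "enabled": state.lower() == "enabled", "name": name})
    return entries


def suspicious_exceptions(entries):
    """Enabled exceptions whose binary is outside the trusted roots, with reasons."""
    findings = []
    for e in entries:
        if not e["enabled"]:
            continue
        p = PureWindowsPath(_expand(e["path"]))
        reasons = []
        if not any(str(p).lower().startswith(root.lower() + "\\")
                   for root in TRUSTED_ROOTS):
            reasons.append("outside the Program and Windows directories")
        if len(p.parts) == 2:  # (anchor, filename): sits directly in the drive root
            reasons.append("executable sits directly in the drive root")
        if reasons:
            findings.append((str(p), e["name"], reasons))
    return findings


if __name__ == "__main__":
    for path, label, reasons in suspicious_exceptions(parse_authorized_apps(EXPORT)):
        print(f"{path}  (label: {label!r})  -> {'; '.join(reasons)}")
```

Run against the copied export, only the xiwrndv.exe entry is reported; the location check is deliberately the only rule, because the display label is not a usable signal here (msnmsgr.exe is labelled "Windows Live Messenger" and sessmgr.exe carries a resource reference, both legitimate).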
2008-04-21 at 21:33

SDFix found a rootkit file that must have been there for a while, since it doesn't show up in the logs. Post a new SystemScan log.

2008-04-21 at 22:28

SystemScan - www.suspectfile.com - ver. 3.5.5 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Philip\Skrivbord\sys99900.exe
Running in: User mode
Date: 2008-04-21
Time: 22:27:46

Output limited to:
-Recent files

===================== RECENT FILES =====================

Showing files newer than 30 days

----- recent files in C:\
17-04-2008 18:47:03 (DIR) 0 byte 4 days old -- VundoFix Backups
18-04-2008 23:36:59 984 byte 3 days old -- VundoFix.txt
20-04-2008 22:54:14 (DIR) 0 byte 1 days old -- Documents and Settings
20-04-2008 22:54:14 2772 byte 1 days old -- avenger.txt
20-04-2008 22:56:07 (DIR) 0 byte 1 days old -- avenger
21-04-2008 12:24:08 (DIR) 0 byte 0 days old -- WINDOWS
21-04-2008 12:33:31 805306368 byte 0 days old -- pagefile.sys
21-04-2008 12:33:32 (DIR)535285760 byte 0 days old -- hiberfil.sys
21-04-2008 12:49:01 (DIR) 0 byte 0 days old -- SDFix
21-04-2008 15:40:59 (DIR) 0 byte 0 days old -- Program
07-04-2008 10:16:41 (DIR) 0 byte 14 days old -- Soldat
07-04-2008 10:25:28 0 byte 14 days old -- logwmemory.bin

----- recent files in C:\WINDOWS\
13-04-2008 09:03:19 (DIR) 0 byte 8 days old -- WinSxS
13-04-2008 09:08:08 (DIR) 0 byte 8 days old -- assembly
13-04-2008 09:08:09 (DIR) 0 byte 8 days old -- Microsoft.NET
14-04-2008 15:34:40 256 byte 7 days old -- system.ini
14-04-2008 23:18:44 73216 byte 7 days old -- ST6UNST.EXE
14-04-2008 23:18:48 286720 byte 7 days old -- Setup1.exe
14-04-2008 23:18:48 1623 byte 7 days old -- ST6UNST.000
15-04-2008 21:03:23 691545 byte 6 days old -- unins000.exe
15-04-2008 21:07:49 2546 byte 6 days old -- unins000.dat
15-04-2008 21:09:13 (DIR) 0 byte 6 days old -- inf
15-04-2008 22:23:09 (DIR) 0 byte 6 days old -- AppPatch
15-04-2008 22:25:43 (DIR) 0 byte 6 days old -- Downloaded Program Files
15-04-2008 22:34:10 (DIR) 0 byte 6 days old -- SoftwareDistribution
16-04-2008 17:50:15 (DIR) 0 byte 5 days old -- Minidump
16-04-2008 17:50:17 (DIR) 0 byte 5 days old -- Debug
17-04-2008 11:13:10 613 byte 4 days old -- wininit.ini
17-04-2008 18:51:14 22 byte 4 days old -- pskt.ini
17-04-2008 21:10:19 101178 byte 4 days old -- BM2b83eb8d.xml
17-04-2008 21:11:15 23835 byte 4 days old -- BM2b83eb8d.txt
19-04-2008 09:49:46 1409 byte 2 days old -- QTFont.for
20-04-2008 21:31:34 5300 byte 1 days old -- setupapi.log
20-04-2008 21:36:52 9808 byte 1 days old -- EventSystem.log
20-04-2008 23:00:49 (DIR) 0 byte 1 days old -- Prefetch
21-04-2008 01:20:11 54 byte 0 days old -- zoom.dat
21-04-2008 01:28:54 (DIR) 0 byte 0 days old -- Installer
21-04-2008 10:20:14 74768 byte 0 days old -- ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
21-04-2008 12:24:30 (DIR) 0 byte 0 days old -- ERUNT
21-04-2008 12:24:54 293466 byte 0 days old -- ntbtlog.txt
21-04-2008 12:32:27 (DIR) 0 byte 0 days old -- system32
21-04-2008 12:33:40 2048 byte 0 days old -- bootstat.dat
21-04-2008 12:33:55 159 byte 0 days old -- wiadebug.log
21-04-2008 12:33:56 50 byte 0 days old -- wiaservc.log
21-04-2008 12:34:41 0 byte 0 days old -- 0.log
21-04-2008 12:49:01 (DIR) 0 byte 0 days old -- temp
21-04-2008 12:49:25 54156 byte 0 days old -- QTFont.qfn
21-04-2008 13:52:46 1244323 byte 0 days old -- WindowsUpdate.log
07-04-2008 10:16:41 (DIR) 0 byte 14 days old -- Fonts
09-04-2008 03:14:40 11932 byte 12 days old -- ModemLog_HUAWEI Mobile Connect - 3G Modem #3.txt
10-04-2008 09:01:00 (DIR) 0 byte 11 days old -- $NtUninstallKB945553$
10-04-2008 09:01:09 (DIR) 0 byte 11 days old -- $NtUninstallKB944338$
10-04-2008 09:02:31 (DIR) 0 byte 11 days old -- $NtUninstallKB948590$
10-04-2008 09:02:37 (DIR) 0 byte 11 days old -- $NtUninstallKB941693$
10-04-2008 09:02:49 (DIR) 0 byte 11 days old -- $NtUninstallKB947864$
10-04-2008 09:02:58 (DIR) 0 byte 11 days old -- $hf_mig$
10-04-2008 09:02:58 (DIR) 0 byte 11 days old -- $NtUninstallKB948881$

----- recent files in C:\WINDOWS\Downloaded Program Files\

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
13-04-2008 09:03:32 72804 byte 8 days old -- perfc01D.dat
13-04-2008 09:03:32 61494 byte 8 days old -- perfc009.dat
13-04-2008 09:03:32 400240 byte 8 days old -- perfh009.dat
13-04-2008 09:03:32 906592 byte 8 days old -- PerfStringBackup.INI
13-04-2008 09:03:32 403158 byte 8 days old -- perfh01D.dat
14-04-2008 15:35:34 118784 byte 7 days old -- icq5s.dll
14-04-2008 15:47:53 12067 byte 7 days old -- SIntf16.dll
14-04-2008 15:47:54 17212 byte 7 days old -- SIntf32.dll
14-04-2008 15:47:54 21840 byte 7 days old -- SIntfNT.dll
15-04-2008 20:56:57 708543 byte 6 days old -- rhmgblex.ini
15-04-2008 21:08:34 30590 byte 6 days old -- pavas.ico
15-04-2008 21:08:34 1406 byte 6 days old -- Help.ico
15-04-2008 21:08:34 2550 byte 6 days old -- Uninstall.ico
15-04-2008 22:25:22 775882 byte 6 days old -- wgqdjdok.ini
15-04-2008 22:34:16 (DIR) 0 byte 6 days old -- ActiveScan
15-04-2008 22:34:41 (DIR) 0 byte 6 days old -- config
15-04-2008 22:38:26 (DIR) 0 byte 6 days old -- wbem
17-04-2008 18:55:48 0 byte 4 days old -- clkcnt.txt
20-04-2008 21:31:26 (DIR) 0 byte 1 days old -- CatRoot2
21-04-2008 12:43:26 13738 byte 0 days old -- wpa.dbl
21-04-2008 15:41:00 (DIR) 0 byte 0 days old -- drivers
09-04-2008 10:50:53 (DIR) 0 byte 12 days old -- CatRoot
10-04-2008 09:02:53 (DIR) 0 byte 11 days old -- dllcache
10-04-2008 09:09:33 124520 byte 11 days old -- FNTCACHE.DAT

----- recent files in C:\WINDOWS\system32\drivers\
21-04-2008 12:28:23 (DIR) 0 byte 0 days old -- etc

----- recent files in C:\WINDOWS\temp\
21-04-2008 12:43:23 255 byte 0 days old -- WGAErrLog.txt
21-04-2008 12:43:29 409 byte 0 days old -- WGANotify.settings

----- recent files in C:\Program\
01-04-2008 12:30:20 (DIR) 0 byte 20 days old -- PartyGaming
03-04-2008 16:50:15 (DIR) 0 byte 18 days old -- Holdem Indicator
23-03-2008 01:11:14 (DIR) 0 byte 29 days old -- DotA Gaming Network
14-04-2008 23:18:11 (DIR) 0 byte 7 days old -- WinRAR
15-04-2008 22:09:12 (DIR) 0 byte 6 days old -- FlashMute
15-04-2008 22:09:18 (DIR) 0 byte 6 days old -- Google
15-04-2008 22:09:52 (DIR) 0 byte 6 days old -- Internet Explorer
15-04-2008 22:10:28 (DIR) 0 byte 6 days old -- iTunes
15-04-2008 22:16:53 (DIR) 0 byte 6 days old -- Spybot - Search & Destroy
16-04-2008 17:13:40 (DIR) 0 byte 5 days old -- Trend Micro
16-04-2008 17:14:21 (DIR) 0 byte 5 days old -- CCleaner
17-04-2008 18:53:00 (DIR) 0 byte 4 days old -- Malwarebytes' Anti-Malware
19-04-2008 17:02:12 (DIR) 0 byte 2 days old -- Warcraft III
21-04-2008 02:52:00 (DIR) 0 byte 0 days old -- DC++
21-04-2008 15:40:58 (DIR) 0 byte 0 days old -- InstallShield Installation Information
21-04-2008 15:40:59 (DIR) 0 byte 0 days old -- Avira GmbH
21-04-2008 17:59:41 (DIR) 0 byte 0 days old -- Mozilla Firefox

----- recent files in C:\Program\Delade filer\

----- recent files in C:\Documents and Settings\Philip\Application Data\
31-03-2008 14:19:54 (DIR) 0 byte 21 days old -- uTorrent
17-04-2008 18:53:03 (DIR) 0 byte 4 days old -- Malwarebytes
07-04-2008 10:16:25 (DIR) 0 byte 14 days old -- Soldat
07-04-2008 17:49:07 (DIR) 0 byte 14 days old -- U3

----- recent files in C:\DOCUME~1\Philip\LOKALA~1\Temp\
21-04-2008 01:13:24 (DIR) 0 byte 0 days old -- Temporary Internet Files
21-04-2008 01:13:24 (DIR) 0 byte 0 days old -- Tidigare
21-04-2008 12:32:28 (DIR) 0 byte 0 days old -- Cookies
21-04-2008 12:50:38 16384 byte 0 days old -- ~DFAE8.tmp
21-04-2008 13:40:41 (DIR) 0 byte 0 days old -- Google Toolbar
21-04-2008 13:45:03 (DIR) 0 byte 0 days old -- plugtmp
21-04-2008 15:41:17 0 byte 0 days old -- 13.tmp
21-04-2008 15:41:34 688128 byte 0 days old -- ~DF21BA.tmp
21-04-2008 15:41:35 512 byte 0 days old -- ~DF22B3.tmp
21-04-2008 15:41:56 688128 byte 0 days old -- ~DF49DF.tmp
21-04-2008 15:41:57 512 byte 0 days old -- ~DF4A0D.tmp
21-04-2008 15:49:08 (DIR) 0 byte 0 days old -- avirarkd
21-04-2008 21:32:30 (DIR) 0 byte 0 days old -- MessengerCache
21-04-2008 22:25:51 4010649 byte 0 days old -- fla72.tmp
21-04-2008 22:27:33 16384 byte 0 days old -- ~DFA30F.tmp
21-04-2008 22:27:33 55 byte 0 days old -- systemscan.ini
21-04-2008 22:27:34 (DIR) 0 byte 0 days old -- nsn75.tmp

==========================================
Scan completed in 0,1 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

2008-04-21 at 22:37

Now it looks better. You can delete these:
rhmgblex.ini
wgqdjdok.ini

2008-04-22 at 07:53

A big thank you for all the help, antimalwareGuru! :x

The BN1-5.tmp files are gone from the processes now, the internet works as it should and everything :)

However, I can't find those .ini files -.-

2008-04-22 at 10:13

Set the view to Details in the system32 folder, then click the Name column header and all the files are shown in alphabetical order.

I don't think the files are hidden, but do you have hidden files shown?

2008-04-22 at 11:41

I just checked through. Hidden files are shown. The files aren't there. Should I post a SystemScan log?

2008-04-22 at 12:07

Actually it doesn't matter, since they can't cause any harm. You can make a log, and if you don't see them in the section for the system32 folder then they are no longer there.

Otherwise you can delete the files with a tool like this one. If you can't locate the file, you can paste in the path and click the red icon:
http://killbox.net/downloads/KillBox.exe
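The reply at 22:37 singled out rhmgblex.ini and wgqdjdok.ini in system32, and the reply above says a fresh log's system32 section is how to confirm they are gone. The Python below is an added example, not something from this thread or from SystemScan: it parses the "recent files" lines in the format the scan above prints, shortlists system32 files whose name is eight lowercase letters plus an extension (the pattern the two flagged files share; a triage heuristic for what to look up, not a verdict, since legitimate files can match it), and checks a listing for named files so a rerun log can be compared mechanically. The sample input is copied from the scan posted above, and C:\WINDOWS\system32 as the system directory is taken from that log's header.

```python
import re
from datetime import datetime

# Excerpt of the SystemScan "RECENT FILES" output posted above (lines copied
# from that log, not a new scan), used as the sample input.
LISTING = r'''
----- recent files in C:\WINDOWS\
17-04-2008 18:51:14 22 byte 4 days old -- pskt.ini
21-04-2008 12:24:30 (DIR) 0 byte 0 days old -- ERUNT

----- recent files in C:\WINDOWS\system32\
13-04-2008 09:03:32 72804 byte 8 days old -- perfc01D.dat
14-04-2008 15:35:34 118784 byte 7 days old -- icq5s.dll
15-04-2008 20:56:57 708543 byte 6 days old -- rhmgblex.ini
15-04-2008 21:08:34 30590 byte 6 days old -- pavas.ico
15-04-2008 22:25:22 775882 byte 6 days old -- wgqdjdok.ini
15-04-2008 22:34:16 (DIR) 0 byte 6 days old -- ActiveScan
21-04-2008 12:43:26 13738 byte 0 days old -- wpa.dbl

----- recent files in C:\WINDOWS\system32\drivers\
21-04-2008 12:28:23 (DIR) 0 byte 0 days old -- etc
'''

SYSTEM32 = r"C:\WINDOWS\system32"  # system directory from the log header

_SECTION = re.compile(r"^----- recent files in (?P<dir>.+)$")
# "dd-mm-yyyy hh:mm:ss [(DIR)] <size> byte <n> days old -- <name>"; the scan
# sometimes prints "(DIR)<size>" without a space, hence \s* after the marker.
_ENTRY = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<marker>\(DIR\))?\s*(?P<size>\d+) byte (?P<age>\d+) days old -- (?P<name>.+)$")

# Eight lowercase letters and a data/library extension: the shape shared by
# the two files the helper pointed out. Heuristic only; review every hit.
_RANDOM_NAME = re.compile(r"^[a-z]{8}\.(ini|dll|dat)$")


def parse_recent_files(text):
    """Return one dict per file or directory line, tagged with its section directory."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group("dir").rstrip("\\")
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            entries.append({
                "dir": current,
                "name": m.group("name"),
                "is_dir": m.group("marker") is not None,
                "size": int(m.group("size")),
                "age_days": int(m.group("age")),
                "mtime": datetime.strptime(f"{m.group('date')} {m.group('time')}",
                                           "%d-%m-%Y %H:%M:%S"),
            })
    return entries


def random_named_in_system32(entries):
    """Files in system32 whose name matches the random eight-letter pattern."""
    return [e for e in entries
            if not e["is_dir"]
            and e["dir"].lower() == SYSTEM32.lower()
            and _RANDOM_NAME.match(e["name"])]


def still_present(entries, names, directory=SYSTEM32):
    """Which of `names` still appear under `directory` in a (re-run) listing."""
    wanted = {n.lower() for n in names}
    return sorted(e["name"] for e in entries
                  if e["dir"].lower() == directory.lower()
                  and e["name"].lower() in wanted)


if __name__ == "__main__":
    found = parse_recent_files(LISTING)
    for e in random_named_in_system32(found):
        print(f"{e['name']:16} {e['size']:>8} bytes  modified {e['mtime']:%Y-%m-%d %H:%M}")
    print("still present:", still_present(found, ["rhmgblex.ini", "wgqdjdok.ini"]))
```

On the copied excerpt the shortlist is exactly rhmgblex.ini and wgqdjdok.ini, and running still_present over a later log's system32 section gives the confirmation the reply asks for without scrolling through the listing by hand.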

2008-04-22 at 16:49

They're gone now. Thanks for all the help! :x :x :x :x :x

2008-04-23 at 08:16

Ehm, one thing has come up. Namely that I can't download things via DC on the school's network. I can chat and see everyone, but as soon as I want to see their "file list" it just says connecting...

© Egmont Tidskrifter