2009-03-11, 00:18
#1
Just noticed that the winlogon process was eating half my CPU (50%). I'm running XP SP3 and have run a check with the most common antispyware programs. Googled and found a few things, but nothing that has helped me.
If someone could help me I would be happy. Here is my hijack log in two parts:
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program\Alwil Software\Avast4\aswUpdSv.exe
E:\Program\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program\Google\Update\GoogleUpdate.exe
E:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program\Bonjour\mDNSResponder.exe
E:\Program\Java\jre6\bin\jqs.exe
E:\Program\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program\Spyware Terminator\sp_rsser.exe
E:\WINDOWS\system32\svchost.exe
E:\Program\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
E:\Program\Alwil Software\Avast4\ashMaiSv.exe
E:\Program\Alwil Software\Avast4\ashWebSv.exe
E:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe
E:\WINDOWS\system32\winlogon.exe
E:\Program\iPod\bin\iPodService.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\WINDOWS\system32\RunDLL32.exe
E:\Program\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
E:\WINDOWS\VM301Snap.exe
E:\WINDOWS\Domino.exe
E:\Program\ALWILS~1\Avast4\ashDisp.exe
E:\Program\Google\Google Desktop Search\GoogleDesktop.exe
E:\WINDOWS\system32\iid.exe
E:\Program\Google\Gmail Notifier\gnotify.exe
E:\Program\iTunes\iTunesHelper.exe
E:\Program\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
D:\Program\windows\SystemExplorer.exe
E:\Program\Google\Google Desktop Search\GoogleDesktop.exe
E:\Documents and Settings\Mattias\Lokala inställningar\Application Data\Google\Update\GoogleUpdate.exe
E:\Program\Personal\bin\Personal.exe
E:\Program\Spotify\spotify.exe
E:\Program\uTorrent\uTorrent.exe
E:\WINDOWS\System32\svchost.exe
E:\Program\Skype\Phone\Skype.exe
E:\Program\Skype\Plugin Manager\skypePM.exe
E:\Program\Last.fm\LastFM.exe
E:\Program\Mozilla Firefox\firefox.exe
E:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe
E:\WINDOWS\system32\msiexec.exe
E:\WINDOWS\system32\MsiExec.exe
E:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\MsiExec.exe
E:\Program\Spybot - Search & Destroy\SDUpdate.exe
E:\Program\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - E:\Program\Desktop Sidebar\sbhelp.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VirtualCloneDrive] "E:\Program\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [PinnacleDriverCheck] E:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [BigDogPath] E:\WINDOWS\VM301Snap.exe Vimicro USB PC Camera (ZC0301PL)
O4 - HKLM\..\Run: [Domino] E:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [avast!] E:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "E:\Program\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Net iD] E:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] E:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [FileZilla Server Interface] "E:\Program\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SystemExplorer] "D:\Program\windows\SystemExplorer.exe" /TRAY
O4 - HKCU\..\Run: [Mmm] "E:\Program\HACE\Mmm\Mmm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Mattias\Lokala inställningar\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] E:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-606747145-861567501-725345543-1004.bak\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-606747145-861567501-725345543-1005\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe (User 'Isak')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BankID säkerhetsprogram.lnk = E:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://E:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - E:\Program\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - E:\Program\Desktop Sidebar\sbhelp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program\Messenger\msmsgs.exe
....