ComboFix 09-01-21.04 - Per Magne Jensen 2009-01-31 18:35:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1044.18.511.91 [GMT 1:00]
Kjører fra: c:\documents and settings\Per Magne Jensen\Skrivebord\ComboFix.exe
AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
FW: Personlig brannmur *enabled*
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\win32hlp.cnf
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2008-12-28 til 2009-01-31 )))))))))))))))))))))))))))))))))
.
2009-01-31 14:09 . 2009-01-31 14:09 d-------- c:\documents and settings\Per Magne Jensen\Programdata\Malwarebytes
2009-01-31 14:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 14:08 . 2009-01-31 14:09 d-------- c:\programfiler\Malwarebytes' Anti-Malware
2009-01-31 14:08 . 2009-01-31 14:08 d-------- c:\documents and settings\All Users.WINDOWS\Programdata\Malwarebytes
2009-01-31 14:08 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 01:10 . 2009-01-31 15:08 dr-h----- c:\documents and settings\Per Magne Jensen\Siste
2009-01-31 00:54 . 2009-01-31 00:54 d-------- c:\programfiler\CCleaner
2009-01-31 00:51 . 2009-01-31 00:51 3,171,208 --a------ c:\programfiler\ccsetup216.exe
2009-01-30 18:39 . 2009-01-30 18:39 32,034,360 --a------ c:\programfiler\Norman_Malware_Cleaner.exe
2009-01-30 18:21 . 2009-01-30 18:21 d-------- c:\documents and settings\NetworkService.NT-MYNDIGHET\Start-meny
2009-01-30 18:20 . 2009-01-31 18:11 d-------- c:\programfiler\Norman
2009-01-30 18:20 . 2008-05-16 11:28 212,024 --a------ c:\windows\system32\nscrnsav.scr
2009-01-30 18:20 . 2008-02-07 12:12 79,752 --a------ c:\windows\system32\drivers\ndis_rd.sys
2009-01-30 18:20 . 2008-02-07 12:12 74,624 --a------ c:\windows\system32\drivers\tdi_rd.sys
2009-01-30 18:20 . 2008-04-16 12:57 42,552 --a------ c:\windows\system32\drivers\ale_nf.sys
2009-01-30 18:20 . 2008-09-02 12:48 19,512 --a------ c:\windows\system32\drivers\nvcw32mf.sys
2009-01-29 19:14 . 2009-01-29 19:14 125,440 --a------ c:\windows\system32\userinit.exe
2009-01-29 11:19 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-01-29 11:19 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-01-28 16:35 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-28 16:28 . 2009-01-28 16:35 d-------- c:\windows\system32\XPSViewer
2009-01-28 16:28 . 2009-01-28 16:28 d-------- c:\programfiler\Reference Assemblies
2009-01-28 16:28 . 2009-01-28 16:28 d-------- c:\programfiler\MSBuild
2009-01-28 16:28 . 2009-01-28 16:28 d-------- C:\fbbf11e3826617ce800e90f3
2009-01-28 16:28 . 2008-07-06 13:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-01-28 16:28 . 2008-07-06 13:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-01-28 16:28 . 2008-07-06 11:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-28 16:28 . 2008-07-06 13:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-01-28 16:28 . 2008-07-06 13:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-28 16:28 . 2008-07-06 13:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-01-28 16:28 . 2008-07-06 13:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-28 16:21 . 2009-01-28 16:22 d-------- c:\windows\$SQLUninstallSQL2000-KB948110-v8.00.2050-x86-ENU$
2009-01-28 16:20 . 2009-01-28 16:20 d-------- c:\programfiler\Microsoft CAPICOM 2.1.0.2
2009-01-28 14:49 . 2009-01-30 22:50 4,352 --a------ c:\windows\system32\drivers\cleanhelper.sys
2009-01-27 19:48 . 2009-01-30 18:02 d-------- c:\documents and settings\All Users.WINDOWS\Programdata\avg8
2009-01-27 19:43 . 2009-01-30 00:05 d--hs---- c:\windows\system32\twain32
2009-01-27 17:15 . 2009-01-27 18:01 5,529 --a------ C:\biin.exe
2009-01-27 16:28 . 2009-01-27 16:28 51,712 --a------ c:\windows\system32\303369.exe
2009-01-27 13:44 . 2009-01-27 13:44 5,513 --a------ C:\bacn.exe
2009-01-26 22:38 . 2009-01-27 20:35 d-------- c:\documents and settings\Per Magne Jensen\Programdata\Twain
2009-01-26 21:04 . 2009-01-26 21:04 54,157,776 --a------ C:\avg_free_stf_en_8_176a1400.exe
2009-01-26 19:42 . 2009-01-31 09:59 59 --a------ c:\windows\system32\senekarlanulqu.dat
2009-01-26 19:37 . 2009-01-31 13:58 89,868 --a------ c:\windows\system32\senekafhmxorcc.dat
2009-01-26 00:35 . 2009-01-26 20:17 16,827 --a------ c:\windows\system32\drivers\hosts
2009-01-25 22:19 . 2009-01-27 17:59 4,014 --a------ C:\pps.exe
2009-01-24 21:35 . 2009-01-24 21:35 31,643 --a------ C:\lv.exe
2009-01-24 20:10 . 2009-01-28 14:18 d-------- c:\programfiler\%systemdir%
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 01:02 --------- d-----w c:\programfiler\Symantec
2009-01-31 01:02 --------- d-----w c:\programfiler\Fellesfiler\Symantec Shared
2009-01-31 01:02 --------- d-----w c:\documents and settings\All Users.WINDOWS\Programdata\Symantec
2009-01-30 22:54 5,154,304 ----a-w c:\programfiler\WindowsDefender.msi
2009-01-30 18:44 --------- d-----w c:\programfiler\ZoomText 9.0
2009-01-30 17:16 39,863,808 ----a-w c:\programfiler\NormanSecuritySuite_710_NOR_R08.msi
2009-01-26 19:09 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Programdata\TEMP
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-27 13:26 1,680,640 ----a-w c:\programfiler\TeamViewer_Setup.exe
2008-10-27 13:17 13,765,176 ----a-w c:\programfiler\sdasetup.exe
2008-10-23 12:43 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:33 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:04 247,326 ----a-w c:\windows\system32\strmdll.dll
.
------- Sigcheck -------
2004-08-04 13:00 24576 025d58a521e0063b92adebd84f147e68 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 17:23 26112 5ee32955c86d583627f8d37350c1e145 c:\windows\ServicePackFiles\i386\userinit.exe
2009-01-29 19:14 125440 17d71928e92322118d6a8132e987202b c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2009-01-31_14.33.42.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-31 13:19:55 225,066 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-31 17:13:09 225,060 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-31 17:11:10 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_64c.dat
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norman ZANDA"="c:\programfiler\Norman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]
"NPCTray"="c:\programfiler\Norman\npc\bin\npc_tray.exe" [2007-09-17 126008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users.WINDOWS\Start-meny\Programmer\Oppstart\
Ralink Wireless Utility.lnk - c:\programfiler\RALINK\Common\RaUI.exe [2008-10-27 630784]
Service Manager.lnk - c:\programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]
VC5 Server Manager.lnk - c:\programfiler\NEDAP\VC5\BIN\VC5ServerManager.exe [2007-10-01 233472]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\awtqpOeC

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programfiler\\Messenger\\msmsgs.exe"=
"c:\\Programfiler\\TeamViewer3\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 NDIS_RD;Norman Firewall NDIS driver;c:\windows\system32\drivers\ndis_rd.sys [2009-01-30 79752]
R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [2006-09-18 7296]
R1 NPROSEC;Norman Security driver;c:\programfiler\Norman\Ngs\Bin\nprosec.sys [2009-01-30 53816]
R1 TDI_RD;Norman Firewall TDI driver;c:\windows\system32\drivers\tdi_rd.sys [2009-01-30 74624]
R3 NPC;Norman Parental Control;c:\programfiler\Norman\Npc\Bin\npcsvc32.exe [2009-01-30 416880]
R3 nsesvc;Norman Scanner Engine Service;c:\programfiler\Norman\Nse\Bin\Nsesvc.exe [2009-01-30 183352]
R3 NUAA;Norman User Activity Agent;c:\programfiler\Norman\Npc\Bin\nuaa.exe [2009-01-30 117816]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2009-01-30 19512]
R3 nvcoas;Norman Virus Control on-access component;c:\programfiler\Norman\nvc\bin\Nvcoas.exe [2009-01-30 191544]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\programfiler\Norman\Npm\Bin\nvcsched.exe [2009-01-30 154680]
R4 MSSQL$VC5;MSSQL$VC5;c:\programfiler\Microsoft SQL Server\MSSQL$VC5\Binn\sqlservr.exe [2005-05-03 9154560]
R4 Ndiskio;Ndiskio;c:\programfiler\Norman\Nse\Bin\Ndiskio.sys [2009-01-30 20448]
R4 NEDAP VC4 Controller Server;NEDAP VC4 Controller Server;c:\programfiler\NEDAP\VC5\BIN\VC4Server.exe [2007-10-01 700416]
R4 NEDAP VC5 Scheduler;NEDAP VC5 Scheduler;c:\programfiler\NEDAP\VC5\BIN\VC5Scheduler.exe [2007-10-01 1437696]
R4 NPFSvc32;Norman Personal Firewall Service;c:\programfiler\Norman\Npf\Bin\npfsvc32.exe [2009-01-30 597104]
R4 NPROSECSVC;Norman Security service;c:\programfiler\Norman\Ngs\Bin\nprosec.exe [2009-01-30 121912]
R4 NVOY;Norman's Very Own supplY of resources;c:\programfiler\Norman\Npm\Bin\nvoy.exe [2009-01-30 121912]
R4 SQLAgent$VC5;SQLAgent$VC5;c:\programfiler\Microsoft SQL Server\MSSQL$VC5\Binn\sqlagent.EXE [2005-05-03 323584]

--- Andre tjenester/drivere lastet i minnet ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68b0b579-02d8-11dc-a175-000c76af206b}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2009-01-31 c:\windows\Tasks\qeoljajl.job
- c:\windows\system32\efcBsTJC.dll []
.
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.aftenbladet.no/
LSP: c:\programfiler\Norman\npc\bin\nlf.dll
DPF: {76E11BD9-E2F5-4F12-9922-A372B26B0F56} - hxxp://medlem.tine.no/hk/komponent/ddTabHandler.dll
DPF: {B6C10489-FB89-11D4-93C9-006008A7EED4} - hxxp://localhost/vc5/navigation/teechart/Teesmall5.cab
DPF: {FEE62325-41BF-4421-8811-33CAFBE7EF6C} - hxxp://localhost/vc5/navigation/socketx/socketx.cab
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 18:35:27
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
Tidspunkt ferdig: 2009-01-31 18:37:22
ComboFix-quarantined-files.txt 2009-01-31 17:37:18
ComboFix2.txt 2009-01-31 13:34:48

Pre-Run: 64,790,990,848 byte ledig
Post-Run: 64,789,487,616 byte ledig

WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

190 --- E O F --- 2009-01-29 17:01:10