ComboFix 09-02-17.02 - eier 2009-02-18 17:08:54.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1044.18.1014.548 [GMT 1:00]
Kjører fra: c:\documents and settings\eier\Skrivebord\ComboFix.exe
Command switches brukt :: c:\documents and settings\eier\Skrivebord\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*
 * Opprettet nytt gjenopprettingspunkt

FILE ::
C:\df.exe
c:\documents and settings\eier\bz.exe
C:\fef.exe
C:\nan.exe
c:\windows\bin.exe
c:\windows\system32\izktkvwu.exe
c:\windows\system32\kysvr32.exe
c:\windows\system32\rpvgdxv.exe
c:\windows\system32\wsncs.exe
c:\windows\temp\IZ26A.EXE
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\df.exe
c:\documents and settings\eier\bz.exe
C:\fef.exe
C:\nan.exe
c:\programfiler\fsdfs
c:\programfiler\fsdfs\aliases.ini
c:\programfiler\fsdfs\kiss.exe
c:\programfiler\fsdfs\mirc.ini
c:\programfiler\fsdfs\murd3r
c:\programfiler\fsdfs\remote.ini
c:\programfiler\fsdfs\S.exe
c:\programfiler\fsdfs\Sys32.rar
c:\programfiler\fsdfs\TmEncryptTemp.000
c:\programfiler\fsdfs\TmEncryptTemp.001
c:\programfiler\fsdfs\Win32.rar
c:\windows\bin.exe
c:\windows\system32\izktkvwu.exe
c:\windows\system32\kysvr32.exe
c:\windows\system32\rpvgdxv.exe
c:\windows\system32\wsncs.exe
.

((((((((((((((((((((((((((((((((((((((( Drivere/Tjenester )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_mailKmd

((((((((((((((((((((((((((( Filer Opprettet Fra 2009-01-18 til 2009-02-18 )))))))))))))))))))))))))))))))))
.

2009-02-18 14:03 . 2009-02-18 17:06 dr-h----- c:\documents and settings\eier\Siste
2009-02-14 17:20 . 2009-02-14 17:25 d-------- c:\documents and settings\All Users\Programdata\YoYoGames
2009-02-11 15:09 . 2009-02-11 15:09 118 --a------ c:\windows\system32\MRT.INI
2009-02-07 17:38 . 2009-02-07 17:38 d-------- c:\documents and settings\eier\Programdata\Malwarebytes
2009-02-07 17:38 . 2009-02-07 17:38 d-------- c:\documents and settings\All Users\Programdata\Malwarebytes
2009-02-07 17:38 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-07 17:38 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-07 17:35 . 2009-02-14 13:50 d-------- c:\programfiler\Malwarebytes' Anti-Malware
2009-02-06 19:59 . 2009-02-06 19:59 308,104 --a------ c:\windows\WLXPGSS.SCR
2009-02-06 18:52 . 2009-02-06 18:52 49,504 --a------ c:\windows\system32\sirenacm.dll
2009-01-23 15:35 . 2007-04-09 13:23 28,040 --a------ c:\windows\system32\mdimon.dll
2009-01-23 15:34 . 2009-01-23 15:34 d-------- c:\programfiler\Microsoft ActiveSync
2009-01-23 15:33 . 2009-01-23 15:34 d-------- c:\windows\SHELLNEW
2009-01-23 15:26 . 2009-01-23 15:30 419,174,400 --a------ C:\OFFICE2003.ISO
2009-01-23 15:25 . 2009-01-23 15:26 82,219,008 --a------ C:\ONENOTE.ISO
2009-01-23 15:23 . 2009-01-23 15:35 382 --a------ c:\windows\ODBC.INI
2009-01-23 15:21 . 2009-01-23 15:21 d-------- c:\programfiler\Microsoft.NET
2009-01-23 15:20 . 2009-01-23 15:20 dr-h----- C:\MSOCache
.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-02-18 16:15 --------- d-----w c:\programfiler\Steam
2009-02-18 12:02 --------- d-----w c:\programfiler\Microsoft
2009-02-18 12:01 --------- d-----w c:\programfiler\Windows Live
2009-02-14 23:36 --------- d-----w c:\documents and settings\eier\Programdata\LimeWire
2009-02-08 22:24 34 ----a-w c:\documents and settings\eier\jagex_runescape_preferences.dat
2009-02-06 17:08 55,152 ----a-w c:\windows\system32\drivers\fssfltr_tdi.sys
2009-01-19 12:43 --------- d-----w c:\programfiler\LingDys 3.0
2009-01-15 22:24 --------- d-----w c:\programfiler\Google
2009-01-09 23:02 --------- d-----w c:\programfiler\Windows Live Toolbar
2009-01-09 22:58 --------- d-----w c:\programfiler\Microsoft Sync Framework
2009-01-09 22:53 --------- d-----w c:\programfiler\Windows Live SkyDrive
2009-01-09 22:50 --------- d-----w c:\programfiler\Fellesfiler\Windows Live
2008-12-26 21:32 --------- d-----w c:\programfiler\Microsoft Silverlight
2008-12-26 14:31 --------- d-----w c:\programfiler\LMMS 0.4.2
2008-12-24 23:31 28,648 ----a-w c:\windows\system32\drivers\INFCACHE.1
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programfiler\fsdfs\S.exe -- Unable to find Resource table header.
MD5: b0b048dc53df60c280a10c2f0ce6e42a

---- Directory of c:\programfiler\fsdfs ----

2009-02-18 16:42 3171 --a------ c:\programfiler\fsdfs\mirc.ini
2009-02-10 23:38 11069 --a------ c:\programfiler\fsdfs\Win32.rar
2008-08-15 18:51 14412 --a------ c:\programfiler\fsdfs\Sys32.rar
2007-09-14 05:14 634494 --a------ c:\programfiler\fsdfs\TmEncryptTemp.001
2007-09-14 05:14 634494 --a------ c:\programfiler\fsdfs\TmEncryptTemp.000
2007-09-14 05:14 634368 --a------ c:\programfiler\fsdfs\kiss.exe
2007-09-14 05:14 6192 --a------ c:\programfiler\fsdfs\aliases.ini
2007-09-14 05:14 3104 --a------ c:\programfiler\fsdfs\S.exe
2007-09-14 05:14 127 --a------ c:\programfiler\fsdfs\remote.ini
2006-10-08 23:05 1144 --a------ c:\programfiler\fsdfs\murd3r

((((((((((((((((((((((((((((( SnapShot_2009-02-14_14.21.45.25 )))))))))))))))))))))))))))))))))))))))))
.

+ 2009-02-18 13:44:43 49,152 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveWriter\1a69f2433c9d15d5ed86091964aa5184\WindowsLiveWriter.ni.exe
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-01-15 20:49:39 80,395 ----a-r c:\windows\Installer\{33FE4D58-2D62-4969-8B0F-7F7ACBB7BD23}\MsblIco.Exe
+ 2009-02-18 11:59:12 80,395 ----a-r c:\windows\Installer\{33FE4D58-2D62-4969-8B0F-7F7ACBB7BD23}\MsblIco.Exe
+ 2009-02-18 12:00:37 132,096 ----a-r c:\windows\Installer\{B8A39F2F-BD4D-4F12-8E9F-35E23CBDD4DA}\WLXPhotoGalleryIcon.exe
- 2009-01-15 20:50:25 58,945 ----a-r c:\windows\Installer\{CCA238D3-4FFC-4B3E-B34F-3AD78AD11523}\wlmail.exe
+ 2009-02-18 11:59:37 58,945 ----a-r c:\windows\Installer\{CCA238D3-4FFC-4B3E-B34F-3AD78AD11523}\wlmail.exe
+ 2009-02-06 17:08:42 55,152 -c--a-w c:\windows\system32\DRVSTORE\fssfltr_EF055C4397902A7196443A03732BB6F4104D1ADB\fssfltr_tdi.sys
- 2009-01-09 23:10:46 64,176 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-18 13:43:33 64,176 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-09 23:10:46 72,840 ----a-w c:\windows\system32\perfc014.dat
+ 2009-02-18 13:43:33 72,840 ----a-w c:\windows\system32\perfc014.dat
- 2009-01-09 23:10:46 406,976 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-18 13:43:33 406,976 ----a-w c:\windows\system32\perfh009.dat
- 2009-01-09 23:10:46 411,016 ----a-w c:\windows\system32\perfh014.dat
+ 2009-02-18 13:43:33 411,016 ----a-w c:\windows\system32\perfh014.dat
+ 2008-04-21 12:44:12 300,392 ----a-w c:\windows\temp\EW332.EXE
.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-28 68856]
"MsnMsgr"="c:\programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885400]
"Steam"="c:\programfiler\Steam\Steam.exe" [2008-12-07 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programfiler\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"LaunchAp"="c:\programfiler\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"HotkeyApp"="c:\programfiler\Launch Manager\HotkeyApp.exe" [2006-11-09 192512]
"Wbutton"="c:\programfiler\Launch Manager\Wbutton.exe" [2006-11-09 86016]
"SynTPEnh"="c:\programfiler\Synaptics\SynTP\SynTPEnh.exe" [2006-04-21 761946]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"fssui"="c:\programfiler\Windows Live\Family Safety\fsui.exe" [2009-02-06 454000]
"OfficeScanNT Monitor"="c:\programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-04-21 710000]
"QuickTime Task"="c:\programfiler\QuickTime\qttask.exe" [2008-03-28 413696]
"CtrlVol"="c:\programfiler\Launch Manager\CtrlVol.exe" [BU]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 c:\windows\sm56hlpr.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
Bluetooth Manager.lnk - c:\programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-08-02 2760704]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\Messenger\\msmsgs.exe"=
"c:\\Programfiler\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Programfiler\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programfiler\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Programfiler\\Toshiba\\Bluetooth Toshiba Stack\\TosBtSrv.exe"=c:\\Programfiler\\Toshiba\\Bluetooth Toshiba Stack\\TosBtSrv.exe
"c:\\WINDOWS\\system32\\svchost.exe"=c:\\WINDOWS\\system32\\svchost.exe
"c:\\WINDOWS\\RTHDCPL.EXE"= c:\\WINDOWS\\RTHDCPL.exe
"c:\\Programfiler\\Toshiba\\Bluetooth Toshiba Stack\\tosOBEX.exe"= c:\\Programfiler\\Toshiba\\Bluetooth Toshiba Stack\\TosOBEX.exe
"c:\\Programfiler\\Trend Micro\\OfficeScan Client\\ntrtscan.exe"=c:\\Programfiler\\Trend Micro\\OfficeScan Client\\ntrtscan.exe
"c:\\Programfiler\\Trend Micro\\OfficeScan Client\\CNTAoSMgr.exe"=c:\\Programfiler\\Trend Micro\\OfficeScan Client\\CNTAoSMgr.exe
"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programfiler\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:TCP"= 12345:TCP:Trend Micro OfficeScan Listener

R1 Hotkey;Hotkey;c:\windows\system32\drivers\HOTKEY.sys [2008-09-12 9867]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-01-09 55152]
R2 fsssvc;Windows Live Tryggere for familien;c:\programfiler\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
R2 SeaPort;SeaPort;c:\programfiler\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 TmFilter;Trend Micro Filter;c:\programfiler\Trend Micro\OfficeScan Client\tmxpflt.sys [2008-08-16 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\programfiler\Trend Micro\OfficeScan Client\tmpreflt.sys [2008-08-16 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-02-04 315920]
R3 TmPfw;OfficeScan NT Firewall;c:\programfiler\Trend Micro\OfficeScan Client\TmPfw.exe [2008-02-04 939344]
R3 WisLMSvc;WisLMSvc;c:\programfiler\Launch Manager\WisLMSvc.exe [2008-09-12 118784]
S2 WSNCS;Windows Server Network Colocation Service;c:\windows\system32\wsncs.exe --> c:\windows\system32\wsncs.exe [?]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2008-11-22 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2008-11-22 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2008-11-22 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2008-11-22 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2008-11-22 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2008-11-22 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2008-11-22 117672]
S3 TmProxy;OfficeScan NT Proxy Service;c:\programfiler\Trend Micro\OfficeScan Client\TmProxy.exe [2008-02-04 558416]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f80d0a4-a729-11dd-8e44-0018de366120}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4c921af-8007-11dd-8e14-001641969765}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff499072-ab56-11dd-8e4a-001641969765}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2008-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programfiler\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Tilleggsskanning -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 17:12:34
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CtrlVol = c:\programfiler\Launch Manager\CtrlVol.exe??X???0???\???????0??????????????|???|???????|????????L???????8'????F?????????????h?????????????B????????|@??|????=??|[?A?????????z?A??RA???B~??????F?4^@???????????????A?????????z?A???@?('??6u@?('???RA???@?8'?????

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
------------------------ Andre Kjørende Prosesser ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\programfiler\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\programfiler\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\temp\EW332.EXE
c:\programfiler\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\system32\rundll32.exe
c:\programfiler\OpenOffice.org 3\program\soffice.exe
c:\programfiler\OpenOffice.org 3\program\soffice.bin
c:\programfiler\Launch Manager\WLBTTray.exe
c:\programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\programfiler\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\programfiler\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
c:\programfiler\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2009-02-18 17:19:35 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2009-02-18 16:19:31

Pre-Run: 105 688 395 776 byte ledig
Post-Run: 105,696,829,440 byte ledig

253 --- E O F --- 2009-02-11 14:10:13