ComboFix 09-03-12.01 - silje 2009-03-13 19:45:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1044.18.2047.1218 [GMT 1:00]
Kjører fra: c:\documents and settings\silje\Skrivebord\ComboFix.exe
AV: Norton Internet Security Online *On-access scanning disabled* (Updated)
FW: Norton Internet Security Online *enabled*
 * Opprettet nytt gjenopprettingspunkt
.

(((((((((((((((((((((((((((((((((((((((   Andre slettinger   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\DUMP7fde.tmp

.
(((((((((((((((((((((((((((   Filer Opprettet Fra 2009-02-13 til 2009-03-13   )))))))))))))))))))))))))))))))))
.

2009-03-13 17:09 . 2009-03-13 17:09    d--------    c:\programfiler\Malwarebytes' Anti-Malware
2009-03-13 17:09 . 2009-03-13 17:09    d--------    c:\documents and settings\silje\Programdata\Malwarebytes
2009-03-13 17:09 . 2009-03-13 17:09    d--------    c:\documents and settings\All Users\Programdata\Malwarebytes
2009-03-13 17:09 . 2009-02-11 10:19    38,496    --a------    c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 17:09 . 2009-02-11 10:19    15,504    --a------    c:\windows\system32\drivers\mbam.sys
2009-03-13 16:46 . 2009-03-13 16:46    d--h-----    c:\documents and settings\All Users\Programdata\CanonBJ
2009-03-13 16:45 . 2009-03-13 16:45    d--h-----    c:\windows\system32\CanonIJ Uninstaller Information
2009-03-13 16:45 . 2009-03-13 16:45    d--h-----    c:\programfiler\CanonBJ
2009-03-13 16:44 . 2009-03-13 16:44    d--------    c:\programfiler\Freecorder Toolbar
2009-03-13 16:38 . 2009-03-13 16:42    d--------    c:\documents and settings\Administrator.SMR\Programdata
2009-03-13 16:38 . 2009-03-13 16:42    d--------    c:\documents and settings\Administrator.SMR\Maler
2009-03-13 16:38 . 2009-03-13 16:42    d--------    c:\documents and settings\Administrator.SMR\Lokale innstillinger
2009-03-13 16:38 . 2009-03-13 16:42    d---s----    c:\documents and settings\Administrator.SMR
2009-03-08 14:14 . 2009-03-13 16:44    d--------    c:\documents and settings\Administrator\Programdata
2009-03-08 14:14 . 2009-03-13 16:44    d--------    c:\documents and settings\Administrator\Maler
2009-03-08 14:14 . 2009-03-13 19:46    d--------    c:\documents and settings\Administrator\Lokale innstillinger
2009-02-19 12:03 . 2008-06-13 13:45    579,464    --a------    c:\windows\system32\SymNeti.dll
2009-02-19 12:03 . 2008-06-13 13:45    207,240    --a------    c:\windows\system32\SymRedir.dll
2009-02-19 11:31 . 2008-06-13 13:13    184,240    --a------    c:\windows\system32\drivers\symtdi.sys
2009-02-19 11:31 . 2008-06-13 13:13    96,432    --a------    c:\windows\system32\drivers\symfw.sys
2009-02-19 11:31 . 2008-06-13 13:13    41,008    --a------    c:\windows\system32\drivers\symndisv.sys
2009-02-19 11:31 . 2008-06-13 13:13    38,576    --a------    c:\windows\system32\drivers\symids.sys
2009-02-19 11:31 . 2008-06-13 13:13    37,424    --a------    c:\windows\system32\drivers\symndis.sys
2009-02-19 11:31 . 2008-06-13 13:13    22,320    --a------    c:\windows\system32\drivers\symredrv.sys
2009-02-19 11:31 . 2008-06-13 13:13    13,616    --a------    c:\windows\system32\drivers\symdns.sys
2009-02-19 11:31 . 2008-06-13 13:14    13,093    --a------    c:\windows\system32\drivers\SymRedir.cat
2009-02-19 11:31 . 2008-06-13 13:14    1,611    --a------    c:\windows\system32\drivers\SymRedir.inf
2009-02-15 11:20 . 2009-02-15 11:20    d--------    C:\Josefine
2009-02-15 10:42 . 2009-02-15 10:42    d--------    c:\programfiler\Vision Park
2009-02-14 18:56 . 2009-02-14 18:56    d--------    c:\windows\system32\Adobe
2009-02-14 10:39 . 2009-03-13 16:45    d--------    c:\windows\system32\QuickTime
2009-02-14 10:39 . 2009-03-13 16:45    d--------    c:\programfiler\QuickTime(2)
2009-02-14 10:38 . 2009-02-14 10:38    d--------    c:\documents and settings\All Users\Programdata\QuickTime
2009-02-14 10:36 . 2009-02-14 18:25    d--------    c:\programfiler\PAN Vision

.
((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 18:46    ---------    d-----w    c:\programfiler\Fellesfiler\Symantec Shared
2009-03-13 16:14    ---------    d-----w    c:\documents and settings\All Users\Programdata\Symantec
2009-03-13 15:54    ---------    d-----w    c:\documents and settings\All Users\Programdata\Microsoft Help
2009-03-13 15:45    ---------    d--h--w    c:\programfiler\InstallShield Installation Information
2009-03-13 15:45    ---------    d-----w    c:\programfiler\Windows Desktop Search
2009-03-13 15:45    ---------    d-----w    c:\programfiler\Freecorder
2009-03-13 15:45    ---------    d-----w    c:\programfiler\CanonBJ(2)
2009-03-13 15:45    ---------    d-----w    c:\programfiler\Canon
2009-03-13 15:45    ---------    d-----w    c:\documents and settings\All Users\Programdata\CanonBJ(2)
2009-03-11 17:06    110,592    ----a-w    c:\windows\DUMP77df.tmp
2009-03-11 17:04    110,592    ----a-w    c:\windows\DUMP76d5.tmp
2009-03-11 17:02    110,592    ----a-w    c:\windows\DUMP7a50.tmp
2009-03-11 17:00    110,592    ----a-w    c:\windows\DUMP76f5.tmp
2009-03-11 16:58    110,592    ----a-w    c:\windows\DUMP79a4.tmp
2009-03-11 16:56    110,592    ----a-w    c:\windows\DUMP7937.tmp
2009-03-11 16:54    110,592    ----a-w    c:\windows\DUMP7956.tmp
2009-03-11 16:52    110,592    ----a-w    c:\windows\DUMP7e09.tmp
2009-03-11 16:50    110,592    ----a-w    c:\windows\DUMP7a31.tmp
2009-03-11 16:48    110,592    ----a-w    c:\windows\DUMP7649.tmp
2009-03-11 16:46    110,592    ----a-w    c:\windows\DUMP76b6.tmp
2009-03-11 16:44    110,592    ----a-w    c:\windows\DUMP7966.tmp
2009-03-11 16:42    110,592    ----a-w    c:\windows\DUMP7cf0.tmp
2009-03-08 13:33    110,592    ----a-w    c:\windows\DUMP8194.tmp
2009-03-08 13:31    110,592    ----a-w    c:\windows\DUMP7fce.tmp
2009-02-22 18:21    110,592    ----a-w    c:\windows\DUMP7fb4.tmp
2009-02-22 18:18    110,592    ----a-w    c:\windows\DUMP7ea8.tmp
2009-02-22 18:16    110,592    ----a-w    c:\windows\DUMP802d.tmp
2009-02-22 18:14    110,592    ----a-w    c:\windows\DUMP7fa0.tmp
2009-02-22 18:12    110,592    ----a-w    c:\windows\DUMP806e.tmp
2009-02-22 18:10    110,592    ----a-w    c:\windows\DUMP7e6a.tmp
2009-02-22 18:08    110,592    ----a-w    c:\windows\DUMP7ee6.tmp
2009-02-22 18:06    110,592    ----a-w    c:\windows\DUMP808b.tmp
2009-02-22 18:04    110,592    ----a-w    c:\windows\DUMP7f91.tmp
2009-02-22 18:02    110,592    ----a-w    c:\windows\DUMP808a.tmp
2009-02-22 18:00    110,592    ----a-w    c:\windows\DUMP8108.tmp
2009-02-22 17:58    110,592    ----a-w    c:\windows\DUMP7eb6.tmp
2009-02-22 17:56    110,592    ----a-w    c:\windows\DUMP7fb3.tmp
2009-02-22 17:54    110,592    ----a-w    c:\windows\DUMP80c9.tmp
2009-02-22 17:51    110,592    ----a-w    c:\windows\DUMP7fb2.tmp
2009-02-22 17:49    110,592    ----a-w    c:\windows\DUMP7ef5.tmp
2009-02-22 17:47    110,592    ----a-w    c:\windows\DUMP8193.tmp
2009-02-22 17:45    110,592    ----a-w    c:\windows\DUMP7f9f.tmp
2009-02-22 17:43    110,592    ----a-w    c:\windows\DUMP80c8.tmp
2009-02-22 17:41    110,592    ----a-w    c:\windows\DUMP7fb1.tmp
2009-02-22 17:39    110,592    ----a-w    c:\windows\DUMP8155.tmp
2009-02-22 17:37    110,592    ----a-w    c:\windows\DUMP7f64.tmp
2009-02-22 17:35    110,592    ----a-w    c:\windows\DUMP8137.tmp
2009-02-22 17:33    110,592    ----a-w    c:\windows\DUMP7e96.tmp
2009-02-22 17:31    110,592    ----a-w    c:\windows\DUMP7fee.tmp
2009-02-22 17:29    110,592    ----a-w    c:\windows\DUMP804c.tmp
2009-02-22 17:27    110,592    ----a-w    c:\windows\DUMP7eb5.tmp
2009-02-22 17:24    110,592    ----a-w    c:\windows\DUMP803d.tmp
2009-02-22 17:22    110,592    ----a-w    c:\windows\DUMP807a.tmp
2009-02-22 17:20    110,592    ----a-w    c:\windows\DUMP7e19.tmp
2009-02-22 17:18    110,592    ----a-w    c:\windows\DUMP81e3.tmp
2009-02-22 17:16    110,592    ----a-w    c:\windows\DUMP831a.tmp
2009-02-22 17:14    110,592    ----a-w    c:\windows\DUMP7ea7.tmp
2009-02-22 17:12    110,592    ----a-w    c:\windows\DUMP8107.tmp
2009-02-22 17:10    110,592    ----a-w    c:\windows\DUMP7e69.tmp
2009-02-22 17:08    110,592    ----a-w    c:\windows\DUMP78d9.tmp
2009-02-22 17:06    110,592    ----a-w    c:\windows\DUMP7ea6.tmp
2009-02-22 17:04    110,592    ----a-w    c:\windows\DUMP8117.tmp
2009-02-22 17:02    110,592    ----a-w    c:\windows\DUMP7f63.tmp
2009-02-22 17:00    110,592    ----a-w    c:\windows\DUMP8387.tmp
2009-02-22 16:57    110,592    ----a-w    c:\windows\DUMP7f33.tmp
2009-02-22 16:55    110,592    ----a-w    c:\windows\DUMP81d2.tmp
2009-02-22 16:53    110,592    ----a-w    c:\windows\DUMP7f71.tmp
2009-02-22 16:51    110,592    ----a-w    c:\windows\DUMP7e57.tmp
2009-02-22 16:47    110,592    ----a-w    c:\windows\DUMP800d.tmp
2009-02-22 16:46    110,592    ----a-w    c:\windows\DUMP804b.tmp
2009-02-22 16:44    110,592    ----a-w    c:\windows\DUMP7e49.tmp
2009-02-22 16:42    110,592    ----a-w    c:\windows\DUMP801d.tmp
2009-02-22 16:40    110,592    ----a-w    c:\windows\DUMP805d.tmp
2009-02-22 16:38    110,592    ----a-w    c:\windows\DUMP806d.tmp
2009-02-22 16:35    110,592    ----a-w    c:\windows\DUMP801c.tmp
2009-02-22 16:33    110,592    ----a-w    c:\windows\DUMP7fff.tmp
2009-02-22 16:31    110,592    ----a-w    c:\windows\DUMP7f32.tmp
2009-02-22 16:29    110,592    ----a-w    c:\windows\DUMP7ee5.tmp
2009-02-22 16:27    110,592    ----a-w    c:\windows\DUMP7f90.tmp
2009-02-22 16:25    110,592    ----a-w    c:\windows\DUMP7e38.tmp
2009-02-22 16:23    110,592    ----a-w    c:\windows\DUMP7e68.tmp
2009-02-22 16:21    110,592    ----a-w    c:\windows\DUMP7f05.tmp
2009-02-22 16:19    110,592    ----a-w    c:\windows\DUMP806c.tmp
2009-02-22 16:17    110,592    ----a-w    c:\windows\DUMP8126.tmp
2009-02-22 16:15    110,592    ----a-w    c:\windows\DUMP7ffe.tmp
2009-02-22 16:13    110,592    ----a-w    c:\windows\DUMP7f22.tmp
2009-02-22 16:11    110,592    ----a-w    c:\windows\DUMP7fb0.tmp
2009-02-22 16:08    110,592    ----a-w    c:\windows\DUMP81e2.tmp
2009-02-22 16:06    110,592    ----a-w    c:\windows\DUMP805c.tmp
2009-02-22 16:04    110,592    ----a-w    c:\windows\DUMP7f04.tmp
2009-02-22 16:02    110,592    ----a-w    c:\windows\DUMP7e48.tmp
2009-02-22 16:00    110,592    ----a-w    c:\windows\DUMP80aa.tmp
2009-02-22 15:58    110,592    ----a-w    c:\windows\DUMP802c.tmp
2009-02-22 15:56    110,592    ----a-w    c:\windows\DUMP805b.tmp
2009-02-22 15:54    110,592    ----a-w    c:\windows\DUMP8184.tmp
2009-02-22 15:52    110,592    ----a-w    c:\windows\DUMP803c.tmp
2009-02-22 15:50    110,592    ----a-w    c:\windows\DUMP7ba8.tmp
2009-02-22 15:48    110,592    ----a-w    c:\windows\DUMP7faf.tmp
2009-02-22 15:46    110,592    ----a-w    c:\windows\DUMP80a9.tmp
2009-02-22 15:44    110,592    ----a-w    c:\windows\DUMP7f53.tmp
.

((((((((((((((((((((((((((((((((   Oppstartspunkter I Registeret   )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\programfiler\Freecorder\tbFre0.dll" [2008-07-04 1569304]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2008-07-04 09:13    1569304    --a------    c:\programfiler\Freecorder\tbFre0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\programfiler\Freecorder\tbFre0.dll" [2008-07-04 1569304]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\programfiler\Freecorder\tbFre0.dll" [2008-07-04 1569304]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programfiler\Fellesfiler\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"SoftAuto.exe"="c:\programfiler\Creative\Software Update 3\SoftAuto.exe" [2008-05-28 401408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\programfiler\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"GrooveMonitor"="c:\programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"StartCCC"="c:\programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Adobe Reader Speed Launcher"="c:\programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\programfiler\Fellesfiler\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="c:\programfiler\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"CanonSolutionMenu"="c:\programfiler\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
"CanonMyPrinter"="c:\programfiler\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programfiler\\uTorrent\\uTorrent.exe"=

R1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [2007-05-24 22968]
R2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [2007-07-05 20424]
R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [2007-07-05 161352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\programfiler\Fellesfiler\Symantec Shared\CCSVCHST.EXE [2007-08-25 149352]
R2 RadeSvc;Citrix Streaming Service;c:\programfiler\Citrix\Streaming Client\RadeSvc.exe [2007-07-05 237568]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programfiler\Fellesfiler\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-09 101936]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-05-29 23888]
S3 CTUPnPSv;Creative Centrale Media Server;c:\programfiler\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]

--- Andre tjenester/drivere lastet i minnet ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ae33967-8e29-11dd-861f-00112fbaf361}]
\Shell\AutoRun\command - N:\LaunchU3.exe -a
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2009-03-09 c:\windows\Tasks\Norton Internet Security Online - Kjør full systemskanning - silje.job
- c:\programfiler\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 02:19]
.
- - - - TOMME PEKERE FJERNET - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

.
------- Tilleggsskanning -------
.
uStart Page = hxxp://online.no/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 19:48:34
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Andre Kjørende Prosesser ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\programfiler\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\programfiler\Fellesfiler\Citrix\System32\CdfSvc.exe
c:\programfiler\Creative\Shared Files\CTDevSrv.exe
c:\programfiler\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\programfiler\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\programfiler\Fellesfiler\Nero\Lib\NMIndexingService.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2009-03-13 19:51:12 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2009-03-13 18:51:09

Pre-Run: 104 250 400 768 byte ledig
Post-Run: 105,240,756,224 byte ledig

WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

273    --- E O F --- 2009-03-13 15:55:58