ComboFix 09-04-28.02 - Umaad 29.04.2009 0:55.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.47.1044.18.958.341 [GMT 2:00]
Running from: c:\users\Umaad\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
AV: Norman Security Suite ver. 7.00 *On-access scanning enabled* (Updated)
FW: Personlig brannmur *enabled*
 * Created a new restore point
.
ADS - system32: deleted 12 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_RelevantKnowledge

((((((((((((((((((((((((((( Files Created From 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))))
.
2009-04-28 22:28 . 2009-04-28 22:28 -------- d-----w c:\users\Umaad\AppData\Roaming\Malwarebytes
2009-04-28 22:28 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-28 22:28 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 22:28 . 2009-04-28 22:28 -------- d-----w c:\programdata\Malwarebytes
2009-04-28 22:28 . 2009-04-28 22:28 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-28 22:28 . 2009-04-28 22:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-28 21:40 . 2009-04-28 22:11 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-28 21:40 . 2009-04-28 21:40 -------- d-----w c:\programdata\Avira
2009-04-28 21:40 . 2009-04-28 21:40 -------- d-----w c:\users\All Users\Avira
2009-04-28 21:40 . 2009-04-28 21:40 -------- d-----w c:\program files\Avira
2009-04-21 17:19 . 2008-10-21 23:31 2048 ----a-w c:\windows\system32\tzres.dll
2009-04-21 11:02 . 2008-04-19 08:13 268800 ----a-w c:\windows\system32\es.dll
2009-04-21 11:02 . 2008-10-21 05:16 1645568 ----a-w c:\windows\system32\connect.dll
2009-04-21 11:02 . 2008-06-26 03:22 303616 ----a-w c:\windows\system32\wmpeffects.dll
2009-04-21 11:02 . 2008-06-26 00:33 12240896 ----a-w c:\windows\system32\NlsLexicons0007.dll
2009-04-21 11:02 . 2008-06-26 00:33 2644480 ----a-w c:\windows\system32\NlsLexicons0009.dll
2009-04-21 11:00 . 2008-06-26 00:34 4164096 ----a-w c:\windows\system32\NlsLexicons0002.dll
2009-04-21 10:59 . 2008-04-26 08:02 1327104 ----a-w c:\windows\system32\quartz.dll
2009-04-21 10:58 . 2009-02-09 01:59 2028032 ----a-w c:\windows\system32\win32k.sys
2009-04-17 17:51 . 2008-03-21 22:41 503864 ----a-w c:\windows\system32\drivers\Wdf01000.sys
2009-04-17 17:51 . 2008-03-21 22:41 35896 ----a-w c:\windows\system32\drivers\WdfLdr.sys
2009-04-17 17:42 . 2009-04-17 17:42 1107296 ----a-w c:\windows\system32\WdfCoInstaller01007.dll
2009-04-17 17:42 . 2009-04-17 17:42 24616 ----a-w c:\windows\system32\drivers\ggsemc.sys
2009-04-17 17:42 . 2009-04-17 17:42 13224 ----a-w c:\windows\system32\drivers\ggflt.sys
2009-04-17 17:42 . 2009-04-17 17:42 -------- d-----w c:\program files\Sony Ericsson
2009-04-02 13:43 . 2009-04-02 13:43 -------- d-----w c:\program files\Red Kawa
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 23:09 . 2008-02-25 21:16 83635 ----a-w c:\users\Umaad\AppData\Roaming\nvModes.dat
2009-04-28 23:07 . 2006-11-21 05:16 79408 ----a-w c:\windows\system32\perfc014.dat
2009-04-28 23:07 . 2006-11-21 05:16 476858 ----a-w c:\windows\system32\perfh014.dat
2009-04-21 17:42 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2009-04-21 17:39 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-21 17:38 . 2006-11-02 10:25 665600 ----a-w c:\windows\inf\drvindex.dat
2009-04-21 17:38 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-21 17:38 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-21 17:38 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-04-17 17:51 . 2009-04-17 17:51 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2009-04-17 17:51 . 2009-04-17 17:51 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-17 17:39 . 2007-05-27 07:16 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-02 13:43 . 2009-03-12 21:45 -------- d-----w c:\program files\Common Files\Common Share
2009-03-17 03:16 . 2009-04-21 11:00 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:16 . 2009-04-21 11:00 14848 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:16 . 2009-04-21 11:00 25600 ----a-w c:\windows\system32\amxread.dll
2009-03-12 22:39 . 2009-03-12 21:45 -------- d-----w c:\program files\OJOsoft
2009-03-03 04:24 . 2009-04-21 11:00 3503584 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:24 . 2009-04-21 11:00 3469280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:20 . 2009-04-21 10:58 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:19 . 2009-04-21 11:00 158720 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:19 . 2009-04-21 11:00 549888 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:19 . 2009-04-21 11:00 24576 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:16 . 2009-04-21 10:58 56320 ----a-w c:\windows\system32\iesetup.dll
2009-03-03 04:16 . 2009-04-21 11:00 97280 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:16 . 2009-04-21 11:00 53248 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:16 . 2009-04-21 11:00 37888 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:16 . 2009-04-21 10:58 52736 ----a-w c:\windows\AppPatch\iebrshim.dll
2009-03-03 04:16 . 2009-04-21 10:58 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:15 . 2009-04-21 10:58 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-03 02:40 . 2009-04-21 11:00 654336 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:08 . 2009-04-21 10:58 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-03 00:44 . 2009-04-21 10:58 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-02-13 07:26 . 2009-04-21 11:00 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 07:26 . 2009-04-21 11:00 1233408 ----a-w c:\windows\system32\lsasrv.dll
2009-02-13 07:26 . 2009-04-21 11:00 7680 ----a-w c:\windows\system32\lsass.exe
.
(((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-02-27 1232896]
"BitTorrent DNA"="c:\users\Umaad\Program Files\DNA\btdna.exe" [2008-12-19 342848]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-26 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-26 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-26 81920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-28 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-06 180224]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{480212CA-74D9-4659-8746-59EFF65EEA98}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{2117017E-5D58-4A0E-9400-190207C801FF}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{A12FA7CF-D22A-42F6-8F91-3A0E4148CFD7}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{642B65C9-3617-4318-B9EF-0D33C7769001}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D899E1CF-786F-4CF2-B5E4-FEFC241F0A91}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D2CC9CA3-3EE0-42A6-9C23-E2F32BE6BFD8}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{630C1D55-5FAA-4A27-A855-C87DA6CDEF35}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{7C07D242-84A3-49D0-9431-78775ADE6163}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{BDA6DD8B-A30F-4240-842D-5575E8618097}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{43978AFE-CD36-4937-B5E4-F5AF0F9269E0}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{A1A114E3-F78F-4227-9A14-08ADB68465F7}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{E0058FD4-4CA6-4B5D-AC63-E101C29373EC}c:\\users\\umaad\\program files\\dna\\btdna.exe"= UDP:c:\users\umaad\program files\dna\btdna.exe:btdna.exe
"UDP Query User{9980941F-B43E-4519-A33B-4AFEB71766E5}c:\\users\\umaad\\program files\\dna\\btdna.exe"= TCP:c:\users\umaad\program files\dna\btdna.exe:btdna.exe
"TCP Query User{F82EB5D2-B504-482A-AC1E-4ACCDBFDFD44}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{A19625D5-CA3C-41C3-972B-21917EF802CE}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"TCP Query User{B961827C-FB57-49D8-9343-4DA0E3F75BB1}c:\\users\\umaad\\program files\\dna\\btdna.exe"= UDP:c:\users\umaad\program files\dna\btdna.exe:btdna.exe
"UDP Query User{998C8B7C-B31B-4267-ADD1-FF68F7E44136}c:\\users\\umaad\\program files\\dna\\btdna.exe"= TCP:c:\users\umaad\program files\dna\btdna.exe:btdna.exe
"TCP Query User{9AB23A78-7A64-4F95-8D0A-CB27D1EA2ED6}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{C6B52C1C-C6E8-42AD-81B3-35D73495078D}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{14657C32-F86D-4BB9-8407-7AC0BDFF673B}"= UDP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{557545EC-5B03-4C55-A47B-A6B5766E390B}"= TCP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"TCP Query User{83C010A5-E648-4F72-903A-AD4566960F33}c:\\program files\\sony ericsson\\update service\\update service.exe"= UDP:c:\program files\sony ericsson\update service\update service.exe:Update Service
"UDP Query User{1E8B1AB8-26FA-47E2-8254-64213ECEAAE4}c:\\program files\\sony ericsson\\update service\\update service.exe"= TCP:c:\program files\sony ericsson\update service\update service.exe:Update Service
"{28BB0656-72D1-4AB2-AF25-28518C7E4877}"= UDP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{814FF2A3-FAF5-484F-A8B4-AD17D03EC5D4}"= TCP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-04-17 13224]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-28 108289]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
HKLM-Run-NPCTray - c:\program files\Norman\npc\bin\npc_tray.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.no/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NB_NO&c=73&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyOverride = *.local
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 01:09
Windows 6.0.6000 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-144406609-1343098639-68337825-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0D9B5E3F-EAC8-9B5A-AEF6-702726EC9D20}*]
@Allowed: (Read) (RestrictedCode)
"iaaeelkopafdibjkdf"=hex:6b,61,6d,67,67,65,6f,64,61,63,69,63,68,62,64,65,63,62,64,64,61,64,00,00
"hakfcmhnoakobahk"=hex:6b,61,6d,67,67,65,6f,64,61,63,69,63,68,62,64,65,63,62,64,64,61,64,00,00

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\conime.exe
c:\windows\System32\rundll32.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-28 1:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 23:12

Pre-Run: 28 801 445 888 bytes free
Post-Run: 28 618 072 064 bytes free

243 --- E O F --- 2009-04-21 17:28
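Three things in the log above are worth checking mechanically rather than by eye: the Security Center keys that set DisableMonitoring=dword:00000001 (here for SymantecAntiVirus and SymantecFirewall, although the only AV products the log reports are AntiVir and Norman and no Symantec component appears in the run keys or process list), the two hex: values with random-looking names under the locked Shell Extensions\Approved key, and the Windows Firewall rules that still reference RelevantKnowledge's rlvknlg.exe after ComboFix removed Service_RelevantKnowledge. The script below is an added example written for this page, not ComboFix's code and not the poster's; SAMPLE_LOG is a subset of lines copied from the log above, and the "random-looking name" regex is my own heuristic for flagging a value for manual review, not a verdict on it.

```python
"""Triage helpers for a ComboFix log (added example, not ComboFix's own code).

Three checks a reviewer otherwise does by eye on a log like the one above:
  1. Security Center monitoring switched off (DisableMonitoring=dword:00000001).
  2. Locked registry keys carrying REG_BINARY "hex:" values, decoded to text.
  3. Programs still referenced by Windows Firewall rules.
SAMPLE_LOG is copied from the log on this page; the "random-looking name"
regex is a heuristic that flags a value for manual review, not a verdict.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{480212CA-74D9-4659-8746-59EFF65EEA98}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{14657C32-F86D-4BB9-8407-7AC0BDFF673B}"= UDP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{557545EC-5B03-4C55-A47B-A6B5766E390B}"= TCP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
[HKEY_USERS\S-1-5-21-144406609-1343098639-68337825-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0D9B5E3F-EAC8-9B5A-AEF6-702726EC9D20}*]
@Allowed: (Read) (RestrictedCode)
"iaaeelkopafdibjkdf"=hex:6b,61,6d,67,67,65,6f,64,61,63,69,63,68,62,64,65,63,62,64,64,61,64,00,00
"hakfcmhnoakobahk"=hex:6b,61,6d,67,67,65,6f,64,61,63,69,63,68,62,64,65,63,62,64,64,61,64,00,00
[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
"BlindDial"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\Sub\Key]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')     # "name"=data (regedit syntax)
RANDOM_NAME_RE = re.compile(r"^[a-z]{12,}$")   # heuristic: long, all-lowercase, no separators

RegDump = Dict[str, List[Tuple[str, str]]]


def parse_registry_dump(text: str) -> RegDump:
    """Group "name"=data lines under the [key] line that precedes them."""
    keys: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2).strip()))
    return keys


def decode_reg_hex(data: str) -> bytes:
    """Turn regedit's 'hex:6b,61,...' (REG_BINARY) notation into bytes."""
    if not data.lower().startswith("hex:"):
        raise ValueError("not a hex: value")
    return bytes(int(b, 16) for b in data[4:].replace(" ", "").split(",") if b)


def find_disabled_monitoring(keys: RegDump) -> List[str]:
    """Keys under Security Center\\Monitoring where monitoring is turned off."""
    return [
        key for key, values in keys.items()
        if "security center\\monitoring" in key.lower()
        and any(n.lower() == "disablemonitoring" and d.lower() == "dword:00000001"
                for n, d in values)
    ]


def find_hex_values(keys: RegDump) -> List[dict]:
    """Decode every hex: value and mark names that look machine-generated."""
    found = []
    for key, values in keys.items():
        for name, data in values:
            if data.lower().startswith("hex:"):
                text = decode_reg_hex(data).rstrip(b"\x00").decode("ascii", "replace")
                found.append({"key": key, "name": name, "decoded": text,
                              "random_looking": bool(RANDOM_NAME_RE.match(name))})
    return found


def firewall_programs(keys: RegDump) -> List[str]:
    """Program paths named in FirewallRules values, in the form seen in this log:
    optional 'TCP:'/'UDP:' prefix, then the path, then ':' and a display label."""
    programs = set()
    for key, values in keys.items():
        if "firewallpolicy" not in key.lower():
            continue
        for _, data in values:
            entry = data[4:] if data[:4].upper() in ("TCP:", "UDP:") else data
            programs.add(entry.rsplit(":", 1)[0].lower())
    return sorted(programs)


def triage(text: str) -> dict:
    """Run all three checks over one log and return the findings."""
    keys = parse_registry_dump(text)
    return {
        "monitoring_disabled": find_disabled_monitoring(keys),
        "hex_values": find_hex_values(keys),
        "firewall_programs": firewall_programs(keys),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run against the sample, both hex: values decode to the same 22-byte ASCII string, kamggeodacichbdecbddad, followed by two NUL bytes, and both value names match the random-name heuristic; that is the kind of entry to ask the poster about rather than dismiss. The firewall check lists rlvknlg.exe because the rules survive the service deletion; removing the stale rules is a follow-up step, not something ComboFix did here. The parser only understands the "name"=data form, so the DFSR-1 RestrictedServices line, which uses a pipe-delimited format, would need its own handling.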