ComboFix 10-04-21.01 - Håkon Mikalsen 26.04.2010 16:04:18.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.47.1044.18.447.231 [GMT 2:00]
Kjører fra: c:\documents and settings\Håkon Mikalsen\Mine dokumenter\Nedlastinger\ComboFix.exe
AV: Sikkerhetspakken 9.01 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Sikkerhetspakken 9.01 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
ADVARSEL -DENNE MASKINEN HAR IKKE GJENOPPRETTINGSKONSOLLEN INSTALLERT !!
.
(((((((((((((((((((((((((((((((((((((((   Andre slettinger   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-2356613267-57074699-2786546710-1003
c:\windows\aewrc.dat
c:\windows\cdjlh.dat
c:\windows\czbha.dat
c:\windows\frcay.dat
c:\windows\gxsej.dat
c:\windows\hkyyw.dat
c:\windows\lofdu.dat
c:\windows\nuxem.dat
c:\windows\system32\addzx32.dll
c:\windows\system32\apila32.dll
c:\windows\system32\appem32.dll
c:\windows\system32\appmn32.dll
c:\windows\system32\atliz32.dll
c:\windows\system32\aycjg.dat
c:\windows\system32\cdobl.dat
c:\windows\system32\d3hq32.dll
c:\windows\system32\d3im.dll
c:\windows\system32\dhggs.dat
c:\windows\system32\eqwdy.dll
c:\windows\system32\fihxb.dat
c:\windows\system32\hkbrk.dat
c:\windows\system32\hnbnn.dat
c:\windows\system32\hwblg.dat
c:\windows\system32\javakx.dll
c:\windows\system32\khppr.dat
c:\windows\system32\lkajj.dat
c:\windows\system32\lzjqv.dat
c:\windows\system32\mfceq.dll
c:\windows\system32\msrfp.dat
c:\windows\system32\npene.dat
c:\windows\system32\pavxw.dat
c:\windows\system32\rlkuc.dat
c:\windows\system32\rvgpn.dat
c:\windows\system32\sagfx.dll
c:\windows\system32\sqxti.dat
c:\windows\system32\sysjx.dll
c:\windows\system32\vmgmz.dat
c:\windows\system32\znzhx.dll
c:\windows\tljkz.dat
c:\windows\tmcbh.dat
c:\windows\tqopx.dat
c:\windows\tyiyb.dat
c:\windows\update.ini
c:\windows\uylpt.dat
c:\windows\vnmor.dat
c:\windows\wdvti.dat
c:\windows\wmhkl.dat
c:\windows\xzgut.dat
c:\windows\zwxfu.dat
.
(((((((((((((((((((((((((((   Filer Opprettet Fra 2010-03-26 til 2010-04-26   )))))))))))))))))))))))))))))))))
.
2010-04-26 13:10 . 2010-03-29 22:46	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-26 13:10 . 2010-04-26 13:10	--------	d-----w-	c:\documents and settings\All Users\Programdata\Malwarebytes
2010-04-26 13:10 . 2010-03-29 22:45	20824	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-04-26 13:10 . 2010-04-26 13:10	--------	d-----w-	c:\programfiler\Malwarebytes' Anti-Malware
2010-04-26 12:59 . 2010-04-26 13:08	--------	d---a-w-	c:\documents and settings\All Users\Programdata\TEMP
.
((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 13:57 . 2004-12-16 16:16	--------	d-----w-	c:\programfiler\Fellesfiler\Symantec Shared
2010-04-26 13:02 . 2009-10-09 17:46	--------	d-----w-	c:\programfiler\Voobly
2010-04-26 00:29 . 2009-12-25 21:55	--------	d-----w-	c:\programfiler\NortonInstaller
2010-04-26 00:29 . 2009-02-08 15:50	--------	d-----w-	c:\documents and settings\All Users\Programdata\Norton
2010-04-26 00:28 . 2004-12-16 16:15	--------	d-----w-	c:\documents and settings\All Users\Programdata\Symantec
2010-04-26 00:14 . 2005-07-01 19:18	--------	d-----w-	c:\documents and settings\All Users\Programdata\Spybot - Search & Destroy
2010-03-28 09:49 . 2004-09-07 23:41	83724	----a-w-	c:\windows\system32\perfc014.dat
2010-03-28 09:49 . 2004-09-07 23:41	452426	----a-w-	c:\windows\system32\perfh014.dat
2010-03-18 22:17 . 2005-07-01 19:18	--------	d-----w-	c:\programfiler\Spybot - Search & Destroy
2010-03-18 22:12 . 2010-03-18 22:12	--------	d-----w-	c:\programfiler\CCleaner
2010-03-17 16:05 . 2009-12-26 10:37	--------	d-----w-	c:\programfiler\Canal Digital Sikkerhetspakken
2010-03-10 06:17 . 2002-02-26 13:58	420352	----a-w-	c:\windows\system32\vbscript.dll
2010-03-04 22:38 . 2010-03-04 22:35	--------	d-----w-	c:\programfiler\Windows Live Safety Center
2010-02-25 06:20 . 2004-11-11 18:53	916480	----a-w-	c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-09-07 23:41	455680	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 21:39 . 2010-02-17 21:39	664	-c--a-w-	c:\windows\system32\d3d9caps.dat
2010-02-17 12:10 . 2004-09-07 23:41	2191744	----a-w-	c:\windows\system32\ntoskrnl.exe
2010-02-16 19:10 . 2002-09-09 14:07	2068608	----a-w-	c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-13 16:34	293376	------w-	c:\windows\system32\browserchoice.exe
2010-02-12 04:35 . 2004-09-07 23:40	100864	----a-w-	c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-09-07 23:41	226880	----a-w-	c:\windows\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((   Oppstartspunkter I Registeret   )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-08-02 4493312]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-08-02 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Symantec PIF AlertEng"="c:\programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SunJavaUpdateSched"="c:\programfiler\Java\jre6\bin\jusched.exe" [2009-09-13 149280]
"ANIWZCS2Service"="c:\programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2009-05-07 98304]
"D-Link D-Link Wireless N DWA-140"="c:\programfiler\D-Link\DWA-140 revB\AirNCFG.exe" [2009-05-07 1683456]
"F-Secure Manager"="c:\programfiler\Canal Digital Sikkerhetspakken\Common\FSM32.EXE" [2009-08-05 199264]
"F-Secure TNB"="c:\programfiler\Canal Digital Sikkerhetspakken\FSGUI\TNBUtil.exe" [2009-08-05 2349664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
Adobe Reader Speed Launch.lnk - c:\programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 14:18	241664	----a-w-	c:\programfiler\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-08-04 16:28	49152	-c--a-w-	c:\programfiler\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 09:30	413696	----a-w-	c:\programfiler\QuickTime\QTTask.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Civilization3GOYSetup.exe"=c:\docume~1\HKONMI~1\SKRIVE~1\CIVILI~1.EXE /r
"RollerCoasterTycoon2Setup.exe"=c:\downlo~1\ROLLER~1.EXE /r
"LineOfSightVietnamSetup.exe"=c:\downlo~1\LINEOF~1.EXE /r

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Håkon Mikalsen\\Programdata\\GameRanger\\GameRanger\\GameRanger.exe"=
"c:\\Programfiler\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\Håkon Mikalsen\\Skrivebord\\Age of Empires II\\age2_x1.exe"=
"c:\\Programfiler\\Mozilla Firefox\\firefox.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [26.12.2009 12:40 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [26.12.2009 12:39 80000]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\programfiler\Canal Digital Sikkerhetspakken\HIPS\drivers\fshs.sys [26.12.2009 12:38 68064]
R2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [23.11.2009 18:32 147456]
R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;c:\programfiler\Symantec\LiveUpdate\AluSchedulerSvc.exe [05.10.2006 18:14 554352]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\programfiler\Canal Digital Sikkerhetspakken\Anti-Virus\minifilter\fsgk.sys [26.12.2009 12:37 111296]
R3 FSORSPClient;F-Secure ORSP Client;c:\programfiler\Canal Digital Sikkerhetspakken\ORSP Client\fsorsp.exe [26.12.2009 12:38 55992]
S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [29.01.2009 15:42 84608]
S3 o1394bul;o1394bul;\??\c:\docume~1\HKONMI~1\LOKALE~1\Temp\o1394bul.sys --> c:\docume~1\HKONMI~1\LOKALE~1\Temp\o1394bul.sys [?]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [13.08.2008 12:48 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [13.08.2008 12:48 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [13.08.2008 12:48 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [13.08.2008 12:48 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [13.08.2008 12:48 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [13.08.2008 12:48 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [13.08.2008 12:48 110120]
S4 F-Secure Filter;F-Secure File System Filter;c:\programfiler\Canal Digital Sikkerhetspakken\Anti-Virus\win2k\fsfilter.sys [26.12.2009 12:37 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\programfiler\Canal Digital Sikkerhetspakken\Anti-Virus\win2k\fsrec.sys [26.12.2009 12:37 25184]
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2010-04-25 c:\windows\Tasks\Diskopprydding.job
- c:\windows\system32\cleanmgr.exe [2004-09-07 16:22]
.
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Connection Wizard,ShellNext = iexplore
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: c:\programfiler\Canal Digital Sikkerhetspakken\FSPS\program\FSLSP.DLL
Trusted Zone: buypass.no
Trusted Zone: headit.no
Trusted Zone: norsk-tipping.no
TCP: {044C9D6D-EBB9-4822-9A59-E10AC65F7338} = 103.67.15.198,193.213.112.4
TCP: {2C6EE8F5-E318-4326-96BD-1FC3EE950C1B} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Håkon Mikalsen\Programdata\Mozilla\Firefox\Profiles\ttz44hm0.Standardbruker\
FF - component: c:\programfiler\Canal Digital Sikkerhetspakken\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\programfiler\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\programfiler\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\programfiler\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programfiler\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programfiler\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programfiler\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - TOMME PEKERE FJERNET - - - -

HKLM-Run-Wizard - (no file)
MSConfigStartUp-Telenor Online Start - c:\programfiler\Telenor\Online Start\Telenor.exe
MSConfigStartUp-Telenorhjelpen - c:\programfiler\Telenor\Telenorhjelpen\Telenor.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 16:16
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...
skanner skjulte autostart-oppføringer ...
skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84AF88E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf743ecb8
\Driver\atapi -> 0x84af88e8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'lsass.exe'(804)
c:\programfiler\Canal Digital Sikkerhetspakken\FSPS\program\FSLSP.DLL
.
Tidspunkt ferdig: 2010-04-26 16:22:49
ComboFix-quarantined-files.txt 2010-04-26 14:22

Pre-Run: 129 816 358 912 byte ledig
Post-Run: 132 002 938 880 byte ledig

- - End Of File - - 9EFE6F41E339E0BFE8E4B92C830B6C77