ComboFix 10-07-22.01 - LTran 23.07.2010 11:37:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.47.1044.18.1014.439 [GMT 2:00]
Kjører fra: c:\documents and settings\ltran\Skrivebord\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
 * Opprettet nytt gjenopprettingspunkt
.
((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\ltran\Lokale innstillinger\Programdata\Windows Server
c:\documents and settings\ltran\Lokale innstillinger\Programdata\Windows Server\flags.ini
c:\documents and settings\ltran\Lokale innstillinger\Programdata\Windows Server\uses32.dat
c:\windows\xpsp1hfm.log

----- BITS: Mulige infiserte sider -----

hxxp://siosysop

c:\windows\system32\kernel32.dll . . . er infisert!!
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2010-06-23 til 2010-07-23 )))))))))))))))))))))))))))))))))
.
2010-07-23 08:19 . 2010-07-23 08:19 -------- d-----w- c:\documents and settings\ltran\Programdata\Malwarebytes
2010-07-23 08:19 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-23 08:19 . 2010-07-23 08:19 -------- d-----w- c:\documents and settings\All Users\Programdata\Malwarebytes
2010-07-23 08:19 . 2010-07-23 08:19 -------- d-----w- c:\programfiler\Malwarebytes' Anti-Malware
2010-07-23 08:19 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 06:05 . 2007-05-30 17:33 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-06-06 12:43 . 2008-07-25 14:57 58640 ----a-w- c:\documents and settings\ltran\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2010-06-06 12:43 . 2010-06-06 12:42 -------- d-----w- c:\programfiler\Songr
2010-05-22 07:25 . 2010-05-22 07:25 503808 ----a-w- c:\documents and settings\ltran\Programdata\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5899a5b9-n\msvcp71.dll
2010-05-22 07:25 . 2010-05-22 07:25 499712 ----a-w- c:\documents and settings\ltran\Programdata\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5899a5b9-n\jmc.dll
2010-05-22 07:25 . 2010-05-22 07:25 348160 ----a-w- c:\documents and settings\ltran\Programdata\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5899a5b9-n\msvcr71.dll
2007-06-26 11:31 . 2007-06-26 11:31 318 ------w- c:\programfiler\Snarvei til Preload (C).lnk
2009-08-31 19:07 . 2009-03-29 08:36 23864 ------w- c:\programfiler\mozilla firefox\components\Scriptff.dll
2008-04-25 12:32 . 2008-04-25 12:32 5817064 ------w- c:\programfiler\mozilla firefox\plugins\ScorchPDFWrapper.dll
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 208896]
"SynTPLpr"="c:\programfiler\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\programfiler\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 237568]
"TPKMAPHELPER"="c:\programfiler\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 856064]
"TpShocks"="TpShocks.exe" [2006-03-15 106496]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"TP4EX"="tp4ex.exe" [2005-10-16 65536]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-04 110592]
"AMSG"="c:\progra~1\THINKV~2\AMSG\amsg.exe" [2005-11-14 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AwaySch"="c:\programfiler\Lenovo\AwayTask\AwaySch.EXE" [2006-08-16 69632]
"TVT Scheduler Proxy"="c:\programfiler\Fellesfiler\Lenovo\Scheduler\scheduler_proxy.exe" [2006-07-14 503808]
"DiskeeperSystray"="c:\programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"ACWLIcon"="c:\programfiler\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-02-19 110592]
"cssauth"="c:\programfiler\Lenovo\Client Security Solution\cssauth.exe" [2006-07-14 2341632]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
"USBKeypadMs"="c:\progra~1\USBKEY~1\USBKPad.EXE" [2004-02-23 65536]
"USBKeypad USBKPDrv"="c:\progra~1\USBKEY~1\KPDRV4XP.EXE" [2001-10-25 32768]
"SSBkgdUpdate"="c:\programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\programfiler\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-31 57393]
"IndexSearch"="c:\programfiler\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-31 40960]
"ControlCenter2.0"="c:\programfiler\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 864256]
"Adobe Reader Speed Launcher"="c:\programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SoundMAXPnP"="c:\programfiler\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"ShStatEXE"="c:\programfiler\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-08-31 124240]
"QuickTime Task"="c:\programfiler\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\programfiler\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"McAfeeUpdaterUI"="c:\programfiler\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
BTTray.lnk - c:\programfiler\ThinkPad\Bluetooth Software\BTTray.exe [2006-5-31 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-5-30 24576]
VPN Client.lnk - c:\windows\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2009-2-8 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\programfiler\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-25 17:20 40448 ------w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\Danware Data\\NetOp Remote Control\\HOST\\Nhstw32.exe"=
"c:\\Programfiler\\Bonjour\\mDNSResponder.exe"=
"c:\\Programfiler\\iTunes\\iTunes.exe"=
"c:\\Programfiler\\McAfee\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R1 NHostNT1;NetOp Driver 1 ver. 8.00 (2005048);c:\windows\system32\drivers\NHOSTNT1.SYS [19.05.2008 10:26 65808]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\programfiler\McAfee\SiteAdvisor Enterprise\McSACore.exe [06.08.2009 17:53 222528]
R2 McAfeeEngineService;McAfee Engine Service;c:\programfiler\McAfee\VirusScan Enterprise\EngineServer.exe [31.08.2009 21:07 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [29.03.2009 10:36 70728]
R2 NetOp Host for NT Service;NetOp Helper ver. 8.00 (2005048);c:\programfiler\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE [19.05.2008 10:26 1184016]
R2 smi2;smi2;c:\programfiler\SMI2\smi2.sys [14.07.2006 15:55 3968]
R2 smihlp;SMI helper driver;c:\programfiler\ThinkVantage Fingerprint Software\smihlp.sys [25.04.2006 19:00 3456]
R2 USBKBFlt;Dritek USB Keypad Filter;c:\windows\system32\drivers\USBKBFLT.SYS [22.08.2001 08:58 31632]
R3 NHOSTNT3;NetOp Driver 3 ver. 8.00 (2005048) (NHOSTNT3);c:\windows\system32\drivers\NHOSTNT3.SYS [19.05.2008 10:26 3216]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [04.09.2008 21:53 33920]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [03.09.2008 20:50 10752]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [29.03.2009 10:36 65448]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25.02.2006 15:00 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2010-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programfiler\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-06-06 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]

2010-07-23 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]

2010-07-23 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-05-30 16:13]
.
.
------- Tilleggsskanning -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {0CDC8A43-059E-47CD-A3D0-FA46E01F6496} - hxxp://tellus.lawson.com/Tellus/Misc/TellusExportAx.CAB
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://vpn.sio.no/vdesk/terminal/f5opswati.cab#Version=6500,2009,1118,1405
DPF: {1C7CF466-F149-478F-B232-BC6F72638D28} - hxxp://tellus.lawson.com/Tellus/Misc/TellusList.CAB
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - hxxps://vpn.sio.no/vdesk/terminal/f5opswati.cab#Version=6500,2009,1118,1405
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - hxxps://vpn.sio.no/vdesk/terminal/f5opswati.cab#Version=6500,2009,1118,1405
DPF: {B8C681FD-D629-4CCE-90CD-89493F1F2799} - hxxp://wp2.sio-net.no/mwp/ieui/IEMod.cab
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - hxxps://vpn.sio.no/vdesk/terminal/f5opswati.cab#Version=6500,2009,1118,1405
FF - ProfilePath - c:\documents and settings\ltran\Programdata\Mozilla\Firefox\Profiles\3g92zqwf.default\
FF - component: c:\programfiler\Mozilla Firefox\components\Scriptff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
.
- - - - TOMME PEKERE FJERNET - - - -

Notify-ACNotify - ACNotify.dll
Notify-NavLogon - (no file)
AddRemove-Install AccountMatch 9.8 - g:\akaoek\bankavstemming\setup\setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-23 11:49
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'winlogon.exe'(284)
c:\windows\system32\CSGina.dll
c:\windows\system32\vrlogon.dll
c:\programfiler\ThinkPad\ConnectUtilities\ACNotify.dll
c:\programfiler\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\programfiler\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\programfiler\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\programfiler\ThinkVantage Fingerprint Software\infra.dll
c:\programfiler\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\programfiler\ThinkVantage Fingerprint Software\homepass.dll
c:\programfiler\ThinkVantage Fingerprint Software\bio.dll
c:\programfiler\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\programfiler\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(340)
c:\windows\system32\psqlpwd.dll
c:\programfiler\ThinkVantage Fingerprint Software\infra.dll
c:\programfiler\ThinkVantage Fingerprint Software\homefus2.dll

- - - - - - - > 'explorer.exe'(5804)
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andre Kjørende Prosesser ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\programfiler\Intel\Wireless\Bin\EvtEng.exe
c:\programfiler\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\programfiler\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programfiler\Bonjour\mDNSResponder.exe
c:\programfiler\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\programfiler\Cisco Systems\VPN Client\cvpnd.exe
c:\programfiler\Diskeeper Corporation\Diskeeper\DkService.exe
c:\programfiler\McAfee\Common Framework\FrameworkService.exe
c:\programfiler\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programfiler\Intel\Wireless\Bin\RegSrvc.exe
c:\programfiler\McAfee\Common Framework\naPrdMgr.exe
c:\programfiler\lenovo\system update\suservice.exe
c:\programfiler\Fellesfiler\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\programfiler\Lenovo\Client Security Solution\tvttcsd.exe
c:\programfiler\Lenovo\Rescue and Recovery\rrservice.exe
c:\programfiler\Fellesfiler\Lenovo\Scheduler\tvtsched.exe
c:\programfiler\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\programfiler\McAfee\VirusScan Enterprise\Mcshield.exe
c:\programfiler\ThinkPad\ConnectUtilities\AcSvc.exe
c:\programfiler\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programfiler\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\programfiler\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\programfiler\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\programfiler\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\ICO.EXE
c:\windows\system32\igfxsrvc.exe
c:\progra~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
c:\programfiler\iPod\bin\iPodService.exe
c:\programfiler\McAfee\Common Framework\McTray.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2010-07-23 11:55:22 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2010-07-23 09:55

Pre-Run: 38 092 062 720 byte ledig
Post-Run: 38 627 147 776 byte ledig

WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 14BE4804A711402C6AEDB4CAFEF73360