ComboFix 10-08-21.06 - Bakken 22.08.2010 12:06:23.1.4 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.47.1044.18.3327.2392 [GMT 2:00]
Running from: c:\users\Bakken\Downloads\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\7Loader.TAG
.
((((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))))
.
2010-08-21 19:19 . 2010-08-21 19:19 63488 ----a-w- c:\users\Bakken\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-21 19:18 . 2010-08-21 19:18 52224 ----a-w- c:\users\Bakken\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-21 19:18 . 2010-08-21 19:18 117760 ----a-w- c:\users\Bakken\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-21 19:18 . 2010-08-21 19:18 -------- d-----w- c:\users\Bakken\AppData\Roaming\SUPERAntiSpyware.com
2010-08-21 19:18 . 2010-08-21 19:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-21 18:17 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-21 18:17 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-18 14:30 . 2010-08-21 01:26 -------- d-----w- c:\program files\QuickTime
2010-08-16 16:17 . 2010-08-16 16:17 -------- d-----w- C:\$AVG
2010-08-16 16:14 . 2010-08-16 16:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-16 16:14 . 2010-08-16 16:14 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-08-16 16:14 . 2010-08-16 16:14 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-08-16 16:14 . 2010-08-22 09:34 -------- d-----w- c:\windows\system32\drivers\Avg
2010-08-16 16:14 . 2010-08-16 16:14 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-08-13 04:19 . 2010-08-13 04:24 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2010-08-13 01:01 . 2010-08-13 01:01 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\WLDM
2010-08-13 01:00 . 2010-08-13 01:00 85392 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-13 01:00 . 2010-08-13 01:00 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Logitech
2010-08-10 21:23 . 2010-08-10 21:23 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-10 00:59 . 2010-08-10 00:59 21584 ----a-w- c:\windows\system32\drivers\ATAPI.SYS
2010-08-06 18:18 . 2010-08-06 18:18 47364 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-07-28 14:03 . 2010-07-28 14:03 -------- d-----w- c:\program files\iPod
2010-07-28 14:03 . 2010-08-21 18:18 -------- d-----w- c:\program files\iTunes
2010-07-28 14:01 . 2010-07-28 14:01 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 10:18 . 2010-03-20 14:36 -------- d-----w- c:\users\Bakken\AppData\Roaming\Skype
2010-08-22 10:16 . 2010-02-08 15:23 -------- d-----w- c:\programdata\NVIDIA
2010-08-22 09:33 . 2010-02-08 14:20 -------- d-----w- c:\users\Bakken\AppData\Roaming\Spotify
2010-08-22 09:25 . 2010-03-20 14:36 -------- d-----w- c:\users\Bakken\AppData\Roaming\skypePM
2010-08-21 18:17 . 2010-04-30 14:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-21 16:56 . 2010-08-21 01:30 112 ----a-w- c:\programdata\sNLaCY8f.dat
2010-08-21 15:00 . 2010-02-08 14:01 -------- d-----w- c:\program files\Microsoft LifeChat
2010-08-16 16:12 . 2010-02-08 14:05 -------- d-----w- c:\programdata\avg9
2010-08-11 22:27 . 2010-03-09 08:00 -------- d-----w- c:\users\Bakken\AppData\Roaming\vlc
2010-08-06 18:17 . 2010-02-07 14:40 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-08-02 00:52 . 2010-02-07 17:13 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-07-28 14:03 . 2010-03-17 23:41 -------- d-----w- c:\program files\Common Files\Apple
2010-07-15 01:01 . 2010-02-27 15:55 -------- d-----w- c:\programdata\Microsoft Help
2010-07-09 15:06 . 2010-07-09 15:06 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Apple Computer
2010-06-30 11:09 . 2010-06-30 11:08 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-30 11:04 . 2010-06-30 11:04 -------- d-----w- c:\program files\Bonjour
2010-06-03 19:48 . 2010-06-03 19:48 331776 ----a-w- c:\users\Bakken\AppData\Roaming\InstallShield Installation Information\{6530FDAA-5B1F-4830-95BB-650E9804D239}\setup.exe
2010-06-03 19:48 . 2010-06-03 19:48 2010726 ----a-w- c:\users\Bakken\AppData\Roaming\InstallShield Installation Information\{6530FDAA-5B1F-4830-95BB-650E9804D239}\ISSetup.dll
2010-05-27 07:24 . 2010-06-16 13:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-16 13:11 293888 ----a-w- c:\windows\system32\atmfd.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
[code]
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Logitech\GamePanel Software\LgDevAgt .exe
c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore .exe
c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon .exe
c:\program files\Microsoft LifeChat\LifeChat .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Windows Live\Device Manager\msgrdvmn .exe
[/code]
------- Sigcheck -------
[-] 2009-07-14 01:20 . E947B34A132BABEF8E6A450BF5991D7B . 710720 . . [------] . . c:\windows\System32\drivers\ndis.sys
.
(((((((((((((((((((((((((((((((( Registry Start-Up Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [N/A]
"Steam"="e:\spel og fanteri\Steam\Steam.exe" [2010-05-07 1238352]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [N/A]
"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [N/A]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-02-08 7711264]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [N/A]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [N/A]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [N/A]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

R1 MpKsla9d085c0;MpKsla9d085c0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{66185D08-F53F-453B-A17A-C90A6C221FB3}\MpKsla9d085c0.sys [x]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
R3 RzSynapse;Razer Naga Driver;c:\windows\system32\DRIVERS\RzSynapse.sys [2010-03-11 60032]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-27 1343400]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-08-16 216400]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-08-16 243024]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-08-16 308136]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-01-11 240232]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.startsiden.no/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = ;*.local
FF - ProfilePath - c:\users\Bakken\AppData\Roaming\Mozilla\Firefox\Profiles\fzfh2ocj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.startsiden.no/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\users\Bakken\AppData\Roaming\Mozilla\plugins\npoctoshape.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x866DDEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x859704e0
QueryNameProcedure -> 0x85970670
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4093747405-4025984700-1698411581-1000\Software\SecuROM\License information*]
"datasecu"=hex:4c,6f,e6,dc,e0,db,87,53,06,2c,ce,eb,44,03,c0,85,a8,b8,63,b3,21,
 25,5d,22,a6,6d,d9,83,37,32,10,91,6e,26,76,37,6b,dc,e0,f7,a6,ce,0a,35,5f,cd,\
"rkeysecu"=hex:69,57,e9,d4,1e,4d,09,ac,2b,a8,b3,bc,11,f4,12,12

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WUDFHost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\taskhost.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Windows Media Player\wmplayer.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Time completed: 2010-08-22 12:22:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-22 10:22

Pre-Run: 106 171 731 968 bytes free
Post-Run: 106 529 538 048 bytes free

- - End Of File - - 0929DED71AEC30EC5CD10B48BE5F5D26
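What a reviewer pulls out of a log like this before anything else, as an added example that is not part of the original post and not ComboFix's own code: a Python parser over a constructed excerpt (the excerpt lines are copied from the log above) that extracts the Run-key autostarts with their `[date size]` / `[N/A]` / `[X]` status, the UAC policy values, the `AppInit_DLLs` value, the IE `ProxyServer` line and the Gmer MBR lines, then lists what merits a second look. The rule set, the thresholds and every function name are this editor's own assumptions about what to flag, not ComboFix output or ComboFix semantics.

```python
"""Triage helper for a ComboFix log (added example, not part of ComboFix).

Walks the log once, collects the facts a reviewer checks first, and turns
them into findings. The excerpt below is copied from the log above; the
rules in triage() are the editor's own choices about what deserves a look.
"""
import re

# Constructed excerpt: lines copied verbatim from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-02-08 7711264]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

uStart Page = hxxp://www.startsiden.no/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = ;*.local

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x866DDEC5]<<
detected MBR rootkit hooks:
user & kernel MBR OK
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "name"="command" [status]   where status is "date size", "N/A" or "X"
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s+\[(?P<status>[^\]]+)\]$')
POLICY_RE = re.compile(r'^"(?P<name>\w+)"=\s*(?P<value>\d+)\s+\(0x[0-9a-fA-F]+\)$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")


def parse_log(text):
    """Collect autostarts, UAC policies, AppInit_DLLs, proxy and Gmer facts."""
    facts = {"run": [], "policies": {}, "appinit": "", "proxy": "",
             "mbr_hooks": False, "unknown_module": False}
    key = None  # registry key whose block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key and key.lower().endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                facts["run"].append({"hive": key, **m.groupdict()})
            continue
        if key and key.lower().endswith("\\policies\\system"):
            m = POLICY_RE.match(line)
            if m:
                facts["policies"][m.group("name")] = int(m.group("value"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            facts["appinit"] = m.group("value").strip()
            continue
        m = PROXY_RE.match(line)
        if m:
            facts["proxy"] = m.group("value").strip()
            continue
        if line.startswith("detected MBR rootkit hooks"):
            facts["mbr_hooks"] = True
        if ">>UNKNOWN [" in line:
            facts["unknown_module"] = True
    return facts


def triage(text):
    """Return human-readable findings for the log; the rules are the editor's own."""
    f = parse_log(text)
    out = []
    pol = f["policies"]
    if pol.get("EnableLUA") == 0:
        out.append("EnableLUA=0: UAC is off, every process of an admin user runs fully elevated")
    if pol.get("ConsentPromptBehaviorAdmin") == 0:
        out.append("ConsentPromptBehaviorAdmin=0: admins elevate without any prompt")
    if pol.get("PromptOnSecureDesktop") == 0:
        out.append("PromptOnSecureDesktop=0: elevation prompts are not isolated on the secure desktop")
    host = f["proxy"].split("=")[-1].split(":")[0]
    if f["proxy"] and host in ("127.0.0.1", "localhost"):
        out.append(f"IE proxy points at the local machine ({f['proxy']}): identify the listener on that port")
    if f["appinit"]:
        out.append(f"AppInit_DLLs is set ({f['appinit']}): loaded into every process that links user32")
    for e in f["run"]:
        if " .exe" in e["cmd"].lower():
            out.append(f"{e['name']}: space before .exe in '{e['cmd']}', compare with the file on disk")
        if e["status"] == "X":
            out.append(f"{e['name']}: autostart target not found ({e['cmd']})")
        elif e["status"] == "N/A":
            out.append(f"{e['name']}: autostart target could not be verified ({e['cmd']})")
    if f["mbr_hooks"] or f["unknown_module"]:
        out.append("Gmer reports MBR hooks and/or an unknown kernel module: confirm the MBR with a second tool")
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

On this log the script's findings are the ones a reviewer would raise by hand: UAC is fully disabled (`EnableLUA=0` together with `ConsentPromptBehaviorAdmin=0`, so nothing ever prompts), Internet Explorer is routed through `127.0.0.1:5555`, which can be a legitimate local web filter or an interceptor and the log alone does not say which, `AppInit_DLLs` names `avgrsstx.dll`, which the "Files Created" section shows arriving on 2010-08-16 in the same batch as the AVG drivers, several Run entries are `[N/A]` or `[X]`, and the Gmer section both says "detected MBR rootkit hooks" and "user & kernel MBR OK", so the MBR should be confirmed with a second tool rather than concluded from this output.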