Løsning: Virtumonde-trojaner, Wixawin-popups. antivirusXP 2008...

norbat · 22. august 2008

Plagsomme pop-ups fra Wixawin, Antivirus XP/Vista 2008 m.fl.

VG har en artikkel om dette: Trojaner på MSN.no

Digi.no skriver at man frykter en ny runde med virusepidemier: http://www.digi.no/php/art.php?id=784164

Så langt jeg kan se så er problemet knyttet til filer av typen:

C:\WINDOWS\system32\__c00E920F.dat <-.dat-fila opptrer i mange varianter.

C:\WINDOWS\system32\~.exe / i1.exe

Vundo-trojan drar også med seg en mengde med .dll-filer med tilfeldige navn (eks. efcyvss.dll, fccaxyy.dll, gebbbby.dll)

Årsaken til infeksjonen (kan være andre) skyldes et sikkerhetshull i eldre flash-player. Oppdater derfor til nyeste versjon: Adobe Flash Player. Selv om reklamen er fjernet fra msn.no, så har en utdatert Flash Player fortsatt sårbarheten. Derfor, oppdatere flashplayeren nå!

Disse trojanerene fører ofte med seg andre infeksjoner, og antall filer som til slutt er knyttet til malware, blir ofte mange.

En rask og grei løsning for å fjerne denne malwaren:

Punkt 1:

Last ned Malwarebytes Anti-Malware til skrivebordet.

Kjør og installer programmet. Velg Norsk-språk

La programmet oppdatere seg og velg å kjør en 'hurtig systemscan', klikk Skann.

Det kommer en meldingsboks om at scannen er ferdig, klikk Ok

Klikk på 'Vis resultat'-knappen.Hvis det er funnet malware, vil du nå se hva som er funnet.

Klikk så på Fjern valgte -knappen for å fjerne malwaren som evt. ble funnet.

Det vil deretter åpnes en logg i notisblokk. Den kopiere du og poster senere.

Punkt 2:

Hent Combofix, og legg det på skrivebordet

Kjør combofix.exe, og følg veiledningen.

Du må ikke klikke på vinduet mens programmet kjører.

Ønsker du videre hjelp, kan du poste loggene fra combofix og mbam.

NB!

I noen sammenhenger, kan man miste nettforbindelsen etter at man har renset ut infeksjonen. Dette skyldes i de fleste tilfeller at winsock-fila blir korrupt. Det kan derfor være lurt å laste ned Winsockfix til skrivebordet, før man scanner med programmene over

Endret 22. september 2008 av norbat

r2d290 · 27. august 2008

- Reinstaller all programvaren. Det er det eneste helt sikre. Får du malware, er det fryktelig vanskelig å bli kvitt

Bare jeg som missliker at folk går ut med slike uttalelser i media? :no:

Fin veiledning though

Capa Barsavi · 28. august 2008

Etter å ha kjørt de to programmene er det mulig at skiten er borte, eller må jeg poste logger osv

r2d290 · 28. august 2008

det er mulig at skiten er borte, men for å være sikker, bør du poste loggene

mushi · 7. september 2008

Sprer denne seg over nettverk? Fått det på den ene pc'n på jobb så jeg, og må vite om jeg må stå opp en halvtime tidligere i mårra for å fjerne det på alle pc'ne eller ikke

norbat · 7. september 2008

Så vidt jeg vet, så sprer den seg ikke på nettverket.

mushi · 7. september 2008

Takk gud! Er mange pc'r på jobb :!:

Endret 7. september 2008 av mushi

braken · 15. september 2008

Malwarebytes' Anti-Malware 1.28

Database versjon: 1152

Windows 5.1.2600 Service Pack 2

15.09.2008 20:33:30

mbam-log-2008-09-15 (20-33-30).txt

Skanntype: Rask Skann

Objekter skannet: 50755

Tid tilbakelagt: 4 minute(s), 56 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 1

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 1

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\rhctrsj0e5cp (Rogue.Multiple) -> Quarantined and deleted successfully.

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

Mapper infisert:

(Ingen mistenkelige filer funnet)

Filer infisert:

C:\WINDOWS\system32\pphcprsj0e5cp.exe (Trojan.FakeAlert) -> Quarantined

Hva finner en utav dette??

norbat · 15. september 2008

-at du fikk fjernet en fil knyttet til et rogue program.

Har du opplevd noe i tilknytning til et slikt program?

Kjør gjerne combofix da det kan fortell om det fortsatt ligger noe rusk på pc'n

braken · 15. september 2008

-at du fikk fjernet en fil knyttet til et rogue program.
Har du opplevd noe i tilknytning til et slikt program?

Kjør gjerne combofix da det kan fortell om det fortsatt ligger noe rusk på pc'n

ComboFix 08-09-15.01 - Eier 2008-09-15 21:01:12.1 - NTFSx86

Running from: C:\Documents and Settings\Eier\Skrivebord\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr0.dat

C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr1.dat

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\License Agreement.lnk

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\Uninstall.lnk

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\.protected

C:\Documents and Settings\Eier\err.log

C:\Documents and Settings\Eier\ResErrors.log

C:\Documents and Settings\Eier\Skrivebordblackbird.jpg

C:\Documents and Settings\Eier\SkrivebordEditorFKWP1.5.exe

C:\Documents and Settings\Eier\SkrivebordEditorFKWP2.0.exe

C:\Documents and Settings\Eier\Skrivebordfilemanagerclient.exe

C:\Documents and Settings\Eier\Skrivebordfkwp1.5.exe

C:\Documents and Settings\Eier\Skrivebordfkwp2.0.exe

C:\Documents and Settings\Eier\Skrivebordfwebd.exe

C:\Documents and Settings\Eier\SkrivebordFWebdEditor.exe

C:\Documents and Settings\Eier\SkrivebordTrojan.Win32.BlackBird.exe

C:\Documents and Settings\Eier\Skrivebordvirii

C:\Documents and Settings\Eier\Skrivebordvirii\Trojan-Downloader.Win32.Agent.bl.exe

C:\Documents and Settings\Eier\Skrivebordvirii\Trojan-Downloader.Win32.Agent.p.exe

C:\Documents and Settings\Eier\Skrivebordvirii\Trojan-Downloader.Win32.Agent.r.exe

C:\Documents and Settings\Eier\Skrivebordvirii\Trojan-Downloader.Win32.Agent.t.exe

C:\Documents and Settings\Eier\Skrivebordvirii\Trojan-Downloader.Win32.Agent.v.exe

C:\Documents and Settings\Eier\Start-meny\Programmer\Oppstart\.protected

C:\Programfiler\3

C:\Programfiler\3\3.exe

C:\Programfiler\3\3.exe.local

C:\Programfiler\3\database.dat

C:\Programfiler\3\license.txt

C:\Programfiler\3\MFC71.dll

C:\Programfiler\3\MFC71ENU.DLL

C:\Programfiler\3\msvcp71.dll

C:\Programfiler\3\msvcr71.dll

C:\Programfiler\3\Uninstall.exe

C:\WINDOWS\Installer\{08bd88c9-36e1-463c-86ae-5859e8f6da25}\SysPrx.dll

C:\WINDOWS\system32\pphcprsj0e5cp.exe

----- BITS: Possible infected sites -----

http://au.download.windowsupdj+|Cv+@J:NGD_DQ{ztHG.X

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_sysrest.sys

((((((((((((((((((((((((( Files Created from 2008-08-15 to 2008-09-15 )))))))))))))))))))))))))))))))

.

2008-09-14 23:48 . 2008-09-14 23:48 <DIR> dr-h----- C:\Documents and Settings\Eier\Siste

2008-09-14 23:05 . 2008-09-14 23:05 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-09-14 23:05 . 2008-09-14 23:05 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\Malwarebytes

2008-09-14 23:05 . 2008-09-14 23:05 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-09-14 23:05 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-14 23:05 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-14 22:24 . 2008-09-14 22:24 <DIR> d-------- C:\Programfiler\Enigma Software Group

2008-09-14 12:31 . 2008-09-14 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft

2008-09-13 05:13 . 2008-09-13 05:13 0 --a------ C:\WINDOWS\system32\1D5.tmp

2008-09-11 16:19 . 2008-09-14 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\jcnevoho

2008-09-08 16:11 . 2008-09-14 23:20 <DIR> d-------- C:\Programfiler\uxtnbmc

2008-09-08 16:11 . 2008-09-10 22:17 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\opcjyhcf

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-15 19:10 --------- d-----w C:\Documents and Settings\Eier\Programdata\Skype

2008-09-15 14:13 --------- d-----w C:\Documents and Settings\Eier\Programdata\AVG7

2008-09-14 21:40 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP

2008-09-14 10:38 --------- d-----w C:\Programfiler\Lavasoft

2008-09-14 10:32 --------- d-----w C:\Documents and Settings\Eier\Programdata\Lavasoft

2008-09-05 09:01 --------- d-----w C:\Programfiler\DC++

2008-08-18 09:27 --------- d-----w C:\Programfiler\QuickTime

2008-08-09 20:50 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-08-09 20:50 --------- d-----w C:\Programfiler\Stabenfeldt

2008-07-26 21:41 --------- d-----w C:\Programfiler\EA GAMES

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll

2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll

2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

2007-09-22 12:25 49,609 ----a-w C:\Documents and Settings\Eier\last_report.dat

2005-06-29 00:18 9,098,208 ------w C:\Programfiler\winamp5093_full_hawthorne_emusic-7plus.exe

2005-05-15 18:42 4,400,264 ----a-w C:\Programfiler\Messenger Plus! - Setup.exe

2005-02-15 07:52 5,909,216 ------w C:\Programfiler\SkypeSetup.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

"Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2006-02-06 19490344]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"OE"="C:\Programfiler\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 315392]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-02-23 3026944]

"UpdateManager"="c:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-12-18 118784]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-01-05 176128]

"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]

"HP Component Manager"="C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"pccguide.exe"="C:\Programfiler\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-25 3112960]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 579584]

"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2007-12-11 267048]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"!AVG Anti-Spyware"="C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]

"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-05-27 413696]

"nwiz"="nwiz.exe" [2004-02-23 C:\WINDOWS\system32\nwiz.exe]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 C:\WINDOWS\AGRSMMSG.exe]

"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-30 219136]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

LightSurf.lnk - C:\Programfiler\LightSurf\Common\IconMgr.exe [2005-06-29 98304]

Logitech Desktop Messenger.lnk - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-11-13 196608]

PC-s›k i Windows.lnk - C:\Programfiler\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Documents and Settings\\All Users\\Programdata\\Spontania4Skype\\spontania4skype.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Grisoft\\AVG7\\avginet.exe"=

"C:\\Programfiler\\Grisoft\\AVG7\\avgamsvr.exe"=

"C:\\Programfiler\\Grisoft\\AVG7\\avgcc.exe"=

"C:\\Programfiler\\Grisoft\\AVG7\\avgemc.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\Programfiler\\iTunes\\iTunes.exe"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-VoipStunt - C:\programfiler\voipstunt.com\voipstunt\voipstunt.exe

HKLM-Run-PS2 - C:\WINDOWS\system32\ps2.exe

HKLM-Run-gdccw - C:\PROGRA~1\FELLES~1\SECURE~1\GDCcw.exe

HKLM-Run-slkvfkrn - C:\WINDOWS\system32\slkvfkrn.exe

HKLM-Run-SM3 - C:\Programfiler\3\3.exe

HKLM-Run-VTTimer - VTTimer.exe

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Eier\Programdata\Mozilla\Firefox\Profiles\yeb0coqd.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com

FF -: plugin - C:\Programfiler\DivX\DivX Content Uploader\npUpload.dll

FF -: plugin - C:\Programfiler\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - C:\Programfiler\Mozilla Firefox\plugins\np_gp.dll

FF -: plugin - C:\Programfiler\Mozilla Firefox\plugins\NPAdbESD.dll

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-15 21:06:44

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\scardsvr.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINDOWS\system32\searchindexer.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\hpzipm12.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\WINDOWS\system32\searchprotocolhost.exe

C:\Programfiler\Java\jre1.6.0_05\bin\jucheck.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\searchfilterhost.exe

.

**************************************************************************

.

Completion time: 2008-09-15 21:15:44 - machine was rebooted

ComboFix-quarantined-files.txt 2008-09-15 19:15:38

Pre-Run: 132,490,510,336 byte ledig

Post-Run: 132,406,345,728 byte ledig

206 --- E O F --- 2008-09-13 03:47:53

Jah, hehe, takk for meget hurtig svar!!! Men dette sier meg like lite...

Og jeg merker ikke at "Antivirus XP 2008" følger med et annet program.

Mvh Kenneth

braken · 15. september 2008

Men når det er sagt, så ser d ut som "viruset" er borte nå... Hm... kommer tilbake med mer info senere!

Kenneth

norbat · 15. september 2008

Bruk utforsker til å finne og slett følgende:

Fil:

C:\WINDOWS\system32\1D5.tmp

Mappe:

C:\Documents and Settings\All Users\Programdata\jcnevoho

C:\Programfiler\uxtnbmc

C:\Documents and Settings\All Users\Programdata\opcjyhcf

Fjern deretter combofix ved å skrive combofix /u i kjør-feltet (start->kjør)

Ut over dette ser ting og tang bra ut.

braken · 15. september 2008

Bruk utforsker til å finne og slett følgende:

Fil:

C:\WINDOWS\system32\1D5.tmp

Mappe:

C:\Documents and Settings\All Users\Programdata\jcnevoho

C:\Programfiler\uxtnbmc

C:\Documents and Settings\All Users\Programdata\opcjyhcf

Fjern deretter combofix ved å skrive combofix /u i kjør-feltet (start->kjør)

Ut over dette ser ting og tang bra ut.

Heisann!

Alt ser herlig normalt ut! Finner ikke alle mappene du skriver, bare C:/programfiler/uxt-ett-eller-annet... Slettet den. Er det viktig? Og kjære Combofixen min,-må den også bort??

Tusen takk for hurtig respons!!!

Mvh Kenneth

norbat · 15. september 2008

Du finner ikke de to andre mappene fordi du må slå på 'Vis skjulte filer og mapper' (kontrollpanel->mappealternativer->vis)

Når du fjerner combofix på den måten som er nevnt, rydder det opp etter seg ved å slette karantenefiler + nullstiller systemgjenopprettingen slik at du ikke blir infisert ved en evt. gjenoppretting senere. Om du ikke ønsker å fjerne combofix (den vil oppdatere seg automatisk neste gang du kjører den om det har kommet ny versjon), så bør du uansett 'nullstille' systemgjenopprettingen.

Endret 15. september 2008 av norbat

Mortzz · 16. september 2008

Malwarebytes' Anti-Malware 1.28

Database versjon: 1161

Windows 5.1.2600 Service Pack 2

16.09.2008 22:53:12

mbam-log-2008-09-16 (22-53-08).txt

Skanntype: Rask Skann

Objekter skannet: 42698

Tid tilbakelagt: 4 minute(s), 17 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 1

Registernøkler infisert: 4

Registerverdier infisert: 1

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 2

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

C:\WINDOWS\system32\__c0047E87.dat (Trojan.Zlob) -> No action taken.

Registernøkler infisert:

HKEY_CLASSES_ROOT\CLSID\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0047e87 (Trojan.Vundo) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.

Registerverdier infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1a6fe2.exe (Trojan.Agent) -> No action taken.

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

Mapper infisert:

(Ingen mistenkelige filer funnet)

Filer infisert:

C:\WINDOWS\system32\__c0047E87.dat (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> No action taken.

Hva betyr dette? =P

snippsat · 16. september 2008

At du har dette problemet posten omhandler Fattima.

Merk av så MBAM sletter det den finner.

Da skal det ikke stå ->No action taken.

Endret 16. september 2008 av SNIPPSAT

alda88 · 17. september 2008

Hejsan, hoppas ni kan hjälpa en stackars svensk som fått AntivirXP08 på PCn....

Har först rensat med Malwarebytes och sedan kört Combofix. Det finns fortfarande några rester kvar, för jag klarar inte att komma ut på internet.

Så här ser loggen ut:

ComboFix 08-09-14.02 - 2008-09-16 18:48:01.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.635 [GMT 2:00]

Running from: L:\ComboFix.exe

Command switches used :: C:\Documents and Settings\\Desktop\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))

.

2008-09-16 17:44 . 2008-09-16 17:44 <DIR> d-------- C:\Documents and Settings\name\Application Data\Malwarebytes

2008-09-16 17:44 . 2008-09-16 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-09-16 17:44 . 2008-09-10 00:07 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-16 17:44 . 2008-09-10 00:07 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-14 09:59 . 2008-09-14 09:59 <DIR> d-------- C:\Documents and Settings\name\Application Data\Symantec

2008-09-14 09:56 . 2008-09-14 09:56 <DIR> d-------- C:\Documents and Settings\\Application Data\Teleca

2008-09-14 09:56 . 2008-09-14 09:56 <DIR> d-------- C:\Documents and Settings\\Application Data\Sony Ericsson

2008-09-14 00:41 . 2008-04-14 02:12 10,752 --a------ C:\WINDOWS\system32\smtpapi.dll

2008-09-14 00:41 . 2008-04-14 02:12 9,728 --a------ C:\WINDOWS\system32\rwnh.dll

2008-09-13 23:46 . 2008-09-13 23:46 0 --a------ C:\9.tmp

2008-09-13 20:05 . 2008-09-13 20:05 186,592 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys

2008-09-11 16:15 . 2008-09-11 16:15 <DIR> d--hs---- C:\Documents and Settings\\PrivacIE

2008-09-11 16:13 . 2008-09-11 16:13 <DIR> d-------- C:\Documents and Settings\\Application Data\BearShare

2008-09-08 20:11 . 2008-09-08 20:11 <DIR> d-------- C:\Documents and Settings\\Application Data\muvee Technologies

2008-09-08 20:11 . 2008-09-08 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\muvee Technologies

2008-09-07 19:27 . 2008-09-07 19:27 <DIR> d-------- C:\Documents and Settings\\Application Data\ArcSoft

2008-09-07 19:26 . 2008-09-07 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ultima_T15

2008-09-07 19:26 . 2008-09-07 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EnterNHelp

2008-09-07 19:26 . 2008-09-08 20:11 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT

2008-09-07 19:22 . 2008-09-07 19:22 <DIR> d-------- C:\Documents and Settings\\Application Data\Nikon

2008-09-07 19:22 . 2008-09-07 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nikon

2008-09-07 19:21 . 2008-09-07 19:21 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies

2008-09-07 19:20 . 2001-10-09 10:02 434,176 --a------ C:\WINDOWS\system32\DC120V15_32.DLL

2008-09-07 19:20 . 2001-10-09 10:02 230,400 --a------ C:\WINDOWS\system32\DC265.DLL

2008-09-07 19:20 . 2000-05-02 03:17 212,480 --a------ C:\WINDOWS\system32\PCDLIB32.DLL

2008-09-07 19:20 . 2002-09-11 11:00 181,248 --a------ C:\WINDOWS\system32\LFPNG12N.DLL

2008-09-07 19:20 . 2002-09-11 10:50 60,416 --a------ C:\WINDOWS\system32\LFPCT12N.DLL

2008-09-07 19:20 . 2002-09-11 10:50 36,864 --a------ C:\WINDOWS\system32\LFPSD12N.DLL

2008-09-07 19:20 . 2002-09-11 10:50 26,112 --a------ C:\WINDOWS\system32\LFPCX12N.DLL

2008-09-07 19:20 . 2002-09-11 10:50 19,968 --a------ C:\WINDOWS\system32\LFPCD12N.DLL

2008-09-07 19:19 . 1995-08-01 04:44 212,480 --------- C:\WINDOWS\PCDLIB32.DLL

2008-09-07 19:18 . 2008-09-07 19:22 <DIR> d-------- C:\Program Files\Common Files\Nikon

2008-09-06 12:40 . 2008-09-06 12:40 <DIR> d-------- C:\Program Files\Common Files\xing shared

2008-08-28 18:29 . 2008-08-28 18:29 <DIR> d--hs---- C:\Documents and Settings\\PrivacIE

2008-08-28 18:18 . 2008-08-28 18:19 <DIR> d--h-c--- C:\WINDOWS\ie8

2008-08-27 19:36 . 2008-08-27 19:36 <DIR> d-------- C:\Documents and Settings\\Application Data\Saxo Bank

2008-08-27 18:20 . 2008-08-27 18:20 <DIR> d-------- C:\WINDOWS\system32\scripting

2008-08-27 18:20 . 2008-08-27 18:20 <DIR> d-------- C:\WINDOWS\system32\en

2008-08-27 18:20 . 2008-08-27 18:20 <DIR> d-------- C:\WINDOWS\l2schemas

2008-08-27 17:14 . 2008-04-14 02:12 712,704 --------- C:\WINDOWS\system32\windowscodecs.dll

2008-08-27 17:14 . 2008-04-14 02:12 346,112 --------- C:\WINDOWS\system32\windowscodecsext.dll

2008-08-27 17:14 . 2008-04-14 02:12 276,992 --------- C:\WINDOWS\system32\wmphoto.dll

2008-08-27 17:14 . 2008-04-14 02:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll

2008-08-27 17:14 . 2008-04-14 02:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll

2008-08-27 17:14 . 2008-04-14 02:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll

2008-08-27 17:12 . 2008-04-14 02:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll

2008-08-27 17:11 . 2008-04-14 02:11 233,472 --------- C:\WINDOWS\system32\azroles.dll

2008-08-27 17:11 . 2008-04-14 02:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll

2008-08-27 17:11 . 2008-04-14 02:11 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll

2008-08-22 03:07 . 2008-08-22 03:07 18,944 --------- C:\WINDOWS\system32\dllcache\corpol.dll

2008-08-22 03:05 . 2008-08-22 03:05 48,640 --------- C:\WINDOWS\system32\PrivacIE.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-16 16:41 --------- d-----w C:\Documents and Settings\\Application Data\LimeWire

2008-09-13 21:46 14,336 ----a-w C:\WINDOWS\system32\svchost.exe

2008-09-13 21:46 14,336 ----a-w C:\WINDOWS\system32\dllcache\svchost.exe

2008-09-10 18:40 --------- d-----w C:\Program Files\TVUPlayer

2008-09-07 17:22 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-09-07 14:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink

2008-09-06 10:39 --------- d-----w C:\Program Files\Common Files\Real

2008-08-30 12:49 --------- d-----w C:\Program Files\Java

2008-08-30 12:48 --------- d-----w C:\Program Files\Opera

2008-08-27 20:23 --------- d-----w C:\Documents and Settings\\Application Data\MSN6

2008-08-27 17:23 --------- d-----w C:\Program Files\MSN Messenger

2008-08-22 01:16 637,984 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-08-22 01:10 11,985,408 ----a-w C:\WINDOWS\system32\dllcache\ieframe.dll

2008-08-22 01:09 5,699,584 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-08-22 01:08 878,592 ----a-w C:\WINDOWS\system32\wininet.dll

2008-08-22 01:08 878,592 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll

2008-08-22 01:08 43,008 ----a-w C:\WINDOWS\system32\licmgr10.dll

2008-08-22 01:08 43,008 ----a-w C:\WINDOWS\system32\dllcache\licmgr10.dll

2008-08-22 01:08 236,544 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll

2008-08-22 01:08 1,206,784 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll

2008-08-22 01:07 755,200 ----a-w C:\WINDOWS\system32\dllcache\VGX.dll

2008-08-22 01:07 193,536 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll

2008-08-22 01:07 18,944 ----a-w C:\WINDOWS\system32\corpol.dll

2008-08-22 01:07 116,224 ----a-w C:\WINDOWS\system32\dllcache\occache.dll

2008-08-22 01:07 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll

2008-08-22 01:05 70,656 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll

2008-08-22 01:05 630,272 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll

2008-08-22 01:05 61,952 ----a-w C:\WINDOWS\system32\dllcache\icardie.dll

2008-08-22 01:05 580,608 ----a-w C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-08-22 01:05 53,760 ----a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-08-22 01:05 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll

2008-08-22 01:05 48,128 ----a-w C:\WINDOWS\system32\dllcache\mshtmler.dll

2008-08-22 01:05 45,056 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll

2008-08-22 01:05 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll

2008-08-22 01:05 35,840 ----a-w C:\WINDOWS\system32\dllcache\imgutil.dll

2008-08-22 01:05 346,624 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll

2008-08-22 01:05 217,088 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll

2008-08-22 01:05 186,880 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll

2008-08-22 01:04 45,568 ----a-w C:\WINDOWS\system32\mshta.exe

2008-08-22 01:04 45,568 ----a-w C:\WINDOWS\system32\dllcache\mshta.exe

2008-08-22 01:00 68,608 ----a-w C:\WINDOWS\system32\dllcache\hmmapi.dll

2008-08-22 00:57 156,160 ----a-w C:\WINDOWS\system32\msls31.dll

2008-08-22 00:57 156,160 ----a-w C:\WINDOWS\system32\dllcache\msls31.dll

2008-08-22 00:42 443,392 ----a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-08-13 01:15 --------- d-----w C:\Program Files\Google

2008-08-10 10:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Telenor

2008-08-10 10:15 --------- d-----w C:\Program Files\Telenor

2008-08-10 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Emotum

2008-08-07 21:10 --------- d-----w C:\Documents and Settings\\Application Data\BearShare

2008-08-05 15:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll

2008-07-28 17:52 --------- d-----w C:\Documents and Settings\\Application Data\vlc

2008-07-28 17:32 3,168,382 ----a-w C:\Documents and Settings\\SopCast.zip

2008-07-23 16:24 --------- d-----w C:\Documents and Settings\\Application Data\DVD Profiler

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll

2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll

2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll

2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll

2008-06-24 19:22 543 ----a-w C:\Program Files\Shortcut to InterVocative Software.lnk

2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll

2008-06-24 16:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll

2008-06-23 16:57 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll

2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys

2007-12-07 18:49 47,360 ----a-w C:\Documents and Settings\\Application Data\pcouffin.sys

2007-07-03 15:01 81,920 ----a-w C:\Documents and Settings\\Application Data\ezpinst.exe

2005-05-12 10:25 1,864,085 ----a-w C:\Program Files\cwpro.exe

2005-04-08 16:48 7,184,689 ----a-w C:\Program Files\WSFTP_HomeT128_Install.exe

2005-03-23 19:02 1,163,643 ----a-w C:\Program Files\wrar342.exe

2007-06-21 17:38 30,280 ----a-w C:\Program Files\mozilla firefox\plugins\cgpcfg.dll

2007-06-21 17:38 79,432 ----a-w C:\Program Files\mozilla firefox\plugins\CgpCore.dll

2007-06-21 17:38 71,240 ----a-w C:\Program Files\mozilla firefox\plugins\confmgr.dll

2007-06-21 17:38 140,872 ----a-w C:\Program Files\mozilla firefox\plugins\ctxmui.dll

2007-06-21 17:39 38,472 ----a-w C:\Program Files\mozilla firefox\plugins\icafile.dll

2007-06-21 17:39 46,664 ----a-w C:\Program Files\mozilla firefox\plugins\icalogon.dll

2007-06-21 17:39 34,376 ----a-w C:\Program Files\mozilla firefox\plugins\logging.dll

2007-06-21 17:39 685,640 ----a-w C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll

2007-06-21 17:40 30,280 ----a-w C:\Program Files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-25 67128]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

"RMC"="C:\program files\reuters\rmc\rmc.exe" [2007-11-15 4145248]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-17 3022848]

"WinCinemaMgr"="C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe" [2003-09-16 184320]

"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 286720]

"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2003-03-21 127022]

"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2003-04-01 57344]

"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2003-04-01 155648]

"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2003-11-24 155648]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-30 71304]

"AdobeVersionCue"="C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2004-03-25 1732608]

"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 483328]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-01-07 100056]

"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-16 190464]

"Eicon TechnologyLAN_DAEMON"="C:\Program Files\Eicon\Diva\watch.exe" [2003-11-25 196608]

"CGServer"="C:\Program Files\Eicon\Diva\cgserver.exe" [2003-11-25 45056]

"Telenorhjelpen"="C:\Program Files\Telenor\Telenorhjelpen\Telenor.exe" [2008-02-07 189120]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"LLPush"="C:\Program Files\iLinc\Client\bin\LLPush.exe" [2005-01-14 258560]

"nwiz"="nwiz.exe" [2003-11-17 C:\WINDOWS\system32\nwiz.exe]

"CTHelper"="CTHELPER.EXE" [2003-05-28 C:\WINDOWS\system32\cthelper.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-28 54424]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SetDefaultMidi"="MIDIDEF.EXE" [2002-12-03 C:\WINDOWS\mididef.exe]

C:\Documents and Settings\\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - D:\Downloads\LimeWire\LimeWire.exe [2008-06-18 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-01 110592]

Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-25 67128]

NkbMonitor.exe.lnk - D:\photos\NkbMonitor.exe [2008-09-07 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.mxmc"= MimicICM.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=

"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"D:\\SopCast\\SopCast.exe"=

"C:\\Documents and Settings\\\\Application Data\\SopCast\\adv\\SopAdver.exe"=

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"C:\\Program Files\\TVAnts\\Tvants.exe"=

"D:\\SopCast\\adv\\SopAdver.exe"=

"C:\\Program Files\\Reuters\\RMC\\RMC.exe"=

"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"C:\\Program Files\\Eicon\\Diva\\watch.exe"=

"C:\\Program Files\\Telenor\\Telenorhjelpen\\Telenor.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"D:\\Downloads\\LimeWire\\LimeWire.exe"=

R2 litsgt;litsgt;C:\WINDOWS\system32\DRIVERS\litsgt.sys [2007-04-24 137344]

R2 tansgt;tansgt;C:\WINDOWS\system32\DRIVERS\tansgt.sys [2007-04-24 12032]

R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-02-25 334304]

R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-04-28 24192]

S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-05-01 61600]

S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-05-01 9360]

S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-05-01 97184]

S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys [2006-05-01 86560]

S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 61536]

S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se59mdfl.sys [2006-09-05 9360]

S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se59mdm.sys [2006-09-05 97088]

S3 se59mgmt;Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se59mgmt.sys [2006-09-05 88624]

S3 se59nd5;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS);C:\WINDOWS\system32\DRIVERS\se59nd5.sys [2006-09-05 18704]

S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se59obex.sys [2006-09-05 86432]

S3 se59unic;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM);C:\WINDOWS\system32\DRIVERS\se59unic.sys [2006-09-05 90800]

S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 61536]

S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 9360]

S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 97088]

S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 88624]

S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 18704]

S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 86432]

S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 90800]

.

Contents of the 'Scheduled Tasks' folder

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-16 18:49:32

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-09-16 18:51:03

ComboFix-quarantined-files.txt 2008-09-16 16:50:34

ComboFix2.txt 2008-09-16 16:44:01

Pre-Run: 4,533,510,144 bytes free

Post-Run: 4,507,082,752 bytes free

277 --- E O F --- 2008-09-10 01:00:19

Om det är någon som kan se på detta och säga vad jag måste göra så är jag mycket tacksam!

norbat · 17. september 2008

Kom nettproblemene før eller etter at du kjørte MBAM og Combofix?

Ser du kjørte med CFScript.txt, hva inneholdt den fila?

Det kan være winsock-fila som er korrupt. Prøv følgende:

Klikk: Start->Kjør

Skriv: netsh winsock reset catalog

Restart pc'n og sjekk nettforbindelsen.

alda88 · 17. september 2008

Kom nettproblemene før eller etter at du kjørte MBAM og Combofix?
Ser du kjørte med CFScript.txt, hva inneholdt den fila?

Det kan være winsock-fila som er korrupt. Prøv følgende:

Klikk: Start->Kjør

Skriv: netsh winsock reset catalog

Restart pc'n og sjekk nettforbindelsen.

Nettproblemerna kom med viruset och verkar vara det enda som fortfarande är kvar...Ska checka CFScript-filen när jag kommer hem och kommer tillbaka om inte ditt tips fungerar...

Tack för hjälp så länge!

alda88 · 18. september 2008

Kom nettproblemene før eller etter at du kjørte MBAM og Combofix?
Ser du kjørte med CFScript.txt, hva inneholdt den fila?

Det kan være winsock-fila som er korrupt. Prøv følgende:

Klikk: Start->Kjør

Skriv: netsh winsock reset catalog

Restart pc'n og sjekk nettforbindelsen.

Har gjort detta nu, men kommer fortfarande inte ut på nätet via Internet Explorer. Förbindelsen är OK in till PCn men det ligger något "skit" inne som blockerar tillgången.

När jag högerklickar på en internetbrowser och ser på properties står det:

res://ieframe.dll/dnserrordiagoff.htm#http://www.sol.no/

gissar att det är här felet ligger men vet inte hur man ändrar...

Fick ett tips i en annan tråd att köra SFScript'en men har inte det tillgängligt nu, hoppas det inte är avgörande för att jag kan få hjälp eller inte...

Hursomhelst, körde en ny rensning med efterfölgande Combofix, här är loggen til den:

ComboFix 08-09-14.02 - 2008-09-17 19:56:38.4 - NTFSx86

Running from: L:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\\Local Settings\Temporary Internet Files\SuggestedSites.dat

.

((((((((((((((((((((((((( Files Created from 2008-08-17 to 2008-09-17 )))))))))))))))))))))))))))))))

.

2008-09-16 17:44 . 2008-09-16 17:44 <DIR> d-------- C:\Documents and Settings\\Application Data\Malwarebytes

2008-09-16 17:44 . 2008-09-16 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-09-16 17:44 . 2008-09-10 00:07 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-16 17:44 . 2008-09-10 00:07 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-14 09:59 . 2008-09-14 09:59 <DIR> d-------- C:\Documents and Settings\\Application Data\Symantec

2008-09-14 09:56 . 2008-09-14 09:56 <DIR> d-------- C:\Documents and Settings\h\Application Data\Teleca