
[Solved] Virus / spyware free? Thanks to norbat!



I fell victim to "Antivirus XP 2008" earlier today, and I'm wondering whether I've managed to remove everything the crap left behind;

would anyone mind looking through the logs? Thanks ;)

 

SAS log:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 08/31/2008 at 02:49 PM

 

Application Version : 4.20.1046

 

Core Rules Database Version : 3552

Trace Rules Database Version: 1540

 

Scan type : Quick Scan

Total Scan Time : 00:22:39

 

Memory items scanned : 259

Memory threats detected : 0

Registry items scanned : 320

Registry threats detected : 3

File items scanned : 11867

File threats detected : 8

 

Rogue.AntiVirus XP 2008

C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk

 

Trojan.FakeAlert/Desktop

HKU\S-1-5-21-1645522239-308236825-725345543-1003\CONTROL PANEL\DESKTOP#WALLPAPER

HKU\S-1-5-21-1645522239-308236825-725345543-1003\CONTROL PANEL\DESKTOP#ORIGINALWALLPAPER

HKU\S-1-5-21-1645522239-308236825-725345543-1003\CONTROL PANEL\DESKTOP#CONVERTEDWALLPAPER

 

Rogue.AntiVirus 2008

C:\Documents and Settings\xxx\Application Data\RHCN6FJ0EPCR

C:\WINDOWS\SYSTEM32\PHCJ6FJ0EPCR.BMP

 

NotHarmful.Sysinternals Bluescreen Screen Saver

C:\WINDOWS\SYSTEM32\BLPHCJ6FJ0EPCR.SCR

C:\WINDOWS\Prefetch\BLPHCJ6FJ0EPCR.SCR-1C84C443.pf

 

Rogue.MalwareProtector/Variant

C:\WINDOWS\SYSTEM32\PPHCJ6FJ0EPCR.EXE

C:\WINDOWS\Prefetch\PPHCJ6FJ0EPCR.EXE-09B782D8.pf

 

Trojan.Downloader-Gen/Suspicious

F:\DOWNS SYNDROM!\TORRENTZ\SPEED.VIDEO.CONVERTER.V3.0.48.WINALL.INCL.KEYGEN-CRD\KEYGEN\KEYGEN.EXE

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 08/31/2008 at 03:13 PM

 

Application Version : 4.20.1046

 

Core Rules Database Version : 3552

Trace Rules Database Version: 1540

 

Scan type : Quick Scan

Total Scan Time : 00:03:25

 

Memory items scanned : 289

Memory threats detected : 0

Registry items scanned : 321

Registry threats detected : 0

File items scanned : 5746

File threats detected : 18

 

Adware.Tracking Cookie

.doubleclick.net [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

.chitika.net [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

ad.yieldmanager.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

ad.yieldmanager.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

ad.yieldmanager.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

ad.yieldmanager.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

ad.yieldmanager.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

ad.yieldmanager.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

ad.yieldmanager.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

.adtech.de [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

.adbrite.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

.adbrite.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

.adbrite.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

.adultadworld.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

.adultadworld.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

.adultadworld.com [ C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\cookies.txt ]

 

NotHarmful.Sysinternals Bluescreen Screen Saver

C:\WINDOWS\SYSTEM32\BLPHCJ6FJ0EPCR.SCR

C:\WINDOWS\Prefetch\BLPHCJ6FJ0EPCR.SCR-1C84C443.pf

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:22:11, on 31.08.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{5962E034-023B-494C-B591-233CB1F8C9F1}: NameServer = 195.204.39.3,195.204.39.20

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

 

--

End of file - 3267 bytes

ComboFix

ComboFix 08-08-30.03 - xxx 2008-08-31 16:40:52.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.614 [GMT 2:00]

Running from: C:\Documents and Settings\xxx\Desktop\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_TDSSSERV

-------\Service_TDSSserv

 

 

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))

.

 

2008-08-31 15:40 . 2008-08-31 15:41 <DIR> d-------- C:\WINDOWS\ERUNT

2008-08-31 15:36 . 2008-08-31 15:36 <DIR> d-------- C:\sdfix

2008-08-31 14:56 . 2008-08-31 14:56 <DIR> d-------- C:\Program Files\Trend Micro

2008-08-31 14:21 . 2008-08-31 14:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-08-31 14:21 . 2008-08-31 14:21 <DIR> d-------- C:\Program Files\CCleaner

2008-08-31 14:21 . 2008-08-31 14:21 <DIR> d-------- C:\Documents and Settings\xxx\Application Data\SUPERAntiSpyware.com

2008-08-31 14:21 . 2008-08-31 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-08-31 13:35 . 2008-08-31 13:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-08-31 12:59 . 2008-08-31 12:59 12,288 --a------ C:\WINDOWS\system32\tdssserf.dll

2008-08-29 13:31 . 2008-08-29 13:31 <DIR> d-------- C:\Logs

2008-08-29 02:34 . 2008-08-29 02:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink

2008-08-29 02:31 . 2008-08-29 02:31 <DIR> d-------- C:\Program Files\DVD Shrink

2008-08-28 12:36 . 2008-08-28 12:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

2008-07-18 03:04 . 2008-06-13 15:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-07-02 23:05 . 2008-08-10 19:47 23 --a------ C:\Documents and Settings\xxx\jagex_runescape_preferences.dat

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-31 14:41 --------- d-----w C:\Documents and Settings\xxx\Application Data\uTorrent

2008-08-31 12:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-08-30 08:08 --------- d-----w C:\Program Files\mIRC

2008-08-30 04:46 --------- d-----w C:\Documents and Settings\xxx\Application Data\dvdcss

2008-08-29 14:32 267,056 ----a-w C:\Program Files\utorrent.exe

2008-08-28 15:59 --------- d-----w C:\Documents and Settings\xxx\Application Data\LimeWire

2006-03-20 14:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe

2005-08-07 23:51 282,624 ----a-w C:\Program Files\w3chart.exe

2002-08-09 10:25 163,840 -c--a-w C:\Program Files\PowerOff 3.0.0.1.5.exe

2001-02-14 14:45 36,864 -c--a-w C:\Program Files\Shutdown Timer.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 23:34 1576176]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05 81920]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 21:16 286720]

"SoundMan"="SOUNDMAN.EXE" [2004-02-26 10:53 65024 C:\WINDOWS\SOUNDMAN.EXE]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\utorrent.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"F:\\Spill\\Steam\\SteamApps\\robert123417\\counter-strike\\hl.exe"=

"F:\\Spill\\BF1942\\BF1942.exe"=

"F:\\Spill\\LieroX v0.56b Pack 1.7\\LieroX.exe"=

"F:\\Spill\\Half-Life\\hl.exe"=

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"F:\\Spill\\Snes\\zsnesw.exe"=

"C:\\Program Files\\Hamachi\\hamachi.exe"=

"F:\\Spill\\Warcraft III\\Warcraft III.exe"=

"F:\\Spill\\Steam\\SteamApps\\alice94\\condition zero\\hl.exe"=

"F:\\Spill\\Steam\\SteamApps\\alice94\\counter-strike\\hl.exe"=

"F:\\Spill\\FlatOut2\\FlatOut2.exe"=

 

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-Run-ISUSPM - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

MSConfigStartUp-lphcj6fj0epcr - C:\WINDOWS\system32\lphcj6fj0epcr.exe

MSConfigStartUp-SMrhcn6fj0epcr - C:\Program Files\rhcn6fj0epcr\rhcn6fj0epcr.exe

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-31 16:42:41

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2008-08-31 16:43:56 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-31 14:43:53

 

Pre-Run: 4,828,405,760 bytes free

Post-Run: 4,766,236,672 bytes free

 

111 --- E O F --- 2008-08-06 12:31:12

Edited by Lauritz1
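The random-looking names in the logs above all carry the same per-install token: RHCN6FJ0EPCR, PHCJ6FJ0EPCR.BMP, BLPHCJ6FJ0EPCR.SCR and PPHCJ6FJ0EPCR.EXE in the SAS log, and the lphcj6fj0epcr / rhcn6fj0epcr startup orphans that ComboFix removed. The Python below is an added example for this thread, not part of the original post and not code from SUPERAntiSpyware, ComboFix or Malwarebytes. It parses the SAS log format shown above, checks the log's own counters against the items actually listed (a cheap way to spot a truncated paste), derives the shared token from the file names, and greps the ComboFix orphan lines for it. SAS_LOG and COMBOFIX_ORPHANS are constructed, abbreviated copies of the logs in the thread with the counters adjusted to the items kept; the idea that the rogue stamps one random token into every file it drops is an assumption drawn from these names, not from any vendor documentation.

```python
"""Triage helpers for a SUPERAntiSpyware (SAS) scan log.

Added example for this thread, not code from SUPERAntiSpyware, ComboFix or
Malwarebytes. SAS_LOG and COMBOFIX_ORPHANS are constructed, abbreviated
copies of the logs quoted in the thread (counters adjusted to the items kept).
"""
import re

SAS_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Application Version : 4.20.1046
Registry threats detected : 2
File threats detected : 6

Rogue.AntiVirus XP 2008
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk

Trojan.FakeAlert/Desktop
HKU\S-1-5-21-1645522239-308236825-725345543-1003\CONTROL PANEL\DESKTOP#WALLPAPER
HKU\S-1-5-21-1645522239-308236825-725345543-1003\CONTROL PANEL\DESKTOP#ORIGINALWALLPAPER

Rogue.AntiVirus 2008
C:\Documents and Settings\xxx\Application Data\RHCN6FJ0EPCR
C:\WINDOWS\SYSTEM32\PHCJ6FJ0EPCR.BMP

NotHarmful.Sysinternals Bluescreen Screen Saver
C:\WINDOWS\SYSTEM32\BLPHCJ6FJ0EPCR.SCR
C:\WINDOWS\Prefetch\BLPHCJ6FJ0EPCR.SCR-1C84C443.pf

Rogue.MalwareProtector/Variant
C:\WINDOWS\SYSTEM32\PPHCJ6FJ0EPCR.EXE
"""
# 'ORPHANS REMOVED' lines from the ComboFix log in the thread (constructed copy).
COMBOFIX_ORPHANS = [
    r"HKLM-Run-ISUSPM - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe",
    r"MSConfigStartUp-lphcj6fj0epcr - C:\WINDOWS\system32\lphcj6fj0epcr.exe",
    r"MSConfigStartUp-SMrhcn6fj0epcr - C:\Program Files\rhcn6fj0epcr\rhcn6fj0epcr.exe",
]
# 'Key : value' header lines; requiring whitespace after the colon keeps URLs
# and drive letters (http://..., C:\...) from being mistaken for header keys.
HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s+(.+)$")
REGISTRY_PREFIXES = ("HKU\\", "HKLM\\", "HKCU\\", "HKEY_")


def parse_sas_log(text):
    """(header, detections): header fields up to the 'File threats detected'
    counter, then blank-line-separated blocks of threat name plus items."""
    header, detections, current, in_detections = {}, {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not in_detections:
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1).strip()] = m.group(2).strip()
                in_detections = m.group(1).strip() == "File threats detected"
        elif not line:
            current = None                  # blank line closes a block
        elif current is None:
            current = line                  # a block starts with the threat name
            detections.setdefault(current, [])
        else:
            detections[current].append(line)
    return header, detections


def is_registry(item):
    return item.upper().startswith(REGISTRY_PREFIXES)


def reconcile(header, detections):
    """Compare the log's own counters with the items actually listed; a gap
    means the paste was truncated and should not be read as complete."""
    items = [p for paths in detections.values() for p in paths]
    reg = sum(1 for p in items if is_registry(p))
    return {"registry_listed": reg,
            "registry_counted": int(header.get("Registry threats detected", 0)),
            "file_listed": len(items) - reg,
            "file_counted": int(header.get("File threats detected", 0))}


def basename_stem(path):
    """Last path component up to its first dot, upper-cased."""
    return path.rsplit("\\", 1)[-1].split(".")[0].upper()


def shared_suffix(names, min_len=6):
    """Suffix of >= min_len chars shared by the most names (longest on a tie).
    Assumption drawn from the names in the thread, not from vendor docs: the
    rogue stamps one per-install token into every file it drops, so this
    suffix is the string to grep the other logs for."""
    counts = {}
    for n in {n.upper() for n in names}:
        for k in range(min_len, len(n) + 1):
            counts[n[-k:]] = counts.get(n[-k:], 0) + 1
    shared = [(c, len(s), s) for s, c in counts.items() if c >= 2]
    return max(shared)[2] if shared else ""


def random_token(detections):
    """Token shared by the file (non-registry) items of the whole log."""
    return shared_suffix(basename_stem(p) for paths in detections.values()
                         for p in paths if not is_registry(p))


def grep_token(lines, token):
    """Case-insensitive search for the token in lines from another log."""
    return [line for line in lines if token.lower() in line.lower()]


if __name__ == "__main__":
    header, detections = parse_sas_log(SAS_LOG)
    print(reconcile(header, detections))
    token = random_token(detections)
    print("shared token:", token, "->", grep_token(COMBOFIX_ORPHANS, token))
```

Run as a script it prints the counter check and the ComboFix orphan lines that share the token; point grep_token at the HijackThis or MBAM log text instead to find leftovers that a signature scanner did not name. The registry entries flagged under Trojan.FakeAlert/Desktop are left out of the token search on purpose: they are the wallpaper values the rogue changed, not dropped files.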

Let's run one more round:

 

Download Malwarebytes Anti-Malware to your desktop.

Run and install the program. Choose Norwegian as the language.

Let the program update itself, select a 'quick system scan', and click Scan.

A message box will tell you the scan is finished; click OK.

 

Click the Show results button. If malware was found, you will now see what was found.

 

Then click the Remove selected button to remove any malware that was found.

 

A log will then open in Notepad. Copy it and post it later.

 

---

 

Run ComboFix and post the log together with the MBAM log.


OK, let's try again :p

 

ComboFix

ComboFix 08-08-30.03 - xxx 2008-08-31 17:43:30.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.706 [GMT 2:00]

Running from: C:\Documents and Settings\xxx\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))

.

 

2008-08-31 17:27 . 2008-08-31 17:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-08-31 17:27 . 2008-08-31 17:27 <DIR> d-------- C:\Documents and Settings\xxx\Application Data\Malwarebytes

2008-08-31 17:27 . 2008-08-31 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-08-31 17:27 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-31 17:27 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-08-31 15:40 . 2008-08-31 15:41 <DIR> d-------- C:\WINDOWS\ERUNT

2008-08-31 15:36 . 2008-08-31 15:36 <DIR> d-------- C:\sdfix

2008-08-31 14:56 . 2008-08-31 14:56 <DIR> d-------- C:\Program Files\Trend Micro

2008-08-31 14:21 . 2008-08-31 14:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-08-31 14:21 . 2008-08-31 14:21 <DIR> d-------- C:\Program Files\CCleaner

2008-08-31 14:21 . 2008-08-31 14:21 <DIR> d-------- C:\Documents and Settings\xxx\Application Data\SUPERAntiSpyware.com

2008-08-31 14:21 . 2008-08-31 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-08-31 13:35 . 2008-08-31 13:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-08-29 13:31 . 2008-08-29 13:31 <DIR> d-------- C:\Logs

2008-08-29 02:34 . 2008-08-29 02:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink

2008-08-29 02:31 . 2008-08-29 02:31 <DIR> d-------- C:\Program Files\DVD Shrink

2008-08-28 12:36 . 2008-08-28 12:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

2008-07-18 03:04 . 2008-06-13 15:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-07-02 23:05 . 2008-08-10 19:47 23 --a------ C:\Documents and Settings\xxx\jagex_runescape_preferences.dat

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-31 15:14 --------- d-----w C:\Documents and Settings\xxx\Application Data\uTorrent

2008-08-31 12:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-08-30 08:08 --------- d-----w C:\Program Files\mIRC

2008-08-30 04:46 --------- d-----w C:\Documents and Settings\xxx\Application Data\dvdcss

2008-08-29 14:32 267,056 ----a-w C:\Program Files\utorrent.exe

2008-08-28 15:59 --------- d-----w C:\Documents and Settings\xxx\Application Data\LimeWire

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2006-03-20 14:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe

2005-08-07 23:51 282,624 ----a-w C:\Program Files\w3chart.exe

2002-08-09 10:25 163,840 -c--a-w C:\Program Files\PowerOff 3.0.0.1.5.exe

2001-02-14 14:45 36,864 -c--a-w C:\Program Files\Shutdown Timer.exe

.

 

((((((((((((((((((((((((((((( snapshot@2008-08-31_16.43.41.73 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-08-31 13:51:44 63,528 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-08-31 14:46:30 63,528 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2008-08-31 13:51:44 406,328 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-08-31 14:46:30 406,328 ----a-w C:\WINDOWS\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 23:34 1576176]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05 81920]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 21:16 286720]

"SoundMan"="SOUNDMAN.EXE" [2004-02-26 10:53 65024 C:\WINDOWS\SOUNDMAN.EXE]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\utorrent.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"F:\\Spill\\Steam\\SteamApps\\robert123417\\counter-strike\\hl.exe"=

"F:\\Spill\\BF1942\\BF1942.exe"=

"F:\\Spill\\LieroX v0.56b Pack 1.7\\LieroX.exe"=

"F:\\Spill\\Half-Life\\hl.exe"=

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"F:\\Spill\\Snes\\zsnesw.exe"=

"C:\\Program Files\\Hamachi\\hamachi.exe"=

"F:\\Spill\\Warcraft III\\Warcraft III.exe"=

"F:\\Spill\\Steam\\SteamApps\\alice94\\condition zero\\hl.exe"=

"F:\\Spill\\Steam\\SteamApps\\alice94\\counter-strike\\hl.exe"=

"F:\\Spill\\FlatOut2\\FlatOut2.exe"=

 

 

*Newly Created Service* - MBAMSWISSARMY

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\xxx\Application Data\Mozilla\Firefox\Profiles\69v8e6bd.default\

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-31 17:44:10

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-08-31 17:44:54

ComboFix-quarantined-files.txt 2008-08-31 15:44:50

ComboFix2.txt 2008-08-31 14:43:56

 

Pre-Run: 4,740,608,000 bytes free

Post-Run: 4,739,883,008 bytes free

 

117 --- E O F --- 2008-08-06 12:31:12

Malware

Malwarebytes' Anti-Malware 1.25

Database version: 1062

Windows 5.1.2600 Service Pack 2

 

17:31:50 31.08.2008

mbam-log-08-31-2008 (17-31-50).txt

 

Scan type: Quick Scan

Objects scanned: 39282

Time elapsed: 2 minute(s), 11 second(s)

 

Memory processes infected: 0

Memory modules infected: 0

Registry keys infected: 0

Registry values infected: 0

Registry data items infected: 0

Folders infected: 0

Files infected: 1

 

Memory processes infected:

(No suspicious files found)

 

Memory modules infected:

(No suspicious files found)

 

Registry keys infected:

(No suspicious files found)

 

Registry values infected:

(No suspicious files found)

 

Registry data items infected:

(No suspicious files found)

 

Folders infected:

(No suspicious files found)

 

Files infected:

C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Quarantined and deleted successfully.

 

Thanks a lot for the help, by the way, I really appreciate it! :)


MBAM caught the last one, so we can skip any manual fiddling :)

The latest ComboFix log looks fine. The PC should be free of malware, so all that's left is a bit of cleanup:

 

Uninstall ComboFix by typing combofix /u in the Run box (Start -> Run).

This removes its backup files, including the old restore points.

 

Make sure to update Java: http://java.com/en/download/index.jsp and the Flash Player.

 

Go to Windows Update (Start -> All Programs -> Windows Update) and fetch the missing updates.


The topic title of this thread is not very descriptive of the thread's content and is therefore not a good topic title. The better and more descriptive the topic title is, the easier it is for others to understand what the thread is about, and the easier it will be to reach the right forum user with the right answer. I therefore ask you to change the topic title. Please try to keep this in mind next time you start a thread, and read what our netiquette says about poor use of topic titles.

Use the edit button (p_edit.gif) in the first post to change the topic title.

 

The thread also breaks the three-word rule.

 

(This post will be removed once the topic title has been changed. Do not reply to this post, but feel free to report (p_report.gif) it once the title has been changed, and it will be removed.)
