salvi, posted 3 September 2008
First: I have no way of posting logs right now; maybe I can get them in later. Hoping for some advice anyway. I picked up MS Antivirus / MSA Security Center and the machine went rabid immediately, with pop-ups, fake antivirus warnings and junk. After a while it wouldn't respond at all, so I couldn't install the programs recommended in the guide thread. After deleting the most obvious files I found while in safe mode it "calmed down"; when I logged in normally I got a pop-up that stayed on top and couldn't be clicked away, but I was able to install and run programs (CCleaner, SUPERAntiSpyware). Now I'm at the point where SUPERAntiSpyware doesn't find anything, but when I open Control Panel there is an icon identical to Security Center but named MS AV. So, what else should I run at this point? There's clearly more junk in there..
Svenni212000, posted 3 September 2008
Have you tried this one? http://free-av.com/en/tools/12/avira_antiv...cue_system.html
r2d290, posted 3 September 2008
Post a ComboFix log and a HijackThis log (see norbat's guide), then we'll see what needs to be done...
salvi (thread author), posted 3 September 2008
I'm back, with access to the logs again.. By the way: the machine has only just been reconnected to the network. I had downloaded SAS and CCleaner onto a USB stick on another machine, and was going to download HijackThis and ComboFix directly on this one, but I get "the page is not available". On the other machine it worked fine..

SAS, after the first scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/03/2008 at 03:51 AM

Application Version : 4.20.1046

Core Rules Database Version : 3541
Trace Rules Database Version: 1530

Scan type : Quick Scan
Total Scan Time : 00:06:47

Memory items scanned : 347
Memory threats detected : 0
Registry items scanned : 309
Registry threats detected : 5
File items scanned : 4015
File threats detected : 35

Trojan.Dropper/Gen
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CEEB7BA1-38DD-4344-9E02-44B57E30F910}
HKCR\CLSID\{CEEB7BA1-38DD-4344-9E02-44B57E30F910}
HKCR\CLSID\{CEEB7BA1-38DD-4344-9E02-44B57E30F910}\InprocServer32
HKCR\CLSID\{CEEB7BA1-38DD-4344-9E02-44B57E30F910}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\CFGBKEN.DLL

Trojan.Media-Codec
C:\Programfiler\PCHealthCenter.exe
C:\Programfiler\PCHealthCenter.gif
C:\Programfiler\PCHealthCenter\1.exe
C:\Programfiler\PCHealthCenter\1.gif
C:\Programfiler\PCHealthCenter\1.ico
C:\Programfiler\PCHealthCenter\2.exe
C:\Programfiler\PCHealthCenter\2.gif
C:\Programfiler\PCHealthCenter\2.ico
C:\Programfiler\PCHealthCenter\3.exe
C:\Programfiler\PCHealthCenter\3.gif
C:\Programfiler\PCHealthCenter\4.exe
C:\Programfiler\PCHealthCenter\5.exe
C:\Programfiler\PCHealthCenter\7.exe
C:\Programfiler\PCHealthCenter\sc.html
C:\Programfiler\PCHealthCenter
C:\WINDOWS\Prefetch.EXE-05A20F3D.pf
C:\WINDOWS\Prefetch\1.EXE-07714B04.pf
C:\WINDOWS\Prefetch\2.EXE-325A433C.pf
C:\WINDOWS\Prefetch\3.EXE-1CA49A76.pf
C:\WINDOWS\Prefetch\4.EXE-1D26F3CA.pf
C:\WINDOWS\Prefetch\5.EXE-31D7E9E8.pf
C:\WINDOWS\Prefetch\7.EXE-0B706F53.pf

Rogue.AntiVirus 2008
HKU\S-1-5-21-3647438065-233596972-4149112721-1007\Software\Microsoft\Windows\CurrentVersion\Run#Antivirus [ C:\Programfiler\MSA\MSA.exe ]

Adware.Tracking Cookie
C:\Documents and Settings\Stephan\Cookies\stephan@2o7[2].txt
C:\Documents and Settings\Stephan\Cookies\stephan@advertising[1].txt
C:\Documents and Settings\Stephan\Cookies\stephan@atdmt[2].txt
C:\Documents and Settings\Stephan\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephan\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephan\Cookies\stephan@questionmarket[2].txt
C:\Documents and Settings\Stephan\Cookies\stephan@serving-sys[1].txt
C:\Documents and Settings\Stephan\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephan\Cookies\stephan@tradedoubler[1].txt
C:\Documents and Settings\Stephan\Cookies\stephan@windowsmedia[1].txt

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\1.ICO
C:\WINDOWS\SYSTEM32\2.ICO

Log after the program had cleaned out a fair bit of nastiness:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/03/2008 at 04:17 AM

Application Version : 4.20.1046

Core Rules Database Version : 3541
Trace Rules Database Version: 1530

Scan type : Quick Scan
Total Scan Time : 00:06:22

Memory items scanned : 341
Memory threats detected : 0
Registry items scanned : 309
Registry threats detected : 0
File items scanned : 4036
File threats detected : 0

After I ran ComboFix I found a text file named "bug" on the C drive:

PUSHD "C:\327882R2FWJFW\"
IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT
VER 1>temp00
C:\WINDOWS\system32\FIND.exe "Microsoft Windows [Version 5.2.3790]" temp00 1>NULL
IF NOT ERRORLEVEL 1 GOTO Not_NT
C:\WINDOWS\system32\FIND.exe "Windows XP" temp00 1>NULL
PV -o"%i\t%l" | SED "/\t.*\\nircmd\.inf$/!d; s///; s/./@pv -kfi &/" 1>temp00.bat
CALL temp00.bat
DEL temp00.bat temp00 2>NULL
=============================================
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\salvi\Programdata
CFLDR=327882R2FWJFW
CommonProgramFiles=C:\Programfiler\Fellesfiler
COMPUTERNAME=MYSTIQUE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\salvi
KMD=CF24403.exe
LOGONSERVER=\\MYSTIQUE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Programfiler\Microsoft SQL Server\90\Tools\binn\
PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Programfiler
PROMPT=$
SESSIONNAME=Console
sfxname=C:\Documents and Settings\salvi\Skrivebord\ComboFix.exe
SYSTEM=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\salvi\LOKALE~1\Temp
TMP=C:\DOCUME~1\salvi\LOKALE~1\Temp
USERDOMAIN=MYSTIQUE
USERNAME=salvi
USERPROFILE=C:\Documents and Settings\salvi
windir=C:\WINDOWS
=============================================
IF NOT DEFINED sfxname GOTO END

And finally HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:24:04, on 03.09.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Trend Micro\sjekkern\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [\VIE8BB.exe] C:\Windows\System32\VIE8BB.exe
O4 - HKLM\..\Run: [\VIE8BC.exe] C:\Windows\System32\VIE8BC.exe
O4 - HKLM\..\Run: [\VIE8BD.exe] C:\Windows\System32\VIE8BD.exe
O4 - HKLM\..\Run: [\VIE8BE.exe] C:\Windows\System32\VIE8BE.exe
O4 - HKLM\..\Run: [Antivirus] C:\Programfiler\MSA\MSA.exe
O4 - HKLM\..\Run: [\VIE1.exe] C:\Windows\System32\VIE1.exe
O4 - HKLM\..\Run: [\VIE2.exe] C:\Windows\System32\VIE2.exe
O4 - HKLM\..\Run: [\VIE3.exe] C:\Windows\System32\VIE3.exe
O4 - HKLM\..\Run: [\VIE4.exe] C:\Windows\System32\VIE4.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\VIE8BB.exe] C:\Windows\System32\VIE8BB.exe
O4 - HKCU\..\Run: [\VIE8BC.exe] C:\Windows\System32\VIE8BC.exe
O4 - HKCU\..\Run: [\VIE8BD.exe] C:\Windows\System32\VIE8BD.exe
O4 - HKCU\..\Run: [\VIE8BE.exe] C:\Windows\System32\VIE8BE.exe
O4 - HKCU\..\Run: [\VIE1.exe] C:\Windows\System32\VIE1.exe
O4 - HKCU\..\Run: [\VIE2.exe] C:\Windows\System32\VIE2.exe
O4 - HKCU\..\Run: [\VIE3.exe] C:\Windows\System32\VIE3.exe
O4 - HKCU\..\Run: [\VIE4.exe] C:\Windows\System32\VIE4.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5832 bytes
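The O4 (Run key) and O2 (BHO) lines in the HijackThis log above are the autostart entries a helper reads first. The Python script below is an added example and is not part of salvi's post or of HijackThis itself: it parses lines of that shape and applies three defender-side heuristics, which are my own assumptions rather than HijackThis rules: a value name beginning with a backslash, the same name and command registered under both HKLM and HKCU, and a BHO whose DLL is listed as "(no file)". The sample lines are copied from the log above; the function names are assumed.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of O4/O2 lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [\VIE8BB.exe] C:\Windows\System32\VIE8BB.exe
O4 - HKLM\..\Run: [Antivirus] C:\Programfiler\MSA\MSA.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\VIE8BB.exe] C:\Windows\System32\VIE8BB.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_04\bin\ssv.dll
"""

# O4 lines look like: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 lines look like: "O2 - BHO: <description> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


def parse(log_text):
    """Split a HijackThis log into Run-key entries (hive, name, cmd) and BHO entries (desc, clsid, path)."""
    runs, bhos = [], []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            runs.append((m["hive"], m["name"], m["cmd"]))
            continue
        m = O2_RE.match(line)
        if m:
            bhos.append((m["desc"], m["clsid"], m["path"]))
    return runs, bhos


def triage(log_text):
    """Return a sorted list of (reason, detail) findings from three heuristics (assumptions, not HijackThis rules)."""
    runs, bhos = parse(log_text)
    findings = []
    hives_by_key = defaultdict(set)   # (name, command) -> set of root hives it appears under
    first_seen = {}                   # (name, command) -> original-case text for reporting
    for hive, name, cmd in runs:
        # Heuristic 1: a value name that starts with a backslash is not something a normal installer writes.
        if name.startswith("\\"):
            findings.append(("odd-name", f"{hive} [{name}] {cmd}"))
        key = (name.lower(), cmd.lower())
        hives_by_key[key].add(hive.split("\\")[0])
        first_seen.setdefault(key, f"[{name}] {cmd}")
    # Heuristic 2: the same name and command under both HKLM and HKCU (persistence duplicated per machine and per user).
    for key, hives in hives_by_key.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(("duplicated", first_seen[key]))
    # Heuristic 3: a BHO whose DLL is gone is an orphaned registration worth removing.
    for _desc, clsid, path in bhos:
        if path == "(no file)":
            findings.append(("orphaned-bho", clsid))
    return sorted(findings)


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:13s} {detail}")
```

Run against the sample, the script reports the VIE8BB entry twice under "odd-name", once as "duplicated", and the nameless BHO as "orphaned-bho"; the legitimate entries (NVIDIA, avast!, ctfmon, SUPERAntiSpyware, the Java BHO) produce no finding. The heuristics are deliberately narrow so that a clean log stays quiet.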
norbat, posted 3 September 2008
Click: Start -> Run
Type: netsh winsock reset catalog
Restart the PC in Safe Mode with Networking (tap F8 during startup).
See whether you can get ComboFix to run (or download a new version).

Also try installing MBAM:
Download Malwarebytes Anti-Malware to the desktop.
Run and install the program.
Choose Norwegian as the language.
Let the program update itself and choose to run a 'quick system scan'; click Scan.
A message box will appear saying the scan is finished; click OK.
Click the 'Show results' button. If malware was found, you will now see what was found.
Then click the Remove selected button to remove any malware that was found.

Post the logs if possible. If it's difficult to do what's described, let us know.
salvi (thread author), posted 3 September 2008
OK, ran ComboFix again in safe mode; here is the text file:

PUSHD "C:\327882R2FWJFW\"
IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT
VER 1>temp00
C:\WINDOWS\system32\FIND.exe "Microsoft Windows [Version 5.2.3790]" temp00 1>NULL
IF NOT ERRORLEVEL 1 GOTO Not_NT
C:\WINDOWS\system32\FIND.exe "Windows XP" temp00 1>NULL
PV -o"%i\t%l" | SED "/\t.*\\nircmd\.inf$/!d; s///; s/./@pv -kfi &/" 1>temp00.bat
CALL temp00.bat
DEL temp00.bat temp00 2>NULL
=============================================
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\salvi\Programdata
CFLDR=327882R2FWJFW
CLIENTNAME=Console
CommonProgramFiles=C:\Programfiler\Fellesfiler
COMPUTERNAME=MYSTIQUE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\salvi
KMD=CF83.exe
LOGONSERVER=\\MYSTIQUE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Programfiler\Microsoft SQL Server\90\Tools\binn\
PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Programfiler
PROMPT=$
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
sfxname=C:\Documents and Settings\salvi\Skrivebord\ComboFix.exe
SYSTEM=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\salvi\LOKALE~1\Temp
TMP=C:\DOCUME~1\salvi\LOKALE~1\Temp
USERDOMAIN=MYSTIQUE
USERNAME=salvi
USERPROFILE=C:\Documents and Settings\salvi
windir=C:\WINDOWS
=============================================
IF NOT DEFINED sfxname GOTO END

Going at MBAM now.
r2d290, posted 3 September 2008
I think you've misunderstood which file you're supposed to post... The ComboFix log is at c:/combofix.txt. It should look roughly like this one: https://www.diskusjon.no/index.php?showtopic=1000506
salvi (thread author), posted 3 September 2008
That's exactly what's odd: there is no such file there, only this one, which has the date/time from when I "ran" ComboFix. Just glanced at other logs and see that they look different. So I was just about to ask whether someone could post a new download link for the program; I originally used the one in the guide thread here on the forum.
r2d290, posted 3 September 2008 (edited)
Here is the guide I usually give (wouldn't rule out that it's the same link)... But norbat's thread gets used many times every day, so it's actually a bit strange that nobody else has reported it... You're making sure ComboFix is on the desktop, right?

Download Combofix (by sUBs) and put it on the Desktop.
Run combofix.exe and follow the instructions.
You will get a question: "Roughly 1/100 machines failed to make it through the disinfection process!! Are you sure you want to do this??" - Answer Yes.
Do not click on the window while the program is running. This can cause the program to freeze.
Post the log file from ComboFix (c:\combofix.txt).

Edited 3 September 2008 by r2d290
salvi (thread author), posted 3 September 2008 (edited)
It's on the desktop, but no messages come up when I "run" the program, so something is definitely fishy.. downloading yet again and trying.

Can add: I couldn't download ComboFix directly to the machine earlier; managed it now with the link above (and in safe mode), and NOW the program runs as it should over there...

Edited 3 September 2008 by salvi
norbat, posted 3 September 2008
First run a scan with an updated MBAM... Post the log it produces.
salvi (thread author), posted 3 September 2008
Have run both now.

MBAM:

Malwarebytes' Anti-Malware 1.26
Database versjon: 1110
Windows 5.1.2600 Service Pack 3

03.09.2008 21:33:26
mbam-log-2008-09-03 (21-33-26).txt

Skanntype: Rask Skann
Objekter skannet: 45636
Tid tilbakelagt: 5 minute(s), 14 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 2
Registerverdier infisert: 21
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 11

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registerverdier infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie8bb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie8bc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie8bd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie8be.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie8bb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie8bc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie8bd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie8be.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\WINDOWS\system32\MSA.cpl (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oembios.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

ComboFix:

ComboFix 08-09-01.05 - Ann 2008-09-03 21:40:35.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1044.18.1798 [GMT 2:00]
Running from: C:\Documents and Settings\Ann\Skrivebord\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-09-03 21:21 . 2008-09-03 21:21 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-09-03 21:21 . 2008-09-03 21:21 <DIR> d-------- C:\Documents and Settings\Ann\Programdata\Malwarebytes
2008-09-03 21:21 . 2008-09-03 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-09-03 21:21 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 21:21 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 20:23 . 2008-09-03 20:23 <DIR> d-------- C:\Program Files
2008-09-03 20:21 . 2008-09-03 20:21 <DIR> d-------- C:\Programfiler\Trend Micro
2008-09-03 03:44 . 2008-09-03 03:44 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-09-03 03:44 . 2008-09-03 03:44 <DIR> d-------- C:\Documents and Settings\Ann\Programdata\SUPERAntiSpyware.com
2008-09-03 03:44 . 2008-09-03 03:44 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-09-03 03:43 . 2008-09-03 03:59 <DIR> dr-h----- C:\Documents and Settings\Ann\Siste
2008-09-03 03:41 . 2008-09-03 03:41 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-09-03 03:40 . 2008-09-03 03:40 <DIR> dr-h----- C:\Documents and Settings\Administrator\Siste
2008-09-03 03:38 . 2008-09-03 03:38 <DIR> d-------- C:\Programfiler\CCleaner
2008-09-02 18:58 . 2008-09-02 18:58 <DIR> d-------- C:\Programfiler\Jasc Software Inc
2008-09-02 18:58 . 2008-09-02 18:58 <DIR> d-------- C:\Programfiler\Fellesfiler\Jasc Software Inc
2008-09-02 18:58 . 2008-09-02 18:58 <DIR> d-------- C:\Documents and Settings\Ann\Programdata\Jasc Software Inc
2008-09-02 18:58 . 2008-09-02 18:58 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\InstallShield
2008-09-02 11:45 . 2008-09-03 15:47 <DIR> d-------- C:\Programfiler\Steam
2008-09-02 04:29 . 2008-09-02 04:29 <DIR> d-------- C:\WINDOWS\Sun
2008-09-01 07:30 . 2008-04-15 14:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-31 23:24 . 2008-09-03 02:35 <DIR> d-------- C:\Documents and Settings\Ann\Programdata\LimeWire
2008-08-31 23:09 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-31 23:08 . 2008-09-02 18:22 <DIR> d-------- C:\Programfiler\LimeWire
2008-08-31 23:08 . 2008-08-31 23:09 <DIR> d-------- C:\Programfiler\Java
2008-08-31 23:08 . 2008-08-31 23:08 <DIR> d-------- C:\Programfiler\Fellesfiler\Java
2008-08-31 20:14 . 2008-08-31 20:14 <DIR> d-------- C:\Programfiler\Windows Media Connect 2
2008-08-31 20:13 . 2008-08-31 20:13 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-31 20:13 . 2008-08-31 20:13 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-31 16:36 . 2008-08-31 16:36 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-08-31 16:36 . 2008-08-31 16:45 33,944 --a------ C:\WINDOWS\DIIUnin.dat
2008-08-31 16:36 . 2008-08-31 16:36 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-08-31 16:23 . 2008-08-31 16:45 <DIR> d-------- C:\Programfiler\Diablo II
2008-08-30 19:37 . 2008-08-30 19:37 <DIR> d-------- C:\Documents and Settings\Stephan\Programdata\Ubisoft
2008-08-30 19:33 . 2008-04-13 11:45 60,032 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-08-30 19:33 . 2008-04-13 11:45 60,032 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-08-30 19:33 . 2008-04-14 09:22 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-08-30 19:33 . 2008-04-14 09:22 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-08-30 18:27 . 2008-09-02 19:47 <DIR> d-------- C:\Programfiler\Winamp
2008-08-30 18:27 . 2008-08-30 19:07 <DIR> d-------- C:\Documents and Settings\Ann\Programdata\Winamp
2008-08-30 15:49 . 2008-08-30 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Ubisoft
2008-08-30 15:48 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-08-30 15:43 . 2008-08-30 15:43 <DIR> d-------- C:\Programfiler\Ubisoft
2008-08-30 15:42 . 2008-08-30 15:42 <DIR> d-------- C:\Documents and Settings\Stephan\Programdata\InstallShield
2008-08-30 15:35 . 2008-08-30 15:35 <DIR> d-------- C:\Programfiler\DAEMON Tools Lite
2008-08-30 15:35 . 2008-08-30 15:35 <DIR> d-------- C:\Documents and Settings\Stephan\Programdata\DAEMON Tools
2008-08-30 15:30 . 2008-08-30 15:30 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-08-30 15:26 . 2008-08-30 15:26 <DIR> d-------- C:\Programfiler\uTorrent
2008-08-30 15:26 . 2008-08-31 18:01 <DIR> d-------- C:\Documents and Settings\Stephan\Programdata\uTorrent
2008-08-30 12:40 . 2008-09-03 16:23 23 --a------ C:\WINDOWS\BlendSettings.ini
2008-08-30 12:28 . 2008-08-30 13:19 <DIR> d-------- C:\Documents and Settings\Stephan\Contacts
2008-08-30 12:27 . 2008-08-30 12:27 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-30 12:27 . 2008-08-30 12:27 <DIR> d-------- C:\Programfiler\MSN Messenger
2008-08-30 12:21 . 2008-08-30 12:21 <DIR> d-------- C:\Programfiler\Bethesda Softworks
2008-08-30 12:19 . 2008-09-02 18:58 <DIR> d-------- C:\Programfiler\Fellesfiler\InstallShield
2008-08-30 12:19 . 2008-08-30 12:19 <DIR> dr-h----- C:\Documents and Settings\Stephan\Programdata\SecuROM
2008-08-30 12:19 . 2008-08-30 12:19 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-30 12:17 . 2008-08-30 15:26 <DIR> dr------- C:\Documents and Settings\Stephan\Start-meny
2008-08-30 12:17 . 2008-08-20 05:36 <DIR> d--h----- C:\Documents and Settings\Stephan\Skrivere
2008-08-30 12:17 . 2008-09-02 11:45 <DIR> d-------- C:\Documents and Settings\Stephan\Skrivebord
2008-08-30 12:17 . 2008-09-02 13:30 <DIR> dr-h----- C:\Documents and Settings\Stephan\Siste
2008-08-30 12:17 . 2008-08-20 14:09 <DIR> d-------- C:\Documents and Settings\Stephan\Programdata\Symantec
2008-08-30 12:17 . 2008-08-30 19:37 <DIR> dr-h----- C:\Documents and Settings\Stephan\Programdata
2008-08-30 12:17 . 2008-08-31 20:14 <DIR> dr------- C:\Documents and Settings\Stephan\Mine dokumenter
2008-08-30 12:17 . 2008-08-20 03:41 <DIR> d--h----- C:\Documents and Settings\Stephan\Maler
2008-08-30 12:17 . 2008-09-03 21:42 <DIR> d--h----- C:\Documents and Settings\Stephan\Lokale innstillinger
2008-08-30 12:17 . 2008-08-30 12:17 <DIR> dr------- C:\Documents and Settings\Stephan\Favoritter
2008-08-30 12:17 . 2008-08-20 05:36 <DIR> d--h----- C:\Documents and Settings\Stephan\AndrMask
2008-08-30 12:17 . 2008-09-02 17:53 <DIR> d-------- C:\Documents and Settings\Stephan
2008-08-29 18:20 . 2008-08-30 23:38 <DIR> d-------- C:\Documents and Settings\Ann\Programdata\SecondLife
2008-08-29 18:19 . 2008-08-29 18:21 <DIR> d-------- C:\Programfiler\SecondLife
2008-08-29 18:14 . 2008-08-29 18:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-29 18:03 . 2008-08-29 18:03 <DIR> d-------- C:\Programfiler\Alwil Software
2008-08-29 17:59 . 2008-08-20 14:09 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Programdata\Symantec
2008-08-29 17:59 . 2008-08-20 05:36 <DIR> dr------- C:\Documents and Settings\Ann\Start-meny
2008-08-29 17:59 . 2008-08-20 05:36 <DIR> d--h----- C:\Documents and Settings\Ann\Skrivere
2008-08-29 17:59 . 2008-09-03 21:40 <DIR> d-------- C:\Documents and Settings\Ann\Skrivebord
2008-08-29 17:59 . 2008-08-20 14:09 <DIR> d-------- C:\Documents and Settings\Ann\Programdata\Symantec
2008-08-29 17:59 . 2008-09-03 21:21 <DIR> d--h----- C:\Documents and Settings\Ann\Programdata
2008-08-29 17:59 . 2008-09-03 20:22 <DIR> dr------- C:\Documents and Settings\Ann\Mine dokumenter
2008-08-29 17:59 . 2008-08-20 03:41 <DIR> d--h----- C:\Documents and Settings\Ann\Maler
2008-08-29 17:59 . 2008-09-03 15:32 <DIR> d--h----- C:\Documents and Settings\Ann\Lokale innstillinger
2008-08-29 17:59 . 2008-08-29 17:59 <DIR> dr------- C:\Documents and Settings\Ann\Favoritter
2008-08-29 17:59 . 2008-08-20 05:36 <DIR> d--h----- C:\Documents and Settings\Ann\AndrMask
2008-08-29 17:59 . 2008-09-03 03:43 <DIR> d-------- C:\Documents and Settings\Ann
2008-08-29 17:59 . 2008-06-14 19:36 272,256 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-29 17:59 . 2008-06-14 19:36 272,256 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-29 17:58 . 2008-06-23 18:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-29 17:58 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-29 17:58 . 2007-03-08 07:11 1,007,616 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-29 17:58 . 2008-06-23 18:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-29 17:58 . 2008-06-23 18:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-29 17:58 . 2008-06-23 18:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-29 17:58 . 2008-06-23 18:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-29 17:58 . 2008-06-23 18:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-29 17:58 . 2008-06-23 11:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-29 17:58 . 2008-08-29 17:58 12,540 --a------ C:\WINDOWS\system32\wpa.bak
2008-08-20 16:35 . 2008-08-20 16:35 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-08-20 16:22 . 2008-08-20 16:22 333 --a------ C:\WINDOWS\system32\$ncsp$.inf
2008-08-20 16:22 . 2008-08-20 16:22 61 --a------ C:\WINDOWS\smscfg.ini
2008-08-20 15:11 . 2008-08-20 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\TEMP
2008-08-20 15:11 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-08-20 14:19 . 2008-08-20 14:19 262,144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-08-20 14:19 . 2008-08-20 14:19 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-08-20 14:18 . 2008-08-20 14:18 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-08-20 14:18 . 2004-10-25 20:02 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2008-08-20 14:18 . 1999-11-02 10:01 6,173 --a------ C:\WINDOWS\system32\drivers\Entech.vxd
2008-08-20 14:18 . 2004-06-22 15:44 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2008-08-20 14:18 . 2001-11-19 19:05 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2008-08-20 14:17 . 2008-08-30 15:43 <DIR> d--h----- C:\Programfiler\InstallShield Installation Information
2008-08-20 14:17 . 2008-08-20 14:17 <DIR> d-------- C:\Programfiler\Futuremark
2008-08-20 14:09 . 2008-08-20 14:09 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Symantec
2008-08-20 14:06 . 2008-08-20 14:06 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-08-20 14:06 . 2008-08-29 18:08 <DIR> d-------- C:\Programfiler\Fellesfiler\Symantec Shared
2008-08-20 14:06 . 2008-08-29 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Symantec
2008-08-20 14:06 . 2008-08-20 14:06 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-08-20 14:06 . 2008-08-20 14:06 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-08-20 13:29 . 2008-05-16 14:01 13,529,088 --a------ C:\WINDOWS\system32\nvcpl.dll
2008-08-20 13:28 . 2008-04-15 14:00 13,107,200 --a------ C:\WINDOWS\system32\oembios.bin
2008-08-20 13:27 . 2008-04-15 14:00 2,091,520 --a--c--- C:\WINDOWS\system32\dllcache\cdosys.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 01:59 --------- d-----w C:\Programfiler\Activation Assistant for the 2007 Microsoft Office suites
2008-08-20 01:59 --------- d-----w C:\Documents and Settings\All Users\Programdata\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
2008-08-20 01:58 --------- d-----w C:\Programfiler\Microsoft Small Business
2008-08-20 01:57 --------- d-----w C:\Programfiler\Microsoft SQL Server
2008-08-20 01:54 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help
2008-08-20 01:53 --------- d-----w C:\Programfiler\Microsoft.NET
2008-08-20 01:53 --------- d-----w C:\Programfiler\Microsoft Works
2008-08-20 01:50 --------- d-----w C:\Programfiler\Fellesfiler\Adobe
2008-08-20 01:44 --------- d-----w C:\Programfiler\microsoft frontpage
2008-08-20 01:43 --------- d-----w C:\Programfiler\Elektroniske tjenester
2008-08-20 01:42 --------- d-----w C:\Programfiler\Fellesfiler\Tjenester
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-15 15360]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-28 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-15 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Programfiler\\SecondLife\\SLVoice.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=
"C:\\Programfiler\\uTorrent\\uTorrent.exe"=
"C:\\Programfiler\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Programfiler\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Programfiler\\Ubisoft\\Assassin's
Creed\\AssassinsCreed_Launcher.exe"= R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560] R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Programfiler\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976] S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 61536] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - D:\OblivionLauncher.exe . . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Ann\Programdata\Mozilla\Firefox\Profiles\cgwu8l4m.default\ . . ------- File Associations (Beta) ------- . regfile=regedit.exe "%1" %* scrfile="%1" %* . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-03 21:46:37 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe C:\Programfiler\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\nvsvc32.exe C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\rundll32.exe C:\Programfiler\Mozilla Firefox\firefox.exe . ************************************************************************** . 
Completion time: 2008-09-03 21:50:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-03 19:49:35
Pre-Run: 405,822,545,920 byte ledig
Post-Run: 403,699,609,600 byte ledig
225 --- E O F --- 2008-08-30 01:03:22

I'm getting a bit hung up on this one: WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
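The "Reg Loading Points" section of the log above is the part a helper reads to find what still starts with the machine (Run keys, ShellExecuteHooks, Winlogon notify packages, services and drivers, drive-letter AutoRun commands). The following Python script is an added example for this thread, not ComboFix's own code and not posted by anyone in it: it parses that section into a flat list of autostart entries and flags the ones a reviewer should look at first. The line shapes follow the log as posted; the two triage rules (image under a user-writable path, AutoRun hung off a drive letter) and the extra `sample_rogue` Run value in the sample input are constructed for the example.

```python
"""Extract and triage autostart entries from a ComboFix "Reg Loading Points" section.

Added example for this thread, not ComboFix's own code. The line shapes are
inferred from the log posted above; the triage rules are this example's own
assumptions and only decide what a human helper looks at first.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="image" [date size]   (ShellExecuteHooks has a space after the '=')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
# firewall AuthorizedApplications list: "image"=   (nothing after the '=')
FIREWALL_RE = re.compile(r'^"(?P<name>[^"]+)"=$')
# services/drivers: R2 name;display name;image [date size]
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]$')
# mountpoints2: \Shell\AutoRun\command - D:\launcher.exe
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(?P<path>.+)$')
# winlogon\notify: "date time size image" on the line under the key header
NOTIFY_RE = re.compile(r'^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+) (?P<path>\S.*)$')


@dataclass
class Entry:
    location: str   # registry key (or "services") the entry was found under
    name: str
    path: str
    stamp: str      # ComboFix's "[date size]" annotation, '' when absent


def parse_loading_points(text):
    """Return an Entry for every autostart line in a loading-points excerpt."""
    entries, key = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('*Note*') or line == 'REGEDIT4':
            continue
        if m := KEY_RE.match(line):
            key = m.group('key')
        elif m := VALUE_RE.match(line):
            entries.append(Entry(key, m.group('name'), m.group('path'), m.group('stamp')))
        elif m := FIREWALL_RE.match(line):
            entries.append(Entry(key, m.group('name'), m.group('name'), ''))
        elif m := SERVICE_RE.match(line):
            entries.append(Entry('services', m.group('name'), m.group('path'), m.group('stamp')))
        elif m := AUTORUN_RE.match(line):
            entries.append(Entry(key, 'AutoRun', m.group('path'), ''))
        elif m := NOTIFY_RE.match(line):
            entries.append(Entry(key, key.rsplit('\\', 1)[-1], m.group('path'), m.group('stamp')))
    return entries


# Assumed heuristic: paths a non-admin installer can write to on this Norwegian XP
# ("Lokale innstillinger" is the localized "Local Settings").
USER_WRITABLE = ('\\documents and settings\\', '\\temp\\', '\\lokale innstillinger\\', '\\local settings\\')


def triage(entries):
    """Return (entry, reasons) pairs for entries a helper should review first."""
    flagged = []
    for e in entries:
        reasons = []
        if any(marker in e.path.lower() for marker in USER_WRITABLE):
            reasons.append('image lives in a user-writable location')
        if 'mountpoints2' in e.location.lower():
            reasons.append('AutoRun command attached to a drive letter')
        if reasons:
            flagged.append((e, reasons))
    return flagged


# Excerpt of the log posted above, plus one constructed Run value (sample_rogue)
# so the user-writable-location rule has something to fire on.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-15 15360]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
"sample_rogue"="C:\Documents and Settings\Ann\Lokale innstillinger\Temp\sample_rogue.exe" [2008-09-01 23552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 61536]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\OblivionLauncher.exe
"""


def main():
    entries = parse_loading_points(SAMPLE_LOG)
    print(f'{len(entries)} autostart entries parsed')
    for e, reasons in triage(entries):
        print(f'REVIEW {e.location} :: {e.name} -> {e.path}  ({"; ".join(reasons)})')


if __name__ == '__main__':
    main()
```

Feed it only the loading-points section (from `*Note*` down to the mountpoints2 block); the date-prefixed lines in the file lists above that section would otherwise be mistaken for Winlogon notify entries. A flag is a prompt to look, not a verdict: the AutoRun line here is a game launcher on a second drive, which is exactly the kind of thing a helper confirms by hand.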
r2d290 Posted 3 September 2008: That console message is normal, nothing to worry about. I'm assuming you restarted the machine after running MBAM. It looks like MBAM took all the infections with it. Do you notice anything more of the problems?
salvi (author) Posted 3 September 2008: MBAM restarted, yes. I also see that the fake Security Center icon in the Control Panel is gone! I don't notice anything specific right now, no. Given a clean bill of health? *crosses fingers*
snippsat Posted 3 September 2008 (edited): Yes, the ComboFix log looks fine. You're clean. You can remove ComboFix by typing combofix /u from the Run window. This command deletes the quarantined files and backups, resets the System Restore folder, etc. Another round with CCleaner, and remember to run the registry cleaner as well. Check Java. Surf safely. Edited 3 September 2008 by SNIPPSAT
salvi (author) Posted 4 September 2008: Great! Thanks for all the help!