
MBAM log

Malwarebytes' Anti-Malware 1.26

Database versjon: 1119

Windows 5.1.2600 Service Pack 2

 

06.09.2008 12:31:42

mbam-log-2008-09-06 (12-31-42).txt

 

Skanntype: Rask Skann

Objekter skannet: 42717

Tid tilbakelagt: 22 minute(s), 25 second(s)

 

Minneprosesser infisert: 1

Minnemoduler infisert: 2

Registernøkler infisert: 5

Registerverdier infisert: 9

Registerfiler infisert: 2

Mapper infisert: 13

Filer infisert: 18

 

Minneprosesser infisert:

C:\WINDOWS\system32\lphcc18j0e1fj.exe (Trojan.FakeAlert) -> Unloaded process successfully.

 

Minnemoduler infisert:

C:\WINDOWS\system32\blphcc18j0e1fj.scr (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

 

Registernøkler infisert:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winmv54 (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\winmv54 (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmv54 (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

 

Registerverdier infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buritos (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcc18j0e1fj (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhc918j0e1fj (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

 

Registerfiler infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Mapper infisert:

C:\Documents and Settings\Thao Phuong Tran\Programdata\DriveCleaner 2006 Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\DriveCleaner 2006 Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\rhc918j0e1fj (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\rhc918j0e1fj\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\rhc918j0e1fj\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\rhc918j0e1fj\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\rhc918j0e1fj\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\rhc918j0e1fj\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\rhc918j0e1fj\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\rhc918j0e1fj\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\rhc918j0e1fj\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\rhc918j0e1fj\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\rhc918j0e1fj\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

 

Filer infisert:

C:\WINDOWS\system32\blphcc18j0e1fj.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\karina.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\karina.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\Drivers\Winmv54.sys (Rootkit.Agent) -> Delete on reboot.

C:\autoex.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\DriveCleaner 2006 Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\buritos.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.

C:\kl.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\buritos.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lphcc18j0e1fj.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\phcc18j0e1fj.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Thao Phuong Tran\Programdata\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

 

Combofix

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\smp.bat

 

.

((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))

.

 

2008-09-06 12:06 . 2008-09-06 12:06 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-09-06 12:06 . 2008-09-06 12:06 <DIR> d-------- C:\Documents and Settings\Thao Phuong Tran\Programdata\Malwarebytes

2008-09-06 12:06 . 2008-09-06 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-09-06 12:06 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-06 12:06 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-06 12:00 . 2008-09-06 12:00 <DIR> dr-h----- C:\Documents and Settings\Thao Phuong Tran\Siste

2008-09-06 11:56 . 2008-09-06 11:56 <DIR> d-------- C:\Programfiler\CCleaner

2008-09-06 11:13 . 2008-09-06 11:13 83,960 --a------ C:\WINDOWS\system32\drivers\132.exe

2008-08-28 17:28 . 2008-08-28 17:28 <DIR> d-------- C:\Programfiler\TeaTimer (Spybot - Search & Destroy)

2008-08-28 17:26 . 2008-08-28 17:26 61,440 --a------ C:\WINDOWS\system32\drivers\89.exe

2008-08-28 16:42 . 2008-08-28 16:42 61,440 --a------ C:\WINDOWS\system32\drivers\982.exe

2008-08-28 11:45 . 2008-08-28 11:56 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

2008-08-28 11:42 . 2008-08-28 11:42 203,776 --a------ C:\WINDOWS\system32\drivers\541.exe

2008-08-28 07:07 . 2008-08-28 07:07 203,776 --a------ C:\WINDOWS\system32\drivers\813.exe

2008-08-27 15:07 . 2008-08-27 15:07 203,776 --a------ C:\WINDOWS\system32\drivers\996.exe

2008-08-09 17:14 . 2008-09-02 15:38 <DIR> d-------- C:\Documents and Settings\Thao Phuong Tran\Programdata\gtk-2.0

2008-08-09 17:14 . 2008-08-09 17:14 <DIR> d-------- C:\Documents and Settings\Thao Phuong Tran\.thumbnails

2008-08-09 16:40 . 2008-09-02 15:57 <DIR> d-------- C:\Documents and Settings\Thao Phuong Tran\.gimp-2.4

2008-08-09 16:38 . 2008-08-09 16:39 <DIR> d-------- C:\Programfiler\GIMP-2.0

2008-08-06 22:14 . 2008-08-06 22:14 <DIR> d-------- C:\Programfiler\Avira

2008-08-06 22:14 . 2008-08-06 22:14 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Avira

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-06 10:51 --------- d-----w C:\Documents and Settings\All Users\Programdata\Skype

2008-09-06 10:02 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-09-04 21:25 33,072 ----a-w C:\Documents and Settings\Thao Phuong Tran\Programdata\wklnhst.dat

2008-08-06 19:36 --------- d-----w C:\Documents and Settings\All Users\Programdata\avg7

2008-08-02 17:58 --------- d-----w C:\Programfiler\Windows Live Safety Center

2008-07-18 22:36 315,392 ----a-w C:\WINDOWS\HideWin.exe

2008-07-18 22:36 --------- d-----w C:\Programfiler\Realtek

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll

2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll

2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll

2008-07-17 16:57 --------- d-----w C:\Programfiler\Microsoft Silverlight

2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-07-07 20:33 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll

2008-07-03 14:51 16,876,032 ----a-w C:\WINDOWS\RTHDCPL.exe

2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-24 16:24 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll

2008-06-23 09:49 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe

2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 17:43 246,784 ------w C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 17:43 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-19 14:42 2,808,832 ----a-w C:\WINDOWS\alcwzrd.exe

2008-06-19 14:27 9,715,200 ----a-w C:\WINDOWS\RTLCPL.exe

2008-06-19 14:20 57,344 ----a-w C:\WINDOWS\Alcmtr.exe

2008-06-18 16:01 77,824 ----a-w C:\WINDOWS\SoundMan.exe

2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\dllcache\bthport.sys

2006-08-01 05:32 18,362 -c--a-w C:\Documents and Settings\DRIVERS\snapsys.dat

2006-06-26 12:38 276 -c--a-w C:\Documents and Settings\DRIVERS\REGCUST.REG

2005-12-08 14:51 151,552 -c--a-w C:\Documents and Settings\DRIVERS\INFSCAN.EXE

2005-03-22 07:44 44,483 -c----w C:\Documents and Settings\DRIVERS\SHELLHS.DLL

2004-04-19 16:08 98 -c--a-w C:\Documents and Settings\DRIVERS\MKBPBOOT.BAT

2002-09-13 09:34 334 -c--a-w C:\Documents and Settings\DRIVERS\SPOWRUN.REG

2002-08-29 13:36 103,930 -c--a-w C:\Documents and Settings\DRIVERS\EXTHS.EXE

2001-06-15 09:08 184 -c--a-w C:\Documents and Settings\DRIVERS\OEM_INFO.REG

2000-09-12 15:16 227 -c--a-w C:\Documents and Settings\DRIVERS\PBN.BAT

2000-08-02 16:11 42,260 -c--a-w C:\Documents and Settings\DRIVERS\FRMTINFO.EXE

2000-06-27 04:27 79,422 -c--a-w C:\Documents and Settings\DRIVERS\TATTOO.EXE

1998-04-16 11:21 74,736 -c--a-w C:\Documents and Settings\DRIVERS\PARSINI.EXE

.

 

------- Sigcheck -------

 

2004-08-04 14:00 17408 74d8b9192e4e06cfbf5a0667ebfd4cf4 C:\WINDOWS\system32\svchost.exe

 

2004-08-04 14:00 502272 ea6dab49e562388091588faafcc844a5 C:\WINDOWS\system32\winlogon.exe

 

2007-06-13 15:24 1035776 318c4e561831eab811f4099d7d60c878 C:\WINDOWS\explorer.exe

2007-06-13 15:12 1033216 1a8e8cace017e1b143de91e11987ed39 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

2004-08-04 14:00 1032192 0b4a898de1aa20d133c91ba260e7a8a1 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

 

2004-08-04 14:00 110592 2f9bc53fb44f97589011730cde80195a C:\WINDOWS\system32\services.exe

 

2004-08-04 14:00 14848 37dd1150983eaa954aaf7059962bb3d8 C:\WINDOWS\system32\lsass.exe

 

2005-06-11 02:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

2004-08-04 14:00 57856 1efb05d36736d2b6df8fd81c76fa0be6 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe

2005-06-11 01:53 58880 9a5fc78c8f30194a8676590ae10a8ccc C:\WINDOWS\system32\spoolsv.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NBJ"="C:\Programfiler\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 1957888]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"Skype"="C:\APPS\skype\phone\Skype.exe" [2005-06-29 17605160]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 729178]

"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2005-04-14 58992]

"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 127118]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-08-01 100056]

"NeroFilterCheck"="C:\WINDOWS\system32\NEROCH~1.EXE" [2001-07-09 155648]

"F-Secure Manager"="C:\Programfiler\F-Secure\Common\FSM32.EXE" [2005-09-19 106571]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2006-10-25 282624]

"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-03 98304]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 118784]

"avgnt"="C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"Snarvei til egenskapsside for High Definition Audio"="HDAShCut.exe" [2005-01-07 C:\WINDOWS\system32\HdAShCut.exe]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-03 C:\WINDOWS\RTHDCPL.exe]

"AGRSMMSG"="AGRSMMSG.exe" [2005-05-11 C:\WINDOWS\AGRSMMSG.exe]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 C:\WINDOWS\system32\HdAShCut.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"NoDispScrSavPage"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmv54.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SPBBCSvc"=2 (0x2)

"SNDSrvc"=3 (0x3)

"ccSetMgr"=2 (0x2)

"ccPwdSvc"=3 (0x3)

"ccProxy"=2 (0x2)

"ccEvtMgr"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"C:\\Programfiler\\iTunes\\iTunes.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\APPS\\skype\\phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

 

R2 F-Secure Filter;F-Secure File System Filter;C:\Programfiler\F-Secure\Common\FSfilter.sys [2005-09-19 14640]

R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programfiler\F-Secure\Common\fsgk.sys [2005-09-19 79600]

R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programfiler\F-Secure\Common\FSrec.sys [2005-09-19 12944]

R2 FSpm;F-Secure Policy Manager;C:\Programfiler\F-Secure\Common\FSPM.SYS [2005-09-19 65328]

S3 cpuz129;cpuz129;C:\DOCUME~1\THAOPH~1\LOKALE~1\Temp\cpuz_x32.sys [ ]

S3 ctlsb16;Creative SB16/AWE32/AWE64-driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 96256]

S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2007-05-02 83592]

S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2007-05-02 15112]

S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2007-05-02 109704]

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-WhenUSave - C:\Programfiler\Save\Save.exe

SSODL-HnBiUIvM-{64F00E08-CE5A-A4A2-2DB7-92907C0E09D6} - C:\WINDOWS\system32\igvo.dll

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Thao Phuong Tran\Programdata\Mozilla\Firefox\Profiles\4o091mta.default\

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-06 12:49:48

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe

C:\Programfiler\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

C:\Programfiler\CyberLink\Shared Files\CLML_NTService\CLMLService.exe

C:\APPS\HIDSERVICE\HidService.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\wdfmgr.exe

C:\Programfiler\F-Secure\Common\FSMA32.exe

C:\Programfiler\F-Secure\Common\FSMB32.exe

C:\Programfiler\F-Secure\Common\fch32.exe

C:\Programfiler\F-Secure\Common\FAMEH32.exe

C:\APPS\Powercinema\Kernel\TV\CLSched.exe

C:\Programfiler\F-Secure\Common\FNRB32.exe

C:\Programfiler\F-Secure\Common\FIH32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Programfiler\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2008-09-06 12:53:32 - machine was rebooted

ComboFix-quarantined-files.txt 2008-09-06 10:53:27

 

Pre-Run: 30,127,656,960 byte ledig

Post-Run: 30,044,467,200 byte ledig

 

220 --- E O F --- 2008-08-15 07:06:36

 

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:58:04, on 06.09.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe

C:\Programfiler\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

C:\Programfiler\CyberLink\Shared Files\CLML_NTService\CLMLService.exe

c:\APPS\HIDSERVICE\HIDSERVICE.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\F-Secure\Common\FSMA32.EXE

C:\Programfiler\F-Secure\Common\FSMB32.EXE

C:\Programfiler\F-Secure\Common\FCH32.EXE

C:\Programfiler\F-Secure\Common\FAMEH32.EXE

c:\APPS\Powercinema\Kernel\TV\CLSched.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Apps\Powercinema\PCMService.exe

C:\Programfiler\F-Secure\Common\FSM32.EXE

C:\Programfiler\QuickTime\qttask.exe

C:\Programfiler\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Programfiler\F-Secure\Common\FNRB32.EXE

C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\F-Secure\Common\FIH32.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\APPS\skype\phone\Skype.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [snarvei til egenskapsside for High Definition Audio] HDAShCut.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NEROCH~1.EXE

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programfiler\F-Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [avgnt] "C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [NBJ] "C:\Programfiler\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [skype] "C:\APPS\skype\phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\nor.htm

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154414070725

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programfiler\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FNRB32.EXE

O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Programfiler\F-Secure\Common\FSAA.EXE

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FSMA32.EXE

O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: ISSvc (ISSVC) - Unknown owner - C:\Programfiler\Norton Internet Security\ISSVC.exe (file missing)

O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Unknown owner - C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

O23 - Service: SAVScan - Unknown owner - C:\Programfiler\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)

O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Programfiler\Windows Live\installer\WLSetupSvc.exe

 

--

End of file - 8350 bytes

Go to the website http://virusscan.jotti.org/ and upload the following files for checking:

C:\WINDOWS\system32\drivers\132.exe

C:\WINDOWS\system32\drivers\541.exe

Report back whether anything was found on them.

 

It looks like you have 3 antivirus programs running (F-Secure, Norton and Avira). Decide which one you want to keep and remove the other two.

 

C:\WINDOWS\system32\drivers\132.exe

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

 

C:\WINDOWS\system32\drivers\541.exe

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

 

 

How do I remove Norton and F-Secure?

One more thing: should I remove any of the programs in the guide?


Step 1:

You remove Norton by using the Norton Removal Tool.

 

For F-Secure, see if you can remove it via Add / Remove Programs.

 

Step 2:

Then do the following:

Open Notepad and paste in what is written in bold below, then save the file to the desktop as CFScript.txt.

Then drag the file onto the ComboFix icon. ComboFix will start again. Post the log.

 

File::

C:\WINDOWS\system32\drivers\132.exe

C:\WINDOWS\system32\drivers\89.exe

C:\WINDOWS\system32\drivers\982.exe

C:\WINDOWS\system32\drivers\541.exe

C:\WINDOWS\system32\drivers\813.exe

C:\WINDOWS\system32\drivers\996.exe

 

Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmv54.sys]

 

Step 3:

Go to Windows Update and install the updates (including SP3) (Start -> All Programs -> Windows Update).

 

Step 4:

Update MBAM and run a quick scan + a new round of ComboFix. Post the logs.


combofix

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\drivers\132.exe

C:\WINDOWS\system32\drivers\541.exe

C:\WINDOWS\system32\drivers\813.exe

C:\WINDOWS\system32\drivers\89.exe

C:\WINDOWS\system32\drivers\982.exe

C:\WINDOWS\system32\drivers\996.exe

 

.

((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))

.

 

2008-09-06 12:56 . 2008-09-06 12:56 <DIR> d-------- C:\Programfiler\Trend Micro

2008-09-06 12:06 . 2008-09-06 12:06 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-09-06 12:06 . 2008-09-06 12:06 <DIR> d-------- C:\Documents and Settings\Thao Phuong Tran\Programdata\Malwarebytes

2008-09-06 12:06 . 2008-09-06 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-09-06 12:06 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-06 12:06 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-06 12:00 . 2008-09-06 14:30 <DIR> dr-h----- C:\Documents and Settings\Thao Phuong Tran\Siste

2008-09-06 11:56 . 2008-09-06 11:56 <DIR> d-------- C:\Programfiler\CCleaner

2008-08-28 17:28 . 2008-08-28 17:28 <DIR> d-------- C:\Programfiler\TeaTimer (Spybot - Search & Destroy)

2008-08-28 11:45 . 2008-08-28 11:56 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

2008-08-09 17:14 . 2008-09-02 15:38 <DIR> d-------- C:\Documents and Settings\Thao Phuong Tran\Programdata\gtk-2.0

2008-08-09 17:14 . 2008-08-09 17:14 <DIR> d-------- C:\Documents and Settings\Thao Phuong Tran\.thumbnails

2008-08-09 16:40 . 2008-09-02 15:57 <DIR> d-------- C:\Documents and Settings\Thao Phuong Tran\.gimp-2.4

2008-08-09 16:38 . 2008-08-09 16:39 <DIR> d-------- C:\Programfiler\GIMP-2.0

2008-08-06 22:14 . 2008-08-06 22:14 <DIR> d-------- C:\Programfiler\Avira

2008-08-06 22:14 . 2008-08-06 22:14 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Avira

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-06 12:25 --------- d-----w C:\Programfiler\F-Secure

2008-09-06 12:09 --------- d-----w C:\Documents and Settings\All Users\Programdata\Skype

2008-09-06 11:32 33,068 ----a-w C:\Documents and Settings\Thao Phuong Tran\Programdata\wklnhst.dat

2008-09-06 11:32 --------- d-----w C:\Programfiler\iPod

2008-09-06 10:02 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-08-06 19:36 --------- d-----w C:\Documents and Settings\All Users\Programdata\avg7

2008-08-02 17:58 --------- d-----w C:\Programfiler\Windows Live Safety Center

2008-07-18 22:36 315,392 ----a-w C:\WINDOWS\HideWin.exe

2008-07-18 22:36 --------- d-----w C:\Programfiler\Realtek

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll

2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll

2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll

2008-07-17 16:57 --------- d-----w C:\Programfiler\Microsoft Silverlight

2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-07-07 20:33 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll

2008-07-03 14:51 16,876,032 ----a-w C:\WINDOWS\RTHDCPL.exe

2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-24 16:24 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll

2008-06-23 09:49 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe

2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 17:43 246,784 ------w C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 17:43 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-19 14:42 2,808,832 ----a-w C:\WINDOWS\alcwzrd.exe

2008-06-19 14:27 9,715,200 ----a-w C:\WINDOWS\RTLCPL.exe

2008-06-19 14:20 57,344 ----a-w C:\WINDOWS\Alcmtr.exe

2008-06-18 16:01 77,824 ----a-w C:\WINDOWS\SoundMan.exe

2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\dllcache\bthport.sys

2006-08-01 05:32 18,362 -c--a-w C:\Documents and Settings\DRIVERS\snapsys.dat

2006-06-26 12:38 276 -c--a-w C:\Documents and Settings\DRIVERS\REGCUST.REG

2005-12-08 14:51 151,552 -c--a-w C:\Documents and Settings\DRIVERS\INFSCAN.EXE

2005-03-22 07:44 44,483 -c----w C:\Documents and Settings\DRIVERS\SHELLHS.DLL

2004-04-19 16:08 98 -c--a-w C:\Documents and Settings\DRIVERS\MKBPBOOT.BAT

2002-09-13 09:34 334 -c--a-w C:\Documents and Settings\DRIVERS\SPOWRUN.REG

2002-08-29 13:36 103,930 -c--a-w C:\Documents and Settings\DRIVERS\EXTHS.EXE

2001-06-15 09:08 184 -c--a-w C:\Documents and Settings\DRIVERS\OEM_INFO.REG

2000-09-12 15:16 227 -c--a-w C:\Documents and Settings\DRIVERS\PBN.BAT

2000-08-02 16:11 42,260 -c--a-w C:\Documents and Settings\DRIVERS\FRMTINFO.EXE

2000-06-27 04:27 79,422 -c--a-w C:\Documents and Settings\DRIVERS\TATTOO.EXE

1998-04-16 11:21 74,736 -c--a-w C:\Documents and Settings\DRIVERS\PARSINI.EXE

.

 

------- Sigcheck -------

 

2004-08-04 14:00 17408 74d8b9192e4e06cfbf5a0667ebfd4cf4 C:\WINDOWS\system32\svchost.exe

 

2004-08-04 14:00 502272 ea6dab49e562388091588faafcc844a5 C:\WINDOWS\system32\winlogon.exe

 

2007-06-13 15:24 1035776 318c4e561831eab811f4099d7d60c878 C:\WINDOWS\explorer.exe

2007-06-13 15:12 1033216 1a8e8cace017e1b143de91e11987ed39 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

2004-08-04 14:00 1032192 0b4a898de1aa20d133c91ba260e7a8a1 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

 

2004-08-04 14:00 110592 2f9bc53fb44f97589011730cde80195a C:\WINDOWS\system32\services.exe

 

2004-08-04 14:00 14848 37dd1150983eaa954aaf7059962bb3d8 C:\WINDOWS\system32\lsass.exe

 

2005-06-11 02:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

2004-08-04 14:00 57856 1efb05d36736d2b6df8fd81c76fa0be6 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe

2005-06-11 01:53 58880 9a5fc78c8f30194a8676590ae10a8ccc C:\WINDOWS\system32\spoolsv.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NBJ"="C:\Programfiler\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 1957888]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"Skype"="C:\APPS\skype\phone\Skype.exe" [2005-06-29 17605160]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 729178]

"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2005-04-14 58992]

"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 127118]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-08-01 100056]

"NeroFilterCheck"="C:\WINDOWS\system32\NEROCH~1.EXE" [2001-07-09 155648]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2006-10-25 282624]

"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-03 98304]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 118784]

"avgnt"="C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"Snarvei til egenskapsside for High Definition Audio"="HDAShCut.exe" [2005-01-07 C:\WINDOWS\system32\HdAShCut.exe]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-03 C:\WINDOWS\RTHDCPL.exe]

"AGRSMMSG"="AGRSMMSG.exe" [2005-05-11 C:\WINDOWS\AGRSMMSG.exe]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 C:\WINDOWS\system32\HdAShCut.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"NoDispScrSavPage"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SPBBCSvc"=2 (0x2)

"SNDSrvc"=3 (0x3)

"ccSetMgr"=2 (0x2)

"ccPwdSvc"=3 (0x3)

"ccProxy"=2 (0x2)

"ccEvtMgr"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"C:\\Programfiler\\iTunes\\iTunes.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\APPS\\skype\\phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

 

R4 F-Secure Filter;F-Secure File System Filter;C:\Programfiler\F-Secure\Common\FSfilter.sys [ ]

R4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programfiler\F-Secure\Common\FSrec.sys [ ]

S3 cpuz129;cpuz129;C:\DOCUME~1\THAOPH~1\LOKALE~1\Temp\cpuz_x32.sys [ ]

S3 ctlsb16;Creative SB16/AWE32/AWE64-driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 96256]

S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2007-05-02 83592]

S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2007-05-02 15112]

S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2007-05-02 109704]

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-06 14:32:56

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-09-06 14:34:17

ComboFix-quarantined-files.txt 2008-09-06 12:33:53

ComboFix2.txt 2008-09-06 10:53:33

 

Pre-Run: 30,020,280,320 byte ledig

Post-Run: 30,004,662,272 byte ledig

 

189 --- E O F --- 2008-08-15 07:06:36

Edited by ct93

MBAM

Malwarebytes' Anti-Malware 1.26

Database versjon: 1119

Windows 5.1.2600 Service Pack 3

 

06.09.2008 15:33:51

mbam-log-2008-09-06 (15-33-51).txt

 

Skanntype: Rask Skann

Objekter skannet: 42996

Tid tilbakelagt: 4 minute(s), 31 second(s)

 

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 0

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 0

 

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

 

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

 

Registernøkler infisert:

(Ingen mistenkelige filer funnet)

 

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

 

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

 

Mapper infisert:

(Ingen mistenkelige filer funnet)

 

Filer infisert:

(Ingen mistenkelige filer funnet)


Use Explorer to find and delete the following two folders:

C:\Programfiler\F-Secure

C:\Documents and Settings\All Users\Programdata\avg7 <- You have to turn on "Show hidden files and folders" to find the avg7 folder.

Apart from that it looks really good.

Is the PC running OK?

If so, uninstall ComboFix. You do that by typing combofix /u in the Run box (Start -> Run).

Feel free to keep MBAM.


1. How do I turn on "show hidden folders and files"?

2. Do I need a product key to install the Norton Removal Tool?

3. Should I remove HJT?

And I can't update Ad-Aware. When I click Connect it just stops.

Now I have: Ad-Aware, Spybot S&D, Avira, MBAM, CCleaner. Should I remove any of these?

The PC is running pretty well now, yes.


Show hidden files and folders:

Control Panel -> Folder Options -> View -> 'Show hidden files and folders'

You don't need a product key to run the Norton Removal Tool.

You can remove HJT: uninstall it from Add/Remove Programs. Delete the HJT folder if it is still there.

Keep Avira, MBAM and CCleaner. You can uninstall Ad-Aware and Spybot.
