El Matador, posted 7 September 2008 (edited)

Picked up some "Antivirus 2008" crap yesterday, which made the whole PC hang constantly. I think I have removed the worst of it, but the PC becomes incredibly slow after it has been on for about half an hour, Firefox in particular. Strange, since the machine is only using 700MB RAM and CPU usage is normal. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 13:36:56, on 07.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Creative\Shared Files\CTAudSvc.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programfiler\Bonjour\mDNSResponder.exe
C:\Programfiler\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Programfiler\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Programfiler\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programfiler\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Windows Defender\MSASCui.exe
C:\Programfiler\Razer\DeathAdder\razerhid.exe
C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe
C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Programfiler\Razer\DeathAdder\razertra.exe
C:\Programfiler\ESET\ESET NOD32 Antivirus\egui.exe
C:\Programfiler\Razer\DeathAdder\razerofa.exe
C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe
C:\Programfiler\Globe Software\StatBar\StatBar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Internet Download Manager\IDMan.exe
C:\Programfiler\Launchy\Launchy.exe
C:\Programfiler\Windows Live\Messenger\usnsvc.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Programfiler\Creative\Sound Blaster X-Fi\Console Launcher\ConsoLCu.exe
C:\Programfiler\Creative\ShareDLL\CADI\NotiMan.exe
C:\Documents and Settings\Administrator\Skrivebord\hijackthis\test23235.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Programfiler\Internet Download Manager\IDMIECC.dll
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Programfiler\NetConeal\Anonymity Shield\ProxyNew.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DeathAdder] C:\Programfiler\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programfiler\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [egui] "C:\Programfiler\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [statBar] C:\Programfiler\Globe Software\StatBar\StatBar.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Programfiler\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [iDMan] C:\Programfiler\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [nodenable] C:\Programfiler\eset\nodenable.exe
O4 - Global Startup: Launchy.lnk = C:\Programfiler\Launchy\Launchy.exe
O8 - Extra context menu item: Download all links with IDM - C:\Programfiler\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Programfiler\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Programfiler\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\programfiler\bonjour\mdnsnsp.dll
O11 - Options group: [iNTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programfiler\Fellesfiler\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programfiler\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FELLES~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c005BF51 - C:\WINDOWS\system32\__c005BF51.dat (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Programfiler\Fellesfiler\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Programfiler\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programfiler\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programfiler\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Programfiler\FolderSize\FolderSizeSvc.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Programfiler\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Programfiler\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Edited 7 September 2008 by Zevs.
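As an added triage example (not code from this thread, from HijackThis, or from any of the tools named in it), the following Python script parses HijackThis log entries of the kind posted above and flags the ones a helper would look at first: entries whose target file is missing, Winlogon Notify handlers whose target is not a DLL (the `__c005BF51.dat` entry above is the classic shape), Winsock LSP entries HijackThis could not identify, and services with no vendor string. The sample lines are copied from the log in the first post; the flagging heuristics are my own assumptions, not rules from HijackThis, and a flag means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Entries copied from the HijackThis log posted above (a raw string, so the
# backslashes in the Windows paths are kept as they appear in the log).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Programfiler\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O10 - Unknown file in Winsock LSP: c:\programfiler\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c005BF51 - C:\WINDOWS\system32\__c005BF51.dat (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Programfiler\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")

@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)

def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for a HijackThis item line, or None for headers/blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(m.group("section"), m.group("body"))

def _target(entry: Entry) -> str:
    """The last ' - ' separated field of an entry, with the '(file missing)' tag stripped."""
    last = entry.body.rsplit(" - ", 1)[-1]
    return last.replace("(file missing)", "").strip()

def triage(entry: Entry) -> Entry:
    """Attach review flags (heuristics assumed for this example, not HijackThis rules)."""
    body = entry.body
    if "(file missing)" in body or body.endswith("(no file)"):
        entry.flags.append("target file missing")
    if entry.section == "O20":
        # Winlogon Notify handlers are loaded into winlogon.exe; they should be DLLs.
        if not _target(entry).lower().endswith(".dll"):
            entry.flags.append("winlogon notify target is not a DLL")
    if entry.section == "O10":
        # HijackThis prints O10 only for LSPs it could not match against its list.
        entry.flags.append("winsock LSP not recognised by HijackThis")
    if entry.section == "O23" and "Unknown owner" in body:
        entry.flags.append("service has no vendor string")
    return entry

def triage_log(text: str) -> List[Entry]:
    """Parse every entry line of a HijackThis log and run triage on each."""
    entries = (parse_entry(line) for line in text.splitlines())
    return [triage(e) for e in entries if e is not None]

def flagged(text: str) -> List[Entry]:
    """Only the entries that picked up at least one review flag."""
    return [e for e in triage_log(text) if e.flags]

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section}: {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run against the sample, it reports four entries: the BHO with no file, the unrecognised LSP (Bonjour's mdnsnsp.dll, which is benign but still worth confirming), the `__c005BF51.dat` Winlogon Notify entry with two flags, and the PnkBstrA service with no vendor. The O20 heuristic is the useful one here: it is exactly the entry that MBAM later identifies as Trojan.Vundo in this thread.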
norbat, posted 7 September 2008

Run step 2 in the guide: https://www.diskusjon.no/index.php?showtopic=691246
El Matador (thread author), posted 7 September 2008 (edited)

Thanks, that guide completely passed me by! I can't get ComboFix to download. Does anyone have a download link that works? Here is the result from Malwarebytes' Anti-Malware. Not exactly encouraging:

Malwarebytes' Anti-Malware 1.26
Database versjon: 1122
Windows 5.1.2600 Service Pack 2

07.09.2008 14:07:53
mbam-log-2008-09-07 (14-07-53).txt

Skanntype: Rask Skann
Objekter skannet: 44051
Tid tilbakelagt: 1 minute(s), 27 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 4
Registerverdier infisert: 2
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 9

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c005bf51 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registerverdier infisert:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lphc3wdj0ep6r.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Edited 7 September 2008 by Zevs.
norbat, posted 7 September 2008 (edited)

Did you check that the files MBAM found were ticked before you clicked 'Remove selected'? The log says 'No action taken', so apparently nothing was done.

Edit: Ah, there we go, now it looks like it went through correctly. The ComboFix link in the guide works, so try again.

Edited 7 September 2008 by norbat.
El Matador (thread author), posted 7 September 2008

It worked now, yes. Here is the ComboFix log:

ComboFix 08-09-05.02 - Administrator 2008-09-07 14:16:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1522 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Skrivebord\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008.lnk
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-07 14:10 . 2008-09-07 14:10 <DIR> dr-h----- C:\Documents and Settings\Administrator\Siste
2008-09-07 13:59 . 2008-09-07 13:59 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-09-07 13:59 . 2008-09-07 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-09-07 13:59 . 2008-09-07 13:59 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Malwarebytes
2008-09-07 13:59 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-07 13:59 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-06 23:09 . 2008-09-06 23:09 <DIR> d-------- C:\Programfiler\Lavasoft
2008-09-06 23:09 . 2008-09-06 23:11 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft
2008-09-06 13:25 . 2008-09-06 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\ESET
2008-09-06 13:08 . 2008-09-06 13:08 395 --a------ C:\WINDOWS\wininit.ini
2008-09-06 12:50 . 2008-09-06 12:50 <DIR> d-------- C:\Programfiler\Spybot - Search & Destroy
2008-09-06 12:50 . 2008-09-06 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
2008-09-05 20:30 . 2008-09-07 01:12 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-09-05 20:29 . 2008-09-05 20:29 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Ahead
2008-09-05 20:28 . 2008-09-05 20:28 <DIR> d-------- C:\Programfiler\Fellesfiler\LightScribe
2008-09-05 20:27 . 2008-09-05 20:27 <DIR> d-------- C:\Programfiler\Nero
2008-09-05 20:27 . 2008-09-05 20:28 <DIR> d-------- C:\Programfiler\Fellesfiler\Ahead
2008-08-26 00:17 . 2008-08-26 00:17 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-08-26 00:17 . 2008-08-26 00:17 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-08-25 15:56 . 2008-08-25 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Creative Labs
2008-08-11 18:16 . 2008-08-11 18:16 <DIR> d-------- C:\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 12:17 --------- d-----w C:\Documents and Settings\Administrator\Programdata\DMCache
2008-09-06 21:32 --------- d-----w C:\Documents and Settings\Administrator\Programdata\uTorrent
2008-09-06 21:08 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-09-06 11:59 --------- d-----w C:\Programfiler\ESET
2008-08-31 16:02 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help
2008-08-30 22:55 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-30 22:48 --------- d-----w C:\Programfiler\Steam
2008-08-20 16:38 --------- d-----w C:\Programfiler\mIRC
2008-08-07 20:10 --------- d-----w C:\Programfiler\Java
2008-08-03 12:39 --------- d-----w C:\Documents and Settings\All Users\Programdata\Creative
2008-08-03 12:33 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-08-03 12:33 --------- d-----w C:\Programfiler\Fellesfiler\Creative Labs Shared
2008-08-03 12:33 --------- d-----w C:\Programfiler\Creative
2008-07-15 16:13 15,896 ----a-w C:\WINDOWS\system32\drivers\pfmodnt.sys
2008-07-15 16:12 1,173,016 ----a-w C:\WINDOWS\system32\drivers\ha20x2k.sys
2008-07-15 16:11 92,696 ----a-w C:\WINDOWS\system32\drivers\emupia2k.sys
2008-07-15 16:10 157,208 ----a-w C:\WINDOWS\system32\drivers\ctsfm2k.sys
2008-07-15 16:09 14,360 ----a-w C:\WINDOWS\system32\drivers\ctprxy2k.sys
2008-07-15 16:08 347,080 ----a-w C:\WINDOWS\system32\drivers\ctdvda2k.sys
2008-07-15 16:08 127,000 ----a-w C:\WINDOWS\system32\drivers\ctoss2k.sys
2008-07-15 16:07 527,384 ----a-w C:\WINDOWS\system32\drivers\ctaud2k.sys
2008-07-15 16:06 511,000 ----a-w C:\WINDOWS\system32\drivers\ctac32k.sys
2008-07-11 13:53 11,776 ----a-w C:\WINDOWS\INRES.DLL
2008-07-11 13:50 3,072 ----a-w C:\WINDOWS\CTXFIRES.DLL
2008-01-01 20:20 769,536 ----a-w C:\Documents and Settings\Administrator\Programdata\sfdnwin.dll
2007-11-14 17:32 22,328 ----a-w C:\Documents and Settings\Administrator\Programdata\PnkBstrK.sys
2006-01-23 09:32 131,072 ----a-w C:\Programfiler\internet explorer\plugins\LV80ActiveXControl.dll
2006-06-07 13:40 132,848 ----a-w C:\Programfiler\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"StatBar"="C:\Programfiler\Globe Software\StatBar\StatBar.exe" [2003-07-25 335872]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"NVIDIA nTune"="C:\Programfiler\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"IDMan"="C:\Programfiler\Internet Download Manager\IDMan.exe" [2007-12-21 2573744]
"nodenable"="C:\Programfiler\eset\nodenable.exe" [2008-08-05 359463]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeathAdder"="C:\Programfiler\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"AudioDrvEmulator"="C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"VolPanel"="C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"egui"="C:\Programfiler\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"CTHelper"="CTHELPER.EXE" [2008-02-20 C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-07-11 C:\WINDOWS\system32\Ctxfihlp.exe]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Launchy.lnk - C:\Programfiler\Launchy\Launchy.exe [2007-07-21 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Hurtigstart for Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Hurtigstart for Adobe Reader.lnk
backup=C:\WINDOWS\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 C:\Programfiler\Fellesfiler\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 19:04 139264 C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-04 00:29 165784 C:\Programfiler\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App]
--a------ 2007-04-05 16:29 684118 C:\Programfiler\SAMSUNG\FW LiveUpdate\FWManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:01 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 2007-10-22 13:52 75584 C:\Programfiler\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-07-07 09:42 2156368 C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-29 22:22 1271032 c:\Programfiler\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
--a------ 2007-06-02 05:27 12112384 C:\Programfiler\Vidalia Bundle\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=C:\Programfiler\Windows Media Player\WMPNSCFG.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"mIRC"=C:\Programfiler\mIRC\mirc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LanguageShortcut"=C:\Programfiler\CyberLink\PowerDVD\Language\Language.exe
"\\ROLF\EPSON Stylus DX4800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P33 "\\ROLF\EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
"RemoteControl"=C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
"SansaDispatch"=C:\Programfiler\SanDisk\Sansa Updater\SansaDispatch.exe
"Automatisk EPSON Stylus DX4800 Series på GUDBRANDSEN"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P52 "Automatisk EPSON Stylus DX4800 Series på GUDBRANDSEN" /O21 "\\GUDBRANDSEN\Skriver" /M "Stylus DX4800"
"CTxfiHlp"=CTXFIHLP.EXE
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"EPSON Stylus DX4800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\uTorrent\\uTorrent.exe"=
"C:\\Programfiler\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Programfiler\\LimeWire\\LimeWire.exe"=
"C:\\Programfiler\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\mIRC\\mirc.exe"=
"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Programfiler\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=
"C:\\Programfiler\\iTunes\\iTunes.exe"=
"C:\\Programfiler\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programfiler\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]
R2 CTAudSvcService;Creative Audio Service;C:\Programfiler\Creative\Shared Files\CTAudSvc.exe [2008-04-30 417792]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2006-07-27 4096]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R3 DAdderFltr;DeathAdder Mouse;C:\WINDOWS\system32\drivers\dadder.sys [2007-08-02 22784]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2008-07-15 1173016]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Programfiler\Fellesfiler\Creative Labs Shared\Service\CTAELicensing.exe [2008-08-03 79360]
S3 CyUsb;Cypress Generic USB Driver;C:\WINDOWS\system32\Drivers\CyUsb.sys [2005-03-03 31104]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [2008-02-18 30464]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{473fd1fe-72b7-11dc-8dfa-0015588ab231}]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5015d10-37ed-11dc-8505-806d6172696f}]
\Shell\AutoRun\command - Z:\Setup.exe

.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-lphc3wdj0ep6r - C:\WINDOWS\system32\lphc3wdj0ep6r.exe
MSConfigStartUp-nod32kui - C:\Programfiler\Eset\nod32kui.exe
MSConfigStartUp-SMrhc7wdj0ep6r - C:\Programfiler\rhc7wdj0ep6r\rhc7wdj0ep6r.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Programdata\Mozilla\Firefox\Profiles\p6nflnzc.default\
FF -: plugin - C:\Programfiler\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Programfiler\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 14:25:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Administrator\Lokale innstillinger\Programdata\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_C74_5CAE_745C_9BF0\fsr011D3.log 131072 bytes
C:\Documents and Settings\Administrator\Lokale innstillinger\Programdata\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_C74_5CAE_745C_9BF0\fsr011D4.log
C:\Documents and Settings\Administrator\Lokale innstillinger\Programdata\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_C74_5CAE_745C_9BF0\fsr011D5.log

scan completed successfully
hidden files: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Programfiler\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programfiler\Bonjour\mDNSResponder.exe
C:\Programfiler\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Programfiler\FolderSize\FolderSizeSvc.exe
C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Programfiler\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programfiler\CyberLink\Shared files\RichVideo.exe
C:\Programfiler\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\CTxfispi.exe
C:\Programfiler\Razer\DeathAdder\razertra.exe
C:\Programfiler\Razer\DeathAdder\razerofa.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programfiler\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-09-07 14:29:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-07 12:29:43

Pre-Run: 17,174,970,368 byte ledig
Post-Run: 17,099,452,416 byte ledig

252 --- E O F --- 2008-09-05 16:34:26
norbat, posted 7 September 2008

How is the PC working now?
El Matador (thread author), posted 7 September 2008

Seems like it is working quite a bit better. I'll give it an hour and see how it behaves.
norbat, posted 7 September 2008

What you can do to finish up is run a new scan with MBAM and see whether it picks up anything of interest. Then remove ComboFix by typing combofix /u in the Run box (Start -> Run). This will also reset System Restore, so that you don't get reinfected by a possible restore later. Surf safely!