
Look through my HJT, MBAM, and ComboFix logs?


Got some antivirus2008 crap yesterday that made the whole PC hang every so often.

I think I've removed the worst of it, but the PC becomes incredibly slow after being on for about half an hour, Firefox especially. Odd, since the machine is only using 700MB RAM and normal CPU.

Thanks :)

 


Logfile of HijackThis v1.99.1

Scan saved at 13:36:56, on 07.09.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Creative\Shared Files\CTAudSvc.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programfiler\Bonjour\mDNSResponder.exe

C:\Programfiler\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Programfiler\FolderSize\FolderSizeSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\lkcitdl.exe

C:\WINDOWS\system32\lkads.exe

C:\WINDOWS\system32\lktsrv.exe

C:\Programfiler\National Instruments\Shared\Security\nidmsrv.exe

C:\WINDOWS\system32\nisvcloc.exe

C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Programfiler\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Windows Defender\MSASCui.exe

C:\Programfiler\Razer\DeathAdder\razerhid.exe

C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe

C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Programfiler\Razer\DeathAdder\razertra.exe

C:\Programfiler\ESET\ESET NOD32 Antivirus\egui.exe

C:\Programfiler\Razer\DeathAdder\razerofa.exe

C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe

C:\Programfiler\Globe Software\StatBar\StatBar.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Internet Download Manager\IDMan.exe

C:\Programfiler\Launchy\Launchy.exe

C:\Programfiler\Windows Live\Messenger\usnsvc.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\Programfiler\Creative\Sound Blaster X-Fi\Console Launcher\ConsoLCu.exe

C:\Programfiler\Creative\ShareDLL\CADI\NotiMan.exe

C:\Documents and Settings\Administrator\Skrivebord\hijackthis\test23235.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Programfiler\Internet Download Manager\IDMIECC.dll

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Programfiler\NetConeal\Anonymity Shield\ProxyNew.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [DeathAdder] C:\Programfiler\Razer\DeathAdder\razerhid.exe

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programfiler\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [VolPanel] "C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [egui] "C:\Programfiler\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [statBar] C:\Programfiler\Globe Software\StatBar\StatBar.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Programfiler\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [iDMan] C:\Programfiler\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\Run: [nodenable] C:\Programfiler\eset\nodenable.exe

O4 - Global Startup: Launchy.lnk = C:\Programfiler\Launchy\Launchy.exe

O8 - Extra context menu item: Download all links with IDM - C:\Programfiler\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Programfiler\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Programfiler\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O10 - Unknown file in Winsock LSP: c:\programfiler\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://www.google.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programfiler\Fellesfiler\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programfiler\Windows Live\Mail\mailcomm.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FELLES~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: __c005BF51 - C:\WINDOWS\system32\__c005BF51.dat (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe

O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Programfiler\Fellesfiler\Creative Labs Shared\Service\CTAELicensing.exe

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Programfiler\Creative\Shared Files\CTAudSvc.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programfiler\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Programfiler\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Folder Size (FolderSize) - Brio - C:\Programfiler\FolderSize\FolderSizeSvc.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe

O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe

O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe

O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe

O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Programfiler\National Instruments\Shared\Security\nidmsrv.exe

O23 - Service: NILM License Manager - Macrovision Corporation - C:\Programfiler\National Instruments\Shared\License Manager\Bin\lmgrd.exe

O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared files\RichVideo.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Edited by Zevs.

Thanks, that guide completely passed me by! :)

Can't download ComboFix. Anyone have a download link that works?

Here's the result from Malwarebytes' Anti-Malware. Not exactly encouraging:

 


Malwarebytes' Anti-Malware 1.26

Database versjon: 1122

Windows 5.1.2600 Service Pack 2

 

07.09.2008 14:07:53

mbam-log-2008-09-07 (14-07-53).txt

 

Skanntype: Rask Skann

Objekter skannet: 44051

Tid tilbakelagt: 1 minute(s), 27 second(s)

 

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 4

Registerverdier infisert: 2

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 9

 

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

 

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

 

Registernøkler infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c005bf51 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

 

Registerverdier infisert:

HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

 

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

 

Mapper infisert:

(Ingen mistenkelige filer funnet)

 

Filer infisert:

C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\lphc3wdj0ep6r.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Edited by Zevs.

Did you check that the files MBAM found were ticked before you clicked 'Remove selected'?

The log says 'No action taken', so evidently nothing was done.

Edit: There we go, now it looks like it went right :)

The ComboFix link in the guide works, so try again.

Edited by norbat
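A triage helper for the two log formats in this thread, added here as an example (it is not from the thread, HijackThis or Malwarebytes): it parses HijackThis O2/O4/O20/O23 lines and MBAM result lines, flags the dangling `__c005BF51` Winlogon Notify entry and the 'Unknown owner' service seen in the log above, and separates MBAM detections that were quarantined from those still pending a reboot or left as 'No action taken', which is the check made in the reply. The sample lines are constructed from the thread's logs; the `lphc3wdj0ep6r` O4 line and the 'No action taken' line are invented for illustration.

```python
"""Triage of HijackThis and Malwarebytes' Anti-Malware (MBAM) log lines.

Added example, not code from the thread or from either tool. It parses the line
layouts seen in the logs above and flags what a responder reads first: orphaned
Winlogon Notify handlers, services without a publisher, anonymous BHOs, randomly
named autostarts, and MBAM detections that were not actually remediated.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line layouts of HijackThis 1.99, as assumed from the log in the thread.
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
HJT_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
HJT_O4 = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# MBAM result line: "<item> (<family>) -> <action>."
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+?)\.?$")
# Names such as __c005BF51 or lphc3wdj0ep6r: a "__c" hex blob, or a long letter/digit mix.
RANDOM_NAME = re.compile(r"^(__c[0-9a-f]{6,}|(?=.*\d)(?=.*[a-z])[a-z0-9]{10,})$", re.I)

# Constructed HijackThis sample: the lphc... O4 line is made up from the file name
# MBAM reported; the other lines copy entries from the thread's log.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [egui] "C:\Programfiler\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [lphc3wdj0ep6r] C:\WINDOWS\system32\lphc3wdj0ep6r.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c005BF51 - C:\WINDOWS\system32\__c005BF51.dat (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programfiler\ESET\ESET NOD32 Antivirus\ekrn.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""
# Constructed MBAM sample; the last line is invented to show the unremediated case.
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lphc3wdj0ep6r.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> No action taken.
"""

@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    entry: str     # the original log line
    reason: str

def triage_hjt(text: str) -> list[Finding]:
    """Return the HijackThis lines worth a second look, in log order."""
    findings: list[Finding] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HJT_O20.match(line):
            if "(file missing)" in m["path"]:
                findings.append(Finding("high", line, "Winlogon Notify handler whose DLL is gone"))
            elif RANDOM_NAME.match(m["name"]):
                findings.append(Finding("high", line, "Winlogon Notify handler with a random name"))
        elif m := HJT_O23.match(line):
            if m["owner"].lower() == "unknown owner":
                findings.append(Finding("medium", line, "service without a publisher; verify the binary"))
        elif m := HJT_O2.match(line):
            if m["name"] == "(no name)" or m["path"] == "(no file)":
                findings.append(Finding("medium", line, "anonymous or orphaned browser helper object"))
        elif m := HJT_O4.match(line):
            if RANDOM_NAME.match(m["name"]):
                findings.append(Finding("high", line, "Run entry with a random-looking name"))
    return findings

def triage_mbam(text: str) -> dict[str, list[str]]:
    """Group MBAM detections by outcome so that skipped items are not overlooked."""
    groups: dict[str, list[str]] = {"removed": [], "pending_reboot": [], "not_remediated": []}
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if not m:
            continue  # headers, counters and "(no suspicious files found)" lines
        action = m["action"].lower()
        item = f'{m["item"]} ({m["family"]})'
        if action.startswith("quarantined and deleted"):
            groups["removed"].append(item)
        elif action.startswith("delete on reboot"):
            groups["pending_reboot"].append(item)
        else:  # "No action taken", or any wording this helper does not know
            groups["not_remediated"].append(item)
    return groups

def needs_followup(groups: dict[str, list[str]]) -> bool:
    """A rescan is due when items were skipped or reboot-time deletions are unconfirmed."""
    return bool(groups["not_remediated"] or groups["pending_reboot"])

if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
    result = triage_mbam(MBAM_SAMPLE)
    print({k: len(v) for k, v in result.items()}, "follow-up needed:", needs_followup(result))
```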

Worked now, yes. Here's the ComboFix log:

 

ComboFix 08-09-05.02 - Administrator 2008-09-07 14:16:42.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1522 [GMT 2:00]

Running from: C:\Documents and Settings\Administrator\Skrivebord\ComboFix.exe

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008.lnk

C:\xcrashdump.dat

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_TDSSSERV

-------\Service_TDSSserv

 

 

((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))

.

 

2008-09-07 14:10 . 2008-09-07 14:10 <DIR> dr-h----- C:\Documents and Settings\Administrator\Siste

2008-09-07 13:59 . 2008-09-07 13:59 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-09-07 13:59 . 2008-09-07 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-09-07 13:59 . 2008-09-07 13:59 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Malwarebytes

2008-09-07 13:59 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-07 13:59 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-06 23:09 . 2008-09-06 23:09 <DIR> d-------- C:\Programfiler\Lavasoft

2008-09-06 23:09 . 2008-09-06 23:11 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft

2008-09-06 13:25 . 2008-09-06 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\ESET

2008-09-06 13:08 . 2008-09-06 13:08 395 --a------ C:\WINDOWS\wininit.ini

2008-09-06 12:50 . 2008-09-06 12:50 <DIR> d-------- C:\Programfiler\Spybot - Search & Destroy

2008-09-06 12:50 . 2008-09-06 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-09-05 20:30 . 2008-09-07 01:12 69 --a------ C:\WINDOWS\NeroDigital.ini

2008-09-05 20:29 . 2008-09-05 20:29 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Ahead

2008-09-05 20:28 . 2008-09-05 20:28 <DIR> d-------- C:\Programfiler\Fellesfiler\LightScribe

2008-09-05 20:27 . 2008-09-05 20:27 <DIR> d-------- C:\Programfiler\Nero

2008-09-05 20:27 . 2008-09-05 20:28 <DIR> d-------- C:\Programfiler\Fellesfiler\Ahead

2008-08-26 00:17 . 2008-08-26 00:17 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm

2008-08-26 00:17 . 2008-08-26 00:17 1,080 --a------ C:\WINDOWS\system32\settings.sfm

2008-08-25 15:56 . 2008-08-25 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Creative Labs

2008-08-11 18:16 . 2008-08-11 18:16 <DIR> d-------- C:\NVIDIA

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-07 12:17 --------- d-----w C:\Documents and Settings\Administrator\Programdata\DMCache

2008-09-06 21:32 --------- d-----w C:\Documents and Settings\Administrator\Programdata\uTorrent

2008-09-06 21:08 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-09-06 11:59 --------- d-----w C:\Programfiler\ESET

2008-08-31 16:02 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help

2008-08-30 22:55 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-08-30 22:48 --------- d-----w C:\Programfiler\Steam

2008-08-20 16:38 --------- d-----w C:\Programfiler\mIRC

2008-08-07 20:10 --------- d-----w C:\Programfiler\Java

2008-08-03 12:39 --------- d-----w C:\Documents and Settings\All Users\Programdata\Creative

2008-08-03 12:33 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-08-03 12:33 --------- d-----w C:\Programfiler\Fellesfiler\Creative Labs Shared

2008-08-03 12:33 --------- d-----w C:\Programfiler\Creative

2008-07-15 16:13 15,896 ----a-w C:\WINDOWS\system32\drivers\pfmodnt.sys

2008-07-15 16:12 1,173,016 ----a-w C:\WINDOWS\system32\drivers\ha20x2k.sys

2008-07-15 16:11 92,696 ----a-w C:\WINDOWS\system32\drivers\emupia2k.sys

2008-07-15 16:10 157,208 ----a-w C:\WINDOWS\system32\drivers\ctsfm2k.sys

2008-07-15 16:09 14,360 ----a-w C:\WINDOWS\system32\drivers\ctprxy2k.sys

2008-07-15 16:08 347,080 ----a-w C:\WINDOWS\system32\drivers\ctdvda2k.sys

2008-07-15 16:08 127,000 ----a-w C:\WINDOWS\system32\drivers\ctoss2k.sys

2008-07-15 16:07 527,384 ----a-w C:\WINDOWS\system32\drivers\ctaud2k.sys

2008-07-15 16:06 511,000 ----a-w C:\WINDOWS\system32\drivers\ctac32k.sys

2008-07-11 13:53 11,776 ----a-w C:\WINDOWS\INRES.DLL

2008-07-11 13:50 3,072 ----a-w C:\WINDOWS\CTXFIRES.DLL

2008-01-01 20:20 769,536 ----a-w C:\Documents and Settings\Administrator\Programdata\sfdnwin.dll

2007-11-14 17:32 22,328 ----a-w C:\Documents and Settings\Administrator\Programdata\PnkBstrK.sys

2006-01-23 09:32 131,072 ----a-w C:\Programfiler\internet explorer\plugins\LV80ActiveXControl.dll

2006-06-07 13:40 132,848 ----a-w C:\Programfiler\internet explorer\plugins\LV82ActiveXControl.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"StatBar"="C:\Programfiler\Globe Software\StatBar\StatBar.exe" [2003-07-25 335872]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"NVIDIA nTune"="C:\Programfiler\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]

"IDMan"="C:\Programfiler\Internet Download Manager\IDMan.exe" [2007-12-21 2573744]

"nodenable"="C:\Programfiler\eset\nodenable.exe" [2008-08-05 359463]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DeathAdder"="C:\Programfiler\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]

"AudioDrvEmulator"="C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]

"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]

"VolPanel"="C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]

"egui"="C:\Programfiler\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]

"CTHelper"="CTHELPER.EXE" [2008-02-20 C:\WINDOWS\system32\CtHelper.exe]

"CTxfiHlp"="CTXFIHLP.EXE" [2008-07-11 C:\WINDOWS\system32\Ctxfihlp.exe]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Launchy.lnk - C:\Programfiler\Launchy\Launchy.exe [2007-07-21 274432]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoFavoritesMenu"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoStartMenuMyMusic"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoFavoritesMenu"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoStartMenuMyMusic"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

"msacm.ac3filter"= ac3filter.acm

"msacm.divxa32"= msaud32_divx.acm

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Hurtigstart for Adobe Reader.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Hurtigstart for Adobe Reader.lnk

backup=C:\WINDOWS\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

--a------ 2007-02-28 23:06 2321600 C:\Programfiler\Fellesfiler\Adobe\Updater5\AdobeUpdater.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2006-11-16 19:04 139264 C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2007-04-04 00:29 165784 C:\Programfiler\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App]

--a------ 2007-04-05 16:29 684118 C:\Programfiler\SAMSUNG\FW LiveUpdate\FWManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2006-01-12 15:40 155648 C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2008-05-16 14:01 86016 C:\WINDOWS\system32\nvmctray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]

--a------ 2007-10-22 13:52 75584 C:\Programfiler\SanDisk\Sansa Updater\SansaDispatch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-07-07 09:42 2156368 C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-03-29 22:22 1271032 c:\Programfiler\Steam\steam.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 04:27 144784 C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]

--a------ 2007-06-02 05:27 12112384 C:\Programfiler\Vidalia Bundle\Vidalia\vidalia.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"WMPNSCFG"=C:\Programfiler\Windows Media Player\WMPNSCFG.exe

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

"mIRC"=C:\Programfiler\mIRC\mirc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"LanguageShortcut"=C:\Programfiler\CyberLink\PowerDVD\Language\Language.exe

"\\ROLF\EPSON Stylus DX4800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P33 "\\ROLF\EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"

"RemoteControl"=C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe

"SansaDispatch"=C:\Programfiler\SanDisk\Sansa Updater\SansaDispatch.exe

"Automatisk EPSON Stylus DX4800 Series på GUDBRANDSEN"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P52 "Automatisk EPSON Stylus DX4800 Series på GUDBRANDSEN" /O21 "\\GUDBRANDSEN\Skriver" /M "Stylus DX4800"

"CTxfiHlp"=CTXFIHLP.EXE

"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

"nwiz"=nwiz.exe /install

"EPSON Stylus DX4800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"

"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe"

"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" -atboottime

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\uTorrent\\uTorrent.exe"=

"C:\\Programfiler\\SmartFTP Client\\SmartFTP.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"C:\\WINDOWS\\system32\\PnkBstrA.exe"=

"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\mIRC\\mirc.exe"=

"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=

"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=

"C:\\Programfiler\\VideoLAN\\VLC\\vlc.exe"=

"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=

"C:\\Programfiler\\iTunes\\iTunes.exe"=

"C:\\Programfiler\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"=

 

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programfiler\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]

R2 CTAudSvcService;Creative Audio Service;C:\Programfiler\Creative\Shared Files\CTAudSvc.exe [2008-04-30 417792]

R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2006-07-27 4096]

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

R3 DAdderFltr;DeathAdder Mouse;C:\WINDOWS\system32\drivers\dadder.sys [2007-08-02 22784]

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2008-07-15 1173016]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Programfiler\Fellesfiler\Creative Labs Shared\Service\CTAELicensing.exe [2008-08-03 79360]

S3 CyUsb;Cypress Generic USB Driver;C:\WINDOWS\system32\Drivers\CyUsb.sys [2005-03-03 31104]

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]

S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [2008-02-18 30464]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{473fd1fe-72b7-11dc-8dfa-0015588ab231}]

\Shell\AutoRun\command - G:\autorun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5015d10-37ed-11dc-8505-806d6172696f}]

\Shell\AutoRun\command - Z:\Setup.exe

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-lphc3wdj0ep6r - C:\WINDOWS\system32\lphc3wdj0ep6r.exe

MSConfigStartUp-nod32kui - C:\Programfiler\Eset\nod32kui.exe

MSConfigStartUp-SMrhc7wdj0ep6r - C:\Programfiler\rhc7wdj0ep6r\rhc7wdj0ep6r.exe

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Administrator\Programdata\Mozilla\Firefox\Profiles\p6nflnzc.default\

FF -: plugin - C:\Programfiler\DivX\DivX Content Uploader\npUpload.dll

FF -: plugin - C:\Programfiler\iTunes\Mozilla Plugins\npitunes.dll

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-07 14:25:25

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

C:\Documents and Settings\Administrator\Lokale innstillinger\Programdata\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_C74_5CAE_745C_9BF0\fsr011D3.log 131072 bytes

C:\Documents and Settings\Administrator\Lokale innstillinger\Programdata\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_C74_5CAE_745C_9BF0\fsr011D4.log

C:\Documents and Settings\Administrator\Lokale innstillinger\Programdata\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_C74_5CAE_745C_9BF0\fsr011D5.log

 

scan completed successfully

hidden files: 3

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\C:\Programfiler\CyberLink\PowerDVD\000.fcl"

.

------------------------ Other Running Processes ------------------------

.

C:\Programfiler\Windows Defender\MsMpEng.exe

C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programfiler\Bonjour\mDNSResponder.exe

C:\Programfiler\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Programfiler\FolderSize\FolderSizeSvc.exe

C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\lkcitdl.exe

C:\WINDOWS\system32\lkads.exe

C:\WINDOWS\system32\lktsrv.exe

C:\Programfiler\National Instruments\Shared\Security\nidmsrv.exe

C:\WINDOWS\system32\nisvcloc.exe

C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Programfiler\CyberLink\Shared files\RichVideo.exe

C:\Programfiler\Windows Media Player\wmpnetwk.exe

C:\WINDOWS\system32\CTxfispi.exe

C:\Programfiler\Razer\DeathAdder\razertra.exe

C:\Programfiler\Razer\DeathAdder\razerofa.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Programfiler\Windows Live\Messenger\usnsvc.exe

.

**************************************************************************

.

Completion time: 2008-09-07 14:29:46 - machine was rebooted

ComboFix-quarantined-files.txt 2008-09-07 12:29:43

 

Pre-Run: 17,174,970,368 byte ledig

Post-Run: 17,099,452,416 byte ledig

 

252 --- E O F --- 2008-09-05 16:34:26


What you can do to finish up is run a new scan with MBAM and see whether it picks up anything of interest.

Then remove ComboFix by typing combofix /u in the Run box (Start->Run). This will also reset System Restore so that you don't get reinfected by a later restore.

Surf safely!
