Fredrik, posted 21 September 2008

Hi. A friend lent her PC to someone in her platoon in the military, who had been visiting rather dubious sites, with the result that it got infected with a bit of everything.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:46:39, on 21.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programfiler\fellesfiler\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe
C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programfiler\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programfiler\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Programfiler\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [JOY ERROR] C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe
O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Programfiler\Fellesfiler\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programfiler\fellesfiler\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7981 bytes

ComboFix log:

ComboFix 08-09-20.05 - Eier 2008-09-21 15:33:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.506 [GMT 2:00]
Running from: C:\Documents and Settings\Eier\Skrivebord\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\__c0057387.dat
C:\WINDOWS\system32\WinNB89.dll
C:\xcrashdump.dat

((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))

2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\Malwarebytes
2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-09-21 15:21 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 15:21 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-21 15:18 . 2008-09-21 15:30 <DIR> dr-h----- C:\Documents and Settings\Eier\Siste
2008-09-21 15:14 . 2008-09-21 15:14 <DIR> d-------- C:\Programfiler\CCleaner
2008-09-21 10:19 . 2008-09-21 10:19 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-02 21:22 . 2008-09-02 21:22 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-21 21:36 . 2007-07-16 16:59 101,120 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-08-21 21:36 . 2007-07-16 16:59 24,448 --a------ C:\WINDOWS\system32\drivers\ewdcsc.sys
2008-08-21 20:55 . 2008-08-21 20:55 <DIR> d-------- C:\Programfiler\Huawei technologies

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-09-17 04:13 --------- d-----w C:\Programfiler\Messenger Plus! Live
2008-08-21 19:36 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-08-20 19:22 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller
2008-08-20 19:16 1,079,345 ----a-w C:\Programfiler\WLinstaller.exe
2008-08-15 01:29 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec
2008-08-13 11:18 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared
2008-07-24 02:25 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-18 18:38 587,264 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-31 23:36 1,206,366 ----a-w C:\Programfiler\wrar371.exe
2007-08-17 16:47 374 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb6334.dat
2007-08-17 16:05 18,432 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb41.dat
2007-08-17 16:04 556 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb8467.dat
2007-04-28 16:11 19,994,184 ----a-w C:\Programfiler\QuickTimeInstaller.exe
2007-04-19 22:48 359,112 ----a-w C:\Programfiler\LimeWireWin.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"JOY ERROR"="C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe" [2007-12-19 408064]
"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"AdobeUpdater"="C:\Programfiler\Fellesfiler\Adobe\Updater5\AdobeUpdater.exe" [2007-07-26 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="C:\Programfiler\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-12-09 225280]
"LogitechCameraAssistant"="C:\Programfiler\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 262144]
"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-02-16 282624]
"Symantec PIF AlertEng"="C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SMSERIAL"="sm56hlpr.exe" [2006-10-01 C:\WINDOWS\sm56hlpr.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-08-23 C:\WINDOWS\soundman.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]
"VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\book bows bolt bib]
--a------ 2008-09-21 15:39 2880000 C:\Documents and Settings\All Users\Programdata\BONE ABOUT BOOK BOWS\Burn Seek.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JOY ERROR]
--a------ 2007-12-19 04:01 408064 C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]
--a------ 2005-12-07 10:33 73728 C:\Programfiler\Logitech\Video\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Programfiler\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-04 10:57 36972 C:\Programfiler\Java\jre1.5.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-16 02:46 68856 C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-04-15 23:54 185896 C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-02-13 20:29 35328 C:\Programfiler\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\LimeWire\\LimeWire.exe"=
"C:\\Programfiler\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-13 198336]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16768]
S3 AIDA32Driver;AIDA32Driver;C:\Documents and Settings\Eier\Skrivebord\Ny mappe\aida32.sys [ ]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 61536]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 9360]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 97088]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 88624]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 18704]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 86432]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 90800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{279ba24e-6d4b-11dd-8c36-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\setup.exe AUTORUN=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c38-6fb8-11dd-8c43-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c3b-6fb8-11dd-8c43-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c3c-6fb8-11dd-8c43-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388450-6fb2-11dd-8c42-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388452-6fb2-11dd-8c42-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388453-6fb2-11dd-8c42-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388454-6fb2-11dd-8c42-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4cd5364-72bc-11dd-8c4a-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

Contents of the 'Scheduled Tasks' folder
- - - - ORPHANS REMOVED - - - -

Notify-809a3b5f382 - C:\WINDOWS\system32\__c0057387.dat
MSConfigStartUp-LClock - C:\Programfiler\LClock\LClock.exe
MSConfigStartUp-Sony Ericsson PC Suite - C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

------- Supplementary Scan -------

FireFox -: Profile - C:\Documents and Settings\Eier\Programdata\Mozilla\Firefox\Profiles\jrsre844.default\
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava11.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava12.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava13.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava14.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava32.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJPI150.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPOJI610.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 15:38:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\2008-09-21-0e30.kc

scan completed successfully
hidden files: 1

**************************************************************************

------------------------ Other Running Processes ------------------------

C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe
C:\Programfiler\Fellesfiler\Logitech\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Internet Explorer\iexplore.exe

**************************************************************************

Completion time: 2008-09-21 15:43:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-21 13:43:25

Pre-Run: 76 632 846 336 bytes free
Post-Run: 76,664,188,928 bytes free

196 --- E O F --- 2008-09-21 08:20:10

MBAM log:

Malwarebytes' Anti-Malware 1.28
Database version: 1184
Windows 5.1.2600 Service Pack 2

21.09.2008 15:30:41
mbam-log-2008-09-21 (15-30-41).txt

Scan type: Quick Scan
Objects scanned: 39558
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 50
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c0057387.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\upmedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0077f8 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\809a3b5f382 (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur116.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur117.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur118.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur119.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur11a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur11b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur11c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur18e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1dd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1de.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1fb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur212.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur14.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur19.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur116.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur117.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur118.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur119.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur11a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur11b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur11c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur18e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1dd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1de.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1fb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur212.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur14.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur19.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\mysearchnow.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.mysearchnow.com (Malware.Trace) -> Quarantined and deleted successfully.

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
C:\Programfiler\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Programfiler\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Filer infisert:
C:\Programfiler\PCHealthCenter.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter\4.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter\7.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UpMedia\uninstallSE.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Programfiler\MicroAV\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Programfiler\MicroAV\MicroAV.exe (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Programfiler\MicroAV\MicroAV.ooo (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Programfiler\MicroAV\MicroAV0.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Programfiler\MicroAV\MicroAV1.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR5.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\YUR14.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR19.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR1A.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR1B.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR2E.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0056EBE.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0057387.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00C6165.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00610C9.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eier\Skrivebord\BEST ZOO PORN.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eier\Skrivebord\QUALITY PORN.url (Rogue.Link) -> Quarantined and deleted successfully.

Is there anything left? Thanks for taking the time to look it over.
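An added example, not from the thread and not part of Malwarebytes, that reads detection lines of the form shown in the log above and answers the question the post asks: what was found, grouped by detection name and by class (Trojan, Rogue, Adware, ...), and which items are still marked "Delete on reboot", meaning they remain on disk until the machine is restarted. The sample lines are copied from the log above; the line format and the section-header convention are assumptions read off that log.

```python
import re
from collections import Counter

# One detection line as Malwarebytes' Anti-Malware writes it (assumed format):
#   <registry key | folder | file> (<detection name>) -> <action>.
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9._-]+)\) -> (?P<action>[^.]+)\.\s*$")
FINAL_ACTION = "Quarantined and deleted successfully"

# Constructed sample, copied from the log posted above (the Norwegian section
# headers are kept exactly as the tool prints them).
SAMPLE_LOG = r"""
Mapper infisert:
C:\Programfiler\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programfiler\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Filer infisert:
C:\Programfiler\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR5.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c0057387.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00610C9.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it appeared under."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # "Mapper infisert:", "Filer infisert:", ...
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m:                           # lines such as "(Ingen mistenkelige filer funnet)" are skipped
            entries.append({"section": section, "item": m["item"],
                            "family": m["family"], "action": m["action"].strip()})
    return entries


def summarize(entries):
    """Counts per detection name and per class, plus the items still pending:
    anything not already quarantined is only gone after the machine reboots."""
    pending = [e["item"] for e in entries if e["action"] != FINAL_ACTION]
    return {
        "total": len(entries),
        "by_family": Counter(e["family"] for e in entries),
        "by_class": Counter(e["family"].split(".", 1)[0] for e in entries),
        "pending_reboot": pending,
        "needs_reboot": bool(pending),
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(report["total"], "detections:", dict(report["by_class"]))
    for item in report["pending_reboot"]:
        print("still on disk until reboot:", item)
```

The "needs_reboot" flag is the practical check: a log with "Delete on reboot" entries is not a clean result yet, so the sensible next step is a restart followed by a rescan, which is also what the thread does next.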
norbat posted 21 September 2008
Looks almost completely fine. You have Messenger Plus! Live, a program that comes with a bundled sponsor program (read: adware). It should be possible to uninstall only the sponsor program (from Add/Remove Programs). I'd actually recommend removing Messenger Plus! if it isn't something you MUST have. Either way, post a new ComboFix log after you have removed the sponsor program/Messenger Plus! Live, and we'll see whether anything more is left afterwards.
Fredrik (author) posted 21 September 2008 (edited)
Noticed that it said sponsor in Messenger Plus Live, so I removed the whole program. Here is the new ComboFix log:

ComboFix 08-09-20.05 - Eier 2008-09-21 16:13:08.2 - NTFSx86
Running from: C:\Documents and Settings\Eier\Skrivebord\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))
.

2008-09-21 16:08 . 2008-09-21 16:08 <DIR> dr-h----- C:\Documents and Settings\Eier\Siste
2008-09-21 15:46 . 2008-09-21 15:46 <DIR> d-------- C:\Programfiler\Trend Micro
2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\Malwarebytes
2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-09-21 15:21 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 15:21 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-21 15:14 . 2008-09-21 15:14 <DIR> d-------- C:\Programfiler\CCleaner
2008-09-21 10:19 . 2008-09-21 10:19 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-02 21:22 . 2008-09-02 21:22 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-21 21:36 . 2007-07-16 16:59 101,120 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-08-21 21:36 . 2007-07-16 16:59 24,448 --a------ C:\WINDOWS\system32\drivers\ewdcsc.sys
2008-08-21 20:55 . 2008-08-21 20:55 <DIR> d-------- C:\Programfiler\Huawei technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 14:10 --------- d-----w C:\Programfiler\Google
2008-09-21 14:06 --------- d-----w C:\Programfiler\Messenger Plus! Live
2008-08-21 19:36 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-08-20 19:22 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller
2008-08-20 19:16 1,079,345 ----a-w C:\Programfiler\WLinstaller.exe
2008-08-15 01:29 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec
2008-08-13 11:18 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared
2008-07-24 02:25 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-18 18:38 587,264 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-31 23:36 1,206,366 ----a-w C:\Programfiler\wrar371.exe
2007-08-17 16:47 374 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb6334.dat
2007-08-17 16:05 18,432 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb41.dat
2007-08-17 16:04 556 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb8467.dat
2007-04-28 16:11 19,994,184 ----a-w C:\Programfiler\QuickTimeInstaller.exe
2007-04-19 22:48 359,112 ----a-w C:\Programfiler\LimeWireWin.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"JOY ERROR"="C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe" [2007-12-19 408064]
"AdobeUpdater"="C:\Programfiler\Fellesfiler\Adobe\Updater5\AdobeUpdater.exe" [2007-07-26 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="C:\Programfiler\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-12-09 225280]
"LogitechCameraAssistant"="C:\Programfiler\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 262144]
"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-02-16 282624]
"Symantec PIF AlertEng"="C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SMSERIAL"="sm56hlpr.exe" [2006-10-01 C:\WINDOWS\sm56hlpr.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-08-23 C:\WINDOWS\soundman.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]
"VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\book bows bolt bib]
--a------ 2008-09-21 16:07 2880000 C:\Documents and Settings\All Users\Programdata\BONE ABOUT BOOK BOWS\Burn Seek.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JOY ERROR]
--a------ 2007-12-19 04:01 408064 C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]
--a------ 2005-12-07 10:33 73728 C:\Programfiler\Logitech\Video\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Programfiler\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-04 10:57 36972 C:\Programfiler\Java\jre1.5.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-04-15 23:54 185896 C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-02-13 20:29 35328 C:\Programfiler\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\LimeWire\\LimeWire.exe"=
"C:\\Programfiler\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-13 198336]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16768]
S3 AIDA32Driver;AIDA32Driver;C:\Documents and Settings\Eier\Skrivebord\Ny mappe\aida32.sys [ ]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 61536]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 9360]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 97088]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 88624]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 18704]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 86432]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 90800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{279ba24e-6d4b-11dd-8c36-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\setup.exe AUTORUN=1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c38-6fb8-11dd-8c43-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c3b-6fb8-11dd-8c43-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c3c-6fb8-11dd-8c43-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388450-6fb2-11dd-8c42-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388452-6fb2-11dd-8c42-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388453-6fb2-11dd-8c42-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388454-6fb2-11dd-8c42-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4cd5364-72bc-11dd-8c4a-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-swg - C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Eier\Programdata\Mozilla\Firefox\Profiles\jrsre844.default\
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava11.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava12.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava13.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava14.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava32.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJPI150.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 16:15:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-21 16:17:34
ComboFix-quarantined-files.txt 2008-09-21 14:16:43
ComboFix2.txt 2008-09-21 13:43:34

Pre-Run: 76 615 036 928 byte ledig
Post-Run: 76,605,886,464 byte ledig

174 --- E O F --- 2008-09-21 08:20:10

EDIT: I hadn't restarted the machine after I uninstalled.

ComboFix 08-09-20.05 - Eier 2008-09-21 16:24:07.3 - NTFSx86
Running from: C:\Documents and Settings\Eier\Skrivebord\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))
.

2008-09-21 16:08 . 2008-09-21 16:08 <DIR> dr-h----- C:\Documents and Settings\Eier\Siste
2008-09-21 15:46 . 2008-09-21 15:46 <DIR> d-------- C:\Programfiler\Trend Micro
2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\Malwarebytes
2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-09-21 15:21 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 15:21 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-21 15:14 . 2008-09-21 15:14 <DIR> d-------- C:\Programfiler\CCleaner
2008-09-21 10:19 . 2008-09-21 10:19 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-02 21:22 . 2008-09-02 21:22 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-21 21:36 . 2007-07-16 16:59 101,120 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-08-21 21:36 . 2007-07-16 16:59 24,448 --a------ C:\WINDOWS\system32\drivers\ewdcsc.sys
2008-08-21 20:55 . 2008-08-21 20:55 <DIR> d-------- C:\Programfiler\Huawei technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 14:10 --------- d-----w C:\Programfiler\Google
2008-09-21 14:06 --------- d-----w C:\Programfiler\Messenger Plus! Live
2008-08-21 19:36 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-08-20 19:22 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller
2008-08-20 19:16 1,079,345 ----a-w C:\Programfiler\WLinstaller.exe
2008-08-15 01:29 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec
2008-08-13 11:18 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared
2008-07-24 02:25 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-18 18:38 587,264 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-31 23:36 1,206,366 ----a-w C:\Programfiler\wrar371.exe
2007-08-17 16:47 374 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb6334.dat
2007-08-17 16:05 18,432 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb41.dat
2007-08-17 16:04 556 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb8467.dat
2007-04-28 16:11 19,994,184 ----a-w C:\Programfiler\QuickTimeInstaller.exe
2007-04-19 22:48 359,112 ----a-w C:\Programfiler\LimeWireWin.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"JOY ERROR"="C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe" [2007-12-19 408064]
"AdobeUpdater"="C:\Programfiler\Fellesfiler\Adobe\Updater5\AdobeUpdater.exe" [2007-07-26 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="C:\Programfiler\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-12-09 225280]
"LogitechCameraAssistant"="C:\Programfiler\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 262144]
"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-02-16 282624]
"Symantec PIF AlertEng"="C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SMSERIAL"="sm56hlpr.exe" [2006-10-01 C:\WINDOWS\sm56hlpr.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-08-23 C:\WINDOWS\soundman.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]
"VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\book bows bolt bib]
--a------ 2008-09-21 16:22 2880000 C:\Documents and Settings\All Users\Programdata\BONE ABOUT BOOK BOWS\Burn Seek.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JOY ERROR]
--a------ 2007-12-19 04:01 408064 C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]
--a------ 2005-12-07 10:33 73728 C:\Programfiler\Logitech\Video\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Programfiler\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-04 10:57 36972 C:\Programfiler\Java\jre1.5.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-04-15 23:54 185896 C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-02-13 20:29 35328 C:\Programfiler\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\LimeWire\\LimeWire.exe"=
"C:\\Programfiler\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-13 198336]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16768]
S3 AIDA32Driver;AIDA32Driver;C:\Documents and Settings\Eier\Skrivebord\Ny mappe\aida32.sys [ ]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 61536]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 9360]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 97088]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 88624]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 18704]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 86432]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 90800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{279ba24e-6d4b-11dd-8c36-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\setup.exe AUTORUN=1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c38-6fb8-11dd-8c43-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c3b-6fb8-11dd-8c43-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c3c-6fb8-11dd-8c43-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388450-6fb2-11dd-8c42-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388452-6fb2-11dd-8c42-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388453-6fb2-11dd-8c42-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388454-6fb2-11dd-8c42-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4cd5364-72bc-11dd-8c4a-00c0a8bb2a9b}]
\Shell\AutoRun\command - E:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Eier\Programdata\Mozilla\Firefox\Profiles\jrsre844.default\
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava11.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava12.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava13.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava14.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava32.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJPI150.dll
FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPOJI610.dll
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 16:27:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-21 16:28:57
ComboFix-quarantined-files.txt 2008-09-21 14:28:01
ComboFix2.txt 2008-09-21 14:17:35
ComboFix3.txt 2008-09-21 13:43:34

Pre-Run: 76 640 157 696 byte ledig
Post-Run: 76,628,955,136 byte ledig

173 --- E O F --- 2008-09-21 08:20:10

I see Messenger Plus Live! is still there, but could that be because I kept the user settings?
Edited 21 September 2008 by fredrik
norbat posted 21 September 2008
Then we tidy up to finish: Open Notepad and paste in what is shown in bold below, then save the file on the desktop as CFScript.txt. Then drag the file onto the ComboFix icon. ComboFix will start again.

Folder::
C:\Programfiler\Messenger Plus! Live

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JOY ERROR"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\book bows bolt bib]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JOY ERROR]

No need to see a new log. Update Java: http://java.com/en/download/index.jsp and Flash Player: http://www.adobe.com/shockwave/download/do...=ShockwaveFlash
Then uninstall ComboFix by typing combofix /u in the Run box (Start -> Run). This will also reset System Restore so that you don't get reinfected by a possible restore later. Surf safely!
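An added example that is not from the thread, from ComboFix or from norbat: it parses the "Reg Loading Points" section of the ComboFix logs posted earlier, flags autostart entries whose executable lives in a user profile or ProgramData folder (here exactly the "JOY ERROR" and "book bows bolt bib" entries that norbat's script removes), and emits the matching Registry:: section of a CFScript in the format used in the post above. The sample is cut down from the log in the thread; the line formats and the location heuristic are assumptions, and a flagged entry is a candidate for an analyst to review, not proof of malware.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the "Reg Loading Points" section of the ComboFix log posted
# in this thread, cut down to a few entries. Two value names are runs of random
# words and point into a user profile / ProgramData; every legitimate entry
# points into Programfiler (Program Files) or WINDOWS.
SAMPLE_REG_POINTS = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"JOY ERROR"="C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe" [2007-12-19 408064]
"AdobeUpdater"="C:\Programfiler\Fellesfiler\Adobe\Updater5\AdobeUpdater.exe" [2007-07-26 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-02-16 282624]
"SMSERIAL"="sm56hlpr.exe" [2006-10-01 C:\WINDOWS\sm56hlpr.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\book bows bolt bib]
--a------ 2008-09-21 16:22 2880000 C:\Documents and Settings\All Users\Programdata\BONE ABOUT BOOK BOWS\Burn Seek.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JOY ERROR]
--a------ 2007-12-19 04:01 408064 C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]
--a------ 2005-12-07 10:33 73728 C:\Programfiler\Logitech\Video\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

# "name"="path" [date size]                       (Run keys; assumed format)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[[^\]]*\])?\s*$')
# --a------ 2008-09-21 16:22 2880000 path        (msconfig startupreg keys; assumed format)
STARTUPREG_RE = re.compile(
    r"^[-a-z]{9}\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+(?P<path>.+?)\s*$")
STARTUPREG_MARK = "\\msconfig\\startupreg\\"
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\")
WORD_SALAD_RE = re.compile(r"[A-Za-z]+(?: [A-Za-z]+)+")


@dataclass
class Autostart:
    key: str    # registry key the entry was listed under
    name: str   # value name, or the last path component of a startupreg key
    path: str   # executable as recorded by ComboFix


def parse_loading_points(text):
    """Return every autostart entry found in a ComboFix 'Reg Loading Points' section."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]        # a key may itself contain ']' (LogitechVideo[inspector])
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(Autostart(key, m["name"], m["path"]))
            continue
        m = STARTUPREG_RE.match(line)
        if m and STARTUPREG_MARK in key.lower():
            entries.append(Autostart(key, key.rsplit("\\", 1)[1], m["path"]))
    return entries


def in_profile_dir(path):
    """True when the executable lives under a user profile or the All Users Programdata folder."""
    return any(mark in path.lower() for mark in PROFILE_MARKERS)


def looks_like_word_salad(name):
    """True for names made of two or more bare words ("JOY ERROR", "book bows bolt bib")."""
    return WORD_SALAD_RE.fullmatch(name) is not None


def flag_entries(entries):
    # The location signal decides; the word-salad signal alone also hits
    # "QuickTime Task", so it is only reported as context by review_reasons().
    return [e for e in entries if in_profile_dir(e.path)]


def review_reasons(entry):
    reasons = []
    if in_profile_dir(entry.path):
        reasons.append("executable is in a user profile / ProgramData directory")
    if looks_like_word_salad(entry.name):
        reasons.append("value name is a run of plain words")
    return reasons


def build_cfscript(flagged):
    """Emit a CFScript 'Registry::' section: '"name"=-' deletes a Run value and
    '[-key]' deletes a whole startupreg key, the two forms norbat's script uses."""
    value_deletes, key_deletes = defaultdict(list), []
    for e in flagged:
        if STARTUPREG_MARK in e.key.lower():
            key_deletes.append(e.key)
        else:
            value_deletes[e.key].append(e.name)
    lines = ["Registry::"]
    for key, names in value_deletes.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    lines.extend(f"[-{k}]" for k in key_deletes)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = flag_entries(parse_loading_points(SAMPLE_REG_POINTS))
    for e in flagged:
        print(f"{e.name!r}: {e.path}  <- {'; '.join(review_reasons(e))}")
    print(build_cfscript(flagged))
```

The flagged list is a review queue rather than a verdict: an analyst still confirms each entry (file properties, hash lookup, what it does at start-up) before anything is deleted. On this sample the two flagged names are exactly the ones norbat removed, which is why the generated Registry:: section matches the script in the post above.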
Fredrik (author) posted 21 September 2008
That's all done now, and hopefully the machine will stay in proper shape. She is actually quite capable, uses Opera, isn't stupid (very important) and so on. But here someone had borrowed the PC and browsed some nasty stuff. ;p Thank you so much for the help! It's really great that there are people who are this helpful.