Scannet maskin - logger i tråd

[Fredrik]

Heihei, en venninne lånte bort PCen sin til en i troppen i militæret, som har besøkt heller tvilsomme saker, med det resltatet at den ble infisert av litt av hvert.

 

HJT

Klikk for å se/fjerne innholdet nedenfor

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:46:39, on 21.09.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

c:\programfiler\fellesfiler\logitech\lvmvfm\LVPrcSrv.exe

C:\WINDOWS\sm56hlpr.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Programfiler\Logitech\Video\CameraAssistant.exe

C:\WINDOWS\system32\ElkCtrl.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Programfiler\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe

C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Programfiler\Internet Explorer\IEXPLORE.EXE

C:\Programfiler\Internet Explorer\IEXPLORE.EXE

C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Programfiler\Opera\Opera.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programfiler\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Programfiler\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Programfiler\Logitech\Video\CameraAssistant.exe

O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [JOY ERROR] C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe

O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [AdobeUpdater] C:\Programfiler\Fellesfiler\Adobe\Updater5\AdobeUpdater.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programfiler\fellesfiler\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe

 

--

End of file - 7981 bytes

 

ComboFix

Klikk for å se/fjerne innholdet nedenfor

ComboFix 08-09-20.05 - Eier 2008-09-21 15:33:53.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.506 [GMT 2:00]

Running from: C:\Documents and Settings\Eier\Skrivebord\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\__c0057387.dat

C:\WINDOWS\system32\WinNB89.dll

C:\xcrashdump.dat

 

.

((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))

.

 

2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\Malwarebytes

2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-09-21 15:21 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-21 15:21 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-21 15:18 . 2008-09-21 15:30 <DIR> dr-h----- C:\Documents and Settings\Eier\Siste

2008-09-21 15:14 . 2008-09-21 15:14 <DIR> d-------- C:\Programfiler\CCleaner

2008-09-21 10:19 . 2008-09-21 10:19 206 --a------ C:\WINDOWS\system32\MRT.INI

2008-09-02 21:22 . 2008-09-02 21:22 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

2008-08-21 21:36 . 2007-07-16 16:59 101,120 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys

2008-08-21 21:36 . 2007-07-16 16:59 24,448 --a------ C:\WINDOWS\system32\drivers\ewdcsc.sys

2008-08-21 20:55 . 2008-08-21 20:55 <DIR> d-------- C:\Programfiler\Huawei technologies

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-17 04:13 --------- d-----w C:\Programfiler\Messenger Plus! Live

2008-08-21 19:36 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-08-20 19:22 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller

2008-08-20 19:16 1,079,345 ----a-w C:\Programfiler\WLinstaller.exe

2008-08-15 01:29 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec

2008-08-13 11:18 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared

2008-07-24 02:25 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll

2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll

2008-07-18 18:38 587,264 ----a-w C:\WINDOWS\WLXPGSS.SCR

2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-24 16:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll

2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2007-10-31 23:36 1,206,366 ----a-w C:\Programfiler\wrar371.exe

2007-08-17 16:47 374 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb6334.dat

2007-08-17 16:05 18,432 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb41.dat

2007-08-17 16:04 556 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb8467.dat

2007-04-28 16:11 19,994,184 ----a-w C:\Programfiler\QuickTimeInstaller.exe

2007-04-19 22:48 359,112 ----a-w C:\Programfiler\LimeWireWin.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"JOY ERROR"="C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe" [2007-12-19 408064]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]

"AdobeUpdater"="C:\Programfiler\Fellesfiler\Adobe\Updater5\AdobeUpdater.exe" [2007-07-26 2321600]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-01-09 115816]

"osCheck"="C:\Programfiler\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-12-09 225280]

"LogitechCameraAssistant"="C:\Programfiler\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]

"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 262144]

"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-02-16 282624]

"Symantec PIF AlertEng"="C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"SMSERIAL"="sm56hlpr.exe" [2006-10-01 C:\WINDOWS\sm56hlpr.exe]

"SoundMan"="SOUNDMAN.EXE" [2006-08-23 C:\WINDOWS\soundman.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

"VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\book bows bolt bib]

--a------ 2008-09-21 15:39 2880000 C:\Documents and Settings\All Users\Programdata\BONE ABOUT BOOK BOWS\Burn Seek.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JOY ERROR]

--a------ 2007-12-19 04:01 408064 C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]

--a------ 2005-12-07 10:33 73728 C:\Programfiler\Logitech\Video\InstallHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-02-16 10:54 282624 C:\Programfiler\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2006-10-04 10:57 36972 C:\Programfiler\Java\jre1.5.0\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-06-16 02:46 68856 C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2007-04-15 23:54 185896 C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2007-02-13 20:29 35328 C:\Programfiler\Winamp\winampa.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\SmartFTP Client\\SmartFTP.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

 

R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-13 198336]

R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16768]

S3 AIDA32Driver;AIDA32Driver;C:\Documents and Settings\Eier\Skrivebord\Ny mappe\aida32.sys [ ]

S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 61536]

S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 9360]

S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 97088]

S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 88624]

S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 18704]

S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 86432]

S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 90800]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{279ba24e-6d4b-11dd-8c36-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\setup.exe AUTORUN=1

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c38-6fb8-11dd-8c43-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c3b-6fb8-11dd-8c43-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c3c-6fb8-11dd-8c43-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388450-6fb2-11dd-8c42-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388452-6fb2-11dd-8c42-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388453-6fb2-11dd-8c42-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388454-6fb2-11dd-8c42-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4cd5364-72bc-11dd-8c4a-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

 

Notify-809a3b5f382 - C:\WINDOWS\system32\__c0057387.dat

MSConfigStartUp-LClock - C:\Programfiler\LClock\LClock.exe

MSConfigStartUp-Sony Ericsson PC Suite - C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Eier\Programdata\Mozilla\Firefox\Profiles\jrsre844.default\

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava11.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava12.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava13.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava14.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava32.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJPI150.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPOJI610.dll

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-21 15:38:10

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\2008-09-21-0e30.kc

 

scan completed successfully

hidden files: 1

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe

C:\Programfiler\Fellesfiler\Logitech\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\Internet Explorer\iexplore.exe

.[b

**************************************************************************

.

Completion time: 2008-09-21 15:43:33 - machine was rebooted

ComboFix-quarantined-files.txt 2008-09-21 13:43:25

 

Pre-Run: 76 632 846 336 byte ledig

Post-Run: 76,664,188,928 byte ledig

 

196 --- E O F --- 2008-09-21 08:20:10

 

MBAM

Klikk for å se/fjerne innholdet nedenfor

Malwarebytes' Anti-Malware 1.28

Database versjon: 1184

Windows 5.1.2600 Service Pack 2

 

21.09.2008 15:30:41

mbam-log-2008-09-21 (15-30-41).txt

 

Skanntype: Rask Skann

Objekter skannet: 39558

Tid tilbakelagt: 4 minute(s), 28 second(s)

 

Minneprosesser infisert: 0

Minnemoduler infisert: 1

Registernøkler infisert: 5

Registerverdier infisert: 50

Registerfiler infisert: 0

Mapper infisert: 3

Filer infisert: 39

 

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

 

Minnemoduler infisert:

C:\WINDOWS\system32\__c0057387.dat (Trojan.Agent) -> Delete on reboot.

 

Registernøkler infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\upmedia (Adware.SmartShopper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0077f8 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\809a3b5f382 (Trojan.Agent) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

 

Registerverdier infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur116.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur117.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur118.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur119.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur11a.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur11b.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur11c.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur18e.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1dd.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1de.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1fb.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur212.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur3.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur4.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur14.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur19.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1a.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1b.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2e.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur116.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur117.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur118.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur119.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur11a.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur11b.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur11c.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur18e.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1dd.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1de.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1fb.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur212.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur3.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur4.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur14.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur19.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1a.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1b.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2e.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\mysearchnow.com (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.mysearchnow.com (Malware.Trace) -> Quarantined and deleted successfully.

 

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

 

Mapper infisert:

C:\Programfiler\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.

C:\Programfiler\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

 

Filer infisert:

C:\Programfiler\PCHealthCenter.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter\4.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter\7.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Programfiler\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UpMedia\uninstallSE.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.

C:\Programfiler\MicroAV\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

C:\Programfiler\MicroAV\MicroAV.exe (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

C:\Programfiler\MicroAV\MicroAV.ooo (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

C:\Programfiler\MicroAV\MicroAV0.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

C:\Programfiler\MicroAV\MicroAV1.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\1.ico (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\2.ico (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\YUR1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\YUR4.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\YUR5.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\YUR14.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\YUR19.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\YUR1A.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\YUR1B.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\YUR2E.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c0056EBE.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c0057387.dat (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\__c00C6165.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c00610C9.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\Eier\Skrivebord\BEST ZOO PORN.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\Eier\Skrivebord\QUALITY PORN.url (Rogue.Link) -> Quarantined and deleted successfully.

 

Ligger det noe igjen? Takk for at dere gidder å se over.

[norbat]

Se nesten helt bra ut

 

Du har Messenger Plus! Live, et program som har et medfølgende Sponsorprogram (les: Adware). Det skal være mulig å avinstallere kun sponsorprogrammet (fra legg til/fjern programmer). Anbefaler egentlig å fjerne Messenger Plus! om dette ikke er noe du MÅ ha.

 

Uansett, post en ny combofix-logg etter at du har fjernet sponsorprogrammet/Messenger Plus! Live, så ser vi om det ligger noe mer igjen etterpå.

[Fredrik]

La merke til at det sto sponsor i messenger plus live, så jeg fjernet hele programmet.

 

Her er ny combofix-logg:

 

Klikk for å se/fjerne innholdet nedenfor

ComboFix 08-09-20.05 - Eier 2008-09-21 16:13:08.2 - NTFSx86

Running from: C:\Documents and Settings\Eier\Skrivebord\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))

.

 

2008-09-21 16:08 . 2008-09-21 16:08 <DIR> dr-h----- C:\Documents and Settings\Eier\Siste

2008-09-21 15:46 . 2008-09-21 15:46 <DIR> d-------- C:\Programfiler\Trend Micro

2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\Malwarebytes

2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-09-21 15:21 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-21 15:21 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-21 15:14 . 2008-09-21 15:14 <DIR> d-------- C:\Programfiler\CCleaner

2008-09-21 10:19 . 2008-09-21 10:19 206 --a------ C:\WINDOWS\system32\MRT.INI

2008-09-02 21:22 . 2008-09-02 21:22 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

2008-08-21 21:36 . 2007-07-16 16:59 101,120 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys

2008-08-21 21:36 . 2007-07-16 16:59 24,448 --a------ C:\WINDOWS\system32\drivers\ewdcsc.sys

2008-08-21 20:55 . 2008-08-21 20:55 <DIR> d-------- C:\Programfiler\Huawei technologies

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-21 14:10 --------- d-----w C:\Programfiler\Google

2008-09-21 14:06 --------- d-----w C:\Programfiler\Messenger Plus! Live

2008-08-21 19:36 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-08-20 19:22 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller

2008-08-20 19:16 1,079,345 ----a-w C:\Programfiler\WLinstaller.exe

2008-08-15 01:29 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec

2008-08-13 11:18 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared

2008-07-24 02:25 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll

2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll

2008-07-18 18:38 587,264 ----a-w C:\WINDOWS\WLXPGSS.SCR

2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-24 16:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll

2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2007-10-31 23:36 1,206,366 ----a-w C:\Programfiler\wrar371.exe

2007-08-17 16:47 374 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb6334.dat

2007-08-17 16:05 18,432 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb41.dat

2007-08-17 16:04 556 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb8467.dat

2007-04-28 16:11 19,994,184 ----a-w C:\Programfiler\QuickTimeInstaller.exe

2007-04-19 22:48 359,112 ----a-w C:\Programfiler\LimeWireWin.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"JOY ERROR"="C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe" [2007-12-19 408064]

"AdobeUpdater"="C:\Programfiler\Fellesfiler\Adobe\Updater5\AdobeUpdater.exe" [2007-07-26 2321600]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-01-09 115816]

"osCheck"="C:\Programfiler\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-12-09 225280]

"LogitechCameraAssistant"="C:\Programfiler\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]

"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 262144]

"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-02-16 282624]

"Symantec PIF AlertEng"="C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"SMSERIAL"="sm56hlpr.exe" [2006-10-01 C:\WINDOWS\sm56hlpr.exe]

"SoundMan"="SOUNDMAN.EXE" [2006-08-23 C:\WINDOWS\soundman.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

"VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\book bows bolt bib]

--a------ 2008-09-21 16:07 2880000 C:\Documents and Settings\All Users\Programdata\BONE ABOUT BOOK BOWS\Burn Seek.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JOY ERROR]

--a------ 2007-12-19 04:01 408064 C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]

--a------ 2005-12-07 10:33 73728 C:\Programfiler\Logitech\Video\InstallHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-02-16 10:54 282624 C:\Programfiler\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2006-10-04 10:57 36972 C:\Programfiler\Java\jre1.5.0\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2007-04-15 23:54 185896 C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2007-02-13 20:29 35328 C:\Programfiler\Winamp\winampa.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\SmartFTP Client\\SmartFTP.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

 

R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-13 198336]

R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16768]

S3 AIDA32Driver;AIDA32Driver;C:\Documents and Settings\Eier\Skrivebord\Ny mappe\aida32.sys [ ]

S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 61536]

S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 9360]

S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 97088]

S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 88624]

S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 18704]

S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 86432]

S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 90800]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{279ba24e-6d4b-11dd-8c36-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\setup.exe AUTORUN=1

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c38-6fb8-11dd-8c43-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c3b-6fb8-11dd-8c43-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c3c-6fb8-11dd-8c43-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388450-6fb2-11dd-8c42-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388452-6fb2-11dd-8c42-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388453-6fb2-11dd-8c42-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388454-6fb2-11dd-8c42-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4cd5364-72bc-11dd-8c4a-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-swg - C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Eier\Programdata\Mozilla\Firefox\Profiles\jrsre844.default\

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava11.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava12.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava13.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava14.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava32.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJPI150.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPOJI610.dll

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-21 16:15:49

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-09-21 16:17:34

ComboFix-quarantined-files.txt 2008-09-21 14:16:43

ComboFix2.txt 2008-09-21 13:43:34

 

Pre-Run: 76 615 036 928 byte ledig

Post-Run: 76,605,886,464 byte ledig

 

174 --- E O F --- 2008-09-21 08:20:10

 

EDIT: Hadde ikke restartet maskin etter jeg avinstallerte.

 

Klikk for å se/fjerne innholdet nedenfor

ComboFix 08-09-20.05 - Eier 2008-09-21 16:24:07.3 - NTFSx86

Running from: C:\Documents and Settings\Eier\Skrivebord\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))

.

 

2008-09-21 16:08 . 2008-09-21 16:08 <DIR> dr-h----- C:\Documents and Settings\Eier\Siste

2008-09-21 15:46 . 2008-09-21 15:46 <DIR> d-------- C:\Programfiler\Trend Micro

2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\Malwarebytes

2008-09-21 15:21 . 2008-09-21 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-09-21 15:21 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-21 15:21 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-21 15:14 . 2008-09-21 15:14 <DIR> d-------- C:\Programfiler\CCleaner

2008-09-21 10:19 . 2008-09-21 10:19 206 --a------ C:\WINDOWS\system32\MRT.INI

2008-09-02 21:22 . 2008-09-02 21:22 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

2008-08-21 21:36 . 2007-07-16 16:59 101,120 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys

2008-08-21 21:36 . 2007-07-16 16:59 24,448 --a------ C:\WINDOWS\system32\drivers\ewdcsc.sys

2008-08-21 20:55 . 2008-08-21 20:55 <DIR> d-------- C:\Programfiler\Huawei technologies

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-21 14:10 --------- d-----w C:\Programfiler\Google

2008-09-21 14:06 --------- d-----w C:\Programfiler\Messenger Plus! Live

2008-08-21 19:36 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-08-20 19:22 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller

2008-08-20 19:16 1,079,345 ----a-w C:\Programfiler\WLinstaller.exe

2008-08-15 01:29 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec

2008-08-13 11:18 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared

2008-07-24 02:25 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll

2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll

2008-07-18 18:38 587,264 ----a-w C:\WINDOWS\WLXPGSS.SCR

2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-24 16:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll

2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2007-10-31 23:36 1,206,366 ----a-w C:\Programfiler\wrar371.exe

2007-08-17 16:47 374 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb6334.dat

2007-08-17 16:05 18,432 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb41.dat

2007-08-17 16:04 556 ----a-w C:\Documents and Settings\Eier\Programdata\internaldb8467.dat

2007-04-28 16:11 19,994,184 ----a-w C:\Programfiler\QuickTimeInstaller.exe

2007-04-19 22:48 359,112 ----a-w C:\Programfiler\LimeWireWin.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"JOY ERROR"="C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe" [2007-12-19 408064]

"AdobeUpdater"="C:\Programfiler\Fellesfiler\Adobe\Updater5\AdobeUpdater.exe" [2007-07-26 2321600]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-01-09 115816]

"osCheck"="C:\Programfiler\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-12-09 225280]

"LogitechCameraAssistant"="C:\Programfiler\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]

"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 262144]

"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-02-16 282624]

"Symantec PIF AlertEng"="C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"SMSERIAL"="sm56hlpr.exe" [2006-10-01 C:\WINDOWS\sm56hlpr.exe]

"SoundMan"="SOUNDMAN.EXE" [2006-08-23 C:\WINDOWS\soundman.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

"VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\book bows bolt bib]

--a------ 2008-09-21 16:22 2880000 C:\Documents and Settings\All Users\Programdata\BONE ABOUT BOOK BOWS\Burn Seek.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JOY ERROR]

--a------ 2007-12-19 04:01 408064 C:\DOCUME~1\Eier\PROGRA~1\PROGRA~1\gram okay.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]

--a------ 2005-12-07 10:33 73728 C:\Programfiler\Logitech\Video\InstallHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-02-16 10:54 282624 C:\Programfiler\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2006-10-04 10:57 36972 C:\Programfiler\Java\jre1.5.0\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2007-04-15 23:54 185896 C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2007-02-13 20:29 35328 C:\Programfiler\Winamp\winampa.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\SmartFTP Client\\SmartFTP.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

 

R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-13 198336]

R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16768]

S3 AIDA32Driver;AIDA32Driver;C:\Documents and Settings\Eier\Skrivebord\Ny mappe\aida32.sys [ ]

S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 61536]

S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 9360]

S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 97088]

S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 88624]

S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 18704]

S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 86432]

S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 90800]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{279ba24e-6d4b-11dd-8c36-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\setup.exe AUTORUN=1

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c38-6fb8-11dd-8c43-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c3b-6fb8-11dd-8c43-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621f6c3c-6fb8-11dd-8c43-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388450-6fb2-11dd-8c42-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388452-6fb2-11dd-8c42-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388453-6fb2-11dd-8c42-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88388454-6fb2-11dd-8c42-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4cd5364-72bc-11dd-8c4a-00c0a8bb2a9b}]

\Shell\AutoRun\command - E:\AutoRun.exe

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Eier\Programdata\Mozilla\Firefox\Profiles\jrsre844.default\

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava11.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava12.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava13.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava14.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJava32.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPJPI150.dll

FF -: plugin - C:\Programfiler\Java\jre1.5.0\bin\NPOJI610.dll

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-21 16:27:17

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-09-21 16:28:57

ComboFix-quarantined-files.txt 2008-09-21 14:28:01

ComboFix2.txt 2008-09-21 14:17:35

ComboFix3.txt 2008-09-21 13:43:34

 

Pre-Run: 76 640 157 696 byte ledig

Post-Run: 76,628,955,136 byte ledig

 

173 --- E O F --- 2008-09-21 08:20:10

 

Ser Messenger Plus Live! fortsatt er der, men kan det ha noe med at jeg beholdt brukerinnstillinger?

Endret 21. september 2008 av fredrik

[norbat]

Da rydder vi til slutt:

 

Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript.txt.

Dra deretter fila over Combofix-iconet. Combofix vil starte igjen.

 

Folder::

C:\Programfiler\Messenger Plus! Live

 

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"JOY ERROR"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\book bows bolt bib]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JOY ERROR]

 

Trenger ikke å se noen ny logg.

 

Oppdater Java: http://java.com/en/download/index.jsp og Flash Player: http://www.adobe.com/shockwave/download/do...=ShockwaveFlash

 

Avintaller deretter Combofix ved å skrive combofix /u i kjør-feltet (start->kjør).

Dette vil også nullstille systemgjenopprettingen slik at du ikke blir infisret ved en evt. gjenoppretting senere.

 

Surft trygt!

[Fredrik]

Da var alt det gjort, og forhåpentligvis holder maskinen seg ordentlig. Hun er egentlig ganske flink, bruker Opera, er ikke dum (veldig viktig) osv. Men her var det noen som hadde lånt PCen og surfet litt innom stygge saker. ;p

 

Tusen hjertelig takk for hjelpen! Utrolig positivt at det finnes folk som er så behjelpelige.