[LØST] Resultat etter å ha fulgt oppskrift om å fjerne malware

[Rikken1969]

Hei!

Takk for en glimrende oppskrift for å få fjernet malware på pc'n til kona. Legger ved loggene for å få videre veiledning på hva jeg bør gjøre:

 

ComboFix 08-09-26.01 - Heidi 2008-09-27 11:45:45.1 - NTFSx86

Microsoft® Windows Vista™ Home Premium GMT 2:00]

Running from: C:\Users\Heidi\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\DRV\Tuner\Yuan\Resources\_desktop.ini

C:\Windows\system32\lsprst7.dll

C:\Windows\system32\ssprs.dll

C:\Windows\system32\x64

C:\Windows\system32\x64\csnp2uvc.dll

C:\Windows\system32\x64\rsnpvc64.dll

C:\Windows\system32\x64\sncduvc.sys

C:\Windows\system32\x64\snp2uvc.sys

C:\Windows\system32\x64\vsnpvc64.dll

 

.

((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))

.

 

2008-09-27 11:07 . 2008-09-27 11:07 <DIR> d-------- C:\Users\Heidi\AppData\Roaming\Malwarebytes

2008-09-27 11:07 . 2008-09-27 11:07 <DIR> d-------- C:\Users\All Users\Malwarebytes

2008-09-27 11:07 . 2008-09-27 11:07 <DIR> d-------- C:\ProgramData\Malwarebytes

2008-09-27 11:07 . 2008-09-27 11:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-09-27 11:07 . 2008-09-10 00:04 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys

2008-09-27 11:07 . 2008-09-10 00:03 17,200 --a------ C:\Windows\System32\drivers\mbam.sys

2008-09-27 10:58 . 2008-09-27 10:58 <DIR> d-------- C:\Program Files\CCleaner

2008-09-26 17:18 . 2008-09-26 17:22 <DIR> d-------- C:\Users\All Users\Lavasoft

2008-09-26 17:18 . 2008-09-26 17:22 <DIR> d-------- C:\ProgramData\Lavasoft

2008-09-26 17:18 . 2008-09-26 17:18 <DIR> d-------- C:\Program Files\Lavasoft

2008-09-18 18:30 . 2008-09-18 18:30 <DIR> d-------- C:\Users\Heidi\AppData\Roaming\SunODFPluginforMicrosoftOffice1

2008-09-18 18:15 . 2008-09-18 18:15 <DIR> d-------- C:\Program Files\Sun

2008-09-15 17:30 . 2008-09-15 17:30 <DIR> d-------- C:\Program Files\Microsoft Silverlight

2008-09-10 12:02 . 2008-07-31 01:47 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll

2008-09-10 12:02 . 2008-07-31 05:34 1,686,528 --a------ C:\Windows\System32\gameux.dll

2008-09-10 12:02 . 2008-06-26 05:22 303,616 --a------ C:\Windows\System32\wmpeffects.dll

2008-09-10 12:02 . 2008-07-31 05:34 28,160 --a------ C:\Windows\System32\Apphlpdm.dll

2008-09-09 18:07 . 2008-09-09 18:07 48 --ah----- C:\Users\All Users\ezsidmv.dat

2008-09-09 18:07 . 2008-09-09 18:07 48 --ah----- C:\ProgramData\ezsidmv.dat

2008-09-09 18:00 . 2008-09-27 11:49 <DIR> d-------- C:\Users\Heidi\AppData\Roaming\Skype

2008-09-09 17:59 . 2008-09-09 17:59 <DIR> d-------- C:\Program Files\Skype

2008-09-09 17:59 . 2008-09-26 18:40 <DIR> d-------- C:\Program Files\Common Files\Skype

2008-09-09 17:00 . 2008-09-09 17:00 <DIR> d-------- C:\Users\All Users\Apple

2008-09-09 17:00 . 2008-09-09 17:00 <DIR> d-------- C:\ProgramData\Apple

2008-09-09 17:00 . 2008-09-09 17:00 <DIR> d-------- C:\Program Files\Apple Software Update

2008-09-09 16:59 . 2008-09-09 16:59 <DIR> d-------- C:\Users\All Users\Apple Computer

2008-09-09 16:59 . 2008-09-09 16:59 <DIR> d-------- C:\ProgramData\Apple Computer

2008-09-09 16:59 . 2008-09-09 16:59 <DIR> d-------- C:\Program Files\QuickTime

2008-09-09 16:57 . 2008-09-09 16:57 <DIR> d-------- C:\Users\All Users\Real

2008-09-09 16:57 . 2008-07-23 18:50 3,596,288 --a------ C:\Windows\System32\qt-dx331.dll

2008-09-09 16:57 . 2008-07-30 21:09 38 --a------ C:\Windows\avisplitter.ini

2008-09-09 16:50 . 2008-07-19 07:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll

2008-09-09 16:50 . 2008-07-19 05:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll

2008-09-09 16:50 . 2008-07-19 07:10 53,448 --a------ C:\Windows\System32\wuauclt.exe

2008-09-09 16:50 . 2008-07-19 07:10 45,768 --a------ C:\Windows\System32\wups2.dll

2008-09-09 16:49 . 2008-07-19 07:09 563,912 --a------ C:\Windows\System32\wuapi.dll

2008-09-09 16:49 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll

2008-09-09 16:49 . 2008-07-19 05:44 83,456 --a------ C:\Windows\System32\wudriver.dll

2008-09-09 16:49 . 2008-07-19 07:10 36,552 --a------ C:\Windows\System32\wups.dll

2008-09-09 16:49 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe

2008-09-08 23:33 . 2008-09-08 23:33 <DIR> d-------- C:\Program Files\K-Lite Codec Pack(99)

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-27 08:39 --------- d-----w C:\Program Files\Java

2008-09-27 08:27 27,335 ----a-w C:\Users\Heidi\AppData\Roaming\nvModes.dat

2008-09-27 08:16 --------- d-----w C:\Users\Heidi\AppData\Roaming\skypePM

2008-09-27 05:44 --------- d-----w C:\ProgramData\Symantec

2008-09-26 16:40 --------- d-----w C:\ProgramData\Microsoft Help

2008-09-26 16:40 --------- d-----w C:\Program Files\Microsoft Works

2008-09-26 15:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-09-15 15:23 --------- d-----w C:\Program Files\Opera

2008-09-12 18:35 --------- d-----w C:\Users\Heidi\AppData\Roaming\LimeWire

2008-09-11 19:47 382 ----a-w C:\Users\Heidi\AppData\Roaming\wklnhst.dat

2008-09-09 15:59 --------- d-----w C:\ProgramData\Skype

2008-09-09 14:57 --------- d-----w C:\Program Files\K-Lite Codec Pack

2008-08-15 01:13 --------- d-----w C:\Program Files\Windows Mail

2008-07-31 03:34 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-07-31 03:34 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-07-31 03:34 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-07-31 03:34 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-07-30 23:32 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll

2008-07-30 15:42 23,888 ----a-w C:\Windows\system32\drivers\COH_Mon.sys

2008-07-30 15:28 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf

2008-07-30 15:28 10,537 ----a-w C:\Windows\system32\drivers\coh_mon.cat

2008-07-29 08:22 --------- d-----w C:\ProgramData\Telenor

2008-07-29 08:16 --------- d-----w C:\ProgramData\Emotum

2008-07-29 08:16 --------- d-----w C:\Program Files\Telenor

2008-07-25 08:34 81,920 ----a-w C:\Windows\System32\dpl100.dll

2008-07-25 08:34 683,520 ----a-w C:\Windows\System32\divx.dll

2008-07-22 13:31 15,610 ----a-w C:\Program Files\Furnish Lite uninstal.log

2008-07-15 23:48 2,048 ----a-w C:\Windows\System32\tzres.dll

2008-07-10 01:09 174 --sha-w C:\Program Files\desktop.ini

2008-06-27 03:54 826,368 ----a-w C:\Windows\System32\wininet.dll

2008-06-27 03:54 56,320 ----a-w C:\Windows\System32\iesetup.dll

2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-06-27 03:54 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2007-11-25 19:15 32 ----a-w C:\Users\All Users\ezsid.dat

2007-11-25 19:15 32 ----a-w C:\ProgramData\ezsid.dat

2008-02-17 15:52 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2008-02-17 15:52 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2008-02-17 15:52 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

"Telenorhjelpen"="C:\Program Files\Telenor\Telenorhjelpen\Telenor.exe" [2008-02-07 189120]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-12 21741864]

"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 C:\Windows\System32\oobefldr.dll]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-25 86016]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-25 8470528]

"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-25 81920]

"PLFSetL"="C:\Windows\PLFSetL.exe" [2007-07-05 94208]

"eAudio"="C:\Acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]

"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2007-06-27 752136]

"PlayMovie"="C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]

"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]

"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2007-06-06 159744]

"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [2007-05-22 151552]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 51048]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]

"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-09-10 1253040]

"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 C:\Windows\RtHDVCpl.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [2007-05-22 151552]

"Telenorhjelpen"="C:\Program Files\Telenor\Telenorhjelpen\Telenor.exe" [2008-02-07 189120]

 

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [2007-08-10 535336]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=eNetHook.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UacDisableNotify"=dword:00000001

"InternetSettingsDisableNotify"=dword:00000001

"AutoUpdateDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{729B66D6-00F1-416B-A5E9-9A8255A47FBB}"= C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe

"{C01F176F-41CC-4DF0-9FC0-E40B94DF7765}"= C:\Program Files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician

"{E47AD20F-63D3-4F9A-A7F7-4BAE53E638CB}"= C:\Program Files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia

"{AAE65792-0A60-4482-A603-4647BA443C9E}"= C:\Program Files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard

"{C28D3D9E-3619-474C-9BB7-65473D255C5C}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{F97C3EAC-DB0F-40C2-BCD5-E319311C9D13}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{84A3DDA4-C771-4CC2-A62C-A8863BD91C31}"= C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine

"{EA66B9E0-4536-44F4-B980-18C7EA7F8D19}"= C:\Program Files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie

"{375A5AD5-B879-4AA2-8080-C3CB1A131D27}"= C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program

"{900BD267-A2B3-4CA8-9BB9-85AA720576D6}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{FF32D07C-A52A-44E1-8AF5-8579BE4BA46E}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"TCP Query User{562C4EC4-B346-4A6B-94BB-B768189757F6}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire

"UDP Query User{FCDB29CF-F101-47B0-9E8C-61114F5A6440}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire

"TCP Query User{CF90F17E-C53C-4BC0-AF46-5008580C6EA1}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord

"UDP Query User{B458A3E6-92BE-4C5A-8FDF-81D510658529}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord

"TCP Query User{68BAFA72-96DE-4928-BB43-6B98871B9330}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire

"UDP Query User{AFA31976-113B-40E6-AABA-53819A4EF17C}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire

"TCP Query User{73DB33F5-5B46-4574-AC5F-1AA82098F0A3}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"UDP Query User{DDA9AE31-1190-4F48-8DA6-8690A89E332F}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"TCP Query User{5E081AA1-F9C1-4AAC-AB92-6B0571851E89}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord

"UDP Query User{2B76DF19-1C80-4089-97D7-F69A382F2911}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord

"TCP Query User{9E22E494-A7A7-4FA1-BBEC-0179635300C7}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath

"UDP Query User{586BF611-6C27-4BDA-A281-2CC075207442}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath

"{BD22883F-BF5A-4B0D-B6A3-6B4612144DB7}"= UDP:C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:Sony Ericsson Media Manager 1.0

"{72D49565-DC32-49DE-A9B5-D4193DE23095}"= TCP:C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:Sony Ericsson Media Manager 1.0

"{6D9F6D9F-3323-48F0-92EE-B9A981CC062D}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{B8D6FF31-DBBB-4B0F-8220-3D4EFA4579E0}"= %ProgramFiles%\Telenor\Online Start\Telenor.exe:Online Start

"{B1AF8534-6C63-4D5B-A1F8-0CF333753755}"= %ProgramFiles%\Telenor\Telenorhjelpen\Telenor.exe:Telenorhjelpen

"{998C296E-ECF3-4760-A080-73540D96CCD3}"= C:\Program Files\Skype\Phone\Skype.exe:Skype

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

"EnableFirewall"= 0 (0x0)

 

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080923.001\IDSvix86.sys [2008-09-12 270384]

R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-02 17:51 13560]

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 149864]

R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys [2007-03-07 32256]

R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-06-05 179712]

S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c693034-6248-11dd-a0da-b3ed90f1cce1}]

\shell\AutoRun\command - F:\InstallTomTomHOME.exe

 

*Newly Created Service* - CATCHME

*Newly Created Service* - COMHOST

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-Acer Tour Reminder - (no file)

HKLM-Run-IgfxTray - C:\Windows\system32\igfxtray.exe

HKLM-Run-HotKeysCmds - C:\Windows\system32\hkcmd.exe

HKLM-Run-Persistence - C:\Windows\system32\igfxpers.exe

HKLM-Run-SetPanel - C:\Acer\APanel\APanel.cmd

HKLM-Run-Telenor Online Start - C:\Program Files\Telenor\Online Start\Telenor.exe

HKLM-Run-Acer Tour - (no file)

HKLM-Run-eRecoveryService - (no file)

 

 

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.startsiden.no/

R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

R0 -: HKLM-Main,Start Page = hxxp://no.intl.acer.yahoo.com

R1 -: HKCU-SearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com

O8 -: E&ksporter til Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-27 11:49:22

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

**************************************************************************

.

Completion time: 2008-09-27 11:52:19

ComboFix-quarantined-files.txt 2008-09-27 09:51:15

 

Pre-Run: 30 354 644 992 byte ledig

Post-Run: 30,106,173,440 byte ledig

 

239 --- E O F --- 2008-09-11 01:06:18

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:03:12, on 27.09.2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16711)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\RtHDVCpl.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe

C:\Acer\Empowering Technology\eAudio\eAudio.exe

C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Telenor\Telenorhjelpen\Telenor.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehmsas.exe

C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE

C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE

C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Windows\Explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\Users\Heidi\AppData\Local\Temp\Rar$EX02.977\test.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.intl.acer.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Telenor Telenorhjelpen Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Program Files\Telenor\Telenorhjelpen\IEFixItNowPlugin.dll

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe

O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"

O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe

O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [Telenorhjelpen] "C:\Program Files\Telenor\Telenorhjelpen\Telenor.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Telenorhjelpen] "C:\Program Files\Telenor\Telenorhjelpen\Telenor.exe" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'Default user')

O4 - Global Startup: Empowering Technology Launcher.lnk = ?

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: eNetHook.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Automatisk LiveUpdate-planlegging (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe

O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe

O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe

O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

 

--

End of file - 10010 bytes

 

 

Malwarebytes' Anti-Malware 1.28

Database versjon: 1211

Windows 6.0.6000

 

27.09.2008 11:32:48

mbam-log-2008-09-27 (11-32-48).txt

 

Skanntype: Rask Skann

Objekter skannet: 43720

Tid tilbakelagt: 4 minute(s), 28 second(s)

 

Minneprosesser infisert: 0

Minnemoduler infisert: 1

Registernøkler infisert: 2

Registerverdier infisert: 3

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 1

 

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

 

Minnemoduler infisert:

C:\Users\Heidi\AppData\Local\Temp\urqQhIya.dll (Trojan.Vundo) -> Delete on reboot.

 

Registernøkler infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instbndlkeyldr (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Registerverdier infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run814524f (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

 

Mapper infisert:

(Ingen mistenkelige filer funnet)

 

Filer infisert:

C:\Users\Heidi\AppData\Local\Temp\urqQhIya.dll (Trojan.Vundo) -> Delete on reboot.

 

 

Beklager at jeg måtte klippe og lime inn i forumet. Fikk feilmelding når jeg prøvde å laste opp et vedlegg fra notisblokk. Håper dette får pc'n "frisk".

 

På forhånd takk!!

 

Hilsen

Erik

Endret 27. september 2008 av Rikken1969

[r2d290]

Hallo Erik

 

Det ser ut til at Malwarebytes og Combofix fjernet det som var av rusk.

Hvordan kjører PC-en?

 

Husk at ukritisk bruk av LimeWire og BitLord lett kan føre til nye infeksjoner. Hvis du ikke bruker disse, bør du vurdere å avinstaller programmene...

[Rikken1969]

Heisan!

Pc'n kjører veldig bra. Ser ut til at alt er OK. Nok en gang: Takk for en flott side med god og seriøs hjelp!!

Kona skal nok bli klar over ukritisk bruk av visse programmer ja...

Hilsen

 

Erik

[r2d290]

Fint å høre

 

Litt opprydding:

Adaware kan du fjerne fra legg til/fjern programmer, da Malwarebytes gjør en mye bedre jobb.

 

Combofix må avinstalleres.

 

Gå til Start > Kjør

Skriv følgende i boksen:

• combofix /u
  

PS: legg merke til mellomrommet mellom X og /u

 

Trykk Enter.

 

Denne kommandoen vil:

• Fjerne følgende:
  • ComboFix og dets tilhørende filer og mapper.
    VundoFix backups, hvis de eksisterer.
    Mappen C:\Deckard, hvis den eksisterer
    Mappen C:\OtMoveIt, hvis den eksisterer
    

  [*] Nullstille klokke-instillingene.

   

  [*] Skjule filetternavn hvis det er nødvendig.

   

  [*] Skjule System/Skjulte filer og mapper hvis det er nødvendig.

   

  [*] Nullstille systemgjennoprettingspunkter.

Du kan avinstallere HijackThis hvis du ønsker:

Start HijackThis, velg None of the above, just start the program.

Så trykker du på Config>>Misc Tools>>Uninstall HijackThis & exit>>Ja/Yes. Programmet er nå avinstallert.

 

 

Malwarebytes anbefaler jeg deg at du beholder, men hvis du ønsker å fjerne det kan du gjøre det fra legg til/fjern programmer.

 

 

 

 

Dersom du mener at problemet med maskinen din er løst, kan du endre emnetittelen din, ved å trykke på i førsteposten din, og velge full endring. Øverst der emnetittelen din er, skriver du:

[LØST]

foran emnetittelen din.

 

Eks: [LØST] Har fått virus på maskinen

 

Dette vil være med på å holde forumet mer oversiktlig for supporterne, samt at nye folk som får samme problemet lettere vil finne en passende tråd å se i.

 

-Surf trygt-