GLN Posted 3 October 2008

Right, apparently I posted this in slightly the wrong place: my little brother's PC has started running slowly and freezing up again. I suspect a virus of some kind.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:33:20, on 03.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Windows Live\Tryggere for familien\fssui.exe
C:\Programfiler\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Programfiler\Trend Micro\teswt\tt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Programfiler\Windows Live\Tryggere for familien\fssbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programfiler\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Programfiler\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Programfiler\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [fssui] "C:\Programfiler\Windows Live\Tryggere for familien\fssui.exe" -autorun
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programfiler\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [bitTorrent] "C:\Programfiler\BitTorrent\bittorrent .exe" --force_start_minimized
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?849301a967d744fd993ffc51f0a86d90
O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?849301a967d744fd993ffc51f0a86d90
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blogg dette - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programfiler\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogg dette i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programfiler\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Programfiler\Tall Emu\Online Armor\oasrv.exe

--
End of file - 7509 bytes

MBAM:

Malwarebytes' Anti-Malware 1.28
Database versjon: 1226
Windows 5.1.2600 Service Pack 2

03.10.2008 18:25:53
mbam-log-2008-10-03 (18-25-53).txt

Skanntype: Rask Skann
Objekter skannet: 42682
Tid tilbakelagt: 11 minute(s), 21 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 25
Registerverdier infisert: 1
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 2

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
HKEY_CLASSES_ROOT\gnucdna.core (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{2850bdc7-2330-4e31-9fa0-88268846539a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0be385a3-85a5-4722-b677-68dae891ff21} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{272c0d60-0561-4c83-b3db-eb0a71f9d2eb} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{284477e4-a7cb-4055-9e1b-0ea7cba28945} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{70ca4938-6a0f-4641-a9a9-c936e4c1e7de} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7468213e-010e-4ec6-a17d-642e909ba7ec} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{89dc33a2-f86f-42a1-8b5f-d4d1943efc9c} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a916af3c-976d-4358-8736-95bea0b5fd2c} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b86f4810-19a9-4050-9ac9-b5cf60b5799a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bb5b7e14-f8b4-4365-a24d-f4965c33e1ee} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{be45f056-e005-437b-be88-23acf70b0b6a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c13d4627-02f5-4b03-897a-bf6a90022dd2} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c636f1fc-6ae4-4e6a-90ab-6d61d821a0dd} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cb971ac0-6408-40da-a540-92f9f256f51f} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d5694dfe-43b6-4e05-aa29-8c556c968973} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e2032ec2-a9ac-4ed7-9bdb-ebecacf076f2} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ebab4a71-8c34-461a-b57d-dd041d439555} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f06fea43-0cc3-4bf6-a85b-5efb1c07aa4b} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fc94a0f7-9c7c-4ae2-9106-5c212332b209} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f02c0ae1-d796-42c9-81e1-084d88f79b8e} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registerverdier infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\GnucDNA.dll (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\WINDOWS\system32\GnucDNA.dll (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\WINDOWS\BMcb4c0bea.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Combofix:

ComboFix 08-10-02.04 - Mats Nevland 2008-10-03 18:28:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.306 [GMT 2:00]
Running from: C:\Documents and Settings\Mats Nevland\Skrivebord\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
.

2008-10-03 18:20 . 2008-10-03 18:20 <DIR> d-------- C:\WINDOWS\LastGood
2008-10-03 18:13 . 2008-10-03 18:13 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-10-03 18:13 . 2008-10-03 18:13 <DIR> d-------- C:\Documents and Settings\Mats Nevland\Programdata\Malwarebytes
2008-10-03 18:13 . 2008-10-03 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-10-03 18:13 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-03 18:13 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-03 18:11 . 2008-10-03 18:26 <DIR> dr-h----- C:\Documents and Settings\Mats Nevland\Siste
2008-10-01 15:01 . 2008-10-01 15:01 <DIR> d-------- C:\Programfiler\MSECache
2008-09-28 00:54 . 2008-09-28 00:54 <DIR> d-------- C:\Documents and Settings\Mats Nevland\Programdata\Nokia Multimedia Player
2008-09-24 22:43 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-09-24 22:43 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 16:24 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-10-03 16:23 --------- d-----w C:\Documents and Settings\Mats Nevland\Programdata\MP3Rocket
2008-10-03 16:22 --------- d-----w C:\Programfiler\MP3 Music Search
2008-10-03 16:21 --------- d-----w C:\Programfiler\Frets on Fire
2008-10-02 15:23 --------- d-----w C:\Documents and Settings\Mats Nevland\Programdata\BitTorrent
2008-09-01 13:12 --------- d-----w C:\Documents and Settings\Mats Nevland\Programdata\Nokia
2008-09-01 13:06 --------- d-----w C:\Documents and Settings\All Users\Programdata\PC Suite
2008-09-01 13:02 --------- d-----w C:\Programfiler\Nokia
2008-09-01 13:02 --------- d-----w C:\Programfiler\Fellesfiler\PCSuite
2008-09-01 13:02 --------- d-----w C:\Programfiler\Fellesfiler\Nokia
2008-09-01 13:02 --------- d-----w C:\Programfiler\DIFX
2008-09-01 13:02 --------- d-----w C:\Documents and Settings\Mats Nevland\Programdata\PC Suite
2008-09-01 13:01 --------- d-----w C:\Programfiler\PC Connectivity Solution
2008-09-01 12:59 --------- d-----w C:\Documents and Settings\All Users\Programdata\Installations
2008-08-13 20:30 230,432 ----a-w C:\StiImg.dat
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-18 18:38 587,264 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

<pre>
----a-w 43,008 2008-03-13 11:34:54 C:\Programfiler\BitTorrent\bittorrent .exe
----a-w 68,856 2008-03-13 11:34:59 C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 5,674,352 2008-03-13 11:35:28 C:\Programfiler\MSN Messenger\MsnMsgr .Exe
----a-w 286,720 2008-03-13 11:34:25 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-13 11:18:07 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-10 07:16:12 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-06 15:19:02 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-06 14:49:13 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-04 14:25:20 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-28 23:14:25 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-27 21:32:47 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-26 21:18:51 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-24 12:00:18 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-24 11:30:55 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-19 17:34:40 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-13 02:13:08 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-11 23:28:05 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-08 17:20:49 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-03 17:04:48 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-03 16:44:30 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-01-29 15:49:55 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-01-25 21:07:08 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-01-24 23:40:14 C:\Programfiler\QuickTime\QTTask .exe
----a-w 15,360 2008-03-10 07:16:44 C:\WINDOWS\system32\ctfmon .exe
----a-w 18,214,008 2008-02-13 02:15:02 C:\WINDOWS\system32\MRT .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BitTorrent"="C:\Programfiler\BitTorrent\bittorrent .exe" [2008-03-13 43008]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fssui"="C:\Programfiler\Windows Live\Tryggere for familien\fssui.exe" [2007-12-17 243240]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]
"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"PCSuiteTrayApplication"="C:\Programfiler\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"SoundMan"="SOUNDMAN.EXE" [2005-09-22 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
"Nokia.PCSync"="C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Adobe Reader Speed Launch.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Programfiler\\MSN Messenger\\MsnMsgr .Exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programfiler\\LimeWire\\LimeWire.exe"=
"C:\\Programfiler\\BitTorrent\\bittorrent .exe"=
"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=

R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-04-17 80584]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-04-17 32456]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-17 28872]
R2 fssfltr;FssFltr;C:\WINDOWS\system32\DRIVERS\fssfltr.sys [2007-10-17 43816]
R2 fsssvc;Windows Live OneCare Tryggere for familien;C:\Programfiler\Windows Live\Tryggere for familien\fsssvc.exe [2007-12-17 523816]
R3 PAC207;Trust WB-1400T Webcam;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-02-24 162176]
S3 SvcOnlineArmor;Online Armor;C:\Programfiler\Tall Emu\Online Armor\oasrv.exe [2008-04-17 5449280]

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mats Nevland\Programdata\Mozilla\Firefox\Profiles\fhnjvhp6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.finn.no/
FF -: plugin - C:\Programfiler\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Programfiler\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - C:\Programfiler\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 18:30:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-03 18:32:18
ComboFix-quarantined-files.txt 2008-10-03 16:31:59
ComboFix2.txt 2008-06-10 17:56:15
ComboFix3.txt 2008-06-10 16:46:05

Pre-Run: 84 649 332 736 byte ledig
Post-Run: 84,641,169,408 byte ledig

153 --- E O F --- 2008-10-03 15:58:50

Any quick tips for making it run faster?
r2d290 Posted 3 October 2008

To me it looks like MBAM took care of what was there. Have you noticed any improvement since you ran it? Keep in mind that careless use of LimeWire can easily lead to new infections...
GLN (thread author) Posted 3 October 2008

I only ran through this just before we were heading out, but I'll check tomorrow. I'm going to uninstall a whole bunch of stuff and clean up a bit.
norbat Posted 4 October 2008

Open Notepad and paste in what is shown in bold below, then save the file on the desktop as CFScript. Next, drag the file onto the ComboFix icon. ComboFix will start again.

RenV::
----a-w 43,008 2008-03-13 11:34:54 C:\Programfiler\BitTorrent\bittorrent .exe
----a-w 68,856 2008-03-13 11:34:59 C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 5,674,352 2008-03-13 11:35:28 C:\Programfiler\MSN Messenger\MsnMsgr .Exe
----a-w 286,720 2008-03-13 11:34:25 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-13 11:18:07 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-10 07:16:12 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-06 15:19:02 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-06 14:49:13 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-04 14:25:20 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-28 23:14:25 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-27 21:32:47 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-26 21:18:51 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-24 12:00:18 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-24 11:30:55 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-19 17:34:40 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-13 02:13:08 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-11 23:28:05 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-08 17:20:49 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-03 17:04:48 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-03 16:44:30 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-01-29 15:49:55 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-01-25 21:07:08 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-01-24 23:40:14 C:\Programfiler\QuickTime\QTTask .exe
----a-w 15,360 2008-03-10 07:16:44 C:\WINDOWS\system32\ctfmon .exe
----a-w 18,214,008 2008-02-13 02:15:02 C:\WINDOWS\system32\MRT .exe

Post the log.
GLN (thread author) Posted 4 October 2008

ComboFix 08-10-02.04 - Mats Nevland 2008-10-04 12:53:39.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.291 [GMT 2:00]
Running from: C:\Documents and Settings\Mats Nevland\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mats Nevland\Skrivebord\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-09-04 to 2008-10-04 )))))))))))))))))))))))))))))))
.

2008-10-03 18:20 . 2008-10-03 18:20 <DIR> d-------- C:\WINDOWS\LastGood
2008-10-03 18:13 . 2008-10-03 18:13 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-10-03 18:13 . 2008-10-03 18:13 <DIR> d-------- C:\Documents and Settings\Mats Nevland\Programdata\Malwarebytes
2008-10-03 18:13 . 2008-10-03 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-10-03 18:13 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-03 18:13 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-03 18:11 . 2008-10-04 12:52 <DIR> dr-h----- C:\Documents and Settings\Mats Nevland\Siste
2008-10-01 15:01 . 2008-10-01 15:01 <DIR> d-------- C:\Programfiler\MSECache
2008-09-28 00:54 . 2008-09-28 00:54 <DIR> d-------- C:\Documents and Settings\Mats Nevland\Programdata\Nokia Multimedia Player
2008-09-24 22:43 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-09-24 22:43 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 10:53 --------- d-----w C:\Programfiler\QuickTime
2008-10-04 10:53 --------- d-----w C:\Programfiler\MSN Messenger
2008-10-03 16:24 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-10-03 16:23 --------- d-----w C:\Documents and Settings\Mats Nevland\Programdata\MP3Rocket
2008-10-03 16:22 --------- d-----w C:\Programfiler\MP3 Music Search
2008-10-03 16:21 --------- d-----w C:\Programfiler\Frets on Fire
2008-10-02 15:23 --------- d-----w C:\Documents and Settings\Mats Nevland\Programdata\BitTorrent
2008-09-01 13:12 --------- d-----w C:\Documents and Settings\Mats Nevland\Programdata\Nokia
2008-09-01 13:06 --------- d-----w C:\Documents and Settings\All Users\Programdata\PC Suite
2008-09-01 13:02 --------- d-----w C:\Programfiler\Nokia
2008-09-01 13:02 --------- d-----w C:\Programfiler\Fellesfiler\PCSuite
2008-09-01 13:02 --------- d-----w C:\Programfiler\Fellesfiler\Nokia
2008-09-01 13:02 --------- d-----w C:\Programfiler\DIFX
2008-09-01 13:02 --------- d-----w C:\Documents and Settings\Mats Nevland\Programdata\PC Suite
2008-09-01 13:01 --------- d-----w C:\Programfiler\PC Connectivity Solution
2008-09-01 12:59 --------- d-----w C:\Documents and Settings\All Users\Programdata\Installations
2008-08-13 20:30 230,432 ----a-w C:\StiImg.dat
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-18 18:38 587,264 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

<pre>
----a-w 43,008 2008-03-13 11:34:54 C:\Programfiler\BitTorrent\bittorrent .exe
----a-w 286,720 2008-03-13 11:34:25 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-13 11:18:07 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-10 07:16:12 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-06 15:19:02 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-06 14:49:13 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-03-04 14:25:20 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-28 23:14:25 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-27 21:32:47 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-26 21:18:51 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-24 12:00:18 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-24 11:30:55 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-19 17:34:40 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-13 02:13:08 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-11 23:28:05 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-08 17:20:49 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-03 17:04:48 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-02-03 16:44:30 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-01-29 15:49:55 C:\Programfiler\QuickTime\QTTask .exe
----a-w 652,288 2008-01-25 21:07:08 C:\Programfiler\QuickTime\QTTask .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2008-10-03_18.31.41.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2008-03-10 07:16:44 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
- 2004-08-04 12:00:00 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-03-10 07:16:44 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
- 2008-08-26 20:28:12 16,208,504 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-02-13 02:15:02 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-10 15360]
"msnmsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BitTorrent"="C:\Programfiler\BitTorrent\bittorrent .exe" [2008-03-13 43008]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fssui"="C:\Programfiler\Windows Live\Tryggere for familien\fssui.exe" [2007-12-17 243240]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]
"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-01-25 652288]
"AppleSyncNotifier"="C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"PCSuiteTrayApplication"="C:\Programfiler\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"SoundMan"="SOUNDMAN.EXE" [2005-09-22 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-03-10 15360]
"Nokia.PCSync"="C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Adobe Reader Speed Launch.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programfiler\\LimeWire\\LimeWire.exe"=
"C:\\Programfiler\\BitTorrent\\bittorrent .exe"=
"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=

R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-04-17 80584]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-04-17 32456]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-17 28872]
R2 fssfltr;FssFltr;C:\WINDOWS\system32\DRIVERS\fssfltr.sys [2007-10-17 43816]
R2 fsssvc;Windows Live OneCare Tryggere for familien;C:\Programfiler\Windows Live\Tryggere for familien\fsssvc.exe [2007-12-17 523816]
R3 PAC207;Trust WB-1400T Webcam;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-02-24 162176]
S3 SvcOnlineArmor;Online Armor;C:\Programfiler\Tall Emu\Online Armor\oasrv.exe [2008-04-17 5449280]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 12:55:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-04 12:56:54
ComboFix-quarantined-files.txt 2008-10-04 10:56:28
ComboFix2.txt 2008-10-03 16:32:19
ComboFix3.txt 2008-06-10 17:56:15
ComboFix4.txt 2008-06-10 16:46:05

Pre-Run: 84 749 996 032 byte ledig
Post-Run: 84,740,571,136 byte ledig

152 --- E O F --- 2008-10-03 15:58:50
norbat Posted 4 October 2008 (edited)

Download the CFScript.txt file and drag it onto the ComboFix icon. Post the log again afterwards.

Attachment: CFScript.txt

Edited 4 October 2008 by norbat