
Logs from ComboFix, mbam and HJT



Could someone take a look at these?

I am unsure about the malware status of my machine, but I am afraid I may have a nasty keylogger.

 

ComboFix

ComboFix 08-10-14.07 - ............. 2008-10-15 18:46:37.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.202 [GMT 2:00]

Running from: C:\Documents and Settings\.............\Skrivebord\ComboFix.exe

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))

.

 

2008-10-15 18:20 . 2008-10-15 18:37 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-10-15 18:20 . 2008-10-15 18:20 <DIR> d-------- C:\Documents and Settings\.........\Programdata\Malwarebytes

2008-10-15 18:20 . 2008-10-15 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-10-15 18:20 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-15 18:20 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-15 18:17 . 2008-10-15 18:37 <DIR> dr-h----- C:\Documents and Settings\...............\Siste

2008-10-15 17:44 . 2008-10-15 17:44 <DIR> d-------- C:\Programfiler\CCleaner

2008-10-13 23:15 . 2008-10-13 23:16 <DIR> d-------- C:\Programfiler\Spybot - Search & Destroy

2008-10-13 23:15 . 2008-10-15 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-09-22 18:42 . 2008-09-22 18:42 <DIR> d-------- C:\Programfiler\Camfrog

2008-09-22 18:42 . 2008-09-22 18:42 <DIR> d-------- C:\Documents and Settings\...............\Programdata\Camfrog

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-14 18:13 24 ----a-w C:\Documents and Settings\.................\jagex_runescape_preferences.dat

2008-10-04 09:58 --------- d-----w C:\Programfiler\SwiftKit

2008-09-17 12:34 --------- d-----w C:\Programfiler\PurgeIE

2008-08-18 22:24 --------- d-----w C:\Documents and Settings\...............\Programdata\uTorrent

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 68856]

"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2004-09-02 249856]

"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 106496]

"F-Secure Manager"="C:\Programfiler\F-Secure\Common\FSM32.EXE" [2002-12-05 106571]

"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2004-05-07 98304]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2004-05-07 536576]

"PhiBtn"="C:\WINDOWS\System32\drivers\PhiBtn.exe" [2005-08-25 155648]

"Traymin900"="C:\WINDOWS\System32\drivers\Tray900.exe" [2005-08-25 266240]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"GNConfig"="C:\Programfiler\Gigabyte\Gigabyte GN-WM01GT Wireless CardBus Adapter\GNConfig.exe" [2005-11-16 348160]

"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-05-27 413696]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"SiSPower"="SiSPower.dll" [2004-09-02 C:\WINDOWS\system32\SiSPower.dll]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

"DWQueuedReporting"="C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2004-09-15 331776]

WinZip Quick Pick.lnk - C:\Programfiler\WinZip\WZQKPICK.EXE [2007-08-03 122880]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ac3filter"= ac3filter.acm

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Programfiler\\BitTornado\\btdownloadgui.exe"=

"C:\\StubInstaller.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=

"C:\\Programfiler\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1700:TCP"= 1700:TCP:MioNet Remote Drive Access

"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

"12035:UDP"= 12035:UDP:*:Disabled:Second Life

"12036:UDP"= 12036:UDP:*:Disabled:Second Life

"12043:TCP"= 12043:TCP:*:Disabled:Second Life

"13000:TCP"= 13000:TCP:*:Disabled:Second Life

"13000:UDP"= 13000:UDP:*:Disabled:Second Life

"13050:UDP"= 13050:UDP:*:Disabled:Second Life

 

R2 BackWeb Client - 7681197;F-Secure BackWeb;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2005-01-20 16384]

R2 F-Secure Filter;F-Secure File System Filter;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2003-04-30 48336]

R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSgk.sys [2003-10-15 41488]

R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSrec.sys [2003-02-06 16048]

R2 FSpm;F-Secure Policy Manager;C:\Programfiler\F-Secure\Common\FSPM.SYS [2002-12-05 65328]

R2 Fswsclds;F-Secure Windows Security Center Legacy Detection Service;C:\Programfiler\F-Secure\fswsclds.exe [2005-01-20 40960]

R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2004-02-12 191092]

R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2004-01-27 6100]

S3 camvid40;Philips SPC 900NC PC Camera;C:\WINDOWS\system32\DRIVERS\camdrv41.sys [2005-08-25 1240576]

 

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

 

2008-10-09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

 

2008-10-15 C:\WINDOWS\Tasks\MP Scheduled Scan.job

- C:\Programfiler\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-Run-WinampAgent - E:\Winamp\winampa.exe

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\...................\Programdata\Mozilla\Firefox\Profiles\bu1gddeg.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.dagbladet.no/

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-15 18:50:58

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

**************************************************************************

.

Completion time: 2008-10-15 18:56:01

ComboFix-quarantined-files.txt 2008-10-15 16:54:52

 

Pre-Run: 19 054 133 248 byte ledig

Post-Run: 19,052,855,296 byte ledig

 

126 --- E O F --- 2008-10-10 16:05:01

 

mbam

Malwarebytes' Anti-Malware 1.28

Database versjon: 1274

Windows 5.1.2600 Service Pack 2

 

15.10.2008 18:37:36

mbam-log-2008-10-15 (18-37-36).txt

 

Skanntype: Rask Skann

Objekter skannet: 47913

Tid tilbakelagt: 12 minute(s), 22 second(s)

 

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 1

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 0

 

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

 

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

 

Registernøkler infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

 

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

 

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

 

Mapper infisert:

(Ingen mistenkelige filer funnet)

 

Filer infisert:

(Ingen mistenkelige filer funnet)

 

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:37:06, on 15.10.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe

C:\Programfiler\F-Secure\Anti-Virus\FSGK32.EXE

C:\Programfiler\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe

C:\Programfiler\F-Secure\fswsclds.exe

C:\Programfiler\F-Secure\Anti-Virus\fssm32.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\F-Secure\Common\FSMA32.EXE

C:\Programfiler\F-Secure\Common\FSMB32.EXE

C:\Programfiler\F-Secure\Common\FCH32.EXE

C:\Programfiler\F-Secure\Common\FAMEH32.EXE

C:\Programfiler\F-Secure\Common\FNRB32.EXE

C:\Programfiler\F-Secure\Common\FIH32.EXE

C:\Programfiler\F-Secure\Anti-Virus\fsav32.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\System32\keyhook.exe

C:\Programfiler\F-Secure\Common\FSM32.EXE

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\System32\drivers\PhiBtn.exe

C:\Programfiler\Windows Defender\MSASCui.exe

C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe

C:\Programfiler\QuickTime\QTTask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\sistray.exe

C:\Programfiler\WinZip\WZQKPICK.EXE

C:\WINDOWS\explorer.exe

C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

C:\Programfiler\internet explorer\iexplore.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programfiler\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: MSN-verktøylinje - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Toolbar1.01.2607.0\no\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar3.dll

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programfiler\F-Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe

O4 - HKLM\..\Run: [Traymin900] %SystemRoot%\System32\drivers\Tray900.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [GNConfig] "C:\Programfiler\Gigabyte\Gigabyte GN-WM01GT Wireless CardBus Adapter\GNConfig.exe" -nogui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programfiler\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106222668031

O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/fs5/ax/ActiveXWebCam.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab

O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Programfiler\F-Secure\BackWeb\7681197\Program\fsbwlan.exe

O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FNRB32.EXE

O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Programfiler\F-Secure\Common\FSAA.EXE

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FSMA32.EXE

O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Programfiler\F-Secure\fswsclds.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O24 - Desktop Component 0: (no name) - http://global.msads.net/ads/1/0000000001_0...00000136857.gif

 

--

End of file - 8959 bytes

Edited by Lurveleven

Note that all instructions given in this thread are tailored to this machine, and that the tools used here can cause damage on another machine with other types of infections.

If you think you have the same problem, you should follow norbat's guide and post the logs in a new thread.

Hello

My name is r2d290, and I will be helping you remove any infections you may have on the PC.

  • A number of instructions will be given, and they must be followed in the order we write them.

  • If there is an instruction you do not understand, you are unsure about something, or something unexpected happens, do not guess or move on; instead write a post on the forum asking about whatever you are wondering.

  • Do not start multiple threads (neither here on diskusjon.no nor on other forums). That will only confuse those of us who provide support.

  • The operation may take several steps, and it may take some time before you get a reply, but we will not give up as long as you do not.

  • In some cases threads slip past us, so if you have not received a reply within 24 hours it may be a good idea to write a short "bump post" so that your thread ends up at the top of the list.

If you follow these instructions, we should be able to fix the problem with the machine.

I am analysing your logs now and will come back with a response as soon as I can...

PS: Your security programs may give warnings about some of the tools we ask you to use.

The security programs cannot know whether the tools have good or bad intentions. The tools are used by professionals all over the world, so you can trust that the programs are safe.


I assume that "............." is a form of censoring of a user? In that case you must change the dots to the original name when you create the CFScript below...

 

 

 

 

Click Start - All Programs - Accessories - Notepad (Alle Programmer - Tilbehør - Notisblokk)

Copy and paste the text in the code box below into Notepad:

 

DirLook:: 
C:\Programfiler\Camfrog
C:\Documents and Settings\...............\Programdata\Camfrog

 

Save it as CFScript on the Desktop (Skrivebordet)

Drag CFScript onto ComboFix.exe, which is located on the Desktop, as the animation below shows.

 

CFScriptB-4.gif

 

This will start ComboFix again. If the machine asks for a restart, let it do so right away.

Post the contents of ComboFix.txt in your next reply on the forum.

ComboFix 08-10-14.07 - ......... 2008-10-15 21:10:52.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.143 [GMT 2:00]

Running from: C:\Documents and Settings\........\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\..........\Skrivebord\CFScript.txt

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))

.

 

2008-10-15 20:02 . 2008-10-15 20:07 1,393 --a------ C:\WINDOWS\imsins.BAK

2008-10-15 19:36 . 2008-10-15 19:36 <DIR> d-------- C:\Programfiler\Trend Micro

2008-10-15 18:20 . 2008-10-15 18:37 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-10-15 18:20 . 2008-10-15 18:20 <DIR> d-------- C:\Documents and Settings\........\Programdata\Malwarebytes

2008-10-15 18:20 . 2008-10-15 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-10-15 18:20 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-15 18:20 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-15 18:17 . 2008-10-15 21:08 <DIR> dr-h----- C:\Documents and Settings\........\Siste

2008-10-15 17:44 . 2008-10-15 17:44 <DIR> d-------- C:\Programfiler\CCleaner

2008-10-13 23:15 . 2008-10-13 23:16 <DIR> d-------- C:\Programfiler\Spybot - Search & Destroy

2008-10-13 23:15 . 2008-10-15 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-09-22 18:42 . 2008-09-22 18:42 <DIR> d-------- C:\Programfiler\Camfrog

2008-09-22 18:42 . 2008-09-22 18:42 <DIR> d-------- C:\Documents and Settings\........\Programdata\Camfrog

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-14 18:13 24 ----a-w C:\Documents and Settings\.............\jagex_runescape_preferences.dat

2008-10-04 09:58 --------- d-----w C:\Programfiler\SwiftKit

2008-09-17 12:34 --------- d-----w C:\Programfiler\PurgeIE

2008-09-15 15:42 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys

2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-08-20 05:38 658,944 ----a-w C:\WINDOWS\system32\wininet.dll

2008-08-18 22:24 --------- d-----w C:\Documents and Settings\..........\Programdata\uTorrent

2008-08-14 13:48 2,182,144 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-08-14 13:48 2,059,520 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

---- Directory of C:\Documents and Settings\.......\Programdata\Camfrog ----

 

2008-10-10 19:44 651 --a------ C:\Documents and Settings\.......\Programdata\Camfrog\adv4.htm

2008-10-10 19:36 22148 --a------ C:\Documents and Settings\.......\Programdata\Camfrog\immessagesu.dat

 

---- Directory of C:\Programfiler\Camfrog ----

 

2008-09-22 18:42 647168 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\modules\imdlg.dll

2008-09-22 18:42 643072 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\mdlg.dll

2008-09-22 18:42 62747 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\uninstall.exe

2008-09-22 18:42 421888 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\modules\room_dlg.dll

2008-09-22 18:42 1306624 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\Camfrog Video Chat.exe

2008-08-26 10:53 454656 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\modules\vwdlg.dll

2008-08-26 10:53 438272 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\modules\medlg.dll

2008-08-26 10:53 421888 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\modules\setlg.dll

2008-08-26 10:53 368640 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\modules\cfhistlg.dll

2008-08-26 10:53 258048 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\modules\smplelg.dll

2008-08-26 10:53 204800 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\modules\addnotifylg.dll

2008-08-26 10:53 1310720 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\ctrlelem_pack.dll

2008-08-26 10:53 1265664 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\controls.dll

2008-08-26 10:52 397312 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\language.dll

2008-08-26 10:52 163840 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\SendSnapshotAX_ATL.dll

2008-08-26 10:52 159744 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\SendFileAX_ATL.dll

2008-08-26 10:52 114688 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\AnimationEmoteAX_ATL.dll

2008-08-04 05:14 528384 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\modules\chrl_ul_dlg.dll

2008-08-04 05:13 40960 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\usability.dll

2008-08-04 05:13 147456 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\modules\wizdlg.dll

2008-08-04 05:12 86016 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\FileExch.dll

2008-08-04 05:11 311296 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\net\cmfrgnet.dll

2008-08-04 05:09 135168 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\AnimationEmote.dll

2008-08-04 05:08 1683456 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\cfresource.dll

2008-08-01 04:28 94208 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\cm_capture.ax

2008-08-01 04:28 81920 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\videosource.dll

2008-08-01 04:28 77824 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\cm_render.ax

2008-08-01 04:28 69632 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\nwlayer.dll

2008-08-01 04:28 552960 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\media.dll

2008-08-01 04:28 5412 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\smiles.sae

2008-08-01 04:28 49152 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\cm_arender.ax

2008-08-01 04:28 45056 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\audiosource.dll

2008-08-01 04:28 36864 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\cm_acapture.ax

2008-08-01 04:28 36864 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\audiocodec.dll

2008-08-01 04:28 1645056 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\avcodec.dll

2008-08-01 04:28 14848 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\videocodec.dll

2008-07-16 11:13 180996 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\DataLanguagePack\russian.lang

2008-06-26 12:10 226628 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\DataLanguagePack\Thai.lang

2008-06-26 12:10 173124 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\DataLanguagePack\turkish.lang

2008-06-26 12:10 163588 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\DataLanguagePack\portugues_br.lang

2008-06-26 12:10 162884 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\DataLanguagePack\spanish.lang

2008-06-26 12:09 179908 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\DataLanguagePack\french.lang

2008-06-26 12:09 170500 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\DataLanguagePack\germany.lang

2008-06-26 12:09 168260 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\DataLanguagePack\dutch.lang

2008-06-26 12:09 166788 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\DataLanguagePack\italian.lang

2008-02-08 10:21 20940 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\help\camfrogclient.html

2007-12-17 11:32 69632 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\ImageLayer.dll

2007-02-17 16:44 57344 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\CamfrogHandler.exe

2007-01-26 07:45 929792 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\cxcore099.dll

2007-01-26 07:41 679936 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\cv099.dll

2005-11-01 14:00 343040 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\msvcrt.dll

2005-05-28 16:10 655917 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\ILdata\eye_8.xml

2005-05-02 22:26 348160 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\msvcr71.dll

2005-03-16 14:18 946032 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\ILdata\haarcascade_frontalface_alt.xml

2004-02-18 07:39 65 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\help\greenline.gif

2004-02-18 07:39 43 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\help\spacer.gif

2004-02-18 07:39 2964 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\help\logo.gif

2004-02-18 07:39 166 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\help\yellow.gif

2003-09-29 08:22 36352 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\CamfrogNET.exe

2003-08-13 04:17 499712 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\msvcp71.dll

2002-06-14 07:00 26932 --a------ C:\Programfiler\Camfrog\Camfrog Video Chat\copying.txt

 

 

((((((((((((((((((((((((((((( snapshot@2008-10-15_18.54.03,84 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-02-28 16:05:16 2,138,112 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe

+ 2008-08-14 13:48:09 2,138,112 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe

- 2007-02-28 16:05:26 2,059,392 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe

+ 2008-08-14 13:48:14 2,059,520 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe

- 2007-02-28 16:05:16 2,017,792 ------w C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe

+ 2008-08-14 13:48:08 2,017,792 ------w C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe

- 2007-02-28 16:05:27 2,182,144 ------w C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe

+ 2008-08-14 13:48:14 2,182,144 ------w C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe

- 2008-10-15 15:40:30 5,718 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{BA368BC1-2D0A-4038-927F-56080C097545}.bin

+ 2008-10-15 15:40:30 10,562 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{BA368BC1-2D0A-4038-927F-56080C097545}.bin

- 2008-06-23 15:41:43 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll

+ 2008-08-20 05:38:50 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll

- 2008-06-23 15:41:43 151,552 ----a-w C:\WINDOWS\system32\cdfview.dll

+ 2008-08-20 05:38:48 151,552 ----a-w C:\WINDOWS\system32\cdfview.dll

- 2008-06-23 15:41:43 1,054,720 ----a-w C:\WINDOWS\system32\danim.dll

+ 2008-08-20 05:38:49 1,054,720 ----a-w C:\WINDOWS\system32\danim.dll

- 2008-06-20 10:44:38 138,368 -c----w C:\WINDOWS\system32\dllcache\afd.sys

+ 2008-08-14 09:51:43 138,368 -c----w C:\WINDOWS\system32\dllcache\afd.sys

- 2008-06-23 15:41:43 1,023,488 -c----w C:\WINDOWS\system32\dllcache\browseui.dll

+ 2008-08-20 05:38:50 1,023,488 -c----w C:\WINDOWS\system32\dllcache\browseui.dll

- 2008-06-23 15:41:43 151,552 -c----w C:\WINDOWS\system32\dllcache\cdfview.dll

+ 2008-08-20 05:38:48 151,552 -c----w C:\WINDOWS\system32\dllcache\cdfview.dll

- 2008-06-23 15:41:43 1,054,720 -c----w C:\WINDOWS\system32\dllcache\danim.dll

+ 2008-08-20 05:38:49 1,054,720 -c----w C:\WINDOWS\system32\dllcache\danim.dll

- 2008-06-23 15:41:43 357,888 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll

+ 2008-08-20 05:38:49 357,888 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll

- 2008-06-23 15:41:43 205,312 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll

+ 2008-08-20 05:38:49 205,312 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll

- 2008-06-23 15:41:43 55,808 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll

+ 2008-08-20 05:38:49 55,808 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll

- 2008-06-23 09:49:29 18,432 -c----w C:\WINDOWS\system32\dllcache\iedw.exe

+ 2008-08-19 09:30:39 18,432 -c----w C:\WINDOWS\system32\dllcache\iedw.exe

- 2008-06-23 15:41:43 251,392 -c----w C:\WINDOWS\system32\dllcache\iepeers.dll

+ 2008-08-20 05:38:49 251,392 -c----w C:\WINDOWS\system32\dllcache\iepeers.dll

- 2008-06-23 15:41:43 96,768 -c----w C:\WINDOWS\system32\dllcache\inseng.dll

+ 2008-08-20 05:38:49 96,768 -c----w C:\WINDOWS\system32\dllcache\inseng.dll

- 2008-06-23 15:41:43 16,384 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll

+ 2008-08-20 05:38:49 16,384 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll

- 2008-06-23 15:41:44 3,080,704 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll

+ 2008-08-20 05:38:50 3,081,216 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll

- 2008-06-23 15:41:44 449,024 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll

+ 2008-08-20 05:38:49 449,024 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll

- 2008-06-23 15:41:44 146,432 -c----w C:\WINDOWS\system32\dllcache\msrating.dll

+ 2008-08-20 05:38:49 146,432 -c----w C:\WINDOWS\system32\dllcache\msrating.dll

- 2008-06-23 15:41:44 532,480 -c----w C:\WINDOWS\system32\dllcache\mstime.dll

+ 2008-08-20 05:38:49 532,480 -c----w C:\WINDOWS\system32\dllcache\mstime.dll

- 2007-02-28 16:05:16 2,138,112 -c----w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe

+ 2008-08-14 13:48:09 2,138,112 -c----w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe

- 2007-02-28 16:05:26 2,059,392 -c----w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

+ 2008-08-14 13:48:14 2,059,520 -c----w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

- 2007-02-28 16:05:16 2,017,792 -c----w C:\WINDOWS\system32\dllcache\ntkrpamp.exe

+ 2008-08-14 13:48:08 2,017,792 -c----w C:\WINDOWS\system32\dllcache\ntkrpamp.exe

- 2007-02-28 16:05:27 2,182,144 -c----w C:\WINDOWS\system32\dllcache\ntoskrnl.exe

+ 2008-08-14 13:48:14 2,182,144 -c----w C:\WINDOWS\system32\dllcache\ntoskrnl.exe

- 2008-06-23 15:41:44 39,424 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll

+ 2008-08-20 05:38:49 39,424 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll

- 2008-06-23 15:41:44 1,494,528 -c----w C:\WINDOWS\system32\dllcache\shdocvw.dll

+ 2008-08-20 05:38:49 1,494,528 -c----w C:\WINDOWS\system32\dllcache\shdocvw.dll

- 2008-06-23 15:41:44 474,112 -c----w C:\WINDOWS\system32\dllcache\shlwapi.dll

+ 2008-08-20 05:38:50 474,112 -c----w C:\WINDOWS\system32\dllcache\shlwapi.dll

- 2006-08-14 10:34:41 332,928 -c----w C:\WINDOWS\system32\dllcache\srv.sys

+ 2008-08-28 10:04:17 333,056 -c----w C:\WINDOWS\system32\dllcache\srv.sys

- 2008-06-23 15:41:44 615,936 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll

+ 2008-08-20 05:38:50 615,936 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll

- 2008-03-20 08:11:33 1,845,248 -c----w C:\WINDOWS\system32\dllcache\win32k.sys

+ 2008-09-15 15:42:12 1,846,016 -c----w C:\WINDOWS\system32\dllcache\win32k.sys

- 2008-06-23 15:41:45 658,944 -c----w C:\WINDOWS\system32\dllcache\wininet.dll

+ 2008-08-20 05:38:49 658,944 -c----w C:\WINDOWS\system32\dllcache\wininet.dll

- 2008-06-20 10:44:38 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

+ 2008-08-14 09:51:43 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

- 2008-06-23 15:41:43 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll

+ 2008-08-20 05:38:49 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll

- 2008-06-23 15:41:43 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll

+ 2008-08-20 05:38:49 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll

- 2008-06-23 15:41:43 55,808 ------w C:\WINDOWS\system32\extmgr.dll

+ 2008-08-20 05:38:49 55,808 ------w C:\WINDOWS\system32\extmgr.dll

- 2008-04-09 18:17:35 148,400 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2008-10-15 18:52:50 148,400 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

- 2008-06-23 15:41:43 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll

+ 2008-08-20 05:38:49 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll

- 2008-06-23 15:41:43 96,768 ----a-w C:\WINDOWS\system32\inseng.dll

+ 2008-08-20 05:38:49 96,768 ----a-w C:\WINDOWS\system32\inseng.dll

- 2008-06-23 15:41:43 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll

+ 2008-08-20 05:38:49 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll

- 2008-08-26 20:28:12 16,208,504 ----a-w C:\WINDOWS\system32\MRT.exe

+ 2008-10-07 19:19:40 16,721,856 ----a-w C:\WINDOWS\system32\MRT.exe

- 2008-06-23 15:41:44 3,080,704 ----a-w C:\WINDOWS\system32\mshtml.dll

+ 2008-08-20 05:38:50 3,081,216 ----a-w C:\WINDOWS\system32\mshtml.dll

- 2008-06-23 15:41:44 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll

+ 2008-08-20 05:38:49 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll

- 2008-06-23 15:41:44 146,432 ----a-w C:\WINDOWS\system32\msrating.dll

+ 2008-08-20 05:38:49 146,432 ----a-w C:\WINDOWS\system32\msrating.dll

- 2008-06-23 15:41:44 532,480 ----a-w C:\WINDOWS\system32\mstime.dll

+ 2008-08-20 05:38:49 532,480 ----a-w C:\WINDOWS\system32\mstime.dll

- 2008-06-23 15:41:44 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll

+ 2008-08-20 05:38:49 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll

- 2008-06-23 15:41:44 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll

+ 2008-08-20 05:38:49 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll

- 2008-06-23 15:41:44 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll

+ 2008-08-20 05:38:50 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll

- 2007-07-27 08:41:40 16,760 ------w C:\WINDOWS\system32\spmsg.dll

+ 2007-11-30 11:19:51 17,784 ------w C:\WINDOWS\system32\spmsg.dll

- 2008-06-23 15:41:44 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll

+ 2008-08-20 05:38:50 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll

- 2008-07-03 09:42:46 354,304 ----a-w C:\WINDOWS\system32\xpsp3res.dll

+ 2008-08-19 09:51:52 354,304 ----a-w C:\WINDOWS\system32\xpsp3res.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 68856]

"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2004-09-02 249856]

"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 106496]

"F-Secure Manager"="C:\Programfiler\F-Secure\Common\FSM32.EXE" [2002-12-05 106571]

"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2004-05-07 98304]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2004-05-07 536576]

"PhiBtn"="C:\WINDOWS\System32\drivers\PhiBtn.exe" [2005-08-25 155648]

"Traymin900"="C:\WINDOWS\System32\drivers\Tray900.exe" [2005-08-25 266240]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"GNConfig"="C:\Programfiler\Gigabyte\Gigabyte GN-WM01GT Wireless CardBus Adapter\GNConfig.exe" [2005-11-16 348160]

"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-05-27 413696]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"SiSPower"="SiSPower.dll" [2004-09-02 C:\WINDOWS\system32\SiSPower.dll]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

"DWQueuedReporting"="C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2004-09-15 331776]

WinZip Quick Pick.lnk - C:\Programfiler\WinZip\WZQKPICK.EXE [2007-08-03 122880]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ac3filter"= ac3filter.acm

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Programfiler\\BitTornado\\btdownloadgui.exe"=

"C:\\StubInstaller.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=

"C:\\Programfiler\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1700:TCP"= 1700:TCP:MioNet Remote Drive Access

"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

"12035:UDP"= 12035:UDP:*:Disabled:Second Life

"12036:UDP"= 12036:UDP:*:Disabled:Second Life

"12043:TCP"= 12043:TCP:*:Disabled:Second Life

"13000:TCP"= 13000:TCP:*:Disabled:Second Life

"13000:UDP"= 13000:UDP:*:Disabled:Second Life

"13050:UDP"= 13050:UDP:*:Disabled:Second Life

 

R2 BackWeb Client - 7681197;F-Secure BackWeb;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2005-01-20 16384]

R2 F-Secure Filter;F-Secure File System Filter;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2003-04-30 48336]

R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSgk.sys [2003-10-15 41488]

R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSrec.sys [2003-02-06 16048]

R2 FSpm;F-Secure Policy Manager;C:\Programfiler\F-Secure\Common\FSPM.SYS [2002-12-05 65328]

R2 Fswsclds;F-Secure Windows Security Center Legacy Detection Service;C:\Programfiler\F-Secure\fswsclds.exe [2005-01-20 40960]

R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2004-02-12 191092]

R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2004-01-27 6100]

S3 camvid40;Philips SPC 900NC PC Camera;C:\WINDOWS\system32\DRIVERS\camdrv41.sys [2005-08-25 1240576]

.

Contents of the 'Scheduled Tasks' folder

 

2008-10-09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

 

2008-10-15 C:\WINDOWS\Tasks\MP Scheduled Scan.job

- C:\Programfiler\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-15 21:16:29

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

**************************************************************************

.

Completion time: 2008-10-15 21:21:14

ComboFix-quarantined-files.txt 2008-10-15 19:20:08

ComboFix2.txt 2008-10-15 16:56:04

 

Pre-Run: 18 868 080 640 byte ledig

Post-Run: 18,855,600,128 byte ledig

 

303 --- E O F --- 2008-10-15 18:07:57

 

Yes, the ......... is at least an attempt at a bit of censoring :)

Thanks for taking a look at this.

Link to comment
I assume you're familiar with "Camfrog Video Chat"?

I can't see anything wrong with your logs. Is there anything in particular that makes you suspect a keylogger?

How is the PC running?

Yes, Camfrog is familiar.

I play an online game where my account was stripped, and the only possibility is a keylogger.

It's possible I got it removed with the Spybot scan I ran afterwards, and that this is why it doesn't show up in any of the logs. And that's good.

The PC works quite OK, for an old laptop. It is faster now, after CCleaner cleaned it up thoroughly.

If it doesn't look like anything is wrong, I'll count on everything being fine and start building up the game account again ;)

Thanks a lot for the check!

Link to comment
If Spybot creates a log, it would be interesting to see it... :)

Yes, I would have liked to post the log from Spybot; the problem is just that I didn't copy and save the result of the scan. But if anyone knows whether Spybot auto-saves anything, please let me know. I have looked and can't find any log.

Link to comment

I think, at least, that it should be fine to uninstall ComboFix now:

Go to Start > Run

Type the following in the box:

  • combofix /u

PS: note the space between the X and /u

Press Enter.

This command will:

  • Remove the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if they exist.
    • The folder C:\Deckard, if it exists.
    • The folder C:\OtMoveIt, if it exists.
  • Reset the clock settings.
  • Hide file extensions if necessary.
  • Hide System/Hidden files and folders if necessary.
  • Reset the System Restore points.

Can you confirm that Spybot removed any files? If so, I think we just have to assume that, if it is true that you have had a keylogger, it is gone now.

(unless anyone else has any objections?)

Link to comment
