Valkyria, posted 23 October 2008 (edited)

I suddenly noticed that my PC had restarted itself, and when I turned it back on I got a message from a red circle with a cross in it in the right-hand corner saying "Your computer is infected! Windows has detected spyware infection! It is recomended to use special antispyware tools to prevent data loss. windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware!" I cut the internet connection so the program can't download a new version, but I think this is a scam program, because when I press ctrl-alt-del I see that the program AntiSpywareXP 2009 is running, but it only has the icon of a .exe file, i.e. no logo or anything like that. Is this a real XP program, or is the PC trying to download new viruses or something? That I've got something nasty onto the machine is certain, but I have no idea what. It could be a trojan posing as a Windows spyware remover (which is what I think). Hope someone can help.

Edited 23 October 2008 by Valkyria
ungkar1, posted 23 October 2008

Hi. You can go through this guide here: https://www.diskusjon.no/index.php?showtopic=691246 and then post the logs in this thread, and someone will come and look at the logs.
Valkyria, posted 23 October 2008 (thread author)

HJT, mbam and ComboFix logs:
snippsat, posted 23 October 2008

Copy the bold text under the picture -> open Notepad and paste it in. Save it on the desktop as CFScript.txt. Do as shown in the picture; ComboFix will start. Post the log c:\combofix.txt

File::
C:\WINDOWS\system32\av.dat
C:\WINDOWS\system32\TDSSosvd.dat
Valkyria, posted 23 October 2008 (thread author)

The scan is running, and Norman caught a virus while the scan was in progress. Is that supposed to happen, or was it the virus trying to cause trouble when it noticed it was being dealt with?
Valkyria, posted 23 October 2008 (thread author)

Here's the log anyway:
"D:\\Programfiler\\EA GAMES\\Battlefield 2\\BF2.exe"= "D:\\Programfiler\\Xfire\\Xfire.exe"= "D:\\Programfiler\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"= "D:\\Programfiler\\THQ\\Dawn of War\\W40k.exe"= "D:\\Programfiler\\THQ\\Dawn of War\\W40kWA.exe"= "D:\\Programfiler\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"= "D:\\Programfiler\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe"= "D:\\Programfiler\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe"= "D:\\Programfiler\\Warcraft III\\Warcraft III.exe"= "D:\\Programfiler\\uTorrent\\utorrent.exe"= "D:\\Programfiler\\Foolish Entertainment\\ATC for Battlefield 2\\atcbf2.exe"= "D:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"= "C:\\Documents and Settings\\Fredrik\\Skrivebord\\quake2 på matsd\\quake2.exe"= "C:\\Programfiler\\iTunes\\iTunes.exe"= "C:\\Programfiler\\Octoshape Streaming Services\\Fredrik\\OctoshapeClient.exe"= "C:\\Programfiler\\Microsoft Games\\Halo\\halo.exe"= "D:\\Programfiler\\Hamachi\\hamachi.exe"= "D:\\Programfiler\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "D:\\Programfiler\\Sierra\\Homeworld2\\Bin\\Release\\Homeworld2.exe"= "D:\\Programfiler\\World of Warcraft\\BackgroundDownloader.exe"= "C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"= "C:\\Programfiler\\MSN Messenger\\livecall.exe"= "C:\\WINDOWS\\system32\\dpnsvr.exe"= "D:\\quake2\\quake2.exe"= "D:\\Programfiler\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"= "D:\\Programfiler\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"= "C:\\WINDOWS\\system32\\PnkBstrA.exe"= "C:\\WINDOWS\\system32\\PnkBstrB.exe"= "D:\\Programfiler\\Steam\\steamapps\\spacewaker3\\counter-strike\\hl.exe"= "D:\\Programfiler\\DC++\\DCPlusPlus.exe"= "D:\\Programfiler\\America's Army\\System\\ArmyOps.exe"= "D:\\Programfiler\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"= "D:\\Programfiler\\Ubisoft\\Tom Clancy's Rainbow 
Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"= "D:\\UnrealTournament\\System\\UnrealTournament.exe"= "D:\\YnHub_1.036.152\\YnHub.exe"= "C:\\Programfiler\\Electronic Arts\\EADM\\Core.exe"= "D:\\UT2004\\System\\UT2004.exe"= "C:\\Programfiler\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "6112:UDP"= 6112:UDP:Dark Crusade "6500:UDP"= 6500:UDP:Dark crusade "6667:TCP"= 6667:TCP:Dark Crusade "27900:UDP"= 27900:UDP:Dark Crusade "27901:UDP"= 27901:UDP:Dark Crusade "28910:TCP"= 28910:TCP:Dark Crusade "29900:TCP"= 29900:TCP:Dark Crusade "29901:TCP"= 29901:TCP:Dark Crusade "29910:UDP"= 29910:UDP:Dark Crusade "29920:TCP"= 29920:TCP:Dark Crusade "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 R2 Ndiskio;Ndiskio;D:\NORMAN\Nse\bin\NDISKIO.SYS [2007-01-02 20448] R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-09-02 19512] R3 nvcoas;Norman Virus Control on-access component;D:\NORMAN\Nvc\bin\nvcoas.exe [2008-04-29 183352] R3 NVCScheduler;Norman Virus Control Scheduler;D:\NORMAN\Nvc\BIN\NVCSCHED.EXE [2008-03-11 146488] S1 lusbaudio;Logitech USB-mikrofon;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 25216] S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 450400] S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-10-22 38496] S3 nvcfsr;nvcfsr;D:\NORMAN\Nvc\bin\nvcfsr.sys [2007-01-09 6712] S3 nvcoafl51;nvcoafl51;D:\NORMAN\Nvc\bin\nvcoafl51.sys [2007-01-09 30264] S3 nvcoaft51;nvcoaft51;D:\NORMAN\Nvc\bin\nvcoaft51.sys [2007-01-09 129848] S3 nvcoarc51;nvcoarc51;D:\NORMAN\Nvc\bin\nvcoarc51.sys [2007-01-09 23224] S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 31872] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{666ac347-da32-11da-b715-806d6172696f}] \Shell\AutoRun\command - J:\ASUSACPI.exe . 
Contents of the 'Scheduled Tasks' folder 2008-10-23 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - C:\Programfiler\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20] . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-23 21:35:14 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\Programfiler\SanDisk\CruzerLogin\homefus.dll . Completion time: 2008-10-23 21:36:13 ComboFix-quarantined-files.txt 2008-10-23 19:36:09 ComboFix2.txt 2008-10-23 14:30:23 Pre-Run: 4,662,210,560 byte ledig Post-Run: 4,645,920,768 byte ledig 209 --- E O F --- 2008-10-21 21:57:43 Lenke til kommentar
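As an added triage helper, not part of this thread and not ComboFix's own tooling: the script below splits a ComboFix-style log into its sections and flags the items a helper looks at first when reading a log like the one above. It reports the files ComboFix removed (rating names with the TDSS prefix higher, since that prefix belongs to the TDSS rootkit family), Security Center values set to 1 (these silence the "no antivirus / no updates" warnings; legitimate suites set some of them too, so they are marked for review, not as malicious), MountPoints2 AutoRun commands for removable drives, scripts or executables sitting directly in a user's profile root (like the nameless .bat that norbat asks about below), and DLLs loaded into winlogon.exe from outside the Windows directory. The embedded sample is a constructed excerpt built from lines of the log in this thread; the section names and line layouts are those ComboFix printed here, while the severity labels, the extension list and the path heuristics are this example's own assumptions.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed excerpt shaped like the log posted in this thread, embedded so the
# script runs offline. Same section headers and line formats as ComboFix uses.
SAMPLE_LOG = r"""
ComboFix 08-10-22.05 - Fredrik 2008-10-23 21:33:24.2 - NTFSx86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\av.dat
C:\WINDOWS\system32\TDSSosvd.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 15:42 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-14 17:03 47 ----a-w C:\Documents and Settings\Fredrik\.bat
2008-03-22 13:37 1 ----a-w C:\Documents and Settings\Fredrik\SI.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{666ac347-da32-11da-b715-806d6172696f}]
\Shell\AutoRun\command - J:\ASUSACPI.exe
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Programfiler\SanDisk\CruzerLogin\homefus.dll
.
Completion time: 2008-10-23 21:36:13
"""

# ComboFix marks sections either as "(((( Name ))))" or "---- Name ----".
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$|^-{3,}\s*(?P<name2>.+?)\s*-{3,}$")
# Find3M line: date time size-or-dashes attrs path; we only want paths that sit
# directly under a profile root (C:\Documents and Settings\<user>\<file>).
PROFILE_ROOT_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|-+)\s+\S+\s+"
    r"(?P<path>[A-Z]:\\Documents and Settings\\[^\\]+\\[^\\]+)$", re.I)
SCRIPT_EXTS = (".bat", ".cmd", ".exe", ".vbs", ".scr", ".pif")  # assumption: what to flag


@dataclass
class Finding:
    severity: str  # "high" or "review" (labels are this example's own)
    what: str
    evidence: str


def split_sections(log: str) -> dict[str, list[str]]:
    """Group non-empty lines under the ComboFix section header they follow."""
    sections: dict[str, list[str]] = {"preamble": []}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = (m.group("name") or m.group("name2")).strip()
            sections[current] = []
        elif line and line != ".":  # ComboFix uses lone dots as spacers
            sections[current].append(line)
    return sections


def triage(log: str) -> list[Finding]:
    sections = split_sections(log)
    findings: list[Finding] = []
    # 1. Anything ComboFix removed goes back to the poster; TDSS* is a rootkit family prefix.
    for path in sections.get("Other Deletions", []):
        name = path.rsplit("\\", 1)[-1].lower()
        findings.append(Finding("high" if name.startswith("tdss") else "review",
                                "file removed by ComboFix", path))
    # 2./3. Walk registry lines, tracking the key each value line belongs to.
    key = ""
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key.endswith("security center"):
            m = re.match(r'"(\w+)"=dword:0*1$', line)
            if m:
                findings.append(Finding("review", "Security Center notification disabled", m.group(1)))
        elif "mountpoints2" in key and line.lower().startswith("\\shell\\autorun\\command"):
            findings.append(Finding("review", "AutoRun command for a removable drive", line))
    # 4. Scripts/executables directly in a profile root are unusual enough to ask about.
    for line in sections.get("Find3M Report", []):
        m = PROFILE_ROOT_RE.match(line)
        if m and m.group("path").lower().endswith(SCRIPT_EXTS):
            findings.append(Finding("review", "script/executable directly in profile root", m.group("path")))
    # 5. winlogon.exe runs as SYSTEM; a DLL loaded into it from outside %windir% needs a look.
    process = ""
    for line in sections.get("DLLs Loaded Under Running Processes", []):
        if line.upper().startswith("PROCESS:"):
            process = line.split(":", 1)[1].strip()
        elif line.startswith("->") and "winlogon.exe" in process.lower():
            dll = line[2:].strip()
            if not dll.lower().startswith(("c:\\windows\\", "%windir%")):
                findings.append(Finding("review", "non-Windows DLL loaded in winlogon.exe", dll))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.what}: {f.evidence}")
```

Every finding is a prompt for a human, not a verdict: the helpers in this thread reach their conclusions by asking the poster about each flagged item (as norbat does with the .bat file), and the script is meant to produce that list of questions from a full log.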
norbat Posted 23 October 2008
Do you know what this file is: C:\Documents and Settings\***\.bat
If not, right-click the file and choose to open it in Notepad to see what it contains.
snippsat Posted 23 October 2008 (edited)
It is normal for antivirus to react to ComboFix, so it is fine to disable it while ComboFix runs. The log looks fine. You can remove ComboFix by typing combofix /u in the Run window. This command deletes the quarantined files and backups, resets the System Restore folder, etc. Surf safely. Oh, and check the file norbat is asking about.
Edited 23 October 2008 by SNIPPSAT
Valkyria Posted 23 October 2008 (thread author)
ok... it says:
@echo off
msg* Du har virus
hack:
goto hack
but if I remember correctly it was a friend of mine who was going to show me a trick :\ Anything suspicious apart from this file? I refuse to believe I'm rid of it, because I've had messages that Norman has caught a virus 2-3 times since I ran the first scan. The last one was, as I said, during the scan.
snippsat Posted 23 October 2008
That bat file is fine.
"Norman has caught a virus 2-3 times"
I don't believe it is a virus; ComboFix is a powerful tool. If Norman finds something, a log with the location will always be created. Post the location, and we'll see if there is anything to fix.