
Spyware/virus on PC. Can someone check these logs?



I'm fixing up my partner's laptop.

I know there is some spyware/virus on it, because Norton 360 keeps popping up risk warnings all the time.

Windows also shows a warning saying "The computer may be at risk. Automatic updates are turned off".

 

I have followed norbat's guide, so now I need someone to look at the logs.

 

MBAM:

 

Malwarebytes' Anti-Malware 1.30

Database version: 1316

Windows 5.1.2600 Service Pack 3

 

25.10.2008 15:16:33

mbam-log-2008-10-25 (15-16-33).txt

 

Scan type: Quick Scan

Objects scanned: 62088

Time elapsed: 7 minute(s), 19 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 14

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 30

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

C:\WINDOWS\system32\iogmddqg.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ysjgdp.dll (Trojan.Vundo) -> Delete on reboot.

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2bd2d409-912b-4f16-9bf9-e1b7cc3f9042} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2bd2d409-912b-4f16-9bf9-e1b7cc3f9042} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8a4b4c8-79dd-4e1c-8eb2-98b9c7a4be42} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b8a4b4c8-79dd-4e1c-8eb2-98b9c7a4be42} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b8a4b4c8-79dd-4e1c-8eb2-98b9c7a4be42} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{53e0b6e8-a51d-448b-b692-40b67b285543} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f31a5d11-bf0b-4a4e-90af-274f2090aaa6} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\47009234 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kddkf.exe -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\WINDOWS\system32\awtrQJBQ.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\QBJQrtwa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\QBJQrtwa.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ysjgdp.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\iogmddqg.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\gqddmgoi.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tlejddum.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\muddjelt.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bdacrivl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bnicli.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cjyxvp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cwuhzo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\fegicx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gpzxlp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hgwnlnxb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jzheij.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kkgcduth.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kwigxhyf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mdmjcdyh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mqlupfsh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\qnoflx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\qwdnuegn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sqqhux.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\unvvtmbi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uxchgdit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vyhpqufb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zsecvy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\*****\Lokale innstillinger\Temp\nsfC9.tmp\System.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\******\Lokale innstillinger\Temp\nsh96.tmp\System.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ldinfo.ldr (Malware.Trace) -> Quarantined and deleted successfully.

 

 

 

Combofix:

 

ComboFix 08-10-24.02 - ********** 2008-10-25 15:33:12.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1044.18.474 [GMT 2:00]

Running from: C:\Documents and Settings\***********.PC575124631228\Skrivebord\stash\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\***********.PC575124631228\Programdata\inst.exe

C:\WINDOWS\system32\agisaiwy.ini

C:\WINDOWS\system32\bmfqpdgi.ini

C:\WINDOWS\system32\daavcwqy.ini

C:\WINDOWS\system32\fknjkiin.ini

C:\WINDOWS\system32\myptktys.ini

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\sqdolqce.ini

C:\WINDOWS\system32\uuhfemtr.ini

C:\WINDOWS\system32\wiejdwlr.ini

D:\Autorun.inf

 

.

((((((((((((((((((((((((( Files Created from 2008-09-25 to 2008-10-25 )))))))))))))))))))))))))))))))

.

 

2008-10-25 15:07 . 2008-10-25 15:07 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-10-25 15:07 . 2008-10-25 15:07 <DIR> d-------- C:\Documents and Settings\***********.PC575124631228\Programdata\Malwarebytes

2008-10-25 15:07 . 2008-10-25 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-10-25 15:07 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-25 15:07 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-25 14:49 . 2008-10-25 15:17 <DIR> dr-h----- C:\Documents and Settings\********.PC575124631228\Siste

2008-10-17 15:36 . 2008-10-17 17:46 29 --a------ C:\WINDOWS\Irremote.ini

2008-10-17 15:13 . 2008-10-17 18:41 <DIR> d-------- C:\Programfiler\Fellesfiler\Nero

2008-10-17 15:13 . 2008-10-17 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Nero

2008-10-16 04:20 . 2008-09-08 12:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys

2008-10-16 04:19 . 2008-08-14 15:27 2,190,976 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2008-10-16 04:19 . 2008-08-14 15:27 2,147,328 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe

2008-10-16 04:19 . 2008-08-14 15:27 2,067,840 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2008-10-16 04:19 . 2008-08-14 15:27 2,025,984 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe

2008-10-16 04:19 . 2008-09-15 17:29 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys

2008-10-06 23:58 . 2008-10-06 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-25 13:19 --------- d-----w C:\Programfiler\Steam

2008-10-25 10:42 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec

2008-10-24 17:37 --------- d-----w C:\Documents and Settings\All Users\Programdata\TrackMania

2008-10-21 22:12 --------- d-----w C:\Programfiler\Norton 360

2008-10-20 07:38 --------- d-----w C:\Documents and Settings\*********.PC575124631228\Programdata\uTorrent

2008-10-17 14:03 --------- d-----w C:\Documents and Settings\***********.PC575124631228\Programdata\Nero

2008-10-17 13:35 --------- d-----w C:\Programfiler\Nero

2008-10-17 01:10 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help

2008-10-16 09:58 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared

2008-10-13 19:29 --------- d-----w C:\Programfiler\Project64 1.6

2008-10-13 19:28 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-10-13 19:27 --------- d-----w C:\Programfiler\Opera

2008-10-13 19:25 --------- d-----w C:\Programfiler\iTunes

2008-10-13 19:25 --------- d-----w C:\Programfiler\iPod

2008-10-13 19:19 --------- d-----w C:\Programfiler\Hamachi

2008-10-13 19:18 --------- d-----w C:\Programfiler\DivX

2008-10-03 17:31 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll

2008-10-03 09:44 --------- d-----w C:\Programfiler\CONEXANT

2008-09-17 12:55 --------- d-----w C:\Documents and Settings\All Users\Programdata\MySQL

2008-09-15 15:29 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys

2008-09-13 19:07 --------- d-----w C:\Documents and Settings\All Users\Programdata\VIZ_MPS

2008-09-13 19:06 --------- d-----w C:\Programfiler\Vizky

2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-09-03 12:39 --------- d-----w C:\Programfiler\Noel Danjou

2008-09-02 20:25 --------- d-----w C:\Programfiler\Messenger Plus! Live

2008-08-27 09:30 3,593,216 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-08-25 08:41 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-08-25 08:38 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-08-23 05:56 635,848 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-08-23 05:54 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-08-14 13:27 2,147,328 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-08-14 13:27 2,025,984 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys

2007-12-31 13:26 47,360 ----a-w C:\Documents and Settings\***********.PC575124631228\Programdata\pcouffin.sys

2007-09-19 08:05 51,968 ----a-w C:\Documents and Settings\***************.PC575124631228\Programdata\GDIPFONTCACHEV1.DAT

2006-07-18 13:41 1,019,094 --sha-r C:\Programfiler\serial.zip

2006-07-18 13:41 1,019,094 --sha-r C:\Programfiler\serial.tde

2006-05-28 16:46 397,306 -csha-r C:\Programfiler\wunauclt.zip

2006-05-28 16:46 397,306 --sha-r C:\Programfiler\wunauclt.tbe

2006-11-04 00:28 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys

2008-05-18 20:40 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012008051820080519\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

"msnmsgr"="C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"Steam"="c:\programfiler\steam\steam.exe" [2008-10-08 1410296]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"hpWirelessAssistant"="C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-21 7561216]

"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-05-27 413696]

"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-01-09 115816]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoStartMenuPinnedList"= 0 (0x0)

"NoStartMenuMFUprogramsList"= 0 (0x0)

"NoUserNameInStartMenu"= 0 (0x0)

"NoStartMenuSubFolders"= 0 (0x0)

"NoCommonGroups"= 0 (0x0)

"NoPrinterTabs"= 0 (0x0)

"NoDeletePrinter"= 0 (0x0)

"NoAddPrinter"= 0 (0x0)

"NoPrinters"= 0 (0x0)

"NoFavoritesMenu"= 0 (0x0)

"NoRecentDocsNetHood"= 0 (0x0)

"NoChangeAnimation"= 0 (0x0)

"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-05-28 12:32 87352 C:\WINDOWS\system32\LMIinit.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=ysjgdp.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.HFYU"= huffyuv.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

"C:\\WINDOWS\\system32\\dplaysvr.exe"=

"C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Documents and Settings\\***********.PC575124631228\\Skrivebord\\****\\Musikk\\Downloads\\Utorrent\\utorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=

"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=

 

R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]

S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Programfiler\LogMeIn\x86\RaInfo.sys [ ]

S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 61536]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL

 

*Newly Created Service* - COMHOST

*Newly Created Service* - PROCEXP90

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{137D2C53-280A-277A-0705-040707040403}]

C:\WINDOWS\svchost.exe

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\*********.PC575124631228\Programdata\Mozilla\Firefox\Profiles\zcrilsw3.default\

FF -: plugin - C:\Programfiler\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll

FF -: plugin - C:\Programfiler\Opera\program\plugins\npdivx32.dll

FF -: plugin - C:\Programfiler\Vizky\npVizky.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-25 15:42:05

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

**************************************************************************

.

Completion time: 2008-10-25 15:46:51

ComboFix-quarantined-files.txt 2008-10-25 13:45:46

 

Pre-Run: 17 304 829 952 bytes free

Post-Run: 17,450,295,296 bytes free

 

183 --- E O F --- 2008-10-17 01:10:29

 

 

 

HJT:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:59:53, on 25.10.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe

C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Programfiler\QuickTime\QTTask.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\ctfmon.exe

C:\programfiler\steam\steam.exe

C:\Programfiler\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Hewlett-Packard\Shared\hpqwmiex.exe

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

C:\Programfiler\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\explorer.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\Programfiler\Windows Live\Messenger\msnmsgr.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\Programfiler\Symantec\LiveUpdate\luall.exe

C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Documents and Settings\*******.PC575124631228\Skrivebord\stash\test.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.sol.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Norton-verktøylinjen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169383497187

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.33/g_bin/eng/poker_2_0_0_49.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{318574DA-08B2-4E0B-BAAF-3077EEB893B3}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{603B9EEB-06CA-4534-A7BA-5C996C9761D3}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{749F8C39-BE92-49B6-86D4-1FEC839FA246}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS4\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222

O18 - Protocol: fin - {5C472352-90D0-4214-BF20-8E4A2B82F980} - (no file)

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programfiler\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: ysjgdp.dll

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\VAScanner\comHost.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programfiler\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 11167 bytes

 

 

 

I hope someone can look at these and guide me further.

Thanks

Edited by gukki
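Added example, not from any post in this thread: a small Python triage script that runs over ComboFix/HijackThis-style log lines and flags the indicators that stand out in the logs above, namely a non-empty AppInit_DLLs value, an Active Setup Installed Components entry whose stub path is a core Windows binary outside system32, Security Center notification/monitoring flags set to 1, the XP firewall switched off, a hard-coded NameServer override (checked against the two OpenDNS resolvers that appear in the O17 lines), and O23/O18 entries that point at missing files. The sample input is constructed from lines copied out of this thread's logs; the rule names, severities and the SYSTEM32_ONLY list are my own choices and are not anything ComboFix or HijackThis define.

```python
import re
from dataclasses import dataclass

# Public resolvers that legitimately appear as NameServer overrides (OpenDNS).
# After a DNSChanger detection, any other hard-coded resolver is suspect.
KNOWN_PUBLIC_DNS = {"208.67.222.222", "208.67.220.220"}

# Core binaries that Windows XP only runs from %SystemRoot%\system32; a copy
# anywhere else (here: C:\WINDOWS\svchost.exe via Active Setup) is an impostor.
# Assumption: this list is the example's own, not a tool-defined one.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}

# Constructed sample: lines lifted from the ComboFix and HijackThis logs in
# this thread, plus one benign O4 line, so the triage runs offline.
SAMPLE_LOG = r"""
"AppInit_DLLs"=ysjgdp.dll
"AntiVirusDisableNotify"=dword:00000001
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{137D2C53-280A-277A-0705-040707040403}]
C:\WINDOWS\svchost.exe
O20 - AppInit_DLLs: ysjgdp.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222
O4 - HKLM\..\Run: [ccApp] C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
O18 - Protocol: fin - {5C472352-90D0-4214-BF20-8E4A2B82F980} - (no file)
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "high", "medium" or "low"
    evidence: str


# AppInit_DLLs is loaded into every process that maps user32.dll, which is why
# Vundo uses it; both the ComboFix and the HijackThis (O20) spelling are matched.
_APPINIT = re.compile(r'^(?:"AppInit_DLLs"=|O20 - AppInit_DLLs: )(?P<dlls>\S.*)$', re.I)
_SECCENTER = re.compile(
    r'^"(?P<name>AntiVirusDisableNotify|FirewallDisableNotify|DisableMonitoring)"=dword:0*1$', re.I)
_FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b', re.I)
_ACTIVE_SETUP = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\\{[0-9A-F-]+\}\]$', re.I)
_WIN_PATH = re.compile(r'^[A-Z]:\\\S.*$', re.I)
_O17 = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d.,]+)$')
_O23_MISSING = re.compile(r'^O23 - Service: .*\(file missing\)$')
_O18_NOFILE = re.compile(r'^O18 - Protocol: (?P<proto>\S+) - \{[0-9A-F-]+\} - \(no file\)$', re.I)


def _dedupe(findings: list[Finding]) -> list[Finding]:
    """Drop repeats (the same AppInit DLL shows up in both tools' output)."""
    seen, unique = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


def triage(log_text: str) -> list[Finding]:
    """Scan log lines and return deduplicated findings in log order."""
    findings: list[Finding] = []
    pending_key = None  # Active Setup key whose stub path is on the next line
    for raw in log_text.splitlines():
        line = raw.strip()
        if pending_key is not None:
            key, pending_key = pending_key, None
            if _WIN_PATH.match(line):
                folder, _, exe = line.rpartition("\\")
                if exe.lower() in SYSTEM32_ONLY and not folder.lower().endswith("\\system32"):
                    findings.append(Finding("active_setup_impersonation", "high", f"{key} -> {line}"))
                continue
        if _ACTIVE_SETUP.match(line):
            pending_key = line
            continue
        if m := _APPINIT.match(line):
            findings.append(Finding("appinit_dlls", "high", m.group("dlls")))
        elif _SECCENTER.match(line):
            findings.append(Finding("security_center_disabled", "medium", line))
        elif _FIREWALL_OFF.match(line):
            findings.append(Finding("firewall_disabled", "medium", line))
        elif m := _O17.match(line):
            servers = set(m.group("servers").split(","))
            unknown = servers - KNOWN_PUBLIC_DNS
            if unknown:
                findings.append(Finding("dns_override_unknown", "high", ",".join(sorted(unknown))))
            else:
                findings.append(Finding("dns_override_public", "low", ",".join(sorted(servers))))
        elif _O23_MISSING.match(line):
            findings.append(Finding("service_file_missing", "low", line))
        elif m := _O18_NOFILE.match(line):
            findings.append(Finding("orphan_protocol_handler", "low", m.group("proto")))
    return _dedupe(findings)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a reply can lead with the worst items."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule}: {f.evidence}")
    print(summarize(results))
```

Run it as-is to triage the embedded sample, or read a saved log into a string and pass it to triage(). The O17 rule deliberately reports a public resolver as low rather than ignoring it: the MBAM log above shows Rootkit.DNSChanger.H was removed, so every hard-coded resolver should be listed, and anything not on the allowlist comes back as high.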

Hi,

 

Uninstall, if possible, Messenger Plus! Live

 

Open Notepad, copy and paste what is in bold below, and save the file on the desktop as CFScript

Drag and drop the file onto the Combofix icon. Combofix will run again. Post the log together with a new HJT log.

 

file::

C:\Programfiler\serial.zip

C:\Programfiler\serial.tde

C:\WINDOWS\svchost.exe

 

registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{137D2C53-280A-277A-0705-040707040403}]


I have now done exactly what you said. Here are the logs:

 

Combofix:

 

 

ComboFix 08-10-24.02 - ******** 2008-10-25 17:35:16.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1044.18.395 [GMT 2:00]

Running from: C:\Documents and Settings\*******.PC575124631228\Skrivebord\stash\ComboFix.exe

Command switches used :: C:\Documents and Settings\******.PC575124631228\Skrivebord\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-09-25 to 2008-10-25 )))))))))))))))))))))))))))))))

.

 

2008-10-25 15:07 . 2008-10-25 15:07 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-10-25 15:07 . 2008-10-25 15:07 <DIR> d-------- C:\Documents and Settings\******.PC575124631228\Programdata\Malwarebytes

2008-10-25 15:07 . 2008-10-25 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-10-25 15:07 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-25 15:07 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-25 14:49 . 2008-10-25 17:33 <DIR> dr-h----- C:\Documents and Settings\******.PC575124631228\Siste

2008-10-17 15:36 . 2008-10-17 17:46 29 --a------ C:\WINDOWS\Irremote.ini

2008-10-17 15:13 . 2008-10-17 18:41 <DIR> d-------- C:\Programfiler\Fellesfiler\Nero

2008-10-17 15:13 . 2008-10-17 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Nero

2008-10-16 04:20 . 2008-09-08 12:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys

2008-10-16 04:19 . 2008-08-14 15:27 2,190,976 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2008-10-16 04:19 . 2008-08-14 15:27 2,147,328 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe

2008-10-16 04:19 . 2008-08-14 15:27 2,067,840 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2008-10-16 04:19 . 2008-08-14 15:27 2,025,984 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe

2008-10-16 04:19 . 2008-09-15 17:29 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys

2008-10-06 23:58 . 2008-10-06 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-25 13:19 --------- d-----w C:\Programfiler\Steam

2008-10-25 10:42 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec

2008-10-24 17:37 --------- d-----w C:\Documents and Settings\All Users\Programdata\TrackMania

2008-10-21 22:12 --------- d-----w C:\Programfiler\Norton 360

2008-10-20 07:38 --------- d-----w C:\Documents and Settings\*******.PC575124631228\Programdata\uTorrent

2008-10-17 14:03 --------- d-----w C:\Documents and Settings\*******.PC575124631228\Programdata\Nero

2008-10-17 13:35 --------- d-----w C:\Programfiler\Nero

2008-10-17 01:10 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help

2008-10-16 09:58 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared

2008-10-13 19:29 --------- d-----w C:\Programfiler\Project64 1.6

2008-10-13 19:28 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-10-13 19:27 --------- d-----w C:\Programfiler\Opera

2008-10-13 19:25 --------- d-----w C:\Programfiler\iTunes

2008-10-13 19:25 --------- d-----w C:\Programfiler\iPod

2008-10-13 19:19 --------- d-----w C:\Programfiler\Hamachi

2008-10-13 19:18 --------- d-----w C:\Programfiler\DivX

2008-10-03 17:31 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll

2008-10-03 09:44 --------- d-----w C:\Programfiler\CONEXANT

2008-09-17 12:55 --------- d-----w C:\Documents and Settings\All Users\Programdata\MySQL

2008-09-15 15:29 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys

2008-09-13 19:07 --------- d-----w C:\Documents and Settings\All Users\Programdata\VIZ_MPS

2008-09-13 19:06 --------- d-----w C:\Programfiler\Vizky

2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-09-03 12:39 --------- d-----w C:\Programfiler\Noel Danjou

2008-08-27 09:30 3,593,216 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-08-25 08:41 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-08-25 08:38 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-08-23 05:56 635,848 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-08-23 05:54 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-08-14 13:27 2,147,328 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-08-14 13:27 2,025,984 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys

2007-12-31 13:26 47,360 ----a-w C:\Documents and Settings\*******.PC575124631228\Programdata\pcouffin.sys

2007-09-19 08:05 51,968 ----a-w C:\Documents and Settings\******.PC575124631228\Programdata\GDIPFONTCACHEV1.DAT

2006-07-18 13:41 1,019,094 --sha-r C:\Programfiler\serial.zip

2006-07-18 13:41 1,019,094 --sha-r C:\Programfiler\serial.tde

2006-05-28 16:46 397,306 -csha-r C:\Programfiler\wunauclt.zip

2006-05-28 16:46 397,306 --sha-r C:\Programfiler\wunauclt.tbe

2006-11-04 00:28 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys

2008-05-18 20:40 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012008051820080519\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

"msnmsgr"="C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"Steam"="c:\programfiler\steam\steam.exe" [2008-10-08 1410296]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"hpWirelessAssistant"="C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-21 7561216]

"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-05-27 413696]

"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-01-09 115816]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoStartMenuPinnedList"= 0 (0x0)

"NoStartMenuMFUprogramsList"= 0 (0x0)

"NoUserNameInStartMenu"= 0 (0x0)

"NoStartMenuSubFolders"= 0 (0x0)

"NoCommonGroups"= 0 (0x0)

"NoPrinterTabs"= 0 (0x0)

"NoDeletePrinter"= 0 (0x0)

"NoAddPrinter"= 0 (0x0)

"NoPrinters"= 0 (0x0)

"NoFavoritesMenu"= 0 (0x0)

"NoRecentDocsNetHood"= 0 (0x0)

"NoChangeAnimation"= 0 (0x0)

"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-05-28 12:32 87352 C:\WINDOWS\system32\LMIinit.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.HFYU"= huffyuv.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

"C:\\WINDOWS\\system32\\dplaysvr.exe"=

"C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Documents and Settings\\*****.PC575124631228\\Skrivebord\\****\\Musikk\\Downloads\\Utorrent\\utorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=

"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=

 

R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]

S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Programfiler\LogMeIn\x86\RaInfo.sys [ ]

S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 61536]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL

 

*Newly Created Service* - CATCHME

*Newly Created Service* - COMHOST

*Newly Created Service* - PROCEXP90

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-25 17:39:01

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

**************************************************************************

.

Completion time: 2008-10-25 17:43:53

ComboFix-quarantined-files.txt 2008-10-25 15:42:48

ComboFix2.txt 2008-10-25 13:46:52

 

Pre-Run: 17 397 149 696 byte ledig

Post-Run: 17,374,461,952 byte ledig

 

159 --- E O F --- 2008-10-17 01:10:29

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:45:27, on 25.10.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe

C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Programfiler\QuickTime\QTTask.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\ctfmon.exe

C:\programfiler\steam\steam.exe

C:\Programfiler\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Hewlett-Packard\Shared\hpqwmiex.exe

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

C:\Programfiler\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\*******.PC575124631228\Skrivebord\stash\test.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.sol.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Norton-verktøylinjen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169383497187

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.33/g_bin/eng/poker_2_0_0_49.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{318574DA-08B2-4E0B-BAAF-3077EEB893B3}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{603B9EEB-06CA-4534-A7BA-5C996C9761D3}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{749F8C39-BE92-49B6-86D4-1FEC839FA246}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS4\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222

O18 - Protocol: fin - {5C472352-90D0-4214-BF20-8E4A2B82F980} - (no file)

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programfiler\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\VAScanner\comHost.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programfiler\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 10377 bytes


That is done.

Here are 2 new logs:

Combofix:

ComboFix 08-10-24.02 - **** 2008-10-25 19:22:43.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1044.18.450 [GMT 2:00]

Running from: C:\Documents and Settings\****.PC575124631228\Skrivebord\stash\ComboFix.exe

Command switches used :: C:\Documents and Settings\*****.PC575124631228\Skrivebord\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-09-25 to 2008-10-25 )))))))))))))))))))))))))))))))

.

 

2008-10-25 15:07 . 2008-10-25 15:07 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-10-25 15:07 . 2008-10-25 15:07 <DIR> d-------- C:\Documents and Settings\******.PC575124631228\Programdata\Malwarebytes

2008-10-25 15:07 . 2008-10-25 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-10-25 15:07 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-25 15:07 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-25 14:49 . 2008-10-25 19:20 <DIR> dr-h----- C:\Documents and Settings\******.PC575124631228\Siste

2008-10-17 15:36 . 2008-10-17 17:46 29 --a------ C:\WINDOWS\Irremote.ini

2008-10-17 15:13 . 2008-10-17 18:41 <DIR> d-------- C:\Programfiler\Fellesfiler\Nero

2008-10-17 15:13 . 2008-10-17 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Nero

2008-10-16 04:20 . 2008-09-08 12:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys

2008-10-16 04:19 . 2008-08-14 15:27 2,190,976 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2008-10-16 04:19 . 2008-08-14 15:27 2,147,328 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe

2008-10-16 04:19 . 2008-08-14 15:27 2,067,840 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2008-10-16 04:19 . 2008-08-14 15:27 2,025,984 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe

2008-10-16 04:19 . 2008-09-15 17:29 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys

2008-10-06 23:58 . 2008-10-06 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-25 17:11 --------- d-----w C:\Programfiler\Steam

2008-10-25 16:36 --------- d-----w C:\Documents and Settings\All Users\Programdata\TrackMania

2008-10-25 10:42 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec

2008-10-21 22:12 --------- d-----w C:\Programfiler\Norton 360

2008-10-20 07:38 --------- d-----w C:\Documents and Settings\******.PC575124631228\Programdata\uTorrent

2008-10-17 14:03 --------- d-----w C:\Documents and Settings\******.PC575124631228\Programdata\Nero

2008-10-17 13:35 --------- d-----w C:\Programfiler\Nero

2008-10-17 01:10 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help

2008-10-16 09:58 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared

2008-10-13 19:29 --------- d-----w C:\Programfiler\Project64 1.6

2008-10-13 19:28 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-10-13 19:27 --------- d-----w C:\Programfiler\Opera

2008-10-13 19:25 --------- d-----w C:\Programfiler\iTunes

2008-10-13 19:25 --------- d-----w C:\Programfiler\iPod

2008-10-13 19:19 --------- d-----w C:\Programfiler\Hamachi

2008-10-13 19:18 --------- d-----w C:\Programfiler\DivX

2008-10-03 17:31 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll

2008-10-03 09:44 --------- d-----w C:\Programfiler\CONEXANT

2008-09-17 12:55 --------- d-----w C:\Documents and Settings\All Users\Programdata\MySQL

2008-09-15 15:29 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys

2008-09-13 19:07 --------- d-----w C:\Documents and Settings\All Users\Programdata\VIZ_MPS

2008-09-13 19:06 --------- d-----w C:\Programfiler\Vizky

2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-09-03 12:39 --------- d-----w C:\Programfiler\Noel Danjou

2008-08-27 09:30 3,593,216 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-08-25 08:41 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-08-25 08:38 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-08-23 05:56 635,848 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-08-23 05:54 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-08-14 13:27 2,147,328 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-08-14 13:27 2,025,984 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys

2007-12-31 13:26 47,360 ----a-w C:\Documents and Settings\****.PC575124631228\Programdata\pcouffin.sys

2007-09-19 08:05 51,968 ----a-w C:\Documents and Settings\*****.PC575124631228\Programdata\GDIPFONTCACHEV1.DAT

2006-07-18 13:41 1,019,094 --sha-r C:\Programfiler\serial.zip

2006-07-18 13:41 1,019,094 --sha-r C:\Programfiler\serial.tde

2006-05-28 16:46 397,306 -csha-r C:\Programfiler\wunauclt.zip

2006-05-28 16:46 397,306 --sha-r C:\Programfiler\wunauclt.tbe

2006-11-04 00:28 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys

2008-05-18 20:40 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012008051820080519\index.dat

.

 

((((((((((((((((((((((((((((( snapshot@2008-10-25_15.45.04,59 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

"msnmsgr"="C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"Steam"="c:\programfiler\steam\steam.exe" [2008-10-08 1410296]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"hpWirelessAssistant"="C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-21 7561216]

"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-05-27 413696]

"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-01-09 115816]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoStartMenuPinnedList"= 0 (0x0)

"NoStartMenuMFUprogramsList"= 0 (0x0)

"NoUserNameInStartMenu"= 0 (0x0)

"NoStartMenuSubFolders"= 0 (0x0)

"NoCommonGroups"= 0 (0x0)

"NoPrinterTabs"= 0 (0x0)

"NoDeletePrinter"= 0 (0x0)

"NoAddPrinter"= 0 (0x0)

"NoPrinters"= 0 (0x0)

"NoFavoritesMenu"= 0 (0x0)

"NoRecentDocsNetHood"= 0 (0x0)

"NoChangeAnimation"= 0 (0x0)

"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-05-28 12:32 87352 C:\WINDOWS\system32\LMIinit.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.HFYU"= huffyuv.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

"C:\\WINDOWS\\system32\\dplaysvr.exe"=

"C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Documents and Settings\\******.PC575124631228\\Skrivebord\\****\\Musikk\\Downloads\\Utorrent\\utorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=

"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=

 

R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]

S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Programfiler\LogMeIn\x86\RaInfo.sys [ ]

S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 61536]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

 

*Newly Created Service* - COMHOST

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-25 19:27:43

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

**************************************************************************

.

Completion time: 2008-10-25 19:32:57

ComboFix-quarantined-files.txt 2008-10-25 17:31:53

ComboFix2.txt 2008-10-25 15:43:55

ComboFix3.txt 2008-10-25 13:46:52

 

Pre-Run: 17 359 552 512 byte ledig

Post-Run: 17,336,926,208 byte ledig

 

159 --- E O F --- 2008-10-17 01:10:29

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:33:43, on 25.10.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe

C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Programfiler\QuickTime\QTTask.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\ctfmon.exe

C:\programfiler\steam\steam.exe

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\*****.PC575124631228\Skrivebord\stash\test.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.sol.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Norton-verktøylinjen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169383497187

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.33/g_bin/eng/poker_2_0_0_49.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{318574DA-08B2-4E0B-BAAF-3077EEB893B3}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{603B9EEB-06CA-4534-A7BA-5C996C9761D3}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{749F8C39-BE92-49B6-86D4-1FEC839FA246}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS4\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222

O18 - Protocol: fin - {5C472352-90D0-4214-BF20-8E4A2B82F980} - (no file)

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programfiler\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\VAScanner\comHost.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programfiler\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 10200 bytes
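Reading a HijackThis log by hand is slow, and the lines that matter are a small minority. As an added example (not part of the original thread, and not something HijackThis itself does), here is a Python triage pass that applies the checks a helper would run mentally over the log above: a process running from a user profile folder, an O4 autorun given without an absolute path, an O16 ActiveX download fetched from a raw IP address or with no URL at all, O17 DNS servers compared against an allow-list, an O18 protocol handler whose DLL is gone, and O23 services whose binary is missing or has no recorded publisher. The allow-list is my assumption: the two addresses in the O17 entries are OpenDNS's public resolvers, which is why they pass. The sample lines are copied in form from the log above; the output is a list of things to look at, not a verdict on any of them.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Resolvers treated as known-good (assumption). The two addresses in the log
# above are OpenDNS's public resolvers; extend for the environment being triaged.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample: a handful of lines copied in form from the HijackThis
# log above, mixing benign entries with the ones a helper would ask about.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\*****.PC575124631228\Skrivebord\stash\test.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.33/g_bin/eng/poker_2_0_0_49.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13026171-6CC2-4906-8C00-29F1AFBC1184}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: fin - {5C472352-90D0-4214-BF20-8E4A2B82F980} - (no file)
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section (O4, O16, ...) or "process"
    reason: str    # why a human should look at this line
    line: str      # the log line, verbatim


def _is_raw_ip(host: str) -> bool:
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def triage(log_text: str) -> list[Finding]:
    """Return review hints for a HijackThis log. Hints, not verdicts: every
    hit still needs a human to check the file, its signature and its origin."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Running-process block: bare paths that precede the R/O sections.
        if re.match(r"^[A-Za-z]:\\", line):
            if line.lower().endswith(".exe") and re.search(
                    r"\\(Documents and Settings|Users)\\", line, re.I):
                findings.append(Finding("process",
                    "executable running from a user profile directory", line))
            continue
        m = re.match(r"^(O\d+|R\d)\s+-\s+(.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            # Autorun command not anchored to a drive letter or %var% is
            # resolved through the search path and can be shadowed.
            cmd = re.search(r"\]\s*(.*)$", body)
            if cmd and not re.match(r'^"?([A-Za-z]:\\|%\w+%\\|rundll32)',
                                    cmd.group(1).strip(), re.I):
                findings.append(Finding(section,
                    "autorun command given without an absolute path", line))
        elif section == "O16":
            url = re.search(r"(https?://\S+)", body)
            if url is None:
                findings.append(Finding(section, "DPF entry with no download URL", line))
            elif _is_raw_ip(urlparse(url.group(1)).hostname or ""):
                findings.append(Finding(section,
                    "ActiveX control (DPF) downloaded from a raw IP address", line))
        elif section == "O17":
            ns = re.search(r"NameServer\s*=\s*([\d.,\s]+)$", body)
            for ip in (ns.group(1).split(",") if ns else []):
                if ip.strip() not in KNOWN_RESOLVERS:
                    findings.append(Finding(section,
                        f"DNS server {ip.strip()} not in the known-good list", line))
        elif section == "O18" and "(no file)" in body:
            findings.append(Finding(section,
                "protocol handler registered but its DLL is gone (orphan)", line))
        elif section == "O23":
            if "(file missing)" in body:
                findings.append(Finding(section,
                    "service points at a binary that no longer exists", line))
            elif "Unknown owner" in body:
                findings.append(Finding(section,
                    "service binary has no publisher recorded; verify its signature", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it flags seven lines and leaves the O17 entries alone because both resolvers are on the allow-list; swap in a resolver you do not recognise and that entry is flagged too. Orphaned entries such as the `fin` handler and the missing `nvsvc32.exe` service are leftovers rather than active threats, but they are exactly what a cleanup tool leaves behind, so they are worth listing.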


Download Avenger and unpack it.

 

Start the program.

In the window that opens, copy and paste the text in bold below, then click Execute:

 

Files to delete:

C:\Programfiler\serial.zip

C:\Programfiler\serial.tde

C:\Programfiler\wunauclt.zip

C:\Programfiler\wunauclt.tbe

 

Answer yes to running the script. You will also be asked to restart the PC. Say yes to that.

After the restart a log file will appear describing what happened. Post it together with a new ComboFix log.

Edited by norbat
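Avenger deletes what it is told to on the next boot, and after that the files are gone. Before running a list like the one above it is worth recording what is actually on disk, so the evidence survives the cleanup: whether each path exists, its size, modification time and SHA-256. Two of the four names (wunauclt.*) differ by one inserted letter from wuauclt.exe, the Windows Update client visible in the process list higher up, and a hash is what lets you look such a file up later. The script below is an added example, not norbat's instructions or part of Avenger; the path list is copied from the post, and `demo()` rehearses the same routine offline on one constructed file plus one path that does not exist.

```python
import hashlib
import json
import os
import tempfile
import time

# The four paths from the Avenger script above. They are Windows paths; on
# another machine pass your own list to inventory().
AVENGER_FILES = [
    r"C:\Programfiler\serial.zip",
    r"C:\Programfiler\serial.tde",
    r"C:\Programfiler\wunauclt.zip",
    r"C:\Programfiler\wunauclt.tbe",
]


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(paths) -> list[dict]:
    """One record per path: whether it exists and, if so, size, mtime (UTC)
    and SHA-256. Missing files are recorded too, so the report shows what
    the deletion script will actually find."""
    report = []
    for p in paths:
        entry = {"path": p, "exists": os.path.isfile(p)}
        if entry["exists"]:
            st = os.stat(p)
            entry["size"] = st.st_size
            entry["mtime_utc"] = time.strftime("%Y-%m-%dT%H:%M:%SZ",
                                               time.gmtime(st.st_mtime))
            entry["sha256"] = sha256_of(p)
        report.append(entry)
    return report


def write_report(report, out_path: str) -> str:
    """Keep the report somewhere the cleanup will not touch (USB stick, other PC)."""
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2)
    return out_path


def demo() -> list[dict]:
    """Offline rehearsal: one constructed file plus one path that does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        present = os.path.join(tmp, "wunauclt.zip")
        with open(present, "wb") as fh:
            fh.write(b"hello")   # constructed content, not a real sample
        return inventory([present, os.path.join(tmp, "serial.tde")])


if __name__ == "__main__":
    # On the affected machine: print(json.dumps(inventory(AVENGER_FILES), indent=2))
    print(json.dumps(demo(), indent=2))
```

On the infected machine you would call `inventory(AVENGER_FILES)` and `write_report()` to removable media before rebooting into the Avenger script; the JSON then goes in the same post as the Avenger and ComboFix logs.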