Trojan.Vundo, logs from HJT, MBAM and Combofix

Pizzaen, posted 3 November 2008 (edited)

Hi. Avira suddenly became incredibly annoying after I visited a site, and a lot of messages came up from Windows saying that lots of files were missing, etc. I don't remember which site it was. Anyway, here are some logs:

MBAM:

Malwarebytes' Anti-Malware 1.30
Database versjon: 1358
Windows 6.0.6001 Service Pack 1

03.11.2008 14:17:27
mbam-log-2008-11-03 (14-17-27).txt

Skanntype: Rask Skann
Objekter skannet: 44000
Tid tilbakelagt: 2 minute(s), 48 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 1
Registernøkler infisert: 5
Registerverdier infisert: 5
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 9

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
C:\Windows\System32\wvUopQIX.dll (Trojan.Vundo) -> Delete on reboot.

Registernøkler infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3711eeb0-1851-42c2-9abd-c29470a5035c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registerverdier infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8e28e (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3711eeb0-1851-42c2-9abd-c29470a5035c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\Windows\System32\wvUopQIX.dll (Trojan.Agent) -> Delete on reboot.
C:\Users\Norum\AppData\Local\Temp\cbXnOHax.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\xxywxYRL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Norum\AppData\Local\Temp\gvmpwoke.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Norum\AppData\Local\Temp\wvUoLBSm.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\qoMgdawX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ddcYrOIy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\rqRHbYrp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\mlJAsPhI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Combofix:

ComboFix 08-11-02.05 - Norum 2008-11-03 14:20:51.1 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1674 [GMT 1:00]
Running from: c:\users\Norum\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~2\Microsoft\Network\Downloader\qmgr0.dat
c:\progra~2\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.criticalsetup.com
.
((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-03 13:03 --------- d-----w c:\users\Norum\AppData\Roaming\OnlineArmor
2008-11-03 13:03 --------- d-----w c:\program files\Steam
2008-11-03 13:01 --------- d-----w c:\users\Norum\AppData\Roaming\uTorrent
2008-11-03 12:50 --------- d-----w c:\program files\CodeStuff
2008-11-03 09:59 --------- d-----w c:\program files\Google
2008-11-03 00:28 --------- d-----w c:\program files\Gimp-2.0
2008-11-03 00:17 --------- d-----w c:\users\Norum\AppData\Roaming\Malwarebytes
2008-11-03 00:17 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-03 00:17 --------- d-----w c:\progra~2\Malwarebytes
2008-11-02 23:42 --------- d-----w c:\program files\Avira
2008-11-02 23:42 --------- d-----w c:\progra~2\Avira
2008-11-02 23:20 --------- d-----w c:\progra~2\OnlineArmor
2008-11-02 19:40 --------- d-----w c:\program files\Runtime Software
2008-11-02 17:03 --------- d-----w c:\program files\Tall Emu
2008-11-02 15:47 --------- d-----w c:\progra~2\Office Genuine Advantage
2008-11-02 13:10 --------- d-----w c:\program files\Pidgin
2008-11-02 13:09 --------- d-----w c:\users\Norum\AppData\Roaming\Dropbox
2008-11-02 12:58 --------- d-----w c:\users\Norum\AppData\Roaming\Clue
2008-11-02 12:58 --------- d-----w c:\program files\Clue
2008-11-02 11:52 --------- d-----w c:\program files\COMODO
2008-11-02 10:18 --------- d-----w c:\users\Norum\AppData\Roaming\Comodo
2008-11-02 10:18 --------- d-----w c:\progra~2\comodo
2008-11-02 02:08 --------- d-----w c:\progra~2\Microsoft Help
2008-11-01 11:01 --------- d-----w c:\program files\Microsoft Works
2008-11-01 11:00 --------- d-----w c:\program files\MSBuild
2008-11-01 10:59 --------- d-----w c:\program files\Microsoft.NET
2008-11-01 10:57 --------- d-----w c:\program files\Common Files\Adobe
2008-11-01 10:52 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-10-30 18:39 --------- d-----w c:\users\Norum\AppData\Roaming\TrueCrypt
2008-10-30 18:33 --------- d-----w c:\program files\Common Files\Steam
2008-10-30 18:28 235,840 ----a-w c:\windows\system32\drivers\truecrypt.sys
2008-10-30 18:28 --------- d-----w c:\program files\TrueCrypt
2008-10-30 17:25 --------- d-----w c:\program files\Globe Software
2008-10-30 17:14 --------- d-----w c:\progra~2\avg8
2008-10-30 17:00 --------- d-----w c:\program files\AVG
2008-10-29 18:51 --------- d-----w c:\progra~2\FLEXnet
2008-10-29 18:06 --------- d-----w c:\program files\Adobe Media Player
2008-10-29 18:05 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-29 17:59 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-29 13:27 --------- d-----w c:\users\Norum\AppData\Roaming\.purple
2008-10-29 13:26 --------- d-----w c:\program files\Windows Live
2008-10-29 13:24 --------- d-----w c:\progra~2\WLInstaller
2008-10-28 09:57 --------- d-----w c:\program files\DAMN NFO Viewer
2008-10-27 17:42 --------- d-----w c:\program files\DAEMON Tools Toolbar
2008-10-27 17:42 --------- d-----w c:\program files\DAEMON Tools Lite
2008-10-27 17:40 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-27 17:40 --------- d-----w c:\users\Norum\AppData\Roaming\DAEMON Tools
2008-10-27 16:06 --------- d-----w c:\progra~2\Eset
2008-10-27 14:49 --------- d-----w c:\program files\uTorrent
2008-10-27 13:32 --------- d-----w c:\program files\Aspell
2008-10-27 13:30 --------- d-----w c:\program files\Common Files\GTK
2008-10-26 20:09 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-10-26 19:13 --------- d-----w c:\users\Norum\AppData\Roaming\KeePass
2008-10-26 19:11 --------- d-----w c:\program files\KeePass Password Safe
2008-10-26 19:10 --------- d-----w c:\users\Norum\AppData\Roaming\vlc
2008-10-26 19:10 --------- d-----w c:\program files\VideoLAN
2008-10-26 19:01 --------- d-----w c:\users\Norum\AppData\Roaming\InstallShield
2008-10-26 16:58 --------- d-----w c:\program files\Microsoft Games
2008-10-26 16:56 --------- d-----w c:\program files\BitLocker
2008-10-26 16:54 --------- d-----w c:\program files\Windows Sidebar
2008-10-26 16:54 --------- d-----w c:\program files\Windows Photo Gallery
2008-10-26 16:54 --------- d-----w c:\program files\Windows Mail
2008-10-26 16:54 --------- d-----w c:\program files\Windows Journal
2008-10-26 16:54 --------- d-----w c:\program files\Windows Defender
2008-10-26 16:54 --------- d-----w c:\program files\Windows Collaboration
2008-10-26 16:54 --------- d-----w c:\program files\Windows Calendar
2008-10-26 16:42 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-22 15:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 15:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-17 22:29 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-10-17 22:29 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-10-17 22:29 288,768 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-17 22:28 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-17 22:27 428,544 ----a-w c:\windows\System32\EncDec.dll
2008-10-17 22:27 293,376 ----a-w c:\windows\System32\psisdecd.dll
2008-10-17 22:27 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-10-06 23:09 30,920 ----a-w c:\windows\system32\drivers\OAmon.sys
2008-10-06 23:09 29,384 ----a-w c:\windows\system32\drivers\OAnet.sys
2008-10-06 23:09 178,376 ----a-w c:\windows\system32\drivers\OADriver.sys
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-14 01:33 625,152 ----a-w c:\windows\system32\drivers\dxgkrnl.sys
2008-09-14 01:33 565,248 ----a-w c:\windows\System32\emdmgmt.dll
2008-09-14 01:33 45,056 ----a-w c:\windows\System32\dataclen.dll
2008-09-14 01:33 36,864 ----a-w c:\windows\System32\cdd.dll
2008-09-14 01:33 211,968 ----a-w c:\windows\system32\drivers\mrxsmb10.sys
2008-09-14 01:33 148,480 ----a-w c:\windows\system32\drivers\nwifi.sys
2008-09-14 01:32 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-09-14 01:32 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-09-14 01:32 303,616 ----a-w c:\windows\System32\wmpeffects.dll
2008-09-14 01:32 28,160 ----a-w c:\windows\System32\Apphlpdm.dll
2008-09-14 01:32 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-09-14 01:32 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-09-14 01:31 2,048 ----a-w c:\windows\System32\tzres.dll
2008-09-03 03:59 468,992 ----a-w c:\windows\System32\newdev.dll
2008-09-03 03:58 74,752 ----a-w c:\windows\System32\newdev.exe
2008-08-28 09:50 30,720 ----a-w c:\windows\System32\soundschemes2.exe
2008-08-17 10:33 678,408 ----a-w c:\windows\System32\gpprefcl.dll
2008-08-13 13:22 361,984 ----a-w c:\windows\System32\IPSECSVC.DLL
2008-08-13 13:21 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Steam"="c:\program files\steam\steam.exe" [2008-10-27 1410296]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"StatBar"="c:\program files\Globe Software\StatBar\StatBar.exe" [2003-07-25 335872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-10-07 6223048]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=???? c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Users^Norum^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Norum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 07:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 13:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-21 03:21 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{83BCE585-BB30-4582-9082-F60682978660}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{4C51C01E-5A1C-4405-8D8E-E27123BA5909}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{83888891-48ED-4C13-8B55-A34542142562}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E36ABDE0-0851-4A88-9852-F0114F4DE33E}"= UDP:5353:Adobe CSI CS4
"{D61B9251-CCF2-44E7-AEC2-4F08C29F98F2}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{972DBB4B-4780-4CA8-8287-4CF2F907898A}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"TCP Query User{7DFEAD93-A854-43A6-825D-7A2FECC0A2AF}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{0BCE0B38-08E3-43D7-9AE2-4A4666D88732}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{81744B61-DF71-44AE-80D2-6FABB07AA705}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{AD8CC626-1EC7-43EF-9CD8-155A08D64C53}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{58075FF4-524B-4234-A96A-5492B804716A}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F2093231-DD43-4A9C-8DBF-3AC26062D265}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A00C6E49-D024-4B1F-8CAA-4E348CECE193}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2008-10-07 30920]
R3 OAnet;OnlineArmor Service;c:\windows\system32\DRIVERS\oanet.sys [2008-10-07 29384]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2008-10-07 178376]
S2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2008-10-07 1402568]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2008-10-07 3321032]
S3 atikmdag;atikmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2008-06-03 3695104]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-11-03 30192]
S3 Steam Client Service;Steam Client Service;c:\program files\Common Files\Steam\SteamService.exe [2008-10-27 87288]
S4 ErrDev;Microsoft Hardware Error Device Driver;c:\windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR;c:\windows\system32\drivers\megasr.sys [2008-01-21 386616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKLM-RunOnce-<NO NAME> - (no file)
MSConfigStartUp-Acrobat Assistant 8 - c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
MSConfigStartUp-Adobe Acrobat Speed Launcher - c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
MSConfigStartUp-Adobe_ID0ENQBO - c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\Norum\AppData\Roaming\Mozilla\Firefox\Profiles\lfq24t07.default\
FF -: plugin - c:\program files\Adobe\Acrobat 9.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - c:\users\Norum\AppData\Roaming\Mozilla\Firefox\Profiles\lfq24t07.default\extensions\[email protected]\plugins\npRACtrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-03 14:24:12
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = "c:\program files\Windows Live\Messenger\msnmsgr.exe" /background??s

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-03 14:25:23
ComboFix-quarantined-files.txt 2008-11-03 13:25:21

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:26:15, on 03.11.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.exe
C:\Users\Norum\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [statBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: ???? C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 5253 bytes

Pre-Run: Finner ikke meldingstekst for melding nummer 0x2379 i meldingsfilen for Application.
Post-Run: 7,542,030,336 byte ledig

221 --- E O F --- 2008-11-02 02:09:18

Edit: Forgot to say that Avira couldn't remove anything of what it found. It said it had found a file, then I clicked to have it deleted, and 3 seconds later the same file came up again.

Edit2: I ran MBAM, HJT and Combofix in safe mode, since everything ran incredibly slowly in normal mode, so all in all it has taken a couple of hours.

Edited 3 November 2008 by Pizzaen
norbat, posted 3 November 2008

And how is the problem now?
Pizzaen (author), posted 3 November 2008

Avira has gone quiet and there are no messages about missing files in Windows, so I reckon I'm clean.
Bruker-158599, posted 3 November 2008

> Avira has gone quiet and there are no messages about missing files in Windows, so I reckon I'm clean.

Good ;) Can you change the topic title to [SOLVED]? Either after or before.
Pizzaen (author), posted 3 November 2008

Nobody's going to tell me I have to type combofix /u in the Run box, then? Oh well, thanks for the help btw.
r2d290, posted 3 November 2008

> Nobody's going to tell me I have to type combofix /u in the Run box, then? Oh well, thanks for the help btw.

It happens that we forget it, but as long as you know you have to do it, that's the most important thing...