
[Solved] Can't remove trojans (Win32.flux.fm etc.)



After having security problems with my WoW user account, I decided to do a proper clean-up of the PC. Trend Micro found nothing, SUPERAntiSpyware found some cookies, but Spybot S&D found a trojan called Win32.flux.fm. I found a guide on Spybot's forum on how to remove it manually (it reappears after every scan), but I can't find the files the guide says I should delete.

I also ran F-Secure's online scan, which found some keyloggers (called something with GameThief) that also keep reappearing.

Here is the HJT log:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:32:30, on 25.12.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

D:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe

D:\Programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe

C:\Programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe

D:\Programfiler\DAEMON Tools\daemon.exe

D:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

D:\Programfiler\Logitech\SetPoint\SetPoint.exe

C:\Programfiler\Fellesfiler\Logishrd\KHAL2\KHALMNPR.EXE

C:\Programfiler\Java\jre1.6.0_07\bin\jucheck.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

D:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [pccguide.exe] "C:\Programfiler\Trend Micro\Internet Security 2007\pccguide.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [amd_dc_opt] C:\Programfiler\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKLM\..\Run: [D-Link D-Link Wireless N DWA-140] d:\Programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [LVCOMS] C:\Programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [OE] "C:\Programfiler\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [DAEMON Tools] "d:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [igndlm.exe] d:\Programfiler\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech SetPoint.lnk = D:\Programfiler\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Programfiler\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173478481781

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174028390703

O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: 24F82B7C - Unknown owner - C:\WINDOWS\Fonts\14E750A0.EXE

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Programfiler\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod-tjeneste (iPod Service) - Unknown owner - C:\Programfiler\iPod\bin\iPodService.exe (file missing)

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programfiler\Fellesfiler\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Spionprogrambeskyttelse fra Trend Micro (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

 

--

End of file - 8978 bytes

 

 

 

And here is the ComboFix log:

 

 

 

ComboFix 08-12-24.01 - VKA 2008-12-25 15:12:47.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.2047.1329 [GMT 1:00]

Running from: c:\documents and settings\VKA\Mine dokumenter\ComboFix.exe

.

 

((((((((((((((((((((((((((( Files Created From 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))))

.

 

2008-12-25 13:42 . 2008-12-25 13:42 dr-h----- c:\documents and settings\VKA\Siste

2008-12-24 21:36 . 2008-12-24 21:36 682,280 --a------ c:\windows\system32\pbsvc.exe

2008-12-24 06:28 . 2008-12-24 06:36 d-------- c:\windows\BDOSCAN8

2008-12-23 18:01 . 2008-12-23 18:01 d-------- c:\programfiler\Panda Security

2008-12-23 18:01 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-23 17:14 . 2008-12-23 17:14 d-------- C:\fsaua.data

2008-12-23 16:27 . 2008-12-23 16:27 d-------- c:\programfiler\Malwarebytes' Anti-Malware

2008-12-23 16:27 . 2008-12-23 16:27 d-------- c:\documents and settings\VKA\Programdata\Malwarebytes

2008-12-23 16:27 . 2008-12-23 16:27 d-------- c:\documents and settings\All Users\Programdata\Malwarebytes

2008-12-23 16:27 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-23 16:27 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-23 15:43 . 2008-12-23 15:43 d--h----- c:\windows\system32\GroupPolicy

2008-12-22 18:55 . 2008-12-22 20:16 0 --a------ c:\windows\2.ini

2008-12-22 12:35 . 2008-12-22 12:36 d-------- c:\documents and settings\All Users\Programdata\Lavasoft

2008-12-22 10:57 . 2008-12-22 11:01 241 --a------ c:\windows\QSync.INI

2008-12-22 10:56 . 2008-12-22 11:01 d--h----- c:\windows\msdownld.tmp

2008-12-22 10:56 . 2008-12-22 10:56 d-------- c:\programfiler\Windows Media Components

2008-12-22 10:56 . 2008-12-22 10:57 d-------- c:\programfiler\Fellesfiler\Logitech

2008-12-22 10:56 . 2008-12-22 10:57 756 --a------ c:\windows\_delis32.ini

2008-12-22 10:53 . 2008-12-22 10:53 d-------- c:\programfiler\Logitech

2008-12-14 18:25 . 2008-12-23 10:38 33 --a------ c:\windows\1.ini

2008-12-14 17:44 . 2008-12-14 17:44 20 --a------ c:\windows\syscheck

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-25 13:17 36,864 ----a-w c:\windows\Fonts\B3349BD0.DLL

2008-12-25 11:31 202,000 ----a-w c:\windows\system32\PnkBstrB.exe

2008-12-25 11:31 139,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2008-12-25 00:04 --------- d-----w c:\documents and settings\VKA\Programdata\dvdcss

2008-12-24 20:37 22,328 ----a-w c:\documents and settings\VKA\Programdata\PnkBstrK.sys

2008-12-24 20:36 --------- d--h--w c:\programfiler\InstallShield Installation Information

2008-12-23 14:49 --------- d-----w c:\documents and settings\All Users\Programdata\Spybot - Search & Destroy

2008-12-22 20:34 66,872 ----a-w c:\windows\system32\PnkBstrA.exe

2008-12-22 11:35 --------- d-----w c:\programfiler\Fellesfiler\Wise Installation Wizard

2008-12-14 18:53 --------- d-----w c:\documents and settings\VKA\Programdata\OpenOffice.org2

2008-11-12 19:55 --------- d-----w c:\documents and settings\All Users\Programdata\TrackMania

2008-11-12 16:48 --------- d-----w c:\programfiler\Google

2008-11-07 12:20 --------- d-----w c:\programfiler\Western Digital

2008-11-07 12:19 --------- d-----w c:\programfiler\Western Digital Technologies

2008-11-04 20:35 --------- d-----w c:\documents and settings\VKA\Programdata\U3

2008-11-03 14:25 --------- d-----w c:\programfiler\Windows Live Safety Center

2008-10-27 17:21 30 ----a-w c:\documents and settings\VKA\jagex_runescape_preferences.dat

2008-10-25 15:43 --------- d-----w c:\documents and settings\VKA\Programdata\Leadertech

2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll

2008-10-16 20:33 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-03 10:17 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

.

 

(((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"OE"="c:\programfiler\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-09-27 315392]

"DAEMON Tools"="d:\programfiler\DAEMON Tools\daemon.exe" [2006-11-12 157592]

"igndlm.exe"="d:\programfiler\Download Manager\DLM.exe" [2007-03-05 1103480]

"SUPERAntiSpyware"="d:\programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1809648]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"pccguide.exe"="c:\programfiler\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-15 3112960]

"Adobe Reader Speed Launcher"="c:\programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"amd_dc_opt"="c:\programfiler\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"ANIWZCS2Service"="c:\programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]

"D-Link D-Link Wireless N DWA-140"="d:\programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe" [2007-03-14 1388544]

"SunJavaUpdateSched"="c:\programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"LVCOMS"="c:\programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-05 c:\windows\RTHDCPL.exe]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe]

"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

 

c:\documents and settings\VKA\Start-meny\Programmer\Oppstart\

Adobe Gamma.lnk - c:\programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

 

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\

Logitech SetPoint.lnk - d:\programfiler\Logitech\SetPoint\SetPoint.exe [2008-08-09 789008]

Microsoft Office.lnk - d:\programfiler\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-12-22 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 20:10 352256 d:\programfiler\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-01-09 11:30 72208 c:\programfiler\Fellesfiler\Logishrd\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"d:\\Programfiler\\LimeWire\\LimeWire.exe"=

"d:\\Programfiler\\World of Warcraft\\Launcher.exe"=

"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"d:\\Programfiler\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"d:\\Programfiler\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"d:\\Programfiler\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

 

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-23 28544]

R1 SASDIFSV;SASDIFSV;\??\d:\programfiler\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]

R1 SASKUTIL;SASKUTIL;\??\d:\programfiler\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 55024]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-01-15 503808]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-09-14 933952]

R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2006-08-16 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-09-14 561223]

R3 SASENUM;SASENUM;\??\d:\programfiler\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2006-09-14 281600]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-23 38496]

S3 PciCon;PciCon;\??\D:\PciCon.sys []

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2008-08-14 476416]

S3 T5100_usb;LGE USB driver;c:\windows\system32\Drivers\T5100.sys [2007-05-22 29568]

S3 XDva064;XDva064;\??\c:\windows\system32\XDva064.sys []

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

wowsystemcode123

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38e042ca-acc6-11dd-a627-00508d951983}]

\Shell\AutoRun\command - h:\wd_windows_tools\WDSetup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9898108a-76d9-11dd-a5d9-00508d951983}]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.no/

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

 

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}

hxxp://www.srtest.com/srl_bin/sysreqlab3.cab

c:\windows\Downloaded Program Files\SysReqLab3.osd

FF - ProfilePath - c:\documents and settings\VKA\Programdata\Mozilla\Firefox\Profiles\ag6nuw2m.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia

FF - prefs.js: browser.startup.homepage - hxxp://google.com

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-25 15:13:49

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded By Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(1064)

d:\programfiler\SUPERAntiSpyware\SASWINLO.DLL

c:\programfiler\fellesfiler\logishrd\bluetooth\LBTWlgn.dll

c:\programfiler\fellesfiler\logishrd\bluetooth\LBTServ.dll

.

Completion time: 2008-12-25 15:16:52

ComboFix-quarantined-files.txt 2008-12-25 14:16:50

ComboFix2.txt 2008-12-25 13:28:40

ComboFix3.txt 2007-12-29 10:14:32

 

Pre-Run: 97 081 143 296 bytes free

Post-Run: 97,067,241,472 bytes free

 

185 --- E O F --- 2008-12-25 10:59:29

 

 

I obviously want to get rid of these before I log in to the WoW account again.

All help is greatly appreciated :)

EDIT: typo

Edited by Almeida
Link to comment
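Added example (an editor's addition, not part of any post in this thread and not a HijackThis or ComboFix feature): a small Python triage script that applies the checks a responder runs over a log like the one above before writing any removal script. It parses the O2/O4/O23 lines, flags any autostart or service binary that lives under C:\WINDOWS\Fonts (a directory that should hold font files, not services), flags services whose name is a bare hex string with no vendor string behind it, and lists orphaned entries whose file is missing. It also pulls the names ComboFix prints under "Svchost - NetSvcs", where the log above shows "wowsystemcode123". The sample lines are copied from the two logs in the first post; the heuristics, the severity labels and the remark about what ComboFix lists in that section are the editor's own assumptions, not a vendor ruleset.

```python
"""Triage of a HijackThis/ComboFix log: editor's added example, not thread or tool code.

Heuristics (assumptions, not a vendor ruleset):
  * an autostart or service binary under a directory that should never hold
    executables (Fonts, Temp, Recycler) is high severity;
  * a service whose name is a bare 8-digit hex string is high severity;
  * an entry whose binary is "(file missing)" / "(no file)" is a low-severity
    orphan worth cleaning but not evidence of infection on its own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SUSPICIOUS_DIRS = ("\\windows\\fonts\\", "\\temp\\", "\\recycler\\")
HEX_NAME = re.compile(r"^[0-9A-F]{8}$", re.I)

# HijackThis line shapes used here (O23 = services, O4 = Run keys, O2 = BHOs).
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O4 = re.compile(r"^O4 - (?P<where>.+?): \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


@dataclass
class Finding:
    severity: str            # "high" or "low"
    line: str
    reasons: list[str] = field(default_factory=list)


def _in_suspicious_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def triage_hjt(log: str) -> list[Finding]:
    """Return the entries a responder should look at first, highest severity first."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := O23.match(line):
            reasons = []
            if _in_suspicious_dir(m["path"]):
                reasons.append("service binary in a directory that should not hold executables")
            if HEX_NAME.match(m["name"]):
                reasons.append("service name is a bare hex string")
            if reasons and m["owner"] == "Unknown owner":
                reasons.append("no vendor string to corroborate it")
            if reasons:
                findings.append(Finding("high", line, reasons))
            elif m["missing"]:
                findings.append(Finding("low", line, ["orphaned service entry (binary missing)"]))
        elif m := O4.match(line):
            if _in_suspicious_dir(m["cmd"]):
                findings.append(Finding("high", line, ["autorun binary in a directory that should not hold executables"]))
        elif m := O2.match(line):
            if m["path"] == "(no file)":
                findings.append(Finding("low", line, ["orphaned BHO CLSID (no file)"]))
    return sorted(findings, key=lambda f: f.severity != "high")


def netsvcs_names(combofix_log: str) -> list[str]:
    """Names ComboFix prints under 'Svchost - NetSvcs' (one per line until a blank line).

    Assumption about the tool: ComboFix only lists names outside its default
    set there, so every name returned is one the responder has to account for.
    """
    names, collecting = [], False
    for raw in combofix_log.splitlines():
        line = raw.strip()
        if line.endswith("\\Svchost - NetSvcs"):
            collecting = True
            continue
        if collecting:
            if not line:
                break
            names.append(line)
    return names


# Sample lines copied from the logs posted above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programfiler\Trend Micro\Internet Security 2007\pccguide.exe"
O23 - Service: 24F82B7C - Unknown owner - C:\WINDOWS\Fonts\14E750A0.EXE
O23 - Service: iPod-tjeneste (iPod Service) - Unknown owner - C:\Programfiler\iPod\bin\iPodService.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

SAMPLE_COMBOFIX = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wowsystemcode123

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f.severity}] {f.line}\n    " + "; ".join(f.reasons))
    print("NetSvcs names to account for:", netsvcs_names(SAMPLE_COMBOFIX))
```

Run against the sample, the only high-severity hit is the "24F82B7C" service pointing at C:\WINDOWS\Fonts\14E750A0.EXE; PnkBstrA also has "Unknown owner" but is not flagged, because an unknown vendor string on its own is not a signal (plenty of legitimate software lacks one). The orphaned iPod service and the two nameless BHOs are listed as low severity: clean-up items, not evidence.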

I'd like you to run one more scan before we continue:

Download Malwarebytes' Anti-Malware Here or Here. Save it to the Desktop.

Run the file and install the program. Choose Norwegian as the language.

  • Put a check mark next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, and click Finish.

Let the program update itself and choose Perform full scan.

You will get a message box when the program has finished running.

Then click the Show Results button. If malware has been found, you will now see what was found.

Then click the Remove Selected button to remove any malware that was found.

Note:

If MBAM finds a file that is hard to remove, you will be asked two questions.

Click OK on both, and let MBAM finish the disinfection.

If you are asked to restart the machine, do so right away.

When MBAM has finished removing what it found, a log will open in Notepad. Post it if it finds anything other than cookies.

If MBAM finds anything other than cookies, also post a new ComboFix log :)

By the way: can you tell me the exact path of the files that Spybot S&D and F-Secure find, so we know what to work from.

Edited by r2d290
Link to comment

F-Secure online scan found:

-Backdoor.Win32.Popwin.bzf (C:\WINDOWS\FONTS\B3349BD0.DLL)
-Trojan-GameThief.Win32.Magania (just says "System")

MBAM scan log:

Malwarebytes' Anti-Malware 1.31
Database version: 1546
Windows 5.1.2600 Service Pack 2

26.12.2008 01:12:57
mbam-log-2008-12-26 (01-12-57).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 142169
Time elapsed: 1 hour(s), 46 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I also tried to boot into safe mode, but then I got a blue screen before Windows started, saying I had to scan the PC for viruses.

Spybot S&D found:

Win32.Flux.fm: [SBI $7DB768C5] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ReportBootOk

DoubleClick: Tracking cookie (Firefox: default) (Cookie, fixed)
Tradedoubler: Tracking cookie (Firefox: default) (Cookie, fixed)
Tradedoubler: Tracking cookie (Firefox: default) (Cookie, fixed)

Link to comment

Couldn't find the file with Windows Explorer; I had to search for it and copy it to the desktop first.

 

 

A-Squared

Found Backdoor.Win32.Popwin!IK

 

AntiVir

Found TR/Spy.Gen

 

ArcaVir

Found nothing

 

Avast

Found Win32:Spyware-gen

 

AVG Antivirus

Found Downloader.Generic7.AFDF

 

BitDefender

Found Win32.Worm.Winko.I

 

ClamAV

Found nothing

 

CPsecure

Found BackDoor.W32.Agent.dwj

 

Dr.Web

Found nothing

 

F-Prot Antivirus

Found W32/Downloader.C.gen!Eldorado

 

F-Secure Anti-Virus

Found Backdoor.Win32.Popwin.bzf

 

G DATA

Found Win32:Spyware-gen

 

Ikarus

Found Backdoor.Win32.Popwin.bzf

 

Kaspersky Anti-Virus

Found Backdoor.Win32.Popwin.bzf

 

NOD32

Found probably a variant of Win32/TrojanDownloader.Flux (probable variant)

 

Norman Virus Control

Found nothing

 

Panda Antivirus

Found Trj/Downloader.MDW

 

Sophos Antivirus

Found Mal/Behav-024

 

VirusBuster

Found nothing

 

VBA32

Found Backdoor.Win32.Popwin.bzf

 

Link to comment
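Added example (an editor's addition, not code from any poster or from the scanning service used above): the twenty engines in the report above name the same file five different ways (Popwin, Winko, Flux, a generic "Downloader", a generic "Spyware"), and five of them see nothing at all. The two questions worth answering mechanically are how many engines flag the file at all, and which family name most of them agree on. The script below parses the "engine name / Found ..." layout of the report as posted, computes that ratio, and votes on family tokens after dropping class words and platform tags. The sample report is the one above; the stoplist of generic tokens and the "at least four characters" rule that discards variant suffixes like "bzf" are the editor's own assumptions.

```python
"""Consolidate a multi-engine scan report: editor's added example, not thread code.

Input layout (as posted in the thread): an engine name on one line and
"Found <verdict>" on the next, blank lines in between; "Found nothing" means
no detection.
"""
from __future__ import annotations

import re
from collections import Counter

# Class words and platform tags that say nothing about the family (assumed stoplist).
GENERIC = {
    "win32", "w32", "trojan", "trj", "backdoor", "downloader", "trojandownloader",
    "spy", "generic", "gen", "mal", "behav", "agent", "variant", "probably",
    "probable", "found", "nothing", "eldorado",
}
TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9]*")


def parse_report(text: str) -> dict[str, str | None]:
    """Map engine name -> detection string, or None for 'Found nothing'."""
    results: dict[str, str | None] = {}
    engine = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Found "):
            if engine is None:
                raise ValueError(f"result without an engine name: {line!r}")
            verdict = line[len("Found "):]
            results[engine] = None if verdict.lower() == "nothing" else verdict
            engine = None
        else:
            engine = line
    return results


def detection_ratio(results: dict[str, str | None]) -> tuple[int, int]:
    """(engines that flagged the file, engines that scanned it)."""
    return sum(v is not None for v in results.values()), len(results)


def family_votes(results: dict[str, str | None]) -> Counter:
    """One vote per engine per family-like token; suffixes shorter than 4 chars are ignored."""
    votes: Counter = Counter()
    for verdict in results.values():
        if verdict is None:
            continue
        tokens = {t.lower() for t in TOKEN.findall(verdict)}
        votes.update(
            t for t in tokens
            if len(t) >= 4 and t not in GENERIC and not re.fullmatch(r"generic\d*", t)
        )
    return votes


def consensus(text: str) -> dict:
    """Detection ratio plus the family name most engines agree on."""
    results = parse_report(text)
    hits, total = detection_ratio(results)
    votes = family_votes(results)
    family, n = votes.most_common(1)[0] if votes else (None, 0)
    return {"detected_by": hits, "engines": total, "family": family, "family_votes": n}


# Report copied from the post above.
SAMPLE_REPORT = """
A-Squared
Found Backdoor.Win32.Popwin!IK

AntiVir
Found TR/Spy.Gen

ArcaVir
Found nothing

Avast
Found Win32:Spyware-gen

AVG Antivirus
Found Downloader.Generic7.AFDF

BitDefender
Found Win32.Worm.Winko.I

ClamAV
Found nothing

CPsecure
Found BackDoor.W32.Agent.dwj

Dr.Web
Found nothing

F-Prot Antivirus
Found W32/Downloader.C.gen!Eldorado

F-Secure Anti-Virus
Found Backdoor.Win32.Popwin.bzf

G DATA
Found Win32:Spyware-gen

Ikarus
Found Backdoor.Win32.Popwin.bzf

Kaspersky Anti-Virus
Found Backdoor.Win32.Popwin.bzf

NOD32
Found probably a variant of Win32/TrojanDownloader.Flux (probable variant)

Norman Virus Control
Found nothing

Panda Antivirus
Found Trj/Downloader.MDW

Sophos Antivirus
Found Mal/Behav-024

VirusBuster
Found nothing

VBA32
Found Backdoor.Win32.Popwin.bzf
"""

if __name__ == "__main__":
    print(consensus(SAMPLE_REPORT))
```

For the report above this gives 15 of 20 engines flagging the file and "popwin" as the family with the most votes (five engines), which is the name to search for when looking up what the family does and where it persists. Note that this only tells you the majority naming, not which engine is right; a generic verdict from a heuristic engine (Sophos's Mal/Behav-024, F-Prot's Eldorado) is deliberately given no family vote.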

Click Start - All Programs - Accessories - Notepad

Copy and paste the text in the code box below into Notepad:

File::
C:\WINDOWS\FONTS\B3349BD0.DLL
SKRIVEBORDET\B3349BD0.dll

(Replace "SKRIVEBORDET" with the path to your desktop, so the file you moved to the desktop is removed as well. The alternative is to delete it the usual way, if that works.)

Save it as CFScript on the Desktop.

Drag CFScript onto ComboFix.exe on the Desktop, as the animation below shows.

[animation: CFScriptB-4.gif]

This will start ComboFix again. If the machine asks for a restart, let it do so right away.

Post the contents of ComboFix.txt in your next reply on the forum.

Link to comment
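Added example (an editor's addition, not part of any post and not a ComboFix feature): the File:: script above deletes by path, and the poster had to search for B3349BD0.DLL because Explorer shows C:\WINDOWS\Fonts through a shell view that lists installed fonts rather than the files on disk, so an EXE or DLL dropped there is invisible in Explorer while remaining perfectly loadable. Before deleting, a responder wants two things the thread never shows: confirmation from the file's magic bytes that it is a PE image rather than a font, and a hash to look up on a multi-engine scanner. The script below does both over a directory. The file contents it builds for the demo are constructed headers (an MZ stub with a PE signature and a COFF header, and a bare TrueType header), not real samples; the two file names are the ones from the logs above, and the function and variable names are the editor's own.

```python
"""Is that file in C:\\WINDOWS\\Fonts really a font? Editor's added example.

Classifies files by magic bytes (not by name or extension), reports every
non-font file in a directory together with its SHA-256, and, for PE files,
whether the COFF Characteristics field marks it as a DLL or an EXE.
"""
from __future__ import annotations

import hashlib
import struct
import tempfile
from pathlib import Path

PE_SIG = b"PE\0\0"
IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit for a DLL image
FONT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Mac)",
    b"OTTO": "OpenType/CFF",
    b"ttcf": "TrueType collection",
}


def classify_blob(data: bytes) -> str:
    """'pe', a font type name, 'mz-stub-only' (MZ header without PE) or 'unknown'."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == PE_SIG:
            return "pe"
        return "mz-stub-only"
    return FONT_MAGICS.get(data[:4], "unknown")


def pe_subtype(data: bytes) -> str:
    """'dll' or 'exe' from Characteristics, 18 bytes into the COFF header after the PE signature."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def audit_fonts_dir(directory: Path) -> list[dict]:
    """Every regular file in `directory` that is not a recognised font, with its SHA-256."""
    hits = []
    for p in sorted(directory.iterdir()):
        if not p.is_file():
            continue
        data = p.read_bytes()
        kind = classify_blob(data)
        if kind in FONT_MAGICS.values():
            continue
        entry = {"name": p.name, "kind": kind, "sha256": hashlib.sha256(data).hexdigest()}
        if kind == "pe":
            entry["subtype"] = pe_subtype(data)
        hits.append(entry)
    return hits


# --- constructed sample data: just enough header to classify, no code at all ---
def fake_pe(is_dll: bool) -> bytes:
    """MZ stub, e_lfanew -> PE signature, COFF header with the DLL bit set or clear."""
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew points just past the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + PE_SIG + coff + b"\0" * 64


def fake_ttf() -> bytes:
    return b"\x00\x01\x00\x00" + b"\0" * 28


def run_demo() -> list[dict]:
    """Build a throwaway Fonts-like folder with the two names from the thread and audit it."""
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        (folder / "arial.ttf").write_bytes(fake_ttf())
        (folder / "B3349BD0.DLL").write_bytes(fake_pe(is_dll=True))
        (folder / "14E750A0.EXE").write_bytes(fake_pe(is_dll=False))
        return audit_fonts_dir(folder)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

On a real machine you would point audit_fonts_dir at Path(r"C:\WINDOWS\Fonts") from a command prompt (not from Explorer), then search the reported hashes before running the removal script; a hash match against a known family is far stronger evidence than a file name, and the hash also lets you confirm afterwards that the file ComboFix deleted was the one you meant.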

 

ComboFix 08-12-26.02 - VKA 2008-12-26 21:47:25.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.2047.1305 [GMT 1:00]

Running from: c:\documents and settings\VKA\Mine dokumenter\ComboFix.exe

Command switches used :: c:\documents and settings\VKA\Skrivebord\CFScript.txt

AV: Trend Micro PC-cillin Internet Security 2007 *On-access scanning disabled* (Outdated)

FW: Trend Micro PC-cillin Internet Security *disabled*

 

FILE ::

c:\windows\FONTS\B3349BD0.DLL

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\FONTS\B3349BD0.DLL

 

.

((((((((((((((((((((((((((( Files Created From 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))))

.

 

2008-12-26 13:24 . 2008-12-26 21:46 dr-h----- c:\documents and settings\VKA\Siste

2008-12-24 21:36 . 2008-12-24 21:36 682,280 --a------ c:\windows\system32\pbsvc.exe

2008-12-24 06:28 . 2008-12-24 06:36 d-------- c:\windows\BDOSCAN8

2008-12-23 18:01 . 2008-12-23 18:01 d-------- c:\programfiler\Panda Security

2008-12-23 18:01 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-23 17:14 . 2008-12-23 17:14 d-------- C:\fsaua.data

2008-12-23 16:27 . 2008-12-23 16:27 d-------- c:\programfiler\Malwarebytes' Anti-Malware

2008-12-23 16:27 . 2008-12-23 16:27 d-------- c:\documents and settings\VKA\Programdata\Malwarebytes

2008-12-23 16:27 . 2008-12-23 16:27 d-------- c:\documents and settings\All Users\Programdata\Malwarebytes

2008-12-23 16:27 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-23 16:27 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-23 15:43 . 2008-12-23 15:43 d--h----- c:\windows\system32\GroupPolicy

2008-12-22 18:55 . 2008-12-22 20:16 0 --a------ c:\windows\2.ini

2008-12-22 12:35 . 2008-12-22 12:36 d-------- c:\documents and settings\All Users\Programdata\Lavasoft

2008-12-22 10:57 . 2008-12-22 11:01 241 --a------ c:\windows\QSync.INI

2008-12-22 10:56 . 2008-12-22 11:01 d--h----- c:\windows\msdownld.tmp

2008-12-22 10:56 . 2008-12-22 10:56 d-------- c:\programfiler\Windows Media Components

2008-12-22 10:56 . 2008-12-22 10:57 d-------- c:\programfiler\Fellesfiler\Logitech

2008-12-22 10:56 . 2008-12-22 10:57 756 --a------ c:\windows\_delis32.ini

2008-12-22 10:53 . 2008-12-22 10:53 d-------- c:\programfiler\Logitech

2008-12-14 18:25 . 2008-12-23 10:38 33 --a------ c:\windows\1.ini

2008-12-14 17:44 . 2008-12-14 17:44 20 --a------ c:\windows\syscheck

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-26 13:31 202,000 ----a-w c:\windows\system32\PnkBstrB.exe

2008-12-26 13:31 139,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2008-12-25 00:04 --------- d-----w c:\documents and settings\VKA\Programdata\dvdcss

2008-12-24 20:37 22,328 ----a-w c:\documents and settings\VKA\Programdata\PnkBstrK.sys

2008-12-24 20:36 --------- d--h--w c:\programfiler\InstallShield Installation Information

2008-12-23 14:49 --------- d-----w c:\documents and settings\All Users\Programdata\Spybot - Search & Destroy

2008-12-22 20:34 66,872 ----a-w c:\windows\system32\PnkBstrA.exe

2008-12-22 11:35 --------- d-----w c:\programfiler\Fellesfiler\Wise Installation Wizard

2008-12-14 18:53 --------- d-----w c:\documents and settings\VKA\Programdata\OpenOffice.org2

2008-11-12 19:55 --------- d-----w c:\documents and settings\All Users\Programdata\TrackMania

2008-11-12 16:48 --------- d-----w c:\programfiler\Google

2008-11-07 12:20 --------- d-----w c:\programfiler\Western Digital

2008-11-07 12:19 --------- d-----w c:\programfiler\Western Digital Technologies

2008-11-04 20:35 --------- d-----w c:\documents and settings\VKA\Programdata\U3

2008-11-03 14:25 --------- d-----w c:\programfiler\Windows Live Safety Center

2008-10-27 17:21 30 ----a-w c:\documents and settings\VKA\jagex_runescape_preferences.dat

2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll

2008-10-16 20:33 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-03 10:17 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

.

 

(((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"OE"="c:\programfiler\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-09-27 315392]

"DAEMON Tools"="d:\programfiler\DAEMON Tools\daemon.exe" [2006-11-12 157592]

"igndlm.exe"="d:\programfiler\Download Manager\DLM.exe" [2007-03-05 1103480]

"SUPERAntiSpyware"="d:\programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1809648]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"pccguide.exe"="c:\programfiler\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-15 3112960]

"Adobe Reader Speed Launcher"="c:\programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"amd_dc_opt"="c:\programfiler\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"ANIWZCS2Service"="c:\programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]

"D-Link D-Link Wireless N DWA-140"="d:\programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe" [2007-03-14 1388544]

"SunJavaUpdateSched"="c:\programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"LVCOMS"="c:\programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-05 c:\windows\RTHDCPL.exe]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe]

"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

 

c:\documents and settings\VKA\Start-meny\Programmer\Oppstart\

Adobe Gamma.lnk - c:\programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

 

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\

Logitech SetPoint.lnk - d:\programfiler\Logitech\SetPoint\SetPoint.exe [2008-08-09 789008]

Microsoft Office.lnk - d:\programfiler\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-12-22 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 20:10 352256 d:\programfiler\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-01-09 11:30 72208 c:\programfiler\Fellesfiler\Logishrd\Bluetooth\LBTWLgn.dll

 

SafeBoot registernøkkel må repareres. Denne maskinen kan ikke startes i sikkerhetsmodus.

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]

@="Driver Group"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

@="DiskDrive"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

@="Hdc"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

@="Keyboard"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

@="Mouse"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

@="System"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

@="Volume"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"d:\\Programfiler\\LimeWire\\LimeWire.exe"=

"d:\\Programfiler\\World of Warcraft\\Launcher.exe"=

"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"d:\\Programfiler\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"d:\\Programfiler\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"d:\\Programfiler\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

 

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-23 28544]

R1 SASDIFSV;SASDIFSV;\??\d:\programfiler\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]

R1 SASKUTIL;SASKUTIL;\??\d:\programfiler\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 55024]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-01-15 503808]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-09-14 933952]

R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2006-08-16 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-09-14 561223]

R3 SASENUM;SASENUM;\??\d:\programfiler\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2006-09-14 281600]

S3 PciCon;PciCon;\??\D:\PciCon.sys []

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2008-08-14 476416]

S3 T5100_usb;LGE USB driver;c:\windows\system32\Drivers\T5100.sys [2007-05-22 29568]

S3 XDva064;XDva064;\??\c:\windows\system32\XDva064.sys []

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

wowsystemcode123

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38e042ca-acc6-11dd-a627-00508d951983}]

\Shell\AutoRun\command - h:\wd_windows_tools\WDSetup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9898108a-76d9-11dd-a5d9-00508d951983}]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

.

.

------- Tilleggsskanning -------

.

uStart Page = hxxp://www.google.no/

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

 

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}

hxxp://www.srtest.com/srl_bin/sysreqlab3.cab

c:\windows\Downloaded Program Files\SysReqLab3.osd

FF - ProfilePath - c:\documents and settings\VKA\Programdata\Mozilla\Firefox\Profiles\ag6nuw2m.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia

FF - prefs.js: browser.startup.homepage - hxxp://google.com

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-26 21:48:57

Windows 5.1.2600 Service Pack 2 NTFS

 

skanner skjulte prosesser ...

 

skanner skjulte autostart-oppføringer ...

 

skanner skjulte filer ...

 

skanning vellykket

skjulte filer: 0

 

**************************************************************************

.

--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

 

- - - - - - - > 'winlogon.exe'(1060)

d:\programfiler\SUPERAntiSpyware\SASWINLO.DLL

c:\programfiler\fellesfiler\logishrd\bluetooth\LBTWlgn.dll

c:\programfiler\fellesfiler\logishrd\bluetooth\LBTServ.dll

.

Tidspunkt ferdig: 2008-12-26 21:52:37

ComboFix-quarantined-files.txt 2008-12-26 20:52:33

ComboFix2.txt 2008-12-25 14:16:53

 

Pre-Run: 97 093 238 784 byte ledig

Post-Run: 97,080,287,232 byte ledig

 

198 --- E O F --- 2008-12-26 14:45:44

 

 


Click Start - All Programs - Accessories - Notepad

Copy and paste the text in the code box below into Notepad:

File::
c:\windows\2.ini
c:\windows\1.ini

Save it on the Desktop as CFScript

Drag CFScript onto ComboFix.exe, which is on the Desktop, as the animation below shows.

[Animation: CFScriptB-4.gif]

This will start ComboFix again. If the machine asks for a restart, let it do so right away.

No more logs are needed. Are there any problems with the PC after this, or is everything as it should be?


This is what it says about Win32.flux.fm:

Win32.Flux.fm: [sBI $7DB768C5] Settings (Registry value, fixed)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ReportBootOk

The F-Secure log only shows "System", but I'm not sure whether this is a path or not.

EDIT: F-Secure also found (after I restarted the PC):

Backdoor.Win32.Popwin.bzf

(C:\WINDOWS\FONTS\B3349BD0.DLL)

Edited by Almeida

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ReportBootOk]

Copy the text inside the code box and paste it into Notepad.

Save it on the Desktop as Reportremove.reg

Double-click it and answer yes to adding it to the registry.

Start->Run->regedit

Browse through and see if you find these keys, and delete them.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_7FBDAFA3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\7FBDAFA3

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\7FBDAFA3

Download and run CCleaner

'Options'->'Advanced'. Uncheck: "Only delete temporary files older than 48 hours".

Run the registry cleaner, answer yes to repair --> answer yes to backup when asked.

Run the registry cleaner a couple more times until all errors are gone.

Restart.

http://rapidshare.com/files/177337957/Safe...XP-SP2.reg.html

Download it to the Desktop, double-click it and answer yes to adding it to the registry.

Backdoor.Win32.Popwin.bzf

(C:\WINDOWS\FONTS\B3349BD0.DLL)

Go to that folder and delete B3349BD0.DLL

Run a new scan with F-Secure, then update and run a new scan with MBAM.

I'm not that interested in what Spybot finds; you might as well remove it and use MBAM, which is a good deal better.

Edited by SNIPPSAT

Get Dr.Web and save it on the Desktop.

Run drweb-cureit.exe and click Start. An express scan will now run.

When this is done, click Settings -> Change settings

Under the Scan tab, uncheck Heuristic analysis.

Under the Actions tab, set all items under Malware to Cure. Click OK

Then tick Full scan. Start the scan by clicking the 'green arrow'.

Choose "yes to all" when it finds something for the first time.

When the scan is finished, go to "File" and click "Save Report list".

A file named "drweb.csv" will then be on the Desktop. Post it together with a new ComboFix log (that is, run ComboFix again after DrWeb).

Edited by norbat

DrWeb:

 

 

14e750a0.exe;c:\windows\fonts;Sannsynligvis MULDROP.Trojan;;

RegUBP2b-VKA.reg;C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Slettet.;

data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\VKA\Mine dokumenter\ComboFix.exe\data002;Program.PsExec.171;;

data002;C:\Documents and Settings\VKA\Mine dokumenter\ComboFix.exe;Arkiv inneholder infiserte objekter;;

ComboFix.exe;C:\Documents and Settings\VKA\Mine dokumenter;Arkiv inneholder infiserte objekter;Flyttet.;

A0017612.exe;C:\System Volume Information\_restore{57461A0C-0E0E-4607-93D5-CC63ED06F863}\RP236;Trojan.Spambot.4099;Slettet.;

A0036369.exe\20.6036.exe;C:\System Volume Information\_restore{57461A0C-0E0E-4607-93D5-CC63ED06F863}\RP405\A0036369.exe;Trojan.DownLoad.4257;;

A0036369.exe;C:\System Volume Information\_restore{57461A0C-0E0E-4607-93D5-CC63ED06F863}\RP405;Arkiv inneholder infiserte objekter;Flyttet.;

A0044800.EXE;C:\System Volume Information\_restore{57461A0C-0E0E-4607-93D5-CC63ED06F863}\RP885;Program.PsExec.170;Endret.;

A0045391.reg;C:\System Volume Information\_restore{57461A0C-0E0E-4607-93D5-CC63ED06F863}\RP897;Trojan.StartPage.1505;Slettet.;

A0036333.exe\20.6036.exe;D:\System Volume Information\_restore{57461A0C-0E0E-4607-93D5-CC63ED06F863}\RP405\A0036333.exe;Trojan.DownLoad.4257;;

A0036333.exe;D:\System Volume Information\_restore{57461A0C-0E0E-4607-93D5-CC63ED06F863}\RP405;Arkiv inneholder infiserte objekter;Flyttet.;

ComboFix log:

 

 

ComboFix 08-12-26.03 - VKA 2008-12-28 19:30:48.6 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.2047.1319 [GMT 1:00]

Kjører fra: c:\documents and settings\VKA\DoctorWeb\Quarantine\ComboFix.exe

AV: Trend Micro PC-cillin Internet Security 2007 *On-access scanning disabled* (Outdated)

FW: Trend Micro PC-cillin Internet Security *disabled*

.

 

((((((((((((((((((((((((((( Filer Opprettet Fra 2008-11-28 til 2008-12-28 )))))))))))))))))))))))))))))))))

.

 

2008-12-27 17:43 . 2008-12-28 15:46 dr-h----- c:\documents and settings\VKA\Siste

2008-12-27 01:22 . 2008-12-27 01:22 d-------- c:\programfiler\Fellesfiler\PCSuite

2008-12-27 01:22 . 2008-12-27 01:22 d-------- c:\programfiler\Fellesfiler\Nokia

2008-12-24 21:36 . 2008-12-24 21:36 682,280 --a------ c:\windows\system32\pbsvc.exe

2008-12-24 06:28 . 2008-12-24 06:36 d-------- c:\windows\BDOSCAN8

2008-12-23 18:01 . 2008-12-23 18:01 d-------- c:\programfiler\Panda Security

2008-12-23 18:01 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-23 17:14 . 2008-12-23 17:14 d-------- C:\fsaua.data

2008-12-23 16:27 . 2008-12-23 16:27 d-------- c:\programfiler\Malwarebytes' Anti-Malware

2008-12-23 16:27 . 2008-12-23 16:27 d-------- c:\documents and settings\VKA\Programdata\Malwarebytes

2008-12-23 16:27 . 2008-12-23 16:27 d-------- c:\documents and settings\All Users\Programdata\Malwarebytes

2008-12-23 16:27 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-23 16:27 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-23 15:43 . 2008-12-23 15:43 d--h----- c:\windows\system32\GroupPolicy

2008-12-22 12:35 . 2008-12-22 12:36 d-------- c:\documents and settings\All Users\Programdata\Lavasoft

2008-12-22 10:57 . 2008-12-22 11:01 241 --a------ c:\windows\QSync.INI

2008-12-22 10:56 . 2008-12-22 11:01 d--h----- c:\windows\msdownld.tmp

2008-12-22 10:56 . 2008-12-22 10:56 d-------- c:\programfiler\Windows Media Components

2008-12-22 10:56 . 2008-12-22 10:57 d-------- c:\programfiler\Fellesfiler\Logitech

2008-12-22 10:56 . 2008-12-22 10:57 756 --a------ c:\windows\_delis32.ini

2008-12-22 10:53 . 2008-12-22 10:53 d-------- c:\programfiler\Logitech

2008-12-14 17:44 . 2008-12-14 17:44 20 --a------ c:\windows\syscheck

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-28 15:10 139,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2008-12-28 15:09 202,000 ----a-w c:\windows\system32\PnkBstrB.exe

2008-12-28 14:57 36,864 ----a-w c:\windows\Fonts\B3349BD0.DLL

2008-12-27 01:23 --------- d-----w c:\documents and settings\VKA\Programdata\Nokia

2008-12-27 00:34 --------- d-----w c:\documents and settings\VKA\Programdata\PC Suite

2008-12-27 00:21 --------- d-----w c:\documents and settings\All Users\Programdata\Installations

2008-12-25 00:04 --------- d-----w c:\documents and settings\VKA\Programdata\dvdcss

2008-12-24 20:37 22,328 ----a-w c:\documents and settings\VKA\Programdata\PnkBstrK.sys

2008-12-24 20:36 --------- d--h--w c:\programfiler\InstallShield Installation Information

2008-12-23 14:49 --------- d-----w c:\documents and settings\All Users\Programdata\Spybot - Search & Destroy

2008-12-22 20:34 66,872 ----a-w c:\windows\system32\PnkBstrA.exe

2008-12-22 11:35 --------- d-----w c:\programfiler\Fellesfiler\Wise Installation Wizard

2008-12-14 18:53 --------- d-----w c:\documents and settings\VKA\Programdata\OpenOffice.org2

2008-11-12 19:55 --------- d-----w c:\documents and settings\All Users\Programdata\TrackMania

2008-11-12 16:48 --------- d-----w c:\programfiler\Google

2008-11-07 12:20 --------- d-----w c:\programfiler\Western Digital

2008-11-07 12:19 --------- d-----w c:\programfiler\Western Digital Technologies

2008-11-04 20:35 --------- d-----w c:\documents and settings\VKA\Programdata\U3

2008-11-03 14:25 --------- d-----w c:\programfiler\Windows Live Safety Center

2008-10-27 17:21 30 ----a-w c:\documents and settings\VKA\jagex_runescape_preferences.dat

2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll

2008-10-16 20:33 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-03 10:17 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-12-26_21.49.29,95 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-12-27 00:22:33 3,262 ----a-r c:\windows\Installer\{11964613-805F-432D-A12B-169554B793E7}\ARPPRODUCTICON.exe

+ 2008-12-27 00:23:03 15,086 ----a-r c:\windows\Installer\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\ARPPRODUCTICON.exe

+ 2003-03-18 18:05:50 89,088 ----a-w c:\windows\system32\atl71.dll

+ 2007-03-29 22:00:40 203,264 ----a-r c:\windows\system32\CddbCdda.dll

+ 2007-02-22 10:15:56 137,216 -c--a-w c:\windows\system32\DRVSTORE\nmwcd_F3FA2468AF360A65811B287DD7A88CB715CF7275\nmwcd.sys

+ 2007-02-22 10:15:12 90,624 -c--a-w c:\windows\system32\DRVSTORE\nmwcd_F3FA2468AF360A65811B287DD7A88CB715CF7275\nmwcdcls.dll

+ 2007-02-22 10:15:12 65,536 -c--a-w c:\windows\system32\DRVSTORE\nmwcd_F3FA2468AF360A65811B287DD7A88CB715CF7275\nmwcdcocls.dll

+ 2007-02-22 10:15:14 8,320 -c--a-w c:\windows\system32\DRVSTORE\nmwcdc_F3FA2468AF360A65811B287DD7A88CB715CF7275\nmwcdc.sys

+ 2007-02-22 10:15:14 12,288 -c--a-w c:\windows\system32\DRVSTORE\nmwcdcj_F3FA2468AF360A65811B287DD7A88CB715CF7275\nmwcdcj.sys

+ 2007-02-22 10:15:14 12,288 -c--a-w c:\windows\system32\DRVSTORE\nmwcdm2k_F3FA2468AF360A65811B287DD7A88CB715CF7275\nmwcdcm.sys

+ 2003-03-18 20:20:00 1,060,864 ----a-w c:\windows\system32\mfc71.dll

+ 2003-03-18 20:12:12 1,047,552 ----a-w c:\windows\system32\mfc71u.dll

+ 2003-03-18 19:14:52 499,712 ----a-w c:\windows\system32\msvcp71.dll

+ 2003-02-21 03:42:22 348,160 ----a-w c:\windows\system32\msvcr71.dll

- 2007-11-29 08:32:38 48,128 ----a-w c:\windows\system32\nmwcdcls.dll

+ 2007-02-22 10:15:12 90,624 ----a-w c:\windows\system32\nmwcdcls.dll

.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"OE"="c:\programfiler\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-09-27 315392]

"DAEMON Tools"="d:\programfiler\DAEMON Tools\daemon.exe" [2006-11-12 157592]

"igndlm.exe"="d:\programfiler\Download Manager\DLM.exe" [2007-03-05 1103480]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"pccguide.exe"="c:\programfiler\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-15 3112960]

"Adobe Reader Speed Launcher"="c:\programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"amd_dc_opt"="c:\programfiler\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"ANIWZCS2Service"="c:\programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]

"D-Link D-Link Wireless N DWA-140"="d:\programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe" [2007-03-14 1388544]

"SunJavaUpdateSched"="c:\programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"LVCOMS"="c:\programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]

"PCSuiteTrayApplication"="d:\programfiler\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-05 c:\windows\RTHDCPL.exe]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe]

"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

"Nokia.PCSync"="d:\programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

 

c:\documents and settings\VKA\Start-meny\Programmer\Oppstart\

Adobe Gamma.lnk - c:\programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

 

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\

Logitech SetPoint.lnk - d:\programfiler\Logitech\SetPoint\SetPoint.exe [2008-08-09 789008]

Microsoft Office.lnk - d:\programfiler\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-12-22 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 20:10 352256 d:\programfiler\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-01-09 11:30 72208 c:\programfiler\Fellesfiler\Logishrd\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"d:\\Programfiler\\LimeWire\\LimeWire.exe"=

"d:\\Programfiler\\World of Warcraft\\Launcher.exe"=

"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"d:\\Programfiler\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"d:\\Programfiler\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"d:\\Programfiler\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

 

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-23 28544]

R1 SASDIFSV;SASDIFSV;\??\d:\programfiler\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]

R1 SASKUTIL;SASKUTIL;\??\d:\programfiler\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 55024]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-01-15 503808]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-09-14 933952]

R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2006-08-16 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-09-14 561223]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2006-09-14 281600]

S3 PciCon;PciCon;\??\D:\PciCon.sys []

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2008-08-14 476416]

S3 SASENUM;SASENUM;\??\d:\programfiler\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]

S3 T5100_usb;LGE USB driver;c:\windows\system32\Drivers\T5100.sys [2007-05-22 29568]

S3 XDva064;XDva064;\??\c:\windows\system32\XDva064.sys []

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

wowsystemcode123

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38e042ca-acc6-11dd-a627-00508d951983}]

\Shell\AutoRun\command - h:\wd_windows_tools\WDSetup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9898108a-76d9-11dd-a5d9-00508d951983}]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

.

.

------- Tilleggsskanning -------

.

uStart Page = hxxp://www.google.no/

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

 

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}

hxxp://www.srtest.com/srl_bin/sysreqlab3.cab

c:\windows\Downloaded Program Files\SysReqLab3.osd

FF - ProfilePath - c:\documents and settings\VKA\Programdata\Mozilla\Firefox\Profiles\ag6nuw2m.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia

FF - prefs.js: browser.startup.homepage - hxxp://google.com

.

.

------- Filassosiasjoner -------

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-28 19:32:33

Windows 5.1.2600 Service Pack 2 NTFS

 

skanner skjulte prosesser ...

 

skanner skjulte autostart-oppføringer ...

 

skanner skjulte filer ...

 

skanning vellykket

skjulte filer: 0

 

**************************************************************************

.

--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

 

- - - - - - - > 'winlogon.exe'(1060)

d:\programfiler\SUPERAntiSpyware\SASWINLO.DLL

c:\programfiler\fellesfiler\logishrd\bluetooth\LBTWlgn.dll

c:\programfiler\fellesfiler\logishrd\bluetooth\LBTServ.dll

.

Tidspunkt ferdig: 2008-12-28 19:36:10

ComboFix-quarantined-files.txt 2008-12-28 18:36:08

ComboFix2.txt 2008-12-27 01:43:24

ComboFix3.txt 2008-12-26 20:52:39

ComboFix4.txt 2008-12-25 14:16:53

 

Pre-Run: 96 725 659 648 byte ledig

Post-Run: 96,845,529,088 byte ledig

 

209 --- E O F --- 2008-12-28 11:37:45
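The Dr.Web report at the start of the post above (drweb.csv) is one record per line with semicolon-separated fields: object, path, verdict, action, followed by a trailing semicolon. The following is an added example, not code from the thread or from Dr.Web, that parses that layout and sorts the hits the way a helper reads them: entries under System Volume Information are old restore-point copies, Dr.Web's Program.* prefix marks legitimate-but-abusable tools (here PsExec packed inside ComboFix.exe), the "archive contains infected objects" lines are the containers holding a nested hit rather than hits themselves, and an empty action field means Dr.Web only reported the object. The sample report is constructed from the thread's own lines with the field values the Norwegian build wrote; the group names, the English container wording and the function names are this example's own.

```python
r"""Parse a Dr.Web CureIt report (drweb.csv) and triage its findings.

Added example, not code from the thread or from Dr.Web. Each report line is
object;path;verdict;action; with a trailing separator, and an empty action
means Dr.Web only reported the object. The sample is constructed from the
lines posted in the thread; field values are what the Norwegian build wrote.
The triage groups and function names are this example's own.
"""

SAMPLE_DRWEB_CSV = r"""
14e750a0.exe;c:\windows\fonts;Sannsynligvis MULDROP.Trojan;;
RegUBP2b-VKA.reg;C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Slettet.;
data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\VKA\Mine dokumenter\ComboFix.exe\data002;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\VKA\Mine dokumenter;Arkiv inneholder infiserte objekter;Flyttet.;
A0017612.exe;C:\System Volume Information\_restore{57461A0C-0E0E-4607-93D5-CC63ED06F863}\RP236;Trojan.Spambot.4099;Slettet.;
A0036369.exe\20.6036.exe;C:\System Volume Information\_restore{57461A0C-0E0E-4607-93D5-CC63ED06F863}\RP405\A0036369.exe;Trojan.DownLoad.4257;;
"""

# "Archive contains infected objects": the Norwegian string is from the thread,
# the English one is the wording assumed for the English build.
CONTAINER_VERDICTS = {"Arkiv inneholder infiserte objekter", "Archive contains infected objects"}


def parse_drweb_report(text):
    """Split report lines into records; lines with fewer than four fields are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        if len(fields) < 4:
            continue
        obj, path, verdict, action = fields[:4]
        records.append({"object": obj, "path": path, "verdict": verdict, "action": action})
    return records


def triage(records):
    """Sort records into the groups a helper reads them in.

    restore_point: copies inside System Volume Information (old restore points)
    riskware:      Program.* verdicts, e.g. PsExec packed inside ComboFix.exe
    container:     the archive holding a nested hit, not a hit itself
    unhandled:     a real hit with an empty action field (nothing was done)
    handled:       a real hit Dr.Web deleted, moved or cured
    """
    groups = {"restore_point": [], "riskware": [], "container": [], "unhandled": [], "handled": []}
    for r in records:
        if "system volume information" in r["path"].lower():
            groups["restore_point"].append(r)
        elif r["verdict"].startswith("Program."):
            groups["riskware"].append(r)
        elif r["verdict"] in CONTAINER_VERDICTS:
            groups["container"].append(r)
        elif not r["action"]:
            groups["unhandled"].append(r)
        else:
            groups["handled"].append(r)
    return groups


if __name__ == "__main__":
    for group, items in triage(parse_drweb_report(SAMPLE_DRWEB_CSV)).items():
        print(group)
        for r in items:
            print("   ", r["object"], "@", r["path"], "|", r["verdict"], "|", r["action"] or "(no action)")
```

The group that needs a hand is `unhandled`: on the sample it contains exactly 14e750a0.exe in c:\windows\fonts, which is the file the next reply asks the user to delete by hand. Restore-point hits cannot affect the running system unless that restore point is applied; the usual cleanup is to turn System Restore off and back on once the machine is clean, which discards the old points.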

 


Then it looks like we're on the right track :). I can now start the PC in safe mode without a bluescreen, and neither F-Secure nor Spybot found anything. I'm now running various scans in safe mode. If you don't see any major threats in the logs, the problem is probably solved... I'll let you know if anything turns up in the scans.

Edited by Almeida

Yes, something that got forgotten; it was in the first HJT log.

It showed up again in Dr.Web: "14e750a0.exe"

Start->Run->cmd

Type the bold text.

Sc stop 24F82B7C

sc delete 24F82B7C

Go to Fonts and delete "14E750A0.EXE"

Try again to delete "B3349BD0.DLL"

Also check whether there are more dll/exe files in the Fonts folder.

There should mostly only be font types in there.

If you can't delete them, use Killbox

Then we'll wrap up after this, unless norbat has something to add.

Edited by SNIPPSAT
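The check "there should mostly only be font types in there" can be scripted. What follows is an added example, not code from the thread: it lists every file in a Fonts directory whose extension is not a font type, and also any file that starts with the PE 'MZ' signature even when it carries a font extension, which catches an executable renamed to look like a font. The directory below is constructed in a temp folder with file names taken from the thread (the contents are dummy bytes, not real malware); on a real XP box you would point `audit_fonts_dir` at the Fonts folder. `FONT_EXTENSIONS` and `BENIGN_NAMES` are this example's own lists.

```python
r"""Audit a Windows Fonts directory for files that are not fonts.

Added example, not code from the thread. The thread's point is that the
Fonts folder should hold only font files, so an .exe or .dll there
(14E750A0.EXE and B3349BD0.DLL in this case) is suspect. Two checks:
a non-font extension, and, stronger, a PE 'MZ' header regardless of
extension, which catches an executable renamed to look like a font.
"""
import os
import tempfile

# Extensions Windows installs as fonts (this example's own list).
FONT_EXTENSIONS = {".ttf", ".ttc", ".otf", ".fon", ".fnt", ".pfb", ".pfm", ".afm"}
# Known benign non-font entries in a Fonts folder (this example's own list).
BENIGN_NAMES = {"desktop.ini"}
PE_MAGIC = b"MZ"  # DOS header signature every PE executable/DLL starts with


def is_pe_file(path):
    """True if the file begins with the 'MZ' DOS/PE header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def audit_fonts_dir(fonts_dir):
    """Return a sorted list of (filename, reason) for entries that are not fonts."""
    findings = []
    for entry in os.scandir(fonts_dir):
        if not entry.is_file() or entry.name.lower() in BENIGN_NAMES:
            continue
        ext = os.path.splitext(entry.name)[1].lower()
        if is_pe_file(entry.path):
            # Checked first: a PE file with a .ttf name is the more alarming case.
            findings.append((entry.name, "PE executable (MZ header)"))
        elif ext not in FONT_EXTENSIONS:
            findings.append((entry.name, "non-font extension " + ext))
    return sorted(findings)


def build_sample_fonts_dir():
    """Create a constructed stand-in for the Fonts folder in a temp directory.

    File names follow the thread; contents are dummy bytes, not real malware.
    """
    d = tempfile.mkdtemp(prefix="fonts_sample_")
    samples = {
        "arial.ttf": b"\x00\x01\x00\x00" + b"\x00" * 12,  # TrueType sfnt header
        "14E750A0.EXE": b"MZ" + b"\x90" * 62,             # dropper name from the thread
        "B3349BD0.DLL": b"MZ" + b"\x00" * 62,             # DLL name from the thread
        "tahoma.ttf": b"MZ" + b"\x00" * 62,               # constructed: PE disguised as a font
        "desktop.ini": b"[.ShellClassInfo]\r\n",         # legitimately present, ignored
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for name, reason in audit_fonts_dir(build_sample_fonts_dir()):
        print(f"{name}: {reason}")
```

The MZ check matters because Explorer's special Fonts view shows installed fonts rather than arbitrary files, so the folder is a convenient hiding place; a command prompt or a script like this sees what the GUI view does not. The extension test alone would have let the constructed tahoma.ttf through.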

It's possible that Dr.Web removed "14E750A0.EXE".

That may be why you were able to delete "B3349BD0.DLL" now.

You can search for "14E750A0.EXE"; if it's gone, that's good.

You can run HijackThis yourself and look for this line.

O23 - Service: 24F82B7C - Unknown owner - C:\WINDOWS\Fonts\14E750A0.EXE

If it's gone, we're done.
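The O23 line to look for can also be checked programmatically. The following is an added example, not code from the thread or from HijackThis: it parses O23 service entries (display name, optional service name in parentheses, publisher, image path) from a HijackThis log and reports services with no recorded publisher, an 8-hex-digit name, or an image path under Fonts, Temp, a user profile or the recycle bin. The sample log is constructed; only the 24F82B7C line is from the thread, the other lines mimic the layout. `SUSPICIOUS_DIRS` and the reason texts are this example's own choices.

```python
r"""Flag suspicious O23 (service) entries in a HijackThis log.

Added example, not code from the thread or from HijackThis. The thread's
last advice is to look for
  O23 - Service: 24F82B7C - Unknown owner - C:\WINDOWS\Fonts\14E750A0.EXE
An O23 line is "display name [(service name)] - publisher - image path".
Only that one line below is from the thread; the others are constructed
to mimic the layout. SUSPICIOUS_DIRS and the reason texts are this
example's own choices.
"""
import ntpath
import re

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
# Directories in which an XP service binary has no business living.
SUSPICIOUS_DIRS = ("\\fonts", "\\temp", "\\documents and settings", "\\recycler")

SAMPLE_HJT_LOG = r"""
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: 24F82B7C - Unknown owner - C:\WINDOWS\Fonts\14E750A0.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""


def parse_o23(line):
    """Return a dict for an O23 line, or None for any other HijackThis line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("name")
    # HijackThis appends "(svcname)" when it differs from the display name.
    short = re.search(r"\(([^()]+)\)\s*$", display)
    return {
        "name": short.group(1) if short else display,
        "display": display,
        "owner": m.group("owner"),
        "path": m.group("path"),
    }


def reasons_for(svc):
    """Collect the reasons a parsed service entry looks suspicious."""
    reasons = []
    if svc["owner"].lower() == "unknown owner":
        reasons.append("no publisher recorded")
    if HEX_NAME_RE.match(svc["name"]):
        reasons.append("service name is a random-looking 8-hex-digit string")
    directory = ntpath.dirname(svc["path"])
    if any(d in directory.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("image lives in unusual directory " + directory)
    return reasons


def audit_hjt_log(text):
    """Return [{name, path, reasons}] for every O23 entry with at least one reason."""
    findings = []
    for line in text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = reasons_for(svc)
        if reasons:
            findings.append({"name": svc["name"], "path": svc["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_HJT_LOG):
        print(f["name"], "->", f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

"Unknown owner" on its own is weak evidence: PnkBstrA (PunkBuster, which the ComboFix logs above list as a legitimate firewall-authorized program) gets that single reason in the sample, while the Fonts entry collects all three. Read the reasons together rather than acting on any one of them.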
