thrashrat, posted 3 January 2009 (edited)

Hi. Is there any malware or anything else suspicious here? I have run CCleaner, Spybot and NOD32, and they don't find anything more.

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:28 PM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\nod32kui.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\meg\Desktop\Diskusjon\teste.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 147.102.3.101:3124
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1228917334687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1228917323921
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8346 bytes

MBAM log

Malwarebytes' Anti-Malware 1.31
Databaseversjon: 1602
Windows 5.1.2600 Service Pack 3

1/3/2009 6:44:41 PM
mbam-log-2009-01-03 (18-44-41).txt

Skanntype: Rask Skann
Objekter skannet: 57642
Tid tilbakelagt: 3 minute(s), 35 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 2
Mapper infisert: 0
Filer infisert: 0

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
(Ingen mistenkelige filer funnet)

Combofix log

ComboFix 09-01-01.02 - meg 2009-01-03 19:04:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.835 [GMT 1:00]
Running from: c:\documents and settings\meg\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-03 18:35 . 2009-01-03 18:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 18:35 . 2009-01-03 18:35 <DIR> d-------- c:\documents and settings\meg\Application Data\Malwarebytes
2009-01-03 18:35 . 2009-01-03 18:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-03 18:35 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 18:35 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-28 11:16 . 2008-12-28 11:22 139,264 --a------ c:\windows\War3Unin.exe
2008-12-28 11:16 . 2008-12-28 11:22 73,117 --a------ c:\windows\War3Unin.dat
2008-12-28 11:16 . 2008-12-28 11:22 2,829 --a------ c:\windows\War3Unin.pif
2008-12-10 19:35 . 2008-12-10 19:35 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-10 15:37 . 2008-12-10 15:37 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-09 23:44 . 2008-12-10 18:31 <DIR> d-------- c:\documents and settings\meg\Contacts
2008-12-09 23:29 . 2008-12-09 23:36 <DIR> d-------- c:\program files\Windows Live
2008-12-09 23:29 . 2008-12-09 23:34 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-12-09 23:29 . 2008-12-09 23:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-08 10:06 . 2008-12-09 13:57 <DIR> d-------- C:\Diverse sanger
2008-12-06 12:48 . 2008-12-06 12:48 268 --ah----- C:\sqmdata01.sqm
2008-12-06 12:48 . 2008-12-06 12:48 244 --ah----- C:\sqmnoopt01.sqm
2008-12-05 22:25 . 2008-12-05 22:25 244 --ah----- C:\sqmnoopt00.sqm
2008-12-05 22:25 . 2008-12-05 22:25 232 --ah----- C:\sqmdata00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 18:04 --------- d-----w c:\program files\ESET
2009-01-03 16:32 --------- d-----w c:\program files\CCleaner
2009-01-03 16:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 14:12 --------- d-----w c:\program files\PeerGuardian2
2008-12-22 14:12 --------- d-----w c:\documents and settings\meg\Application Data\uTorrent
2008-11-16 16:29 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-16 16:29 --------- d-----w c:\documents and settings\meg\Application Data\SystemRequirementsLab
2008-11-11 13:34 --------- d-----w c:\documents and settings\meg\Application Data\dvdcss
2008-11-07 23:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-07 11:02 --------- d-----w c:\program files\CDBurnerXP
2008-11-07 11:02 --------- d-----w c:\documents and settings\meg\Application Data\Canneverbe_Limited
2008-11-07 11:00 --------- d-----w c:\program files\Astonsoft
2008-11-07 10:45 --------- d-----w c:\documents and settings\meg\Application Data\DeepBurner
2008-11-07 10:25 --------- d-----w c:\program files\dvdSanta
2008-11-06 04:18 --------- d-----w c:\program files\Foxit Software
2008-11-04 09:23 --------- d-----w c:\program files\Real Alternative
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-08-14 19:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081420080815\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-03-10 5566464]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 729177]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-03-30 32768]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-04-15 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2004-10-11 245760]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-04-18 81920]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-04-07 188416]
"ePowerManagement"="c:\acer\ePM\ePM.exe" [2005-03-15 2893824]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-14 949376]
"nwiz"="nwiz.exe" [2005-03-10 c:\windows\system32\nwiz.exe]
"Resume copy"="copyfstq.exe" [2006-03-06 c:\windows\copyfstq.exe]
"NvMediaCenter"="NvMCTray.dll" [2005-03-10 c:\windows\system32\nvmctray.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\andre\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 01:11 47104 c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 03:41 11776 c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 01:12 32256 c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
--a------ 2002-09-03 18:38 987187 c:\program files\WinCustomize\LogonStudio\LogonStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"d:\\Spill\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"30315:TCP"= 30315:TCP:*:Disabled:utorrent
"30315:UDP"= 30315:UDP:*:Disabled:utorrent

R1 GhPciScan;GhostPciScanner;\??\c:\program files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 5632]
R1 Hotkey;Hotkey;c:\windows\system32\drivers\Hotkey.sys [2006-03-06 9867]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-08-14 15424]
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\c:\windows\system32\drivers\epm-psd.sys [2006-03-06 4096]
R2 EpmShd;Acer EPM System Hardware Driver;\??\c:\windows\system32\drivers\epm-shd.sys [2006-03-06 78208]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-03-04 8704]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-01-14 4010]
R3 POWERKEY;POWERKEY;\??\c:\program files\Launch Manager\POWERKEY.sys [2006-03-06 2343]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\DRIVERS\wacompen.sys [2006-03-06 14208]
S1 mailKmd;mailKmd; []
S1 Wbutton;Wbutton;c:\windows\system32\drivers\Wbutton.sys []

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
uInternet Settings,ProxyServer = 147.102.3.101:3124
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\meg\Application Data\Mozilla\Firefox\Profiles\8bkj2kgk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.vg.no/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 19:05:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\imon.dll
.
Completion time: 2009-01-03 19:06:40
ComboFix-quarantined-files.txt 2009-01-03 18:06:30

Pre-Run: 22,620,626,944 bytes free
Post-Run: 22,724,141,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
185

Edited 3 January 2009 by thrashrat
r2d290, posted 3 January 2009

Do you recognise the IP address 147.102.3.101? Otherwise the logs look fine. Was this just a check, or do you suspect that you have malware?

You should update Java
It is important to use the latest version of Java, since earlier versions can contain security holes that will increase the probability of you getting infected again. It looks like your version of Java is outdated.

Updating Java:
[*] Click the following link and download the newest version of Java: http://java.com/en/download/index.jsp
[*] Go to Start > Control Panel > Add/Remove Programs.
[*] Search the list for all earlier versions of Java (JRE, J2SE Runtime, J2RE, etc.). All of these versions should have this picture in front of them: Select all you find and click Remove
[*] Then install the Java version you downloaded at the start.

Tell us how the update went, since problems with updating can indicate more malware on your system.
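A small triage helper for a log like the one posted above, added here as an example and not code from the thread or from HijackThis itself: it flags the three kinds of entry a helper would ask the owner about (a ProxyServer value pointing outside loopback and RFC 1918 ranges, a BHO with no file behind it, and a service with no publisher name). The sample lines are copied from the log above; the flagging rules are my own heuristics, and a hit is a prompt to ask, not a verdict (NMSAccessU here belongs to CDBurnerXP).

```python
import ipaddress
import re

# Constructed sample: a few HijackThis v2 lines of the kinds seen in the posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 147.102.3.101:3124
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Line shapes used by HijackThis for the three entry types we look at.
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def proxy_is_unexpected(proxy: str, allowed: frozenset = frozenset()) -> bool:
    """True when a ProxyServer value ('host:port', or 'http=host:port;https=...')
    points anywhere other than loopback, an RFC 1918 address, or an allowlisted host.
    The allowlist is a hypothetical knob for a managed network's known proxy."""
    for entry in proxy.split(";"):
        host = entry.split("=", 1)[-1].rsplit(":", 1)[0]
        if host in allowed:
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return True  # a hostname rather than an IP: nothing here can vouch for it
        if not (ip.is_loopback or ip.is_private):
            return True
    return False


def triage_hijackthis(log_text: str) -> list:
    """Return (category, note) pairs for lines a helper would ask the owner about."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            if proxy_is_unexpected(m["proxy"]):
                findings.append(("proxy", f"IE proxy is {m['proxy']}; confirm the owner set it"))
        elif m := BHO_RE.match(line):
            # A registered BHO whose DLL is gone is usually leftover from a removal.
            if m["path"].strip() == "(no file)":
                findings.append(("orphan-bho", f"BHO {{{m['clsid']}}} has no file behind it"))
        elif m := SERVICE_RE.match(line):
            # 'Unknown owner' means the binary carries no company name; worth a look-up.
            if m["owner"] == "Unknown owner":
                findings.append(("unknown-owner-service", f"service '{m['name']}' at {m['path']}"))
    return findings


if __name__ == "__main__":
    for category, note in triage_hijackthis(SAMPLE_LOG):
        print(f"[{category}] {note}")
```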
thrashrat, posted 4 January 2009

No, I don't recognise that IP address. Should I just delete it then, or? I have been a bit worried since I have 2 rundll32.exe processes and 6-7 svchost.exe processes running all the time. And lately Warcraft 3 has started to "crash" after I have played it for a while. It can run fine for anything from half an hour up to several hours, but then everything stops and the screen turns white, with a black line across the middle. But when I have played it on another PC it has worked fine. Got Java updated without any problems, so that should be in order then?
r2d290, posted 4 January 2009

It is completely normal to have several rundll32.exe and svchost.exe processes. I think you can fix that line from HijackThis, yes. If you notice any problems after this, say so and we will just restore it. The problem you describe with Wow can be many things. Most likely either a hardware fault or an outdated driver, I would think. See if any of the others have opinions on this...

ComboFix must be uninstalled.
Go to Start > Run
Type the following in the box: ComboFix /u
PS: note the space between X and /u
You should now have something corresponding to the picture below:
Press Enter.

This command will:
Remove the following: ComboFix and its associated files and folders. VundoFix backups, if they exist. The folder C:\Deckard, if it exists. The folder C:\OtMoveIt, if it exists
[*] Reset the clock settings.
[*] Hide file extensions if necessary.
[*] Hide System/Hidden files and folders if necessary.
[*] Reset the system restore points.
thrashrat, posted 4 January 2009

That line from HijackThis is now removed and ComboFix uninstalled, and everything still works. I will look into the Warcraft 3 problem a bit more closely. Thanks a lot for the help
raWrz, posted 4 January 2009 (edited)

Hi, this sounds a bit like your graphics card is getting too hot.
1. Hold down the Windows key and R and type DxDiag in the Run field, let it finish searching and then click Save All Information and post that log :)
2. When you run WC III, download SpeedFan (click where it is blue and says SpeedFan 4.37) and check the temperatures on the GPU and tell us what they are.
*You can also try setting the GPU fan to max if there is a fan on it. It can be a bit noisy but is worth a check*

Edited 4 January 2009 by Submit