Adversary, posted 9 January 2009

Hi. A while ago I posted an entry in the "Veiledning: Hjelp til å få fjernet malware" thread (link). I was then told to start my own thread. When I came home from school today I found this. When I click "remove selected infections" I just get "files not found" on 13 of the 14 trojans. I scanned again with AVG and SAS after I took the picture and they found nothing, just a couple of cookies.

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:45 PM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20900)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\ComHookMonitor.exe
C:\Program Files\ASUS Xonar D2 Audio\Customapp\Program\MixerMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe
C:\Program Files\Messenger\msmsgs.exe
C:\FRAPS\FRAPS.EXE
C:\Program Files\ASUS Xonar D2 Audio\CustomApp\Program\AsusAudioCenter.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio8788Hook] C:\WINDOWS\system\ComHookMonitor.exe Envoke
O4 - HKLM\..\Run: [Cmaudio8788MixerMonitor] C:\Program Files\ASUS Xonar D2 Audio\Customapp\Program\MixerMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - S-1-5-18 Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Shortcut to AsusAudioCenter.lnk = C:\Program Files\ASUS Xonar D2 Audio\CustomApp\Program\AsusAudioCenter.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe (User 'Default user')
O4 - .DEFAULT Startup: Shortcut to AsusAudioCenter.lnk = C:\Program Files\ASUS Xonar D2 Audio\CustomApp\Program\AsusAudioCenter.exe (User 'Default user')
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe
O4 - Startup: Shortcut to AsusAudioCenter.lnk = C:\Program Files\ASUS Xonar D2 Audio\CustomApp\Program\AsusAudioCenter.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 8179 bytes

Is AVG just misreporting?
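As an added example (not code from the thread, and not part of HijackThis itself), here is a small Python parser for log lines in the HijackThis format posted above. The review heuristics are my own, drawn from the entry types visible in that log (O1 hosts mappings to a non-loopback address, O2 BHOs with no file on disk, O20 Winlogon Notify DLLs, O23 services with no publisher), and the sample lines are constructed from it; a hit means "look at this entry", not "this is malware".

```python
import re
from ipaddress import ip_address

# Constructed sample: a handful of entries in the same format as the
# HijackThis log posted in the thread, trimmed to what the checks need.
SAMPLE_HJT_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\\PROGRA~1\\AVG\\AVG8\\avgwdsvc.exe
"""

# Every HJT entry starts with a section code (R0, R1, F0, O1 ... O23) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")


def parse_entries(log_text):
    """Return a list of (code, body) tuples, one per HJT entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def review_hosts(body):
    """O1: flag a hosts-file mapping that points a hostname away from loopback."""
    # body looks like "Hosts: 66.98.148.65 auto.search.msn.com"
    parts = body.split()
    if len(parts) < 3 or parts[0] != "Hosts:":
        return None
    try:
        addr = ip_address(parts[1])
    except ValueError:
        return None
    if addr.is_loopback or addr.is_unspecified:
        return None
    return f"hosts file redirects {parts[2]} to {addr}; verify this mapping is intended"


def review_entry(code, body):
    """Apply one review heuristic per entry type; return a finding or None."""
    if code == "O1":
        return review_hosts(body)
    if code == "O2" and body.rstrip().endswith("(no file)"):
        return "BHO registration whose DLL is missing on disk (stale entry)"
    if code == "O20" and body.startswith("Winlogon Notify:"):
        return "DLL loaded into winlogon.exe at logon; confirm the vendor"
    if code == "O23" and "Unknown owner" in body:
        return "service binary carries no publisher information; confirm its origin"
    return None


def review_log(log_text):
    """Run every heuristic over a log; return [(code, body, finding), ...] for hits."""
    findings = []
    for code, body in parse_entries(log_text):
        finding = review_entry(code, body)
        if finding:
            findings.append((code, body, finding))
    return findings


if __name__ == "__main__":
    for code, body, finding in review_log(SAMPLE_HJT_LOG):
        print(f"{code}: {finding}\n    {body}")
```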
raWrz, posted 9 January 2009

Hi.

Download Malwarebytes' Anti-Malware here or here. Save it to the Desktop. Run the file and install the program. Choose Norwegian as the language. Tick the boxes next to "Update Malwarebytes' Anti-Malware" and "Run Malwarebytes' Anti-Malware", and click Finish. Let the program update itself and choose "Perform quick scan". You will get a message box when the program has finished. Then click the "Show Results" button. If malware was found, you will now see what was found. Then click the "Remove Selected" button to remove whatever malware was found.

Note: If MBAM finds a file that is hard to remove, you will be asked two questions. Click OK on both and let MBAM finish the disinfection. If you are asked to restart the machine, do so right away. When MBAM has finished removing what it found, a log will be opened in Notepad. Post that later if it found anything other than cookies.

Download ComboFix (by sUBs) and put it on the Desktop. Run combofix.exe and follow the instructions. While ComboFix starts up you will be advised to install the Recovery Console (if you do not already have it installed). Say yes to that. Do not click on the window while the program is running; that can cause the program to freeze.

What ComboFix does:
- ComboFix is a multi-fix program made to remove a whole range of known infections, and it produces a log/report listing the files, processes and registry entries present on the PC. That log can show whether something is still on the PC that should be removed. Someone with experience then has to read the log and say how to proceed.

PS: Among other things, ComboFix lists every file created in the last month, and in some cases it can also reveal your full name and other information that may be considered sensitive. For that reason you should go through the log, check whether it contains information you do not want to share with everyone, and censor it.

Post the log file from ComboFix (c:\combofix.txt).
Adversary (thread author), posted 9 January 2009

Back from the shop, and ComboFix is done. MBAM found nothing.

ComboFix log

ComboFix 09-01-08.05 - Rolfie 2009-01-09 18:21:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2139 [GMT 1:00]
Running from: c:\documents and settings\Rolfie\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_AVG

((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.
2009-01-09 18:13 . 2009-01-09 18:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 18:13 . 2009-01-09 18:13 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Malwarebytes
2009-01-09 18:13 . 2009-01-09 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 18:13 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 18:13 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-09 15:38 . 2009-01-09 15:38 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 07:01 . 2009-01-08 07:01 <DIR> d-------- c:\windows\New Folder
2009-01-03 03:33 . 2009-01-03 03:33 <DIR> d-------- c:\program files\Common Files\Logitech
2008-12-29 22:07 . 2008-12-29 22:07 <DIR> d-------- c:\program files\Ventrilo
2008-12-29 22:07 . 2008-12-29 22:07 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-29 22:03 . 2008-12-29 22:08 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Ventrilo
2008-12-25 04:05 . 2008-02-06 03:17 2,570,520 -ra------ c:\windows\system32\drivers\LV302V32.SYS
2008-12-25 04:01 . 2008-12-25 04:01 <DIR> d-------- c:\program files\Logitech
2008-12-25 04:01 . 2008-12-25 04:05 <DIR> d-------- c:\program files\Common Files\LogiShrd
2008-12-25 04:01 . 2008-12-25 04:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2008-12-25 04:01 . 2009-01-03 03:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logishrd
2008-12-25 03:59 . 2008-04-14 00:15 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-12-25 03:59 . 2008-04-14 00:15 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-12-21 04:29 . 2008-12-22 21:21 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Touchstone
2008-12-21 04:27 . 2008-12-21 04:27 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Leadertech
2008-12-21 04:11 . 2008-12-21 04:11 <DIR> d-------- c:\windows\A5B5A16D277A476B8F621029A2F23072.TMP
2008-12-21 04:10 . 2008-12-22 21:21 120 --a------ c:\windows\disney.ini
2008-12-19 22:29 . 2008-12-19 22:29 8 --a------ c:\windows\system32\nvModes.dat
2008-12-18 19:21 . 2009-01-07 19:18 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-18 19:21 . 2009-01-07 19:18 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-18 19:21 . 2009-01-07 19:18 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-18 19:21 . 2009-01-07 19:18 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-18 19:20 . 2009-01-09 18:23 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-18 18:14 . 2008-12-18 18:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-18 17:42 . 2008-12-18 17:42 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-14 17:41 . 2008-12-14 21:26 <DIR> d-------- c:\documents and settings\Rolfie\EurekaLog
2008-12-13 15:44 . 2008-12-13 15:44 <DIR> d-------- c:\program files\VentriloMIX
2008-12-13 15:44 . 2008-12-13 15:44 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\teamspeak2
2008-12-13 15:39 . 2008-12-13 15:39 268 --ah----- C:\sqmdata03.sqm
2008-12-13 15:39 . 2008-12-13 15:39 244 --ah----- C:\sqmnoopt03.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 17:25 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-09 17:19 --------- d-----w c:\documents and settings\Rolfie\Application Data\uTorrent
2009-01-08 14:40 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-03 04:59 --------- d-----w c:\program files\FlashGet
2008-12-29 21:07 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-26 06:42 --------- d-----w c:\documents and settings\Rolfie\Application Data\dvdcss
2008-12-24 18:04 --------- d-----w c:\program files\Java
2008-12-22 20:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 21:49 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-17 16:50 --------- d-----w c:\program files\Opera
2008-12-14 16:42 --------- d-----w c:\program files\MediaMonkey
2008-12-08 23:38 --------- d-----w c:\program files\RevConnect
2008-12-07 21:59 --------- d-----w c:\documents and settings\Rolfie\Application Data\Hamachi
2008-12-06 21:53 --------- d-----w c:\program files\WorldOfGoo
2008-12-06 16:30 --------- d-----w c:\program files\Audacity
2008-12-06 16:28 --------- d-----w c:\program files\lame3.98.2
2008-12-06 15:12 --------- d-----w c:\documents and settings\Rolfie\Application Data\Toribash
2008-12-05 02:26 --------- d-----w c:\documents and settings\Rolfie\Application Data\OpenOffice.org2
2008-12-05 00:08 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-05 00:06 --------- d-----w c:\documents and settings\Rolfie\Application Data\SystemRequirementsLab
2008-11-26 22:17 --------- d-----w c:\program files\Hamachi
2008-11-26 22:16 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-11-12 21:49 --------- d-----w c:\program files\MSXML 4.0
2008-11-12 21:49 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-11 22:39 --------- d-----w c:\program files\ASUS Xonar D2 Audio
2008-11-11 22:06 22,328 ----a-w c:\documents and settings\Rolfie\Application Data\PnkBstrK.sys
2008-11-09 21:51 --------- d-----w c:\documents and settings\Rolfie\Application Data\Red Alert 3
2008-11-09 15:32 --------- d-----w c:\program files\PortTrigger
2008-11-09 13:14 --------- d-----w c:\documents and settings\Rolfie\Application Data\Locktime
2008-11-09 11:13 --------- d-----w c:\program files\NetLimiter 2 Pro
2008-11-09 11:13 --------- d-----w c:\documents and settings\All Users\Application Data\Locktime
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-27 1576176]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"EVEREST AutoStart"="c:\program files\Lavalys\EVEREST Ultimate Edition\everest.exe" [2008-03-16 2083424]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Fraps"="c:\fraps\FRAPS.EXE" [2008-01-14 3182248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"Cmaudio8788Hook"="c:\windows\system\ComHookMonitor.exe" [2007-08-10 20480]
"Cmaudio8788MixerMonitor"="c:\program files\ASUS Xonar D2 Audio\Customapp\Program\MixerMonitor.exe" [2007-09-07 90112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

c:\documents and settings\Rolfie\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-02-13 493832]
Shortcut to AsusAudioCenter.lnk - c:\program files\ASUS Xonar D2 Audio\CustomApp\Program\AsusAudioCenter.exe [2008-10-13 1044480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 12:58 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-07 19:18 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Rolfie^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Rolfie\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nlsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\RevConnect\\DCPlusPlus.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"g:\\Spill\\Left 4 dead\\left4dead.exe"=
"g:\\Spill\\Steam\\SteamApps\\adversary221\\diprip warm up\\hl2.exe"=
"g:\\Spill\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"g:\\Spill\\Steam\\Steam.exe"=
"g:\\Spill\\Steam\\SteamApps\\adversary221\\garrysmod\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"g:\\Spill\\Battlefield2\\BF2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"g:\\Spill\\Steam\\SteamApps\\adversary221\\counter-strike source\\hl2.exe"=
"g:\\Spill\\Steam\\SteamApps\\adversary221\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20001:TCP"= 20001:TCP:connect

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-18 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-18 324872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-18 107272]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-04-23 82200]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-08-19 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-08-19 55024]
R3 cmudaxp;ASUS Xonar D2 Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-10-13 1839680]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2008-10-13 23152]
R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2008-10-28 9216]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-07 298264]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Rolfie\Start Menu\Programs\IMVU\Run IMVU.lnk
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 18:25:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(792)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\Rolfie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10001.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-09 18:26:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 17:26:35

Pre-Run: 21,696,303,104 bytes free
Post-Run: 21,729,857,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

223
raWrz, posted 9 January 2009

Go to http://virusscan.jotti.org, click Browse, and upload the following file for analysis:

c:\windows\system32\drivers\LV302V32.SYS

Then click Submit. Accept that the file will be scanned. Finally, copy the result and paste it into your next post, so I can look at it and decide what needs to be done next.
norbat, posted 9 January 2009

Regarding what AVG found in your first post: those were infected files sitting in your System Restore (harmless as long as you did not run a system restore). You will get that sorted out at the end of this support anyway.
Adversary (thread author), posted 10 January 2009

Quoting raWrz: "Go to http://virusscan.jotti.org, click Browse, and upload the following file for analysis: c:\windows\system32\drivers\LV302V32.SYS Then click Submit. Accept that the file will be scanned. Finally, copy the result and paste it into your next post, so I can look at it and decide what needs to be done next."

File: LV302V32.SYS
Status: OK
MD5: 39c3cdf1f845e8cc14331bbd3799c7cb
Packers detected: -

"Found nothing" on all the antivirus engines.
Adversary (thread author), posted 10 January 2009

I was met by this on the laptop on the same network when I try to log in to MSN; the same error message was on the desktop when I woke up today. Trying the same routine on the laptop now.
raWrz, posted 10 January 2009

Can you hold off on posting a log for that one? We finish with the first one, and then we take the next.
raWrz, posted 10 January 2009

Click Start - All Programs - Accessories - Notepad.

Copy and paste the text in the code box below into Notepad:

File::
c:\windows\A5B5A16D277A476B8F621029A2F23072.TMP
c:\windows\disney.ini

Save it as CFScript on the Desktop.

Drag CFScript onto ComboFix.exe, which is on the Desktop, as the animation below shows. This will start ComboFix again. If the machine asks for a restart, let it do so right away.

Post the contents of ComboFix.txt in your next reply on the forum.
Adversary (thread author), posted 10 January 2009

ComboFix log

ComboFix 09-01-09.03 - Rolfie 2009-01-10 13:30:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2156 [GMT 1:00]
Running from: c:\documents and settings\Rolfie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rolfie\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\A5B5A16D277A476B8F621029A2F23072.TMP
c:\windows\disney.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\disney.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_AVG

((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.
2009-01-10 03:01 . 2009-01-10 03:01 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-10 03:00 . 2009-01-10 03:03 1,374 --a------ c:\windows\imsins.BAK
2009-01-10 02:29 . 2008-10-23 13:36 286,720 -----c--- c:\windows\system32\dllcache\gdi32.dll
2009-01-09 18:13 . 2009-01-09 18:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 18:13 . 2009-01-09 18:13 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Malwarebytes
2009-01-09 18:13 . 2009-01-09 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 18:13 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 18:13 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-09 15:38 . 2009-01-09 15:38 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 07:01 . 2009-01-08 07:01 <DIR> d-------- c:\windows\New Folder
2009-01-03 03:33 . 2009-01-03 03:33 <DIR> d-------- c:\program files\Common Files\Logitech
2008-12-29 22:07 . 2008-12-29 22:07 <DIR> d-------- c:\program files\Ventrilo
2008-12-29 22:07 . 2008-12-29 22:07 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-29 22:03 . 2008-12-29 22:08 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Ventrilo
2008-12-25 04:05 . 2008-02-06 03:17 2,570,520 -ra------ c:\windows\system32\drivers\LV302V32.SYS
2008-12-25 04:01 . 2008-12-25 04:01 <DIR> d-------- c:\program files\Logitech
2008-12-25 04:01 . 2008-12-25 04:05 <DIR> d-------- c:\program files\Common Files\LogiShrd
2008-12-25 04:01 . 2008-12-25 04:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2008-12-25 04:01 . 2009-01-03 03:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logishrd
2008-12-25 03:59 . 2008-04-14 00:15 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-12-25 03:59 . 2008-04-14 00:15 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-12-21 04:29 . 2008-12-22 21:21 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Touchstone
2008-12-21 04:27 . 2008-12-21 04:27 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Leadertech
2008-12-21 04:11 . 2008-12-21 04:11 <DIR> d-------- c:\windows\A5B5A16D277A476B8F621029A2F23072.TMP
2008-12-19 22:29 . 2008-12-19 22:29 8 --a------ c:\windows\system32\nvModes.dat
2008-12-18 19:21 . 2009-01-07 19:18 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-18 19:21 . 2009-01-07 19:18 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-18 19:21 . 2009-01-07 19:18 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-18 19:21 . 2009-01-07 19:18 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-18 19:20 . 2009-01-10 03:48 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-18 18:14 . 2008-12-18 18:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-18 17:42 . 2008-12-18 17:42 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-14 17:41 . 2008-12-14 21:26 <DIR> d-------- c:\documents and settings\Rolfie\EurekaLog
2008-12-13 15:44 . 2008-12-13 15:44 <DIR> d-------- c:\program files\VentriloMIX
2008-12-13 15:44 . 2008-12-13 15:44 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\teamspeak2
2008-12-13 15:39 . 2008-12-13 15:39 268 --ah----- C:\sqmdata03.sqm
2008-12-13 15:39 . 2008-12-13 15:39 244 --ah----- C:\sqmnoopt03.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 12:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-10 12:30 --------- d-----w c:\documents and settings\Rolfie\Application Data\uTorrent
2009-01-10 10:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-03 04:59 --------- d-----w c:\program files\FlashGet
2008-12-29 21:07 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-26 06:42 --------- d-----w c:\documents and settings\Rolfie\Application Data\dvdcss
2008-12-24 18:04 --------- d-----w c:\program files\Java
2008-12-22 20:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 21:49 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-17 16:50 --------- d-----w c:\program files\Opera
2008-12-14 16:42 --------- d-----w c:\program files\MediaMonkey
2008-12-08 23:38 --------- d-----w c:\program files\RevConnect
2008-12-07 21:59 --------- d-----w c:\documents and settings\Rolfie\Application Data\Hamachi
2008-12-06 21:53 --------- d-----w c:\program files\WorldOfGoo
2008-12-06 16:30 --------- d-----w c:\program files\Audacity
2008-12-06 16:28 --------- d-----w c:\program files\lame3.98.2
2008-12-06 15:12 --------- d-----w c:\documents and settings\Rolfie\Application Data\Toribash
2008-12-05 02:26 --------- d-----w c:\documents and settings\Rolfie\Application Data\OpenOffice.org2
2008-12-05 00:08 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-05 00:06 --------- d-----w c:\documents and settings\Rolfie\Application Data\SystemRequirementsLab
2008-11-26 22:17 --------- d-----w c:\program files\Hamachi
2008-11-26 22:16 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-11-12 21:49 --------- d-----w c:\program files\MSXML 4.0
2008-11-12 21:49 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-11 22:39 --------- d-----w c:\program files\ASUS Xonar D2 Audio
2008-11-11 22:06 22,328 ----a-w c:\documents and settings\Rolfie\Application Data\PnkBstrK.sys
.
((((((((((((((((((((((((((((( snapshot@2009-01-09_18.26.13.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-12 22:34:10 1,257,472 ----a-w c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-01-10 02:01:08 1,265,664 ----a-w c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-11-12 22:34:12 1,224,704 ----a-w c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-01-10 02:01:09 1,232,896 ----a-w c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-01-10 02:01:27 61,440 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_3b18d422\CustomMarshalers.dll
+ 2009-01-10 02:01:48 118,784 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_89dbf700\CustomMarshalers.dll
+ 2009-01-10 02:01:45 3,391,488 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_44ade69c\mscorlib.dll
+ 2009-01-10 02:01:57 8,908,800 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_83444ec3\mscorlib.dll
+ 2009-01-10 02:01:53 3,395,584 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_05940f7b\System.Design.dll
+ 2009-01-10 02:01:40 1,470,464 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_c5ea6b44\System.Design.dll
+ 2009-01-10 02:01:28 90,112 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_c312b529\System.Drawing.Design.dll
+ 2009-01-10 02:01:49 192,512 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_e98da677\System.Drawing.Design.dll
+ 2009-01-10 02:01:42 835,584 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_55a55627\System.Drawing.dll
+ 2009-01-10 02:01:54 2,244,608 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_fb749a3c\System.Drawing.dll
+ 2009-01-10 02:01:51 7,884,800 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_0594ef9e\System.Windows.Forms.dll
+ 2009-01-10 02:01:32 3,018,752 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_c52aed51\System.Windows.Forms.dll
+ 2009-01-10 02:01:35 2,088,960 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_10fffa7d\System.Xml.dll
+ 2009-01-10 02:01:52 5,513,216 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_ce26abda\System.Xml.dll
+ 2009-01-10 02:01:26 1,966,080 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_4fef2ed4\System.dll
+ 2009-01-10 02:01:48 4,788,224 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_a47117dd\System.dll
+ 2008-08-26 09:08:35 124,928 -c----w c:\windows\ie7updates\KB958215-IE7\advpack.dll
+ 2008-08-26 09:08:36 347,136 -c----w c:\windows\ie7updates\KB958215-IE7\dxtmsft.dll
+ 2008-08-26 09:08:36 214,528 -c----w c:\windows\ie7updates\KB958215-IE7\dxtrans.dll
+ 2008-08-26 09:08:36 132,608 -c----w
c:\windows\ie7updates\KB958215-IE7\extmgr.dll + 2008-08-26 09:08:36 63,488 -c----w c:\windows\ie7updates\KB958215-IE7\icardie.dll + 2008-08-25 08:43:21 70,656 -c----w c:\windows\ie7updates\KB958215-IE7\ie4uinit.exe + 2008-08-26 09:08:36 153,088 -c----w c:\windows\ie7updates\KB958215-IE7\ieakeng.dll + 2008-08-26 09:08:36 230,400 -c----w c:\windows\ie7updates\KB958215-IE7\ieaksie.dll + 2008-08-23 05:54:50 161,792 -c----w c:\windows\ie7updates\KB958215-IE7\ieakui.dll + 2008-08-26 09:08:36 380,928 -c----w c:\windows\ie7updates\KB958215-IE7\ieapfltr.dll + 2008-08-26 09:08:37 388,608 -c----w c:\windows\ie7updates\KB958215-IE7\iedkcs32.dll + 2008-10-03 17:26:50 6,068,224 -c----w c:\windows\ie7updates\KB958215-IE7\ieframe.dll + 2008-08-26 09:08:39 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\iernonce.dll + 2008-08-26 09:08:39 267,776 -c----w c:\windows\ie7updates\KB958215-IE7\iertutil.dll + 2008-08-25 08:43:21 13,824 -c----w c:\windows\ie7updates\KB958215-IE7\ieudinit.exe + 2008-08-23 05:56:16 635,848 -c----w c:\windows\ie7updates\KB958215-IE7\iexplore.exe + 2008-08-26 09:08:40 27,648 -c----w c:\windows\ie7updates\KB958215-IE7\jsproxy.dll + 2008-08-26 09:08:40 459,264 -c----w c:\windows\ie7updates\KB958215-IE7\msfeeds.dll + 2008-08-26 09:08:40 52,224 -c----w c:\windows\ie7updates\KB958215-IE7\msfeedsbs.dll + 2008-08-26 09:08:43 477,696 -c----w c:\windows\ie7updates\KB958215-IE7\mshtmled.dll + 2008-08-26 09:08:44 193,024 -c----w c:\windows\ie7updates\KB958215-IE7\msrating.dll + 2008-08-26 09:08:44 671,232 -c----w c:\windows\ie7updates\KB958215-IE7\mstime.dll + 2008-08-26 09:08:44 102,912 -c----w c:\windows\ie7updates\KB958215-IE7\occache.dll + 2008-08-26 09:08:44 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\pngfilt.dll + 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\spuninst.exe + 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\updspapi.dll + 2008-08-26 09:08:44 105,984 -c----w 
c:\windows\ie7updates\KB958215-IE7\url.dll + 2008-08-26 09:08:45 1,162,752 -c----w c:\windows\ie7updates\KB958215-IE7\urlmon.dll + 2008-08-26 09:08:45 233,472 -c----w c:\windows\ie7updates\KB958215-IE7\webcheck.dll + 2008-08-26 09:08:45 827,904 -c----w c:\windows\ie7updates\KB958215-IE7\wininet.dll + 2008-08-26 09:08:43 3,594,752 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll + 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe + 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll - 2004-07-15 00:49:16 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll + 2007-04-13 20:30:52 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll - 2004-07-15 00:49:22 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe + 2007-04-13 20:30:52 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe - 2004-07-14 23:32:22 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll + 2007-04-13 19:57:52 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll - 2003-02-20 18:09:14 86,016 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll + 2007-04-13 19:57:58 86,016 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll - 2004-07-14 23:25:06 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll + 2007-04-13 19:56:30 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll - 2004-07-14 23:33:04 102,400 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll + 2007-04-13 19:58:00 102,400 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll - 2004-07-15 13:29:02 2,138,112 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll + 2007-04-13 19:50:46 2,142,208 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll - 2003-02-20 18:09:18 77,824 ----a-w 
c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll + 2007-04-13 19:58:02 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll - 2004-07-14 23:26:52 2,510,848 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll + 2007-04-13 19:57:00 2,523,136 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll - 2004-07-14 23:28:34 2,502,656 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll + 2007-04-13 19:57:28 2,514,944 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll - 2004-08-10 15:20:00 106,496 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe + 2007-01-15 15:11:26 73,728 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe + 2004-07-15 00:49:16 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW3836\_aspnet_isapi.dll + 2004-07-14 23:32:22 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW3836\_CORPerfMonExt.dll + 2004-07-14 23:24:30 282,624 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW3836\_fusion.dll + 2004-07-14 23:25:06 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW3836\_mscorjit.dll + 2004-07-15 13:29:02 2,138,112 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW3836\_mscorlib.dll + 2003-02-20 18:09:18 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW3836\_mscorsn.dll + 2004-07-14 23:26:52 2,510,848 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW3836\_mscorsvr.dll + 2004-07-14 23:28:34 2,502,656 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW3836\_mscorwks.dll + 2003-02-21 03:42:22 348,160 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW3836\_msvcr71.dll + 2004-07-14 23:34:50 94,208 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW3836\_PerfCounter.dll - 2004-07-15 13:31:16 1,224,704 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll + 2007-04-13 20:35:38 1,232,896 ----a-w 
c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll - 2004-07-15 13:29:00 1,257,472 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll + 2007-04-13 20:35:46 1,265,664 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll - 2008-08-26 09:08:35 124,928 ----a-w c:\windows\system32\advpack.dll + 2008-10-16 20:24:09 124,928 ----a-w c:\windows\system32\advpack.dll - 2007-12-31 10:48:59 92,504 ----a-w c:\windows\system32\cdm.dll + 2008-10-16 13:09:44 92,696 ----a-w c:\windows\system32\cdm.dll - 2008-08-26 09:08:35 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll + 2008-10-16 20:24:09 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll - 2007-12-31 10:48:59 92,504 -c--a-w c:\windows\system32\dllcache\cdm.dll + 2008-10-16 13:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll - 2008-08-26 09:08:36 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll + 2008-10-16 20:24:09 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll - 2008-08-26 09:08:36 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll + 2008-10-16 20:24:09 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll - 2008-08-26 09:08:36 132,608 -c--a-w c:\windows\system32\dllcache\extmgr.dll + 2008-10-16 20:24:09 132,608 -c--a-w c:\windows\system32\dllcache\extmgr.dll - 2008-08-26 09:08:36 63,488 -c----w c:\windows\system32\dllcache\icardie.dll + 2008-10-16 20:24:09 63,488 -c----w c:\windows\system32\dllcache\icardie.dll - 2008-08-25 08:43:21 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe + 2008-10-16 12:46:08 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe - 2008-08-26 09:08:36 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll + 2008-10-16 20:24:09 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll - 2008-08-26 09:08:36 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll + 2008-10-16 20:24:09 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll - 2008-08-23 05:54:50 161,792 -c--a-w 
c:\windows\system32\dllcache\ieakui.dll + 2008-10-15 06:33:26 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll - 2008-08-26 09:08:36 380,928 -c----w c:\windows\system32\dllcache\ieapfltr.dll + 2008-10-16 20:24:09 380,928 -c----w c:\windows\system32\dllcache\ieapfltr.dll - 2008-08-26 09:08:37 388,608 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll + 2008-10-16 20:24:09 388,608 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll - 2008-10-03 17:26:50 6,068,224 -c----w c:\windows\system32\dllcache\ieframe.dll + 2008-10-16 20:24:09 6,068,224 -c----w c:\windows\system32\dllcache\ieframe.dll - 2008-08-26 09:08:39 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll + 2008-10-16 20:24:09 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll - 2008-08-26 09:08:39 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll + 2008-10-16 20:24:09 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll - 2008-08-25 08:43:21 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe + 2008-10-16 12:46:08 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe - 2008-08-23 05:56:16 635,848 -c--a-w c:\windows\system32\dllcache\iexplore.exe + 2008-10-15 06:34:58 633,632 -c--a-w c:\windows\system32\dllcache\iexplore.exe - 2008-08-26 09:08:40 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll + 2008-10-16 20:24:10 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll - 2006-10-18 19:03:58 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe + 2008-06-18 00:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe - 2008-08-26 09:08:40 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll + 2008-10-16 20:24:10 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll - 2008-08-26 09:08:40 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll + 2008-10-16 20:24:10 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll - 2008-08-26 09:08:43 3,594,752 -c--a-w c:\windows\system32\dllcache\mshtml.dll + 2008-12-13 06:26:56 3,594,752 -c--a-w 
c:\windows\system32\dllcache\mshtml.dll - 2008-08-26 09:08:43 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll + 2008-10-16 20:24:10 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll - 2008-08-26 09:08:44 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll + 2008-10-16 20:24:10 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll - 2008-08-26 09:08:44 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll + 2008-10-16 20:24:10 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll - 2008-08-26 09:08:44 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll + 2008-10-16 20:24:10 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll - 2008-08-26 09:08:44 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll + 2008-10-16 20:24:10 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll - 2008-08-26 09:08:44 105,984 -c--a-w c:\windows\system32\dllcache\url.dll + 2008-10-16 20:24:10 105,984 -c--a-w c:\windows\system32\dllcache\url.dll - 2008-08-26 09:08:45 1,162,752 -c--a-w c:\windows\system32\dllcache\urlmon.dll + 2008-10-16 20:24:11 1,163,264 -c--a-w c:\windows\system32\dllcache\urlmon.dll - 2008-08-26 09:08:45 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll + 2008-10-16 20:24:11 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll - 2008-08-26 09:08:45 827,904 -c--a-w c:\windows\system32\dllcache\wininet.dll + 2008-10-16 20:24:11 827,904 -c--a-w c:\windows\system32\dllcache\wininet.dll - 2006-10-18 20:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll + 2008-06-18 04:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll - 2006-10-18 20:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll + 2008-06-18 04:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\WMVCore.dll - 2007-12-31 10:51:22 549,720 -c--a-w c:\windows\system32\dllcache\wuapi.dll + 2008-10-16 13:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll - 2007-12-31 10:51:23 53,080 -c--a-w 
c:\windows\system32\dllcache\wuauclt.exe + 2008-10-16 13:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe - 2007-12-31 10:51:25 1,712,984 -c--a-w c:\windows\system32\dllcache\wuaueng.dll + 2008-10-16 13:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll - 2007-12-31 10:51:26 325,976 -c--a-w c:\windows\system32\dllcache\wucltui.dll + 2008-10-16 13:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll - 2007-12-31 10:51:26 33,624 -c--a-w c:\windows\system32\dllcache\wups.dll + 2008-10-16 13:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll - 2007-12-31 10:51:26 203,096 -c--a-w c:\windows\system32\dllcache\wuweb.dll + 2008-10-16 13:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll - 2008-08-26 09:08:36 347,136 ----a-w c:\windows\system32\dxtmsft.dll + 2008-10-16 20:24:09 347,136 ----a-w c:\windows\system32\dxtmsft.dll - 2008-08-26 09:08:36 214,528 ----a-w c:\windows\system32\dxtrans.dll + 2008-10-16 20:24:09 214,528 ----a-w c:\windows\system32\dxtrans.dll - 2008-08-26 09:08:36 132,608 ----a-w c:\windows\system32\extmgr.dll + 2008-10-16 20:24:09 132,608 ----a-w c:\windows\system32\extmgr.dll - 2008-04-14 01:11:56 285,184 ----a-w c:\windows\system32\gdi32.dll + 2008-10-23 12:36:14 286,720 ----a-w c:\windows\system32\gdi32.dll - 2008-08-26 09:08:36 63,488 ----a-w c:\windows\system32\icardie.dll + 2008-10-16 20:24:09 63,488 ----a-w c:\windows\system32\icardie.dll - 2008-08-25 08:43:21 70,656 ----a-w c:\windows\system32\ie4uinit.exe + 2008-10-16 12:46:08 70,656 ----a-w c:\windows\system32\ie4uinit.exe - 2008-08-26 09:08:36 153,088 ----a-w c:\windows\system32\ieakeng.dll + 2008-10-16 20:24:09 153,088 ----a-w c:\windows\system32\ieakeng.dll - 2008-08-26 09:08:36 230,400 ----a-w c:\windows\system32\ieaksie.dll + 2008-10-16 20:24:09 230,400 ----a-w c:\windows\system32\ieaksie.dll - 2008-08-23 05:54:50 161,792 ----a-w c:\windows\system32\ieakui.dll + 2008-10-15 06:33:26 161,792 ----a-w c:\windows\system32\ieakui.dll - 
2008-08-26 09:08:36 380,928 ----a-w c:\windows\system32\ieapfltr.dll + 2008-10-16 20:24:09 380,928 ----a-w c:\windows\system32\ieapfltr.dll - 2008-08-26 09:08:37 388,608 ----a-w c:\windows\system32\iedkcs32.dll + 2008-10-16 20:24:09 388,608 ----a-w c:\windows\system32\iedkcs32.dll - 2008-10-03 17:26:50 6,068,224 ----a-w c:\windows\system32\ieframe.dll + 2008-10-16 20:24:09 6,068,224 ----a-w c:\windows\system32\ieframe.dll - 2008-08-26 09:08:39 44,544 ----a-w c:\windows\system32\iernonce.dll + 2008-10-16 20:24:09 44,544 ----a-w c:\windows\system32\iernonce.dll - 2008-08-26 09:08:39 267,776 ----a-w c:\windows\system32\iertutil.dll + 2008-10-16 20:24:09 267,776 ----a-w c:\windows\system32\iertutil.dll - 2008-08-25 08:43:21 13,824 ----a-w c:\windows\system32\ieudinit.exe + 2008-10-16 12:46:08 13,824 ----a-w c:\windows\system32\ieudinit.exe - 2008-08-26 09:08:40 27,648 ----a-w c:\windows\system32\jsproxy.dll + 2008-10-16 20:24:10 27,648 ----a-w c:\windows\system32\jsproxy.dll - 2006-10-18 19:03:58 100,864 ----a-w c:\windows\system32\logagent.exe + 2008-06-18 00:09:22 100,864 ----a-w c:\windows\system32\logagent.exe - 2008-11-03 15:10:26 17,318,336 ----a-w c:\windows\system32\MRT.exe + 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe - 2008-08-26 09:08:40 459,264 ----a-w c:\windows\system32\msfeeds.dll + 2008-10-16 20:24:10 459,264 ----a-w c:\windows\system32\msfeeds.dll - 2008-08-26 09:08:40 52,224 ----a-w c:\windows\system32\msfeedsbs.dll + 2008-10-16 20:24:10 52,224 ----a-w c:\windows\system32\msfeedsbs.dll - 2008-08-26 09:08:43 3,594,752 ----a-w c:\windows\system32\mshtml.dll + 2008-12-13 06:26:56 3,594,752 ----a-w c:\windows\system32\mshtml.dll - 2008-08-26 09:08:43 477,696 ----a-w c:\windows\system32\mshtmled.dll + 2008-10-16 20:24:10 477,696 ----a-w c:\windows\system32\mshtmled.dll - 2008-08-26 09:08:44 193,024 ----a-w c:\windows\system32\msrating.dll + 2008-10-16 20:24:10 193,024 ----a-w c:\windows\system32\msrating.dll - 2008-08-26 09:08:44 
671,232 ----a-w c:\windows\system32\mstime.dll + 2008-10-16 20:24:10 671,232 ----a-w c:\windows\system32\mstime.dll - 2007-12-31 10:50:26 271,224 ----a-w c:\windows\system32\mucltui.dll + 2008-10-16 13:06:48 268,648 ----a-w c:\windows\system32\mucltui.dll - 2007-12-31 10:50:26 207,736 ----a-w c:\windows\system32\muweb.dll + 2008-10-16 13:06:48 208,744 ----a-w c:\windows\system32\muweb.dll - 2008-08-26 09:08:44 102,912 ----a-w c:\windows\system32\occache.dll + 2008-10-16 20:24:10 102,912 ----a-w c:\windows\system32\occache.dll - 2008-08-26 09:08:44 44,544 ----a-w c:\windows\system32\pngfilt.dll + 2008-10-16 20:24:10 44,544 ----a-w c:\windows\system32\pngfilt.dll + 2008-10-16 13:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll + 2008-10-16 13:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll - 2006-09-25 16:58:48 14,640 ------w c:\windows\system32\spmsg.dll + 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll - 2008-07-11 12:42:28 62,976 ------w c:\windows\system32\tzchange.exe + 2008-10-23 10:06:59 62,976 ------w c:\windows\system32\tzchange.exe - 2008-08-26 09:08:44 105,984 ----a-w c:\windows\system32\url.dll + 2008-10-16 20:24:10 105,984 ----a-w c:\windows\system32\url.dll - 2008-08-26 09:08:45 1,162,752 ----a-w c:\windows\system32\urlmon.dll + 2008-10-16 20:24:11 1,163,264 ----a-w c:\windows\system32\urlmon.dll - 2008-08-26 09:08:45 233,472 ----a-w c:\windows\system32\webcheck.dll + 2008-10-16 20:24:11 233,472 ----a-w c:\windows\system32\webcheck.dll - 2008-08-26 09:08:45 827,904 ----a-w c:\windows\system32\wininet.dll + 2008-10-16 20:24:11 827,904 ----a-w c:\windows\system32\wininet.dll - 2006-10-18 20:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll + 2008-06-18 04:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll - 2006-10-18 20:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll + 2008-06-18 04:03:14 
2,458,112 ----a-w c:\windows\system32\WMVCore.dll - 2007-12-31 10:51:22 549,720 ----a-w c:\windows\system32\wuapi.dll + 2008-10-16 13:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll - 2007-12-31 10:51:23 53,080 ----a-w c:\windows\system32\wuauclt.exe + 2008-10-16 13:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe - 2007-12-31 10:51:25 1,712,984 ----a-w c:\windows\system32\wuaueng.dll + 2008-10-16 13:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll - 2007-12-31 10:51:26 325,976 ----a-w c:\windows\system32\wucltui.dll + 2008-10-16 13:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll - 2007-12-31 10:51:26 33,624 ----a-w c:\windows\system32\wups.dll + 2008-10-16 13:08:58 34,328 ----a-w c:\windows\system32\wups.dll - 2007-12-31 10:51:26 43,352 ----a-w c:\windows\system32\wups2.dll + 2008-10-16 13:09:44 43,544 ----a-w c:\windows\system32\wups2.dll - 2007-12-31 10:51:26 203,096 ----a-w c:\windows\system32\wuweb.dll + 2008-10-16 13:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll + 2009-01-10 12:33:44 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6f4.dat . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-27 1576176]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"EVEREST AutoStart"="c:\program files\Lavalys\EVEREST Ultimate Edition\everest.exe" [2008-03-16 2083424]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Fraps"="c:\fraps\FRAPS.EXE" [2008-01-14 3182248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"Cmaudio8788Hook"="c:\windows\system\ComHookMonitor.exe" [2007-08-10 20480]
"Cmaudio8788MixerMonitor"="c:\program files\ASUS Xonar D2 Audio\Customapp\Program\MixerMonitor.exe" [2007-09-07 90112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

c:\documents and settings\Rolfie\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-02-13 493832]
Shortcut to AsusAudioCenter.lnk - c:\program files\ASUS Xonar D2 Audio\CustomApp\Program\AsusAudioCenter.exe [2008-10-13 1044480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 12:58 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-07 19:18 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Rolfie^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Rolfie\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nlsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\RevConnect\\DCPlusPlus.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"g:\\Spill\\Left 4 dead\\left4dead.exe"=
"g:\\Spill\\Steam\\SteamApps\\adversary221\\diprip warm up\\hl2.exe"=
"g:\\Spill\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"g:\\Spill\\Steam\\Steam.exe"=
"g:\\Spill\\Steam\\SteamApps\\adversary221\\garrysmod\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"g:\\Spill\\Battlefield2\\BF2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"g:\\Spill\\Steam\\SteamApps\\adversary221\\counter-strike source\\hl2.exe"=
"g:\\Spill\\Steam\\SteamApps\\adversary221\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20001:TCP"= 20001:TCP:connect

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-18 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-18 324872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-18 107272]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-04-23 82200]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-08-19 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-08-19 55024]
R3 cmudaxp;ASUS Xonar D2 Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-10-13 1839680]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2008-10-13 23152]
R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2008-10-28 9216]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-07 298264]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVERESTDRIVER
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Rolfie\Start Menu\Programs\IMVU\Run IMVU.lnk
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 13:35:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\Rolfie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10001.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-01-10 13:36:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-10 12:36:08
ComboFix2.txt 2009-01-09 17:26:39

Pre-Run: 21,298,933,760 bytes free
Post-Run: 21,418,192,896 bytes free

484 --- E O F --- 2009-01-10 02:03:10
Adversary, posted 10 January 2009 (thread author)
Just scanned for rootkits with AVG and it found "C:\WINDOWS\System32\Drivers\aajs4yoq.SYS";"Hidden driver";"Object is hidden"
Found another one on the laptop. Hope that helps.
raWrz, posted 10 January 2009
Click Start - All Programs - Accessories - Notepad
Copy and paste the text in the code box below into Notepad:

DirLook::
c:\windows\A5B5A16D277A476B8F621029A2F23072.TMP

Save it as CFScript on the Desktop.
Drag CFScript onto ComboFix.exe, which is on the Desktop, as the animation below shows. This will start ComboFix again.
If the machine asks for a restart, let it do so right away.
Post the contents of ComboFix.txt in your next reply on the forum.
Adversary, posted 10 January 2009 (thread author)
ComboFix log

ComboFix 09-01-09.03 - Rolfie 2009-01-10 15:10:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2223 [GMT 1:00]
Running from: c:\documents and settings\Rolfie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rolfie\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.
2009-01-10 03:01 . 2009-01-10 03:01 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-10 03:00 . 2009-01-10 03:03 1,374 --a------ c:\windows\imsins.BAK
2009-01-10 02:29 . 2008-10-23 13:36 286,720 -----c--- c:\windows\system32\dllcache\gdi32.dll
2009-01-09 18:13 . 2009-01-09 18:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 18:13 . 2009-01-09 18:13 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Malwarebytes
2009-01-09 18:13 . 2009-01-09 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 18:13 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 18:13 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-09 15:38 . 2009-01-09 15:38 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 07:01 . 2009-01-08 07:01 <DIR> d-------- c:\windows\New Folder
2009-01-03 03:33 . 2009-01-03 03:33 <DIR> d-------- c:\program files\Common Files\Logitech
2008-12-29 22:07 . 2008-12-29 22:07 <DIR> d-------- c:\program files\Ventrilo
2008-12-29 22:07 . 2008-12-29 22:07 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-29 22:03 . 2008-12-29 22:08 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Ventrilo
2008-12-25 04:05 . 2008-02-06 03:17 2,570,520 -ra------ c:\windows\system32\drivers\LV302V32.SYS
2008-12-25 04:01 . 2008-12-25 04:01 <DIR> d-------- c:\program files\Logitech
2008-12-25 04:01 . 2008-12-25 04:05 <DIR> d-------- c:\program files\Common Files\LogiShrd
2008-12-25 04:01 . 2008-12-25 04:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2008-12-25 04:01 . 2009-01-03 03:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logishrd
2008-12-25 03:59 . 2008-04-14 00:15 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-12-25 03:59 . 2008-04-14 00:15 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-12-21 04:29 . 2008-12-22 21:21 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Touchstone
2008-12-21 04:27 . 2008-12-21 04:27 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Leadertech
2008-12-21 04:11 . 2008-12-21 04:11 <DIR> d-------- c:\windows\A5B5A16D277A476B8F621029A2F23072.TMP
2008-12-19 22:29 . 2008-12-19 22:29 8 --a------ c:\windows\system32\nvModes.dat
2008-12-18 19:21 . 2009-01-07 19:18 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-18 19:21 . 2009-01-07 19:18 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-18 19:21 . 2009-01-07 19:18 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-18 19:21 . 2009-01-07 19:18 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-18 19:20 . 2009-01-10 03:48 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-18 18:14 . 2008-12-18 18:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-18 17:42 . 2008-12-18 17:42 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-14 17:41 . 2008-12-14 21:26 <DIR> d-------- c:\documents and settings\Rolfie\EurekaLog
2008-12-13 15:44 . 2008-12-13 15:44 <DIR> d-------- c:\program files\VentriloMIX
2008-12-13 15:44 . 2008-12-13 15:44 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\teamspeak2
2008-12-13 15:39 . 2008-12-13 15:39 268 --ah----- C:\sqmdata03.sqm
2008-12-13 15:39 . 2008-12-13 15:39 244 --ah----- C:\sqmnoopt03.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 12:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-10 12:30 --------- d-----w c:\documents and settings\Rolfie\Application Data\uTorrent
2009-01-10 10:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-03 04:59 --------- d-----w c:\program files\FlashGet
2008-12-29 21:07 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-26 06:42 --------- d-----w c:\documents and settings\Rolfie\Application Data\dvdcss
2008-12-24 18:04 --------- d-----w c:\program files\Java
2008-12-22 20:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 21:49 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-20 21:47 201,352 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-17 16:50 --------- d-----w c:\program files\Opera
2008-12-14 16:42 --------- d-----w c:\program files\MediaMonkey
2008-12-08 23:38 --------- d-----w c:\program files\RevConnect
2008-12-07 21:59 --------- d-----w c:\documents and settings\Rolfie\Application Data\Hamachi
2008-12-06 21:53 --------- d-----w c:\program files\WorldOfGoo
2008-12-06 16:30 --------- d-----w c:\program files\Audacity
2008-12-06 16:28 --------- d-----w c:\program files\lame3.98.2
2008-12-06 15:12 --------- d-----w c:\documents and settings\Rolfie\Application Data\Toribash
2008-12-05 02:26 --------- d-----w c:\documents and settings\Rolfie\Application Data\OpenOffice.org2
2008-12-05 00:08 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-05 00:06 --------- d-----w c:\documents and settings\Rolfie\Application Data\SystemRequirementsLab
2008-11-26 22:17 --------- d-----w c:\program files\Hamachi 2008-11-26 22:16 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys 2008-11-12 21:49 --------- d-----w c:\program files\MSXML 4.0 2008-11-12 21:49 --------- d-----w c:\program files\Microsoft Silverlight 2008-11-11 22:39 409,600 ----a-w c:\windows\system32\wrap_oal.dll 2008-11-11 22:39 114,688 ----a-w c:\windows\system32\OpenAL32.dll 2008-11-11 22:39 --------- d-----w c:\program files\ASUS Xonar D2 Audio 2008-11-11 22:06 22,328 ----a-w c:\documents and settings\Rolfie\Application Data\PnkBstrK.sys 2008-11-11 21:58 682,280 ----a-w c:\windows\system32\pbsvc.exe 2008-11-11 21:58 66,872 ----a-w c:\windows\system32\PnkBstrA.exe 2008-11-10 04:43 410,984 ----a-w c:\windows\system32\deploytk.dll 2008-10-27 09:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll 2008-10-27 09:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll 2008-10-27 09:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll 2008-10-27 09:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll 2008-10-26 14:03 107,888 ----a-w c:\windows\system32\CmdLineExt.dll 2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll 2008-10-16 20:24 827,904 ----a-w c:\windows\system32\wininet.dll 2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll 2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll 2008-10-13 17:02 505,392 ----a-w c:\windows\system32\msvcp71.dll 2008-10-13 17:02 353,840 ----a-w c:\windows\system32\msvcr71.dll 
2008-10-10 03:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll 2008-10-10 03:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll 2008-10-10 03:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\windows\A5B5A16D277A476B8F621029A2F23072.TMP ---- 2008-12-21 04:11 155648 --a------ c:\windows\A5B5A16D277A476B8F621029A2F23072.TMP\WiseCustomCalla.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-27 1576176] "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952] "EVEREST AutoStart"="c:\program files\Lavalys\EVEREST Ultimate Edition\everest.exe" [2008-03-16 2083424] "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "Fraps"="c:\fraps\FRAPS.EXE" [2008-01-14 3182248] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144] "Cmaudio8788Hook"="c:\windows\system\ComHookMonitor.exe" [2007-08-10 20480] "Cmaudio8788MixerMonitor"="c:\program files\ASUS Xonar D2 Audio\Customapp\Program\MixerMonitor.exe" [2007-09-07 90112] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1601304] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600] "LogitechCommunicationsManager"="c:\program files\Common 
Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496] "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240] "nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe] c:\documents and settings\Rolfie\Start Menu\Programs\Startup\ Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-02-13 493832] Shortcut to AsusAudioCenter.lnk - c:\program files\ASUS Xonar D2 Audio\CustomApp\Program\AsusAudioCenter.exe [2008-10-13 1044480] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 12:58 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-01-07 19:18 10520 c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^Rolfie^Start Menu^Programs^Startup^hamachi.lnk] path=c:\documents and settings\Rolfie\Start Menu\Programs\Startup\hamachi.lnk backup=c:\windows\pss\hamachi.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "nlsvc"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program 
Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\FlashGet\\flashget.exe"= "c:\\Program Files\\RevConnect\\DCPlusPlus.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "g:\\Spill\\Left 4 dead\\left4dead.exe"= "g:\\Spill\\Steam\\SteamApps\\adversary221\\diprip warm up\\hl2.exe"= "g:\\Spill\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"= "g:\\Spill\\Steam\\Steam.exe"= "g:\\Spill\\Steam\\SteamApps\\adversary221\\garrysmod\\hl2.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "g:\\Spill\\Battlefield2\\BF2.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "g:\\Spill\\Steam\\SteamApps\\adversary221\\counter-strike source\\hl2.exe"= "g:\\Spill\\Steam\\SteamApps\\adversary221\\team fortress 2\\hl2.exe"= "c:\\Program Files\\Ventrilo\\Ventrilo.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "20001:TCP"= 20001:TCP:connect R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-18 12552] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-18 324872] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-18 107272] R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-04-23 82200] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-08-19 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-08-19 55024] R3 cmudaxp;ASUS Xonar D2 Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-10-13 1839680] R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2008-10-13 23152] R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2008-10-28 9216] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408] R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program 
files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560] R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-07 298264] --- Other Services/Drivers In Memory --- *NewlyCreated* - EVERESTDRIVER . . ------- Supplementary Scan ------- . IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Rolfie\Start Menu\Programs\IMVU\Run IMVU.lnk . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-10 15:10:55 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver] "ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(756) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\documents and settings\Rolfie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10001.dll . Completion time: 2009-01-10 15:11:33 ComboFix-quarantined-files.txt 2009-01-10 14:11:30 ComboFix2.txt 2009-01-10 12:36:11 ComboFix3.txt 2009-01-09 17:26:39 Pre-Run: 21,398,884,352 bytes free Post-Run: 21,386,256,384 bytes free 223 --- E O F --- 2009-01-10 02:03:10
raWrz Posted 10 January 2009
Click Start - All Programs - Accessories - Notepad. Copy and paste the text from the code box below into Notepad:
Folder::
c:\windows\A5B5A16D277A476B8F621029A2F23072.TMP
Save it as CFScript on the Desktop. Drag CFScript onto ComboFix.exe, which is on the Desktop, as the animation below shows. This will start ComboFix again. If the machine asks for a restart, let it do so straight away. Post the contents of ComboFix.txt in your next reply on the forum.
Adversary (Author) Posted 10 January 2009
ComboFix log:
ComboFix 09-01-09.03 - Rolfie 2009-01-10 15:56:23.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2254 [GMT 1:00] Running from: c:\documents and settings\Rolfie\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Rolfie\Desktop\CFScript.txt AV: AVG Internet Security *On-access scanning enabled* (Updated) * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\A5B5A16D277A476B8F621029A2F23072.TMP c:\windows\A5B5A16D277A476B8F621029A2F23072.TMP\WiseCustomCalla.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_AVG ((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 ))))))))))))))))))))))))))))))) . 2009-01-10 03:01 . 2009-01-10 03:01 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2 2009-01-10 03:00 . 2009-01-10 03:03 1,374 --a------ c:\windows\imsins.BAK 2009-01-10 02:29 . 2008-10-23 13:36 286,720 -----c--- c:\windows\system32\dllcache\gdi32.dll 2009-01-09 18:13 . 2009-01-09 18:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-09 18:13 . 2009-01-09 18:13 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Malwarebytes 2009-01-09 18:13 . 2009-01-09 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-09 18:13 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-09 18:13 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-09 15:38 . 2009-01-09 15:38 <DIR> d-------- c:\program files\Trend Micro 2009-01-08 07:01 . 2009-01-08 07:01 <DIR> d-------- c:\windows\New Folder 2009-01-03 03:33 .
2009-01-03 03:33 <DIR> d-------- c:\program files\Common Files\Logitech 2008-12-29 22:07 . 2008-12-29 22:07 <DIR> d-------- c:\program files\Ventrilo 2008-12-29 22:07 . 2008-12-29 22:07 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini 2008-12-29 22:03 . 2008-12-29 22:08 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Ventrilo 2008-12-25 04:05 . 2008-02-06 03:17 2,570,520 -ra------ c:\windows\system32\drivers\LV302V32.SYS 2008-12-25 04:01 . 2008-12-25 04:01 <DIR> d-------- c:\program files\Logitech 2008-12-25 04:01 . 2008-12-25 04:05 <DIR> d-------- c:\program files\Common Files\LogiShrd 2008-12-25 04:01 . 2008-12-25 04:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech 2008-12-25 04:01 . 2009-01-03 03:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logishrd 2008-12-25 03:59 . 2008-04-14 00:15 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys 2008-12-25 03:59 . 2008-04-14 00:15 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys 2008-12-21 04:29 . 2008-12-22 21:21 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Touchstone 2008-12-21 04:27 . 2008-12-21 04:27 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\Leadertech 2008-12-19 22:29 . 2008-12-19 22:29 8 --a------ c:\windows\system32\nvModes.dat 2008-12-18 19:21 . 2009-01-07 19:18 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys 2008-12-18 19:21 . 2009-01-07 19:18 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys 2008-12-18 19:21 . 2009-01-07 19:18 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys 2008-12-18 19:21 . 2009-01-07 19:18 10,520 --a------ c:\windows\system32\avgrsstx.dll 2008-12-18 19:20 . 2009-01-10 03:48 <DIR> d-------- c:\windows\system32\drivers\Avg 2008-12-18 18:14 . 2008-12-18 18:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET 2008-12-18 17:42 . 
2008-12-18 17:42 <DIR> d-------- c:\windows\system32\NtmsData 2008-12-14 17:41 . 2008-12-14 21:26 <DIR> d-------- c:\documents and settings\Rolfie\EurekaLog 2008-12-13 15:44 . 2008-12-13 15:44 <DIR> d-------- c:\program files\VentriloMIX 2008-12-13 15:44 . 2008-12-13 15:44 <DIR> d-------- c:\documents and settings\Rolfie\Application Data\teamspeak2 2008-12-13 15:39 . 2008-12-13 15:39 268 --ah----- C:\sqmdata03.sqm 2008-12-13 15:39 . 2008-12-13 15:39 244 --ah----- C:\sqmnoopt03.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-10 15:02 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-01-10 14:37 --------- d-----w c:\documents and settings\Rolfie\Application Data\Hamachi 2009-01-10 14:29 --------- d-----w c:\documents and settings\All Users\Application Data\avg8 2009-01-10 12:30 --------- d-----w c:\documents and settings\Rolfie\Application Data\uTorrent 2009-01-03 04:59 --------- d-----w c:\program files\FlashGet 2008-12-29 21:07 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-12-26 06:42 --------- d-----w c:\documents and settings\Rolfie\Application Data\dvdcss 2008-12-24 18:04 --------- d-----w c:\program files\Java 2008-12-22 20:21 --------- d--h--w c:\program files\InstallShield Installation Information 2008-12-20 21:49 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys 2008-12-17 16:50 --------- d-----w c:\program files\Opera 2008-12-14 16:42 --------- d-----w c:\program files\MediaMonkey 2008-12-08 23:38 --------- d-----w c:\program files\RevConnect 2008-12-06 21:53 --------- d-----w c:\program files\WorldOfGoo 2008-12-06 16:30 --------- d-----w c:\program files\Audacity 2008-12-06 16:28 --------- d-----w c:\program files\lame3.98.2 2008-12-06 15:12 --------- d-----w c:\documents and settings\Rolfie\Application Data\Toribash 2008-12-05 02:26 --------- d-----w c:\documents and settings\Rolfie\Application 
Data\OpenOffice.org2 2008-12-05 00:08 --------- d-----w c:\program files\SystemRequirementsLab 2008-12-05 00:06 --------- d-----w c:\documents and settings\Rolfie\Application Data\SystemRequirementsLab 2008-11-26 22:17 --------- d-----w c:\program files\Hamachi 2008-11-26 22:16 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys 2008-11-12 21:49 --------- d-----w c:\program files\MSXML 4.0 2008-11-12 21:49 --------- d-----w c:\program files\Microsoft Silverlight 2008-11-11 22:39 --------- d-----w c:\program files\ASUS Xonar D2 Audio 2008-11-11 22:06 22,328 ----a-w c:\documents and settings\Rolfie\Application Data\PnkBstrK.sys . ((((((((((((((((((((((((((((( snapshot_2009-01-10_13.35.45.68 ))))))))))))))))))))))))))))))))))))))))) . + 2009-01-10 15:00:05 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2ac.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-27 1576176] "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952] "EVEREST AutoStart"="c:\program files\Lavalys\EVEREST Ultimate Edition\everest.exe" [2008-03-16 2083424] "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "Fraps"="c:\fraps\FRAPS.EXE" [2008-01-14 3182248] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144] "Cmaudio8788Hook"="c:\windows\system\ComHookMonitor.exe" [2007-08-10 20480] "Cmaudio8788MixerMonitor"="c:\program files\ASUS Xonar D2 Audio\Customapp\Program\MixerMonitor.exe" [2007-09-07 90112] "QuickTime Task"="c:\program 
files\QuickTime\QTTask.exe" [2008-09-06 413696] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1601304] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600] "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496] "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240] "nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe] c:\documents and settings\Rolfie\Start Menu\Programs\Startup\ Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-02-13 493832] Shortcut to AsusAudioCenter.lnk - c:\program files\ASUS Xonar D2 Audio\CustomApp\Program\AsusAudioCenter.exe [2008-10-13 1044480] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 12:58 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-01-07 19:18 10520 c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^Rolfie^Start Menu^Programs^Startup^hamachi.lnk] path=c:\documents and settings\Rolfie\Start Menu\Programs\Startup\hamachi.lnk backup=c:\windows\pss\hamachi.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "nlsvc"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\FlashGet\\flashget.exe"= "c:\\Program Files\\RevConnect\\DCPlusPlus.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "g:\\Spill\\Left 4 dead\\left4dead.exe"= "g:\\Spill\\Steam\\SteamApps\\adversary221\\diprip warm up\\hl2.exe"= "g:\\Spill\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"= "g:\\Spill\\Steam\\Steam.exe"= "g:\\Spill\\Steam\\SteamApps\\adversary221\\garrysmod\\hl2.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "g:\\Spill\\Battlefield2\\BF2.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "g:\\Spill\\Steam\\SteamApps\\adversary221\\counter-strike source\\hl2.exe"= "g:\\Spill\\Steam\\SteamApps\\adversary221\\team fortress 2\\hl2.exe"= "c:\\Program Files\\Ventrilo\\Ventrilo.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "20001:TCP"= 20001:TCP:connect R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-18 12552] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-18 324872] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-18 107272] R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-04-23 82200] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-08-19 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-08-19 55024] R3 cmudaxp;ASUS Xonar D2 Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-10-13 1839680] R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate 
Edition\kerneld.wnt [2008-10-13 23152] R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2008-10-28 9216] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408] R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560] R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-07 298264] . . ------- Supplementary Scan ------- . IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Rolfie\Start Menu\Programs\IMVU\Run IMVU.lnk . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-10 16:02:28 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver] "ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(860) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\documents and settings\Rolfie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10001.dll . ------------------------ Other Running Processes ------------------------ . 
c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\PnkBstrA.exe c:\windows\system32\PnkBstrB.exe c:\program files\CyberLink\Shared files\RichVideo.exe c:\progra~1\AVG\AVG8\avgam.exe c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\rundll32.exe c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe c:\program files\Opera\opera.exe . ************************************************************************** . Completion time: 2009-01-10 16:03:38 - machine was rebooted ComboFix-quarantined-files.txt 2009-01-10 15:03:35 ComboFix2.txt 2009-01-10 14:11:34 ComboFix3.txt 2009-01-10 12:36:11 ComboFix4.txt 2009-01-09 17:26:39 Pre-Run: 21,378,592,768 bytes free Post-Run: 21,366,255,616 bytes free 220 --- E O F --- 2009-01-10 02:03:10
Adversary (Author) Posted 10 January 2009
I haven't noticed any more strange behaviour, although I still find a rootkit when I scan for viruses. I haven't looked at the laptop yet.
raWrz Posted 10 January 2009
Can you give me a screenshot of the rootkits it finds?
norbat Posted 10 January 2009 (edited)
That a driver/file is hidden does not necessarily mean it is a rootkit. Could you upload the file to VirusTotal for a check?
Edited 10 January 2009 by norbat