NOwar Posted 21 January 2009

ComboFix 09-01-20.05 - hannyg1 2009-01-21 10:36:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.119 [GMT 1:00]
Running from: c:\documents and settings\hannyg1\skrivebord\ComboFix.exe
AV: Norman Virus Control ver. 5.99 *On-access scanning enabled* (Updated)
FW: Norman Personal Firewall v. 1.4 *enabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://ped-01wsus
.
((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.
2009-01-21 09:58 . 2009-01-21 09:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 09:58 . 2009-01-21 09:58 <DIR> d-------- c:\documents and settings\hannyg1\Application Data\Malwarebytes
2009-01-21 09:58 . 2009-01-21 09:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 09:58 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 09:58 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-09 17:46 . 2001-09-30 19:10 246,784 --a------ c:\windows\system32\ActiveSkin.ocx
2009-01-09 17:46 . 2001-05-24 12:59 162,304 --a------ C:\UNWISE.EXE
2009-01-09 17:46 . 2002-01-18 18:12 112 --a------ c:\windows\ActiveSkin.INI
2009-01-07 12:05 . 2009-01-20 11:31 <DIR> d-------- c:\documents and settings\hannyg1\Application Data\U3
2009-01-06 11:00 . 2009-01-06 11:00 <DIR> d-------- c:\program files\Bonjour
2009-01-06 10:44 . 2009-01-06 10:44 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-01-06 09:56 . 2009-01-06 09:56 <DIR> d-------- c:\documents and settings\Hansi\Application Data\Hamachi
2009-01-03 18:01 . 2009-01-03 18:01 <DIR> d-------- c:\program files\Bytescout XLS Viewer
2008-12-27 16:53 . 2008-12-27 16:52 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-25 01:19 . 2008-12-25 01:19 0 --a------ c:\windows\tosOBEX.INI
2008-12-25 01:15 . 2008-12-25 01:15 <DIR> d-------- c:\program files\Toshiba
2008-12-25 01:10 . 2004-08-03 22:58 100,992 --a------ c:\windows\system32\drivers\bthpan.sys
2008-12-25 01:10 . 2004-08-03 22:58 100,992 --a--c--- c:\windows\system32\dllcache\bthpan.sys
2008-12-25 01:10 . 2004-08-03 23:10 59,648 --a------ c:\windows\system32\drivers\rfcomm.sys
2008-12-25 01:10 . 2004-08-03 23:10 59,648 --a--c--- c:\windows\system32\dllcache\rfcomm.sys
2008-12-25 01:10 . 2004-08-03 23:10 17,024 --a------ c:\windows\system32\drivers\BthEnum.sys
2008-12-25 01:10 . 2004-08-03 23:10 17,024 --a--c--- c:\windows\system32\dllcache\bthenum.sys
2008-12-25 01:09 . 2004-08-03 23:10 18,944 --a------ c:\windows\system32\drivers\BTHUSB.SYS
2008-12-25 01:09 . 2004-08-03 23:10 18,944 --a--c--- c:\windows\system32\dllcache\bthusb.sys
2008-12-25 01:09 . 2009-01-21 10:23 836 --a------ c:\windows\bthservsdp.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 09:30 --------- d-----w c:\documents and settings\All Users\Application Data\NPF
2009-01-21 09:28 5 ----a-w C:\NPF_USER.DAT
2009-01-21 09:24 --------- d-----w c:\program files\Norman
2009-01-21 08:32 --------- d-----w c:\program files\LogMeIn
2009-01-20 09:58 --------- d-----w c:\documents and settings\hannyg1\Application Data\Hamachi
2009-01-06 10:03 --------- d-----w c:\program files\Opera
2009-01-06 10:00 --------- d-----w c:\program files\Common Files\Adobe
2008-12-27 15:52 --------- d-----w c:\program files\Java
2008-12-27 12:44 --------- d-----w c:\documents and settings\Marta.H-OYG-BB-HANSI\Application Data\Hamachi
2008-12-11 15:18 --------- d-----w c:\documents and settings\hannyg1\Application Data\Ahead
2008-12-02 11:25 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-02 09:47 --------- d-----w c:\program files\Adobe Media Player
2008-12-02 09:42 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-12-02 09:07 --------- d-----w c:\documents and settings\hannyg1\Application Data\Download Manager
2008-11-28 10:10 --------- d-----w c:\documents and settings\hannyg1\Application Data\uTorrent
2008-11-24 08:27 --------- d-----w c:\program files\Google
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-10-24 11:14 109,568 ------w c:\windows\system32\pxinsi64.exe
2008-10-24 11:14 108,544 ------w c:\windows\system32\pxcpyi64.exe
2008-10-22 07:44 87,352 ----a-w c:\windows\system32\LMIinit.dll
2008-10-22 07:44 83,288 ----a-w c:\windows\system32\LMIRfsClientNP.dll
2008-10-22 07:44 28,984 ----a-w c:\windows\system32\LMIport.dll
2008-10-22 07:44 23,736 ----a-w c:\windows\system32\lmimirr.dll
2008-10-22 07:44 10,040 ----a-w c:\windows\system32\lmimirr2.dll
2007-08-09 12:08 8,784 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 12:10 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"SpeedswitchXP"="c:\program files\SpeedswitchXP\SpeedswitchXP.exe" [2006-07-14 626688]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-10 868352]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 63048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"Norman ZANDA"="c:\program files\Norman\Npm\bin\ZLH.EXE" [2008-06-02 273520]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-03 143360]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AtiPTA"="atiptaxx.exe" [2006-02-22 c:\windows\system32\atiptaxx.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-05-06 483328]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-05-12 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 1 (0x1)
"MaxGPOScriptWait"= 32000 (0x7d00)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoPublishingWizard"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"ForceClassicControlPanel"= 1 (0x1)
"DisallowCpl"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-22 08:44 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=lokadm.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=pcbb.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-489248529-1699838375-1845911597-228722\Scripts\Logon\0\0]
"Script"=Sym2Server.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-489248529-1699838375-1845911597-228722\Scripts\Logon\1\0]
"Script"=OYG_elev.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Hansi^Start Menu^Programs^Startup^CCC.lnk]
path=c:\documents and settings\Hansi\Start Menu\Programs\Startup\CCC.lnk
backup=c:\windows\pss\CCC.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 19:04 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2006-11-10 16:19 1051648 c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2006-10-16 01:41 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 20:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2008-02-29 02:12 76304 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 NDIS_RD;Firewall Engine Type-R2;c:\windows\system32\drivers\Ndis_rd.sys [2008-03-27 53320]
R1 TDI_RD;Firewall Engine Type-R;c:\windows\system32\drivers\Tdi_rd.sys [2008-03-27 32176]
R3 nsesvc;Norman Scanner Engine Service;c:\program files\Norman\Nse\Bin\Nsesvc.exe [2008-06-28 322616]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2008-03-27 19512]
R3 nvcoas;Norman Virus Control on-access component;c:\program files\Norman\NVC\bin\Nvcoas.exe [2008-03-27 183352]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\program files\Norman\NVC\bin\Nvcsched.exe [2008-03-27 146488]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-11-13 47640]
R4 Ndiskio;Ndiskio;c:\program files\Norman\Nse\Bin\Ndiskio.sys [2008-03-27 20448]
S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.SYS [2008-09-12 40672]
S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [2008-08-27 32000]
S4 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-09-12 12856]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://oyg.hfk.no
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&ksporter til Microsoft Excel - c:\program files\Microsoft Office\OFFICE11\EXCEL.EXE/3000
TCP: {1CD2079E-9E20-4468-8E20-BBA3800E7B3C} = 192.168.100.1
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
FF - ProfilePath - c:\documents and settings\hannyg1\Application Data\Mozilla\Firefox\Profiles\u18sfigo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.no/webhp?hl=nn&btnG=Google-s%C3%B8k
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\hannyg1\Application Data\Mozilla\Firefox\Profiles\u18sfigo.default\extensions\[email protected]\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 10:43:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(836)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-01-21 10:46:32
ComboFix-quarantined-files.txt 2009-01-21 09:46:28

Pre-Run: 10 139 168 768 bytes free
Post-Run: 12,619,489,280 bytes free

232 --- E O F --- 2009-01-05 07:53:19


Malwarebytes' Anti-Malware 1.33
Databaseversjon: 1673
Windows 5.1.2600 Service Pack 2

21.01.2009 10:21:38
mbam-log-2009-01-21 (10-21-38).txt

Skanntype: Rask Skann
Objekter skannet: 87250
Tid tilbakelagt: 18 minute(s), 3 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 6
Mapper infisert: 0
Filer infisert: 0

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
(Ingen mistenkelige filer funnet)
NOwar (author) Posted 21 January 2009
Delete this thread..
r2d290 Posted 21 January 2009
"Delete this thread.."
Because you posted the log in norbat's sticky? If so, I think we will continue the support in this thread, since we don't want to do support in the other thread.
NOwar (author) Posted 22 January 2009
That's fine :)
NOwar (author) Posted 23 February 2009
Since nobody has given feedback on my log, I assume it is fine. You can just delete the post. Regards, me
norbat Posted 23 February 2009
Yes, the log shows no malware