Help with virus/trojans


Hi..

A little while ago NOD32 started detecting that BITF8CC.tmp in the Windows folder was infected, and that my PC was automatically downloading a program (Anti.exe) from rapidshare. Here is the log (from NOD32):

It started with:

13.02.2009 19:47:05 Real-time file system protection file C:\Windows\BITF8CC.tmp Win32/Qhost.NGT trojan cleaned by deleting - quarantined NT-MYNDIGHET\SYSTEM Event occurred on a new file created by the application: C:\Windows\system32\svchost.exe.

 

13.02.2009 19:47:00 HTTP filter file http://rs344l33.rapidshare.com/files/163097907/Anti.exe Win32/Qhost.NGT trojan connection terminated - quarantined NT-MYNDIGHET\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.

 

13.02.2009 19:36:56 Real-time file system protection file C:\Windows\BITF8CC.tmp Win32/Qhost.NGT trojan cleaned by deleting - quarantined NT-MYNDIGHET\SYSTEM Event occurred on a file modified by the application: C:\Windows\system32\svchost.exe.

 

13.02.2009 19:36:55 HTTP filter file http://rs344tl2.rapidshare.com/files/163097907/Anti.exe Win32/Qhost.NGT trojan connection terminated - quarantined NT-MYNDIGHET\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.

 

13.02.2009 19:36:42 Real-time file system protection file C:\Windows\BIT44DB.tmp Win32/TrojanDownloader.Agent.OOJ trojan cleaned by deleting - quarantined NT-MYNDIGHET\SYSTEM Event occurred on a file modified by the application: C:\Windows\system32\svchost.exe.

 

13.02.2009 19:36:01 Real-time file system protection file C:\Windows\BIT10FE.tmp a variant of Win32/Kryptik.DQ trojan cleaned by deleting - quarantined NT-MYNDIGHET\SYSTEM Event occurred on a file modified by the application: C:\Windows\system32\svchost.exe.

 

13.02.2009 19:36:01 Real-time file system protection file C:\Windows\Update.exe a variant of Win32/Kryptik.DQ trojan cleaned by deleting - quarantined Event occurred on a file modified by the application: C:\Windows\system32\svchost.exe.

 

 

 

Then it continues with:

13.02.2009 20:07:36 Real-time file system protection file C:\Windows\BITF8CC.tmp Win32/Qhost.NGT trojan cleaned by deleting - quarantined NT-MYNDIGHET\SYSTEM Event occurred on a new file created by the application: C:\Windows\system32\svchost.exe.

 

13.02.2009 20:07:29 HTTP filter file http://rs344l32.rapidshare.com/files/163097907/Anti.exe Win32/Qhost.NGT trojan connection terminated - quarantined NT-MYNDIGHET\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.

 

13.02.2009 19:57:22 Real-time file system protection file C:\Windows\BITF8CC.tmp Win32/Qhost.NGT trojan cleaned by deleting - quarantined NT-MYNDIGHET\SYSTEM Event occurred on a new file created by the application: C:\Windows\system32\svchost.exe.

 

13.02.2009 19:57:14 HTTP filter file http://rs344gc.rapidshare.com/files/163097907/Anti.exe Win32/Qhost.NGT trojan connection terminated - quarantined NT-MYNDIGHET\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.

 

 

At intervals of 10 minutes..

Then I ran a Malwarebytes' Anti-Malware scan:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 6.0.6001 Service Pack 1

15.02.2009 07:39:33
mbam-log-2009-02-15 (07-39-24).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 317023
Time elapsed: 1 hour(s), 57 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\nowstarter.nowstarterctrl.1 (Adware.CWS) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6f553c18-15e6-4e5e-8f44-add50de754ed} (Adware.CWS) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{0409743c-e5e3-4bdd-9ec7-eff622530282} (Adware.CWS) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{40722371-e24c-4b36-8e76-010bb6c7185b} (Adware.CWS) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{825c19d3-35ce-428f-876b-88e080466689} (Adware.CWS) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\NowStarter.ocx (Adware.CWS) -> No action taken.

 

 

 

Then I scanned with ComboFix:

ComboFix 09-02-14.01 - Joachim 2009-02-15 22:05:33.1 - NTFSx86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1044.18.2046.982 [GMT 1:00]

Running from: c:\users\Joachim\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

FW: COMODO Firewall *enabled*

* Created a new restore point

* Resident AV is active

 

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat

c:\programdata\Microsoft\Network\Downloader\qmgr1.dat

c:\users\Joachim\AppData\Roaming\inst.exe

F:\install.exe

 

----- BITS: Possible infected sites -----

 

hxxp://rapidshare.com

.

((((((((((((((((((((((((((( Files Created From 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))))

.

 

2009-02-15 22:12 . 2009-02-15 22:12 20,480 --ah----- c:\windows\BITF8CC.tmp

2009-02-15 15:03 . 2009-02-15 15:03 29,584 --a------ c:\windows\System32\drivers\regguard.sys

2009-02-15 15:03 . 2009-02-15 15:03 (2) -rahs-ot- c:\windows\winstart.bat

2009-02-15 15:02 . 2009-02-15 15:02 34,760 --a------ c:\windows\System32\drivers\Partizan.sys

2009-02-15 15:02 . 2009-02-15 15:02 32,480 --a------ c:\windows\System32\Partizan.exe

2009-02-15 15:02 . 2008-12-22 17:04 20,192 --a------ c:\windows\WinBait.org

2009-02-15 15:02 . 2008-12-22 17:04 20,192 --a------ c:\windows\WinBait.exe

2009-02-15 15:01 . 2009-02-15 15:01 <DIR> d-------- c:\program files\Greatis

2009-02-15 10:17 . 2009-02-15 10:17 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com

2009-02-15 10:17 . 2009-02-15 10:17 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com

2009-02-15 09:27 . 2009-02-15 09:27 <DIR> d-------- c:\users\Joachim\AppData\Roaming\SUPERAntiSpyware.com

2009-02-15 09:27 . 2009-02-15 09:27 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-14 21:17 . 2009-02-14 21:17 <DIR> d-------- c:\users\Joachim\AppData\Roaming\Malwarebytes

2009-02-14 21:17 . 2009-02-14 21:17 <DIR> d-------- c:\users\All Users\Malwarebytes

2009-02-14 21:17 . 2009-02-14 21:17 <DIR> d-------- c:\programdata\Malwarebytes

2009-02-14 21:17 . 2009-02-14 21:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-14 21:17 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys

2009-02-14 21:17 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys

2009-02-13 19:36 . 2009-02-13 19:36 4,771 --a------ c:\windows\RunUpdater.exe

2009-02-13 15:25 . 2009-02-13 15:25 <DIR> d-------- c:\program files\Data Realms

2009-02-12 05:01 . 2009-02-12 05:01 <DIR> d-------- c:\windows\SQL9_KB960089_ENU

2009-02-11 15:48 . 2009-02-11 16:13 <DIR> d-------- c:\program files\Game Cam

2009-02-11 15:48 . 2002-01-05 07:48 974,848 --a------ c:\windows\System32\mfc70.dll

2009-02-11 15:48 . 2002-01-05 06:40 487,424 --a------ c:\windows\System32\msvcp70.dll

2009-02-11 15:14 . 2009-02-11 15:20 <DIR> d-------- c:\program files\Noitu Love 2

2009-02-11 11:52 . 2009-01-15 04:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb

2009-02-11 11:52 . 2009-01-15 07:11 827,392 --a------ c:\windows\System32\wininet.dll

2009-02-10 15:17 . 2009-02-10 15:17 <DIR> d-------- c:\program files\Monster Trucks Nitro Demo

2009-02-09 20:57 . 2009-02-09 20:57 <DIR> d-------- c:\program files\Pixie

2009-02-08 14:08 . 2009-02-08 18:05 <DIR> d-------- c:\program files\Phun

2009-02-05 21:50 . 2009-02-05 21:50 42,320 --a------ c:\windows\System32\xfcodec.dll

2009-02-04 16:51 . 2009-02-04 16:51 <DIR> d-------- c:\users\Joachim\AppData\Roaming\Crayon Physics Deluxe

2009-02-04 16:51 . 2009-02-07 20:12 <DIR> d-------- c:\program files\Crayon Physics Deluxe

2009-01-16 22:19 . 2009-01-16 22:19 <DIR> d-------- c:\program files\CFi

2009-01-15 14:26 . 2009-02-15 11:31 <DIR> d-------- C:\Fraps

2009-01-15 14:12 . 2009-01-15 14:27 <DIR> d-------- c:\program files\Game Cam V2

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-15 15:39 --------- d---a-w c:\programdata\TEMP

2009-02-15 15:38 --------- d-----w c:\users\Joachim\AppData\Roaming\Xfire

2009-02-15 08:26 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-14 20:37 --------- d-----w c:\programdata\Spybot - Search & Destroy

2009-02-14 10:00 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-02-14 05:29 --------- d-----w c:\program files\LogMeIn

2009-02-12 09:28 --------- d-----w c:\program files\Microsoft SQL Server

2009-02-12 06:51 --------- d-----w c:\users\Joachim\AppData\Roaming\stickies

2009-02-12 06:50 --------- d-----w c:\programdata\NVIDIA

2009-02-12 06:46 --------- d-----w c:\programdata\Xfire

2009-02-12 06:46 --------- d-----w c:\program files\Xfire

2009-02-12 04:00 --------- d-----w c:\program files\Windows Mail

2009-02-11 14:48 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-11 14:47 --------- d-----w c:\users\Joachim\AppData\Roaming\uTorrent

2009-02-09 17:54 --------- d-----w c:\users\Joachim\AppData\Roaming\Aegisub

2009-01-28 16:49 --------- d-----w c:\users\Joachim\AppData\Roaming\Image Zone Express

2009-01-17 09:57 --------- d-----w c:\users\Joachim\AppData\Roaming\Download Manager

2009-01-13 14:22 --------- d-----w c:\program files\QuickTime

2009-01-13 14:21 --------- d-----w c:\program files\Common Files\Apple

2009-01-13 14:20 --------- d-----w c:\program files\Apple Software Update

2009-01-12 15:08 --------- d-----w c:\programdata\TechSmith

2009-01-12 15:08 --------- d-----w c:\program files\TechSmith

2009-01-12 15:08 --------- d-----w c:\program files\Common Files\TechSmith Shared

2009-01-10 16:19 119,752 ----a-w c:\windows\System32\rdpdispd.dll

2009-01-10 16:19 10,056 ----a-w c:\windows\system32\drivers\rdpdispm.sys

2009-01-10 16:19 --------- d-----w c:\program files\Live Mesh

2009-01-09 20:20 --------- d-----w c:\programdata\LogMeIn

2009-01-09 19:55 --------- d-----w c:\program files\Microsoft Silverlight

2009-01-09 14:10 --------- d-----w c:\program files\Microsoft

2009-01-09 14:09 --------- d-----w c:\program files\Windows Live SkyDrive

2009-01-06 14:43 --------- d-----w c:\program files\Ubisoft

2009-01-04 18:25 --------- d-----w c:\programdata\Lavasoft

2009-01-04 18:24 --------- d-----w c:\program files\Lavasoft

2009-01-03 11:24 81,920 ----a-w c:\windows\System32\frapsvid.dll

2009-01-03 09:54 99,344 ----a-w c:\windows\system32\drivers\cmdguard.sys

2009-01-03 09:54 25,104 ----a-w c:\windows\system32\drivers\cmdhlp.sys

2009-01-03 09:53 147,192 ----a-w c:\windows\System32\guard32.dll

2008-12-29 22:57 --------- d-----w c:\users\Joachim\AppData\Roaming\mIRC

2008-12-29 12:15 --------- d-----w c:\program files\mIRC

2008-12-29 10:55 --------- d-----w c:\programdata\comodo

2008-12-29 10:36 --------- d-----w c:\users\Joachim\AppData\Roaming\Comodo

2008-12-29 10:35 --------- d-----w c:\program files\COMODO

2008-12-29 10:16 159,982 ----a-w c:\windows\Marsu-Fix 2.3 Uninstaller.exe

2008-12-29 10:14 --------- d-----w c:\programdata\ESET

2008-12-29 10:14 --------- d-----w c:\program files\ESET

2008-12-28 20:34 --------- d-----w c:\program files\7-Zip

2008-12-28 09:27 --------- d-----w c:\users\Joachim\AppData\Roaming\vlc

2008-12-27 12:54 --------- d-----w c:\program files\Common Files\Blizzard Entertainment

2008-12-26 22:46 --------- d-----w c:\program files\Steam

2008-12-26 21:49 --------- d-----w c:\program files\Common Files\Steam

2008-12-26 21:47 --------- d-----w c:\programdata\Autodesk

2008-12-26 21:47 --------- d-----w c:\program files\Common Files\Autodesk Shared

2008-12-18 13:46 --------- d-----w c:\programdata\TrackMania

2008-12-16 02:42 288,768 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-04 21:23 410,984 ----a-w c:\windows\System32\deploytk.dll

2008-12-02 21:37 49,480 ----a-w c:\windows\System32\sirenacm.dll

2008-11-24 21:31 65,888 ----a-w c:\windows\System32\sqlctr90.dll

2008-11-24 21:31 2,248,544 ----a-w c:\windows\System32\sqlncli.dll

2008-09-16 20:08 47,360 ----a-w c:\users\Joachim\AppData\Roaming\pcouffin.sys

2008-08-05 15:17 66,160 ----a-w c:\users\Joachim\AppData\Roaming\GDIPFONTCACHEV1.DAT

2008-04-18 12:32 174 --sha-w c:\program files\desktop.ini

2007-12-06 11:38 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2007-12-06 11:38 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2007-12-06 11:38 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

2008-01-04 14:41 56 --sh--r c:\windows\System32\BDCCC04B9D.sys

2008-06-16 16:38 14,602 --sha-w c:\windows\System32\KGyGaAvL.sys

.

 

(((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ABIT uGuruIII"="c:\program files\U-ABIT\uGuru\LaunchuGuru.exe" [2007-02-09 22528]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-06-03 6144]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"MoeMonitor.exe"="c:\users\Joachim\AppData\Local\Microsoft\Live Mesh\Bin\Servicing\0.9.3424.5\MoeMonitor.exe" [2009-01-10 17:16 1225032]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

"Regrun2"="c:\progra~1\Greatis\REGRUN~1\WatchDog.exe" [2008-12-22 383712]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]

"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-23 380928]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]

"D-Link D-Link Wireless N DWA-140"="c:\program files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe" [2007-03-14 1388544]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]

"TrialReset"="c:\windows\fix.exe" [2008-04-28 208353]

"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-01-03 1797880]

"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-01-03 1797880]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13584928]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 92704]

"RegRun WinBait"="c:\windows\winbait.exe" [2008-12-22 20192]

"@RegRunOnSecure"="c:\progra~1\Greatis\REGRUN~1\OnSecure.exe" [2008-12-22 61664]

"RtHDVCpl"="RtHDVCpl.exe" [2007-02-06 c:\windows\RtHDVCpl.exe]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"wextract_cleanup0"="c:\windows\system32\advpack.dll" [2008-01-19 128000]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-02-11 399504]

 

c:\users\Joachim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Find and Run Robot.lnk - c:\program files\FindAndRunRobot\FindAndRunRobot.exe [2008-06-01 3169792]

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice 3\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

Stickies.lnk - c:\program files\Stickies\stickies.exe [2008-01-16 757760]

 

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"= c:\windows\system32\guard32.dll

"LoadAppInit_DLLs"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.i420"= i420vfw.dll

"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

"VIDC.XFR1"= xfcodec.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0Partizan\0

SetupExecute REG_MULTI_SZ c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6001.18000_none_095f6148c74a7a64\poqexec.exe /display_progress \SystemRoot\WinSxS\pending.xml

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{EE3FE7F7-A6D9-4305-83BE-78ACAE52194B}"= UDP:c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe

"{7054B94C-167E-4A53-B62B-2C8E0489C79C}"= TCP:c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe

"{988AA1F3-A75A-4310-AE89-E32A3138D60E}"= UDP:c:\program files\Grisoft\AVG Free\avgamsvr.exe:avgamsvr.exe

"{00B0116B-B040-4C53-861C-1FB63C7A174D}"= TCP:c:\program files\Grisoft\AVG Free\avgamsvr.exe:avgamsvr.exe

"{1428959D-B574-4EB7-9AEA-CBB4E878726C}"= UDP:c:\program files\Grisoft\AVG Free\avgcc.exe:avgcc.exe

"{7EF2B9B1-C681-40D3-8F17-B4E5A8659CE7}"= TCP:c:\program files\Grisoft\AVG Free\avgcc.exe:avgcc.exe

"TCP Query User{8F699D50-8DA3-4446-A204-48537D3A02C3}c:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= UDP:c:\program files\nero\nero8\nero home\nerohome.exe:Nero Home

"UDP Query User{0F3286AC-F56F-4F7C-953B-CA909BBCEF8C}c:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= TCP:c:\program files\nero\nero8\nero home\nerohome.exe:Nero Home

"TCP Query User{DBBE86AD-E20E-44E2-BA48-C51B7DEBE629}c:\\program files\\nero\\nero8\\nero burning rom\\nero.exe"= UDP:c:\program files\nero\nero8\nero burning rom\nero.exe:Nero Express

"UDP Query User{A56AB68D-A319-433D-9400-7AC617B96F38}c:\\program files\\nero\\nero8\\nero burning rom\\nero.exe"= TCP:c:\program files\nero\nero8\nero burning rom\nero.exe:Nero Express

"{5B9A1979-04B0-41CB-9AFB-31D4427777E4}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent

"{C7A84026-A70D-46DB-A857-10501D28374E}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent

"{B0E75C9A-EA35-4F69-9FC9-71E62001AAA8}"= UDP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe

"{27D8EE2F-D2FE-42D9-B098-B4137E74B17E}"= TCP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe

"{DE4AA65A-8623-4A12-84B1-3E7A84E63911}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe

"{4CD8BAD6-DF63-4773-82F4-6D13E7BEEB6E}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe

"{17B729DC-0AF9-4A65-88A0-E44C16C3D988}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

"{70BE434B-756F-4031-AA0C-89A7EF2F1A61}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

"{35AAC0AB-CE19-462F-8E5F-3EB070BF69A6}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes

"{CF02129E-50C2-4B71-8514-6D85B514E97B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

"TCP Query User{5A697D90-DD57-4DE1-8684-C11DD6FC9271}d:\\d-link.exe"= UDP:D:\d-link.exe:Setup Wizard Template

"UDP Query User{E5E17D1D-E9F1-4890-A8D2-F407A0BC1B34}d:\\d-link.exe"= TCP:D:\d-link.exe:Setup Wizard Template

"TCP Query User{7B2CF8CB-BB51-416F-8258-7FE73D91A7D6}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent

"UDP Query User{E1D8442C-11A3-459C-A955-6577CC28DCFA}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent

"TCP Query User{C3C90186-3FB3-4B9B-AC8C-285B6681E320}c:\\program files\\microsoft lifecam\\lifeexp.exe"= UDP:c:\program files\microsoft lifecam\lifeexp.exe:LifeExp.exe

"UDP Query User{49D3E89A-E1AC-47D8-A7BD-F02C42F02202}c:\\program files\\microsoft lifecam\\lifeexp.exe"= TCP:c:\program files\microsoft lifecam\lifeexp.exe:LifeExp.exe

"TCP Query User{A56FBCF5-30E0-4E01-8ABC-7BE398892998}c:\\program files\\tmnationsforever\\tmforever.exe"= UDP:c:\program files\tmnationsforever\tmforever.exe:TmForever

"UDP Query User{9A20F77B-275B-476C-B047-A5297D0E6F4B}c:\\program files\\tmnationsforever\\tmforever.exe"= TCP:c:\program files\tmnationsforever\tmforever.exe:TmForever

"{61B5DB6C-0FED-4FEF-ABA5-06E69353C6CC}"= UDP:c:\program files\e-Games\O2Jam\O2JamLauncher.exe:O2Jam

"{3920A40A-A4F3-4464-AFFF-897883EE31EB}"= TCP:c:\program files\e-Games\O2Jam\O2JamLauncher.exe:O2Jam

"{CC434236-69A2-47DD-8CCB-0675955429AC}"= UDP:27417:LocalSubnet:LocalSubnet:Utorrent-port

"TCP Query User{5C4B917D-EC3B-421E-8299-01AF8601C4FB}c:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= UDP:c:\program files\nero\nero8\nero home\nerohome.exe:Nero Home

"UDP Query User{CB2A22D9-3011-438E-96E1-F1B00D343A18}c:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= TCP:c:\program files\nero\nero8\nero home\nerohome.exe:Nero Home

"TCP Query User{D7F5103C-A1B2-4443-B81B-E71B6642A02C}c:\\users\\joachim\\desktop\\install-ting\\tight vnc\\winvnc.exe"= UDP:c:\users\joachim\desktop\install-ting\tight vnc\winvnc.exe:winvnc.exe

"UDP Query User{1108DCBB-4A6E-44D4-94D2-106D18A5E712}c:\\users\\joachim\\desktop\\install-ting\\tight vnc\\winvnc.exe"= TCP:c:\users\joachim\desktop\install-ting\tight vnc\winvnc.exe:winvnc.exe

"{CF8DF036-9FA6-4377-A80A-B5CD00E4B71E}"= UDP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS

"{512D65B4-DAF1-4F0C-B81C-EEF913B3FAD4}"= TCP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS

"{01F6A717-CBCB-4389-A3EB-A61858F7F270}"= UDP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS

"{484ED86C-D00C-476F-8C71-5431D601CB73}"= TCP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS

"TCP Query User{98B01CD5-090C-4074-B70F-0C5D470E7519}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC

"UDP Query User{473C929C-3387-4829-9E34-D891991259C7}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC

"{8B69D013-727B-4253-B297-211E4DAB941A}"= UDP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9

"{A3DF8B3F-70A7-495F-A718-550CBFF26520}"= TCP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9

"{000B2080-54EE-4BF6-9AE2-5710A7F3519B}"= UDP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10

"{699FD595-9FB3-4594-862A-1E0AC5BD845A}"= TCP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10

"{CFA33549-7F05-4231-9919-C0C6FC65A500}"= UDP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update

"{E4EC91D7-4A4C-4D91-B766-93AEC0990214}"= TCP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update

"{0D630100-559A-4536-8145-0E0A91F9AF4E}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)

"{6B8B90BF-AD23-45AB-9498-3F8C2DC18EB6}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

"{BBEED653-46A5-442D-B9E7-87D0C27821E0}"= Disabled:UDP:54227:SolidNetworkManager

"{34F76627-307C-446A-8CA0-5AC88A1F0D8F}"= Disabled:TCP:54227:SolidNetworkManager

"{C8277B86-50D0-4629-9DFD-B23E5EBA333B}"= UDP:f:\program files\Deep Silver\S.T.A.L.K.E.R. - Clear Sky\bin\xrEngine.exe:S.T.A.L.K.E.R. - Clear Sky (CLI)

"{844829FB-84B0-4A1A-93AD-EDB34A832F15}"= TCP:f:\program files\Deep Silver\S.T.A.L.K.E.R. - Clear Sky\bin\xrEngine.exe:S.T.A.L.K.E.R. - Clear Sky (CLI)

"{8E669473-A5B5-436C-BF09-9633BDD202CD}"= UDP:f:\program files\Deep Silver\S.T.A.L.K.E.R. - Clear Sky\bin\dedicated\xrEngine.exe:S.T.A.L.K.E.R. - Clear Sky (SRV)

"{F3DF1929-E22D-4851-BB62-9AC4FE2C8A68}"= TCP:f:\program files\Deep Silver\S.T.A.L.K.E.R. - Clear Sky\bin\dedicated\xrEngine.exe:S.T.A.L.K.E.R. - Clear Sky (SRV)

"{205CE67E-4B3F-48CD-93BF-C5557177572A}"= UDP:c:\program files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3

"{88A75C8B-CF76-4339-B609-FAF18DCA80CD}"= TCP:c:\program files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3

"{55D57F2D-27D9-4BAE-98DE-618C4AFAD971}"= UDP:f:\program files\Space Siege\GPGNet\GPG.Multiplayer.Client.exe:GPGNet

"{647FCF93-FD86-4DC8-857E-02C9D58790DA}"= TCP:f:\program files\Space Siege\GPGNet\GPG.Multiplayer.Client.exe:GPGNet

"{8E720CED-66B7-4047-8CB0-22B30287F18B}"= UDP:c:\program files\Autodesk\3ds Max 9\3dsmax.exe:Autodesk 3ds Max 9 32-bit

"{CC80BE75-49FC-41D7-9803-AD645A7B0121}"= TCP:c:\program files\Autodesk\3ds Max 9\3dsmax.exe:Autodesk 3ds Max 9 32-bit

"{1E792FF3-F162-4FAB-B18A-D6CFD048439B}"= UDP:c:\program files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor

"{05B68B87-2C43-4E81-99A1-C9AD4F79BBC0}"= TCP:c:\program files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor

"{6CBDB425-6A0E-4736-9005-C85110C44075}"= UDP:c:\program files\Autodesk\Backburner\manager.exe:backburner 2.3 manager

"{B2C27281-BC8C-41FD-B4E4-F869123059AA}"= TCP:c:\program files\Autodesk\Backburner\manager.exe:backburner 2.3 manager

"{27579CA3-17D6-42B5-AF5A-00649274EB52}"= UDP:c:\program files\Autodesk\Backburner\server.exe:backburner 2.3 server

"{B77B3ABD-106F-48E3-8EE9-393EC019DD76}"= TCP:c:\program files\Autodesk\Backburner\server.exe:backburner 2.3 server

"{65AF1EB5-7CC2-4AE6-8E2A-57721C699B39}"= UDP:f:\program files\Far Cry 2\bin\FarCry2.exe:Far Cry 2

"{AD9ECA9F-B27E-43A6-843D-54DA88243BCE}"= TCP:f:\program files\Far Cry 2\bin\FarCry2.exe:Far Cry 2

"{538723C7-3408-454C-9E97-79E478DD78AA}"= UDP:f:\program files\Far Cry 2\bin\FC2Launcher.exe:Far Cry 2 Updater

"{0EB7F423-368C-43B5-9B03-AF86792A1F10}"= TCP:f:\program files\Far Cry 2\bin\FC2Launcher.exe:Far Cry 2 Updater

"{EC7EDF0F-F634-4752-BA0A-DDB3600F859D}"= UDP:f:\program files\Far Cry 2\bin\FC2Editor.exe:Editor

"{D41FE79F-3FB2-4C78-88FF-FA18B1D1EAF9}"= TCP:f:\program files\Far Cry 2\bin\FC2Editor.exe:Editor

"TCP Query User{E759E9E4-69C5-471C-AD3E-5C74D2F1A318}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox

"UDP Query User{A160B9C3-E9C8-446E-A184-7F5B58715D8B}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox

"{B9D9AFA6-449B-4B48-AFB7-05836C99B2C4}"= UDP:c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe:Live Mesh Remote Desktop

"{93C75F61-631D-494E-AC86-9EA0763241FB}"= TCP:c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe:Live Mesh Remote Desktop

"{A297C483-65F2-4917-93BD-799BB1833EA8}"= UDP:c:\users\Joachim\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe:Live Mesh

"{C724A2A8-1B0E-4900-9016-16869FF421A3}"= TCP:c:\users\Joachim\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe:Live Mesh

"{5A825C3D-1472-4151-A9C3-7A27C2A0C49F}"= UDP:f:\program files\Fear Perseus Mandate\FEARXP2.exe:FEARXP2

"{3F4A4A11-2251-483E-8674-E26E77E883CA}"= TCP:f:\program files\Fear Perseus Mandate\FEARXP2.exe:FEARXP2

"TCP Query User{E980FD75-D1A0-449A-A280-0C5B4B9A4303}c:\\program files\\xfire\\xfire.exe"= UDP:c:\program files\xfire\xfire.exe:Xfire

"UDP Query User{27EE0AB8-FED6-48DF-8A75-6520C4E82886}c:\\program files\\xfire\\xfire.exe"= TCP:c:\program files\xfire\xfire.exe:Xfire

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

"EnableFirewall"= 0 (0x0)

 

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [2008-12-29 99344]

R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [2008-12-29 25104]

R1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [2008-07-01 34312]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R1 UGURU;UGURU;c:\windows\System32\drivers\uGuru.sys [2007-10-23 21048]

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [2009-01-09 47640]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-02-10 810320]

R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [2009-01-10 42824]

R3 RDPDISPM;RDPDISPM;c:\windows\System32\drivers\rdpdispm.sys [2009-01-10 10056]

R3 RegGuard;RegGuard;c:\windows\System32\drivers\regguard.sys [2009-02-15 29584]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

S0 Partizan;Partizan;c:\windows\System32\drivers\Partizan.sys [2009-02-15 34760]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]

S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]

S3 PSI;PSI;c:\windows\System32\drivers\psi_mf.sys [2008-11-18 7808]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\System32\drivers\rt2870.sys [2008-01-31 476416]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - REGGUARD

*NewlyCreated* - SASDIFSV

*NewlyCreated* - SASENUM

*NewlyCreated* - SASKUTIL

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

bthsvcs REG_MULTI_SZ BthServ

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e303fb4-4f3d-11dd-9a70-001167000000}]

\shell\AutoRun\command - h:\wd_windows_tools\Setup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85294027-80e0-11dc-90d3-806e6f6e6963}]

\shell\AutoRun\command - D:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{add59069-309c-11dd-a26f-001167000000}]

\shell\AutoRun\command - E:\autorun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca35f8f2-9924-11db-bb48-806e6f6e6963}]

\shell\AutoRun\command - D:\Autorun.exe root.ini

.

- - - - TOMME PEKERE FJERNET - - - -

 

HKCU-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

 

 

.

------- Tilleggsskanning -------

.

uStart Page = hxxp://www.google.no/

uInternet Settings,ProxyOverride = *.local

IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {6EA38E9B-3549-45BA-850C-C2D6DE163426} = 192.168.0.1

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab

FF - ProfilePath - c:\users\Joachim\AppData\Roaming\Mozilla\Firefox\Profiles\mkqdh800.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.no/ig

1 fil(er) ble flyttet.

FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\VOIPlay\npvoiplay.dll

FF - plugin: c:\users\Joachim\AppData\Roaming\Mozilla\Firefox\Profiles\mkqdh800.default\extensions\[email protected]\plugins\npRACtrl.dll

FF - plugin: c:\users\Joachim\AppData\Roaming\Mozilla\Firefox\Profiles\mkqdh800.default\extensions\[email protected]\plugins\npDyyno.dll

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-15 22:24:38

Windows 6.0.6001 Service Pack 1 NTFS

 

detected NTDLL code modification:

ZwClose

 

skanner skjulte prosesser ...

 

skanner skjulte autostart-oppføringer ...

 

skanner skjulte filer ...

 

skanning vellykket

skjulte filer: 0

 

**************************************************************************

.

--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

 

- - - - - - - > 'winlogon.exe'(840)

c:\windows\system32\guard32.dll

 

- - - - - - - > 'lsass.exe'(744)

c:\windows\system32\guard32.dll

 

- - - - - - - > 'explorer.exe'(6136)

c:\windows\system32\guard32.dll

.

Tidspunkt ferdig: 2009-02-15 22:26:38

ComboFix-quarantined-files.txt 2009-02-15 21:26:33

 

Pre-Run: 64 820 088 832 byte ledig

Post-Run: 64,243,400,704 byte ledig

 

357 --- E O F --- 2009-02-12 09:31:40

 

 

 

 

After this, Nod32 has stopped finding trojans... But I thought I'd just check...

 

After this I also ran a HijackThis scan..

Here is the log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 15:29:24, on 16.02.2009

Platform: Unknown Windows (WinNT 6.00.1905 SP1)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

 

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\ASUS\GamerOSD\GamerOSD.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\Program Files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\COMODO\Firewall\cfp.exe

C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\FindAndRunRobot\FindAndRunRobot.exe

C:\Program Files\Stickies\stickies.exe

C:\Program Files\U-ABIT\uGuru\uGuru.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

C:\Program Files\OpenOffice 3\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice 3\OpenOffice.org 3\program\soffice.bin

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe

C:\Windows\system32\CF31484.exe

C:\Windows\system32\conime.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\explorer.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Windows\regedit.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKLM\..\Run: [D-Link D-Link Wireless N DWA-140] C:\Program Files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [TrialReset] C:\Windows\fix.exe

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RegRun WinBait] C:\Windows\winbait.exe

O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe

O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Joachim\AppData\Local\Temp\IXP000.TMP\"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\uGuru\LaunchuGuru.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - HKCU\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Users\Joachim\AppData\Local\Microsoft\Live Mesh\Bin\Servicing.9.3424.5\MoeMonitor.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe

O4 - Startup: Find and Run Robot.lnk = C:\Program Files\FindAndRunRobot\FindAndRunRobot.exe

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice 3\OpenOffice.org 3\program\quickstart.exe

O4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O13 - Gopher Prefix:

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6EA38E9B-3549-45BA-850C-C2D6DE163426}: NameServer = 192.168.0.1

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ATK Fast User Switch Service (ATKFUSService) - ASUSTeK COMPUTER INC. - C:\Windows\system32\ATKFUSService.exe

O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe

O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)

O23 - Service: SQL Server (SONY_MEDIAMGR2) (MSSQL$SONY_MEDIAMGR2) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSONY_MEDIAMGR2 (file missing)

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

 

 

 

 

 

Thanks in advance :thumbs:


Run a new scan with MBAM; this time tick the box so it deletes what it finds.

Your log says "No action taken".

 

After that, run ComboFix again and post the log, then we'll see whether anything has to be dealt with manually.

 

Edit:

Yes, posted at the same time as norbat.

Edited by SNIPPSAT
Go to the VirusTotal website and upload the following file for checking:

 

c:\windows\RunUpdater.exe

 

Report back whether anything was found.

 

Here is the log:

 

 

 

File RunUpdater.exe received on 02.16.2009 18:07:17 (CET)


Result: 0/38 (0%)


Antivirus Version Last Update Result

a-squared 4.0.0.93 2009.02.16 -

AhnLab-V3 5.0.0.2 2009.02.16 -

AntiVir 7.9.0.79 2009.02.16 -

Authentium 5.1.0.4 2009.02.16 -

Avast 4.8.1335.0 2009.02.16 -

AVG 8.0.0.237 2009.02.16 -

BitDefender 7.2 2009.02.16 -

CAT-QuickHeal 10.00 2009.02.16 -

ClamAV 0.94.1 2009.02.16 -

Comodo 980 2009.02.16 -

DrWeb 4.44.0.09170 2009.02.16 -

eSafe 7.0.17.0 2009.02.15 -

eTrust-Vet 31.6.6360 2009.02.16 -

F-Prot 4.4.4.56 2009.02.16 -

F-Secure 8.0.14470.0 2009.02.16 -

Fortinet 3.117.0.0 2009.02.16 -

GData 19 2009.02.16 -

Ikarus T3.1.1.45.0 2009.02.16 -

K7AntiVirus 7.10.630 2009.02.14 -

Kaspersky 7.0.0.125 2009.02.16 -

McAfee 5527 2009.02.15 -

McAfee+Artemis 5527 2009.02.15 -

Microsoft 1.4306 2009.02.16 -

NOD32 3857 2009.02.16 -

Norman 6.00.02 2009.02.13 -

nProtect 2009.1.8.0 2009.02.16 -

Panda 10.0.0.10 2009.02.16 -

PCTools 4.4.2.0 2009.02.16 -

Prevx1 V2 2009.02.16 -

Rising 21.17.02.00 2009.02.16 -

SecureWeb-Gateway 6.7.6 2009.02.16 -

Sophos 4.38.0 2009.02.16 -

Sunbelt 3.2.1851.2 2009.02.12 -

Symantec 10 2009.02.16 -

TheHacker 6.3.2.2.258 2009.02.16 -

TrendMicro 8.700.0.1004 2009.02.16 -

ViRobot 2009.2.16.1609 2009.02.16 -

VirusBuster 4.5.11.0 2009.02.16 -

Additional information

File size: 4771 bytes

MD5...: a7d54a82e4fbcd8b72efad67f0f675d0

SHA1..: 2392491f251f268df685702f58ded0d0092cde9d

SHA256: c0ef715005aa7394e4719bf6b7e29b9a0e532b6a0412713bdb660a74910b1f55

SHA512: 8859009dfac73cf4286f336c22fc8f6813dbf4e3c598b3b3356904bda753195c67b476a8ed16d1309ef2bf89c7020ee9ff67bde1229bbd61c310bd4989b13f7f

ssdeep: 48:sqVxYR6+y6urhiiYAYn+uHVFVazXVL0KHVh2rz/1Mr0o62TB/DBYqo3lTTaVAKkw:sUiMjJ1h2/6LpmV38Vvk7F783w9oZ

PEiD..: -

TrID..: File type identification

HyperText Markup Language with DOCTYPE (80.6%)

HyperText Markup Language (19.3%)

PEInfo: -

 

 

 

 

If I'm not completely mistaken, this means there is no virus in this file, right?

 

(I'm doing what Snippsat asked me to do now)
Run a new scan with MBAM; this time tick the box so it deletes what it finds.

Your log says "No action taken".

 

After that, run ComboFix again and post the log, then we'll see whether anything has to be dealt with manually.

 

Edit:

Yes, posted at the same time as norbat.

 

 

Hmm. It seems the files are in Quarantine...

 

Should I just press delete? Then run ComboFix again?

Here is the latest ComboFix scan:

 

It's attached..

It was quite big ^_^.. It included a lot of things that weren't there last time (?)

 

Are there any leftovers?

Since I think most of it was gone after the first ComboFix scan..

Nod32 has at least stopped reporting trojans..

log___Combofix_2.txt

Edited by Grahaz10

Make sure you can see hidden files and folders (Control Panel -> Folder Options -> View -> Show hidden files and folders).

 

Use Explorer to delete the following file:

c:\windows\BITF8CC.tmp

 

Download CCleaner. Start the program. Go to 'Options' -> 'Advanced'. Uncheck: "only delete temporary files......" Click 'Cleaner' and then 'Run CCleaner'.

Also run a few rounds of 'Registry' until it finds no more errors.

 

Then:

Uninstall ComboFix by typing combofix /u in the Run box (Start -> Run).

 

That should be everything, as far as I can see :)
Make sure you can see hidden files and folders (Control Panel -> Folder Options -> View -> Show hidden files and folders).

 

Use Explorer to delete the following file:

c:\windows\BITF8CC.tmp

 

Download CCleaner. Start the program. Go to 'Options' -> 'Advanced'. Uncheck: "only delete temporary files......" Click 'Cleaner' and then 'Run CCleaner'.

Also run a few rounds of 'Registry' until it finds no more errors.

 

Then:

Uninstall ComboFix by typing combofix /u in the Run box (Start -> Run).

 

That should be everything, as far as I can see :)

 

Thank you very much :)
