
[Solved] Infected after visiting Fotovideo.no



Fotovideo.no was 'hacked' over the weekend; I visited it and got infected. I've managed to remove a fair amount, but I'm struggling to remove comsa32.sys and tpszxyd.sys, among others.

I've tried cleaning with ComboFix in Safe Mode, but it just comes back.

 

Malwarebytes log:

 

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 8

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer (Trojan.Agent) -> No action taken.

 

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\WINDOWS\system32\atlsystem100282.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\atlsystem21217.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\atlsystem384518.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\atlsystem505551.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\nxtepad.exe (Backdoor.Bot) -> No action taken.

C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> No action taken.

C:\WINDOWS\system32\msrstart.exe (Trojan.Agent) -> No action taken.

 

HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:18:18, on 23.02.2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ClamWin\bin\ClamTray.exe

C:\WINDOWS\System32\M-AudioTaskBarIcon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Task Killer\TaskKiller.exe

C:\Program Files\Opera\opera.exe

H:\Programmer for backup\Backup DVD\Den Store Freeware DVDen\Sikkerhet\Virusverktøy\Hijack This\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mit.forum.dk/login.aspx?returnUrl=h...ail.forum.dk%2f

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 76.176.120.172:3128

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\JRE\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\JRE\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\JRE\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)

O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe

O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\msrstart.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Task Killer] C:\Program Files\Task Killer\TaskKiller.exe

O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe

O4 - HKUS\S-1-5-21-1957994488-1770027372-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-1957994488-1770027372-839522115-1003\..\Run: [Task Killer] C:\Program Files\Task Killer\TaskKiller.exe (User '?')

O4 - HKUS\S-1-5-21-1957994488-1770027372-839522115-1003\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - S-1-5-21-1957994488-1770027372-839522115-1003 Startup: hott notes 4.lnk = C:\Program Files\hott notes 4\hottnotes.exe (User '?')

O4 - Startup: hott notes 4.lnk = C:\Program Files\hott notes 4\hottnotes.exe

O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JRE\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JRE\bin\jp2iexp.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\JRE\bin\jqs.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

 

--

End of file - 5834 bytes

 

 

No action taken....
I saved the log before I removed what came up, so that's done.
Post the ComboFix log too :)
Oops, forgot that...

 

Edited: new updated ComboFix log

 

ComboFix 09-02-21.01 - user 2009-02-23 0:55:11.7 - NTFSx86

Kjører fra: c:\documents and settings\user\Desktop\ComboFix.exe

Command switches brukt :: c:\documents and settings\user\Desktop\CFScript.txt

 

ADVARSEL -DENNE MASKINEN HAR IKKE GJENOPPRETTINGSKONSOLLEN INSTALLERT !!

.

 

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\200925650.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivere/Tjenester )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_DEFAULTLIB

-------\Service_defaultlib

 

 

((((((((((((((((((((((((((( Filer Opprettet Fra 2009-01-22 til 2009-02-22 )))))))))))))))))))))))))))))))))

.

 

2009-02-22 22:56 . 2009-02-22 22:56 86,016 --a------ c:\windows\system32\u222239053.dll

2009-02-22 22:56 . 2009-02-22 22:56 77,824 --a------ c:\windows\system32\u222289051.dll

2009-02-22 20:05 . 2009-02-22 20:05 122,880 --a------ c:\windows\system32\atlsystem53077.exe

2009-02-22 20:05 . 2009-02-22 20:05 86,016 --a------ c:\windows\system32\u202276532.dll

2009-02-22 20:05 . 2009-02-22 20:05 77,824 --a------ c:\windows\system32\u202210928.dll

2009-02-22 18:51 . 2009-02-22 18:51 86,016 --a------ c:\windows\system32\u182290613.dll

2009-02-22 18:51 . 2009-02-22 18:51 77,824 --a------ c:\windows\system32\u18223599.dll

2009-02-22 17:59 . 2009-02-22 17:59 86,016 --a------ c:\windows\system32\u172232855.dll

2009-02-22 17:59 . 2009-02-22 17:59 77,824 --a------ c:\windows\system32\u172282850.dll

2009-02-22 15:43 . 2009-02-22 15:43 86,016 --a------ c:\windows\system32\u152285923.dll

2009-02-22 15:43 . 2009-02-22 15:43 77,824 --a------ c:\windows\system32\u152231219.dll

2009-02-22 02:39 . 2009-02-22 02:39 86,016 --a------ c:\windows\system32\u22262541.dll

2009-02-22 02:39 . 2009-02-22 02:39 77,824 --a------ c:\windows\system32\u2229337.dll

2009-02-22 02:27 . 2009-02-22 02:27 86,016 --a------ c:\windows\system32\u22242141.dll

2009-02-22 02:27 . 2009-02-22 02:27 77,824 --a------ c:\windows\system32\u22292136.dll

2009-02-22 01:47 . 2009-02-22 01:47 86,016 --a------ c:\windows\system32\u12242119.dll

2009-02-22 01:47 . 2009-02-22 01:47 77,824 --a------ c:\windows\system32\u12290614.dll

2009-02-22 00:52 . 2009-02-22 00:52 86,016 --a------ c:\windows\system32\u02271818.dll

2009-02-22 00:52 . 2009-02-22 00:52 77,824 --a------ c:\windows\system32\u02218714.dll

2009-02-22 00:43 . 2009-02-22 00:43 86,016 --a------ c:\windows\system32\u02281215.dll

2009-02-22 00:43 . 2009-02-22 00:43 77,824 --a------ c:\windows\system32\u02210911.dll

2009-02-22 00:36 . 2009-02-22 00:36 86,016 --a------ c:\windows\system32\u02281232.dll

2009-02-22 00:36 . 2009-02-22 00:36 77,824 --a------ c:\windows\system32\u02257827.dll

2009-02-21 21:19 . 2009-02-21 21:19 86,016 --a------ c:\windows\system32\u212165630.dll

2009-02-21 21:19 . 2009-02-21 21:19 86,016 --a------ c:\windows\system32\u212114053.dll

2009-02-21 21:19 . 2009-02-21 21:19 77,824 --a------ c:\windows\system32\u212159351.dll

2009-02-21 21:19 . 2009-02-21 21:19 77,824 --a------ c:\windows\system32\u212110929.dll

2009-02-21 21:19 . 2009-02-21 21:19 65,536 --a------ c:\windows\system32\der9879928.dll

2009-02-21 21:19 . 2009-02-21 21:19 65,536 --a------ c:\windows\system32\der6619988.dll

2009-02-13 12:45 . 2009-02-13 23:42 <DIR> d-------- c:\windows\SxsCaPendDel

2009-02-10 02:11 . 2009-02-10 02:11 <DIR> d-------- c:\program files\Defraggler

2009-02-10 01:58 . 2009-02-10 01:58 <DIR> d-------- c:\documents and settings\user\Application Data\Media Player Classic

2009-02-09 00:22 . 2009-02-09 00:22 <DIR> d-------- c:\documents and settings\user\Application Data\dvdcss

2009-02-07 19:51 . 2009-02-07 19:51 <DIR> d-------- c:\program files\Spotify

2009-02-07 19:51 . 2009-02-22 21:03 <DIR> d-------- c:\documents and settings\user\Application Data\Spotify

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-22 20:27 --------- d-----w c:\documents and settings\user\Application Data\.purple

2009-02-22 15:09 --------- d-----w c:\documents and settings\user\Application Data\uTorrent

2009-02-21 23:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-02-21 23:42 --------- d-----w c:\program files\SpywareBlaster

2009-02-21 23:19 --------- d-----w c:\program files\PeerGuardian2

2009-02-13 22:57 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-13 11:45 --------- d-----w c:\program files\OpenOffice.org 3

2009-02-11 09:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 09:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-10 01:09 --------- d-----w c:\program files\CCleaner

2009-02-08 19:56 --------- d-----w c:\documents and settings\user\Application Data\IEPro

2009-01-18 23:23 --------- d-----w c:\program files\Kazaa Lite Resurrection

2009-01-18 23:13 --------- d-----w c:\documents and settings\user\Application Data\Kazaa Lite

2009-01-18 16:50 --------- d-----w c:\documents and settings\user\Application Data\Malwarebytes

2009-01-18 16:50 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-12 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy

2009-01-12 00:52 --------- d-----w c:\program files\WorldOfGooDemo

2009-01-01 13:12 --------- d-----w c:\program files\MediaMonkey

2008-12-31 16:28 --------- d-----w c:\program files\SUPERAntiSpyware

2008-12-31 16:28 --------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com

2008-12-31 16:27 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-12-30 22:51 --------- d-----w c:\program files\Opera

.

 

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Task Killer"="c:\program files\Task Killer\TaskKiller.exe" [2007-11-04 221696]

"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2008-10-20 45603]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"amd_dc_opt"="c:\program files\AMD Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]

"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]

"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2008-05-15 356864]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

"nltide_3"="advpack.dll" [2008-12-21 c:\windows\system32\advpack.dll]

 

c:\documents and settings\user\Start Menu\Programs\Startup\

hott notes 4.lnk - c:\program files\hott notes 4\hottnotes.exe [5/16/2007 2:04:42 AM 1249280]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi2"= usbnp4x4.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\IEPro\\MiniDM.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

 

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2007-03-07 38448]

R2 softyinforwow1;Sysmtens;c:\windows\System32\svchost.exe [2008-04-14 14336]

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]

R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-11-18 7808]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

R4 WCMSHSGOYFHYMDN;WCMSHSGOYFHYMDN; [x]

S1 atitray;atitray;c:\program files\ATI Tray Tools\atitray.sys [2007-05-22 18088]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-22 8944]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-22 55024]

S2 eq2soft;Service Eset;c:\windows\System32\svchost.exe [2008-04-14 14336]

S2 netmantow;Network Connections.;c:\windows\System32\svchost.exe [2008-04-14 14336]

S3 MADFU003;MADFU003;c:\windows\system32\DRIVERS\MADFU003.sys [2008-03-14 75912]

S3 MAUSBAP;Service for M-Audio Audiophile (WDM);c:\windows\system32\DRIVERS\mausbap.sys [2008-03-14 143624]

S3 USBNP4X4;M-Audio Audiophile USB Midi;c:\windows\system32\drivers\usbnp4x4.sys [2008-03-14 29000]

 

 

--- Andre tjenester/drivere lastet i minnet ---

 

*Deregistered* - AegisP

*Deregistered* - AFD

*Deregistered* - ALG

*Deregistered* - AmdLLD

*Deregistered* - Ati HotKey Poller

*Deregistered* - ATI Smart

*Deregistered* - atitray

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - Beep

*Deregistered* - Browser

*Deregistered* - Cdfs

*Deregistered* - CryptSvc

*Deregistered* - Dhcp

*Deregistered* - dmio

*Deregistered* - dmload

*Deregistered* - dmserver

*Deregistered* - Dnscache

*Deregistered* - eq2soft

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - Fastfat

*Deregistered* - Fips

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - Gpc

*Deregistered* - helpsvc

*Deregistered* - HTTP

*Deregistered* - HTTPFilter

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - Kbdclass

*Deregistered* - KSecDD

*Deregistered* - lanmanserver

*Deregistered* - LanmanWorkstation

*Deregistered* - mnmdd

*Deregistered* - Mouclass

*Deregistered* - MountMgr

*Deregistered* - MRxDAV

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - netmantow

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - ParVdm

*Deregistered* - PptpMiniport

*Deregistered* - ProtectedStorage

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - Rasl2tp

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - rdpdr

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - SASDIFSV

*Deregistered* - SASKUTIL

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - softyinforwow1

*Deregistered* - Spooler

*Deregistered* - sptd

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - swenum

*Deregistered* - Tcpip

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - Update

*Deregistered* - upnphost

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - Wanarp

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - wscsvc

*Deregistered* - WZCSVC

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

netmantow

softyinforwow1

eq2soft

.

.

------- Tilleggsskanning -------

.

uStart Page = hxxp://mit.forum.dk/login.aspx?returnUrl=http%3a%2f%2fmail.forum.dk%2f

uInternet Settings,ProxyServer = 76.176.120.172:3128

IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dll

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab

FF - ProfilePath -

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-23 00:57:05

Windows 5.1.2600 Service Pack 3 NTFS

 

skanner skjulte prosesser ...

 

skanner skjulte autostart-oppføringer ...

 

skanner skjulte filer ...

 

skanning vellykket

skjulte filer: 0

 

**************************************************************************

.

--------------------- LÅSTE REGISTERNØKLER ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]

@Allowed: (Read) (Administrators)

"AB141C35E9F4BF344B9FC010BB17F68A"=""

.

--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

 

- - - - - - - > 'winlogon.exe'(644)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

.

------------------------ Andre Kjørende Prosesser ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\atlsystem720803.exe

c:\windows\system32\tpszxyd.sys

.

**************************************************************************

.

Tidspunkt ferdig: 2009-02-23 0:58:31 - maskinen ble startet på nytt

ComboFix-quarantined-files.txt 2009-02-22 23:58:28

ComboFix2.txt 2009-02-22 20:28:40

ComboFix3.txt 2009-02-22 16:47:31

 

Pre-Run: 12 428 177 408 bytes free

Post-Run: 12,416,815,104 bytes free

 

284

 

 

 

Edit 2: The services soxpeca, afisicx, mabidwe, and tpszxyd started after the restart and after ComboFix had finished.

Edited by k-orm

Click Start - All Programs - Accessories - Notepad

 

Copy and paste the text in the code box below into Notepad:

 

File::
c:\windows\system32\u152285923.dll
c:\windows\system32\u152231219.dll
c:\windows\system32\u22262541.dll
c:\windows\system32\u2229337.dll
c:\windows\system32\u22242141.dll
c:\windows\system32\u22292136.dll
c:\windows\system32\u12242119.dll
c:\windows\system32\u12290614.dll
c:\windows\system32\u02271818.dll
c:\windows\system32\u02218714.dll
c:\windows\system32\u02281215.dll
c:\windows\system32\u02210911.dll
c:\windows\system32\u02281232.dll
c:\windows\system32\u02257827.dll
c:\windows\system32\u212165630.dll
c:\windows\system32\u212114053.dll
c:\windows\system32\u212159351.dll
c:\windows\system32\u212110929.dll
c:\windows\system32\der9879928.dll
c:\windows\system32\der6619988.dll

DirLook::
c:\windows\SxsCaPendDel

Driver::
MADFU003
WCMSHSGOYFHYMDN

 

Save it as CFScript.txt on the Desktop

 

Drag CFScript onto ComboFix.exe on the Desktop, as the animation below shows.

 

[animation: CFScriptB-4.gif]

 

This will start ComboFix again. If the machine asks for a restart, let it do so right away.

 

Post the contents of ComboFix.txt in your next reply on the forum.

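As an added example (not from any post in this thread, and not code from HijackThis or ComboFix), here is a small Python triage script that applies the kinds of checks the helper is doing by hand over the logs above: the proxy pointing at an external address in the R1 line, the Run value labelled Explorer that actually starts msrstart.exe from system32, the svchost-hosted services ComboFix lists as non-default, a service with no file on disk, and the disabled firewall and Security Center notifications. The rules are the editor's own heuristics, and the sample lines are copied from the logs posted in the thread.

```python
"""Triage heuristics over HijackThis / ComboFix log lines.

Added example for this thread; not part of the original posts and not code
from HijackThis or ComboFix. The rules are the editor's own heuristics: they
flag lines for a human to review, they do not classify anything as malicious.
"""
import ipaddress
import ntpath
import re
from typing import Dict, List

# HijackThis R1 line, or ComboFix "uInternet Settings" line: a user proxy is set.
PROXY = re.compile(r"^(?:R1 - .*|u)Internet Settings,ProxyServer = ([\w.:-]+)")
# HijackThis O4 entries from the Run keys only. RunOnce is left alone because
# Windows itself places odd-looking entries there (e.g. tscuninstall).
O4_RUN = re.compile(r"^O4 - (?:HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
USER_SUFFIX = re.compile(r"\s+\(User '[^']*'\)$")
EXE_PATH = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)
# ComboFix driver/service lines: "R2 name;display name;path [date size]" or "[x]".
CF_SERVICE = re.compile(r"^[RS][0-4] ([^;]+);([^;]*);(.*?)\s*\[(.*)\]$")
CF_FIREWALL_OFF = re.compile(r'^"EnableFirewall"= 0\b')
CF_SC_NOTIFY_OFF = re.compile(r'^"(AntiVirusDisableNotify|UpdatesDisableNotify)"=dword:0*1$')

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 76.176.120.172:3128
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\msrstart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
"AntiVirusDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
R2 softyinforwow1;Sysmtens;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
R4 WCMSHSGOYFHYMDN;WCMSHSGOYFHYMDN; [x]
S2 eq2soft;Service Eset;c:\windows\System32\svchost.exe [2008-04-14 14336]
"""


def _norm(name: str) -> str:
    """Lower-case, drop spaces and a trailing .exe so a label compares with a file name."""
    n = name.lower().replace(" ", "")
    return n[:-4] if n.endswith(".exe") else n


def _is_public(host: str) -> bool:
    """True when the proxy host is a literal IP outside loopback/private/reserved ranges."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname: leave that judgement to the reviewer


def audit_log(text: str) -> List[Dict[str, str]]:
    """Return review findings, in log order, as dicts with rule/line/detail keys."""
    findings: List[Dict[str, str]] = []

    def add(rule: str, line: str, detail: str) -> None:
        findings.append({"rule": rule, "line": line, "detail": detail})

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY.match(line)
        if m:
            host = m.group(1).rsplit(":", 1)[0]
            kind = "external" if _is_public(host) else "local/private"
            add("proxy-configured", line, f"{kind} proxy {m.group(1)}")
            continue
        m = O4_RUN.match(line)
        if m:
            label, target = m.group(1), USER_SUFFIX.sub("", m.group(2))
            exe = EXE_PATH.match(target)
            if exe and "\\system32\\" in exe.group(1).lower():
                path = exe.group(1)
                # A Run value whose label does not match the binary it starts,
                # with that binary living in system32, deserves a second look.
                if _norm(label) != _norm(ntpath.basename(path)):
                    add("run-label-mismatch", line, f"label '{label}' starts {path}")
            continue
        m = CF_SERVICE.match(line)
        if m:
            name, display, path, info = m.groups()
            if info.strip() == "x":
                add("service-missing-binary", line, f"service {name} has no file on disk")
            elif ntpath.basename(path).lower() == "svchost.exe":
                # ComboFix omits valid default entries, so every svchost-hosted
                # service it prints is a non-default one worth identifying.
                add("svchost-hosted-service", line, f"service {name} ('{display}') runs in svchost.exe")
            continue
        if CF_FIREWALL_OFF.match(line):
            add("firewall-disabled", line, "Windows Firewall standard profile is off")
        m = CF_SC_NOTIFY_OFF.match(line)
        if m:
            add("security-center-notify-off", line, f"{m.group(1)} is set to 1")
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['detail']}")
```

Run against the full logs from the thread, the same rules also pick up netmantow and the ComboFix `uInternet Settings,ProxyServer` line; the findings are a review list, not a verdict.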

New ComboFix log:

 

ComboFix 09-02-21.01 - user 2009-02-23 1:16:40.8 - NTFSx86

Kjører fra: c:\documents and settings\user\Desktop\ComboFix.exe

Command switches brukt :: c:\documents and settings\user\Desktop\CFScript.txt

 

ADVARSEL -DENNE MASKINEN HAR IKKE GJENOPPRETTINGSKONSOLLEN INSTALLERT !!

.

 

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\Install.txt

c:\windows\system32\200925818.dll

c:\windows\system32\afisicx.exe

c:\windows\system32\comsa32.sys

c:\windows\system32\Install.txt

c:\windows\system32\mabidwe.exe

c:\windows\system32\soxpeca.exe

c:\windows\system32\tpszxyd.sys

 

.

((((((((((((((((((((((((((((((((((((((( Drivere/Tjenester )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_AFISICX

-------\Legacy_DEFAULTLIB

-------\Legacy_MABIDWE

-------\Legacy_SOXPECA

-------\Legacy_WCMSHSGOYFHYMDN

-------\Service_afisicx

-------\Service_mabidwe

-------\Service_MADFU003

-------\Service_soxpeca

-------\Service_WCMSHSGOYFHYMDN

 

 

((((((((((((((((((((((((((( Filer Opprettet Fra 2009-01-23 til 2009-02-23 )))))))))))))))))))))))))))))))))

.

 

2009-02-23 00:58 . 2009-02-23 00:58 86,016 --a------ c:\windows\system32\u02385924.dll

2009-02-23 00:58 . 2009-02-23 00:58 77,824 --a------ c:\windows\system32\u02334320.dll

2009-02-22 22:56 . 2009-02-22 22:56 86,016 --a------ c:\windows\system32\u222239053.dll

2009-02-22 22:56 . 2009-02-22 22:56 77,824 --a------ c:\windows\system32\u222289051.dll

2009-02-22 20:05 . 2009-02-22 20:05 122,880 --a------ c:\windows\system32\atlsystem53077.exe

2009-02-22 20:05 . 2009-02-22 20:05 86,016 --a------ c:\windows\system32\u202276532.dll

2009-02-22 20:05 . 2009-02-22 20:05 77,824 --a------ c:\windows\system32\u202210928.dll

2009-02-22 18:51 . 2009-02-22 18:51 86,016 --a------ c:\windows\system32\u182290613.dll

2009-02-22 18:51 . 2009-02-22 18:51 77,824 --a------ c:\windows\system32\u18223599.dll

2009-02-22 17:59 . 2009-02-22 17:59 86,016 --a------ c:\windows\system32\u172232855.dll

2009-02-22 17:59 . 2009-02-22 17:59 77,824 --a------ c:\windows\system32\u172282850.dll

2009-02-22 15:43 . 2009-02-22 15:43 86,016 --a------ c:\windows\system32\u152285923.dll

2009-02-22 15:43 . 2009-02-22 15:43 77,824 --a------ c:\windows\system32\u152231219.dll

2009-02-22 02:39 . 2009-02-22 02:39 86,016 --a------ c:\windows\system32\u22262541.dll

2009-02-22 02:39 . 2009-02-22 02:39 77,824 --a------ c:\windows\system32\u2229337.dll

2009-02-22 02:27 . 2009-02-22 02:27 86,016 --a------ c:\windows\system32\u22242141.dll

2009-02-22 02:27 . 2009-02-22 02:27 77,824 --a------ c:\windows\system32\u22292136.dll

2009-02-22 01:47 . 2009-02-22 01:47 86,016 --a------ c:\windows\system32\u12242119.dll

2009-02-22 01:47 . 2009-02-22 01:47 77,824 --a------ c:\windows\system32\u12290614.dll

2009-02-22 00:52 . 2009-02-22 00:52 86,016 --a------ c:\windows\system32\u02271818.dll

2009-02-22 00:52 . 2009-02-22 00:52 77,824 --a------ c:\windows\system32\u02218714.dll

2009-02-22 00:43 . 2009-02-22 00:43 86,016 --a------ c:\windows\system32\u02281215.dll

2009-02-22 00:43 . 2009-02-22 00:43 77,824 --a------ c:\windows\system32\u02210911.dll

2009-02-22 00:36 . 2009-02-22 00:36 86,016 --a------ c:\windows\system32\u02281232.dll

2009-02-22 00:36 . 2009-02-22 00:36 77,824 --a------ c:\windows\system32\u02257827.dll

2009-02-21 21:19 . 2009-02-21 21:19 86,016 --a------ c:\windows\system32\u212165630.dll

2009-02-21 21:19 . 2009-02-21 21:19 86,016 --a------ c:\windows\system32\u212114053.dll

2009-02-21 21:19 . 2009-02-21 21:19 77,824 --a------ c:\windows\system32\u212159351.dll

2009-02-21 21:19 . 2009-02-21 21:19 77,824 --a------ c:\windows\system32\u212110929.dll

2009-02-21 21:19 . 2009-02-21 21:19 65,536 --a------ c:\windows\system32\der9879928.dll

2009-02-21 21:19 . 2009-02-21 21:19 65,536 --a------ c:\windows\system32\der6619988.dll

2009-02-13 12:45 . 2009-02-13 23:42 <DIR> d-------- c:\windows\SxsCaPendDel

2009-02-10 02:11 . 2009-02-10 02:11 <DIR> d-------- c:\program files\Defraggler

2009-02-10 01:58 . 2009-02-10 01:58 <DIR> d-------- c:\documents and settings\user\Application Data\Media Player Classic

2009-02-09 00:22 . 2009-02-09 00:22 <DIR> d-------- c:\documents and settings\user\Application Data\dvdcss

2009-02-07 19:51 . 2009-02-07 19:51 <DIR> d-------- c:\program files\Spotify

2009-02-07 19:51 . 2009-02-22 21:03 <DIR> d-------- c:\documents and settings\user\Application Data\Spotify

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-22 23:57 --------- d-----w c:\documents and settings\user\Application Data\.purple

2009-02-22 15:09 --------- d-----w c:\documents and settings\user\Application Data\uTorrent

2009-02-21 23:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-02-21 23:42 --------- d-----w c:\program files\SpywareBlaster

2009-02-21 23:19 --------- d-----w c:\program files\PeerGuardian2

2009-02-13 22:57 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-13 11:45 --------- d-----w c:\program files\OpenOffice.org 3

2009-02-11 09:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 09:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-10 01:09 --------- d-----w c:\program files\CCleaner

2009-02-08 19:56 --------- d-----w c:\documents and settings\user\Application Data\IEPro

2009-01-18 23:23 --------- d-----w c:\program files\Kazaa Lite Resurrection

2009-01-18 23:13 --------- d-----w c:\documents and settings\user\Application Data\Kazaa Lite

2009-01-18 16:50 --------- d-----w c:\documents and settings\user\Application Data\Malwarebytes

2009-01-18 16:50 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-12 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy

2009-01-12 00:52 --------- d-----w c:\program files\WorldOfGooDemo

2009-01-01 13:12 --------- d-----w c:\program files\MediaMonkey

2008-12-31 16:28 --------- d-----w c:\program files\SUPERAntiSpyware

2008-12-31 16:28 --------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com

2008-12-31 16:27 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-12-30 22:51 --------- d-----w c:\program files\Opera

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

---- Directory of c:\windows\SxsCaPendDel ----

 

 

 

((((((((((((((((((((((((((((( SnapShot@2009-02-22_ 2.39.26.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2001-08-31 14:57:22 240,640 ----a-w c:\windows\system32\msrstart.exe

+ 2001-08-31 14:57:22 240,640 ----a-w c:\windows\system32\nxtepad.exe

.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Task Killer"="c:\program files\Task Killer\TaskKiller.exe" [2007-11-04 221696]

"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2008-10-20 45603]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"amd_dc_opt"="c:\program files\AMD Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]

"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]

"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2008-05-15 356864]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

"nltide_3"="advpack.dll" [2008-12-21 c:\windows\system32\advpack.dll]

 

c:\documents and settings\user\Start Menu\Programs\Startup\

hott notes 4.lnk - c:\program files\hott notes 4\hottnotes.exe [5/16/2007 2:04:42 AM 1249280]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi2"= usbnp4x4.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\IEPro\\MiniDM.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

 

R2 softyinforwow1;Sysmtens;c:\windows\System32\svchost.exe [2008-04-14 14336]

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]

R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-11-18 7808]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

S0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2007-03-07 38448]

S1 atitray;atitray;c:\program files\ATI Tray Tools\atitray.sys [2007-05-22 18088]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-22 8944]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-22 55024]

S2 eq2soft;Service Eset;c:\windows\System32\svchost.exe [2008-04-14 14336]

S2 netmantow;Network Connections.;c:\windows\System32\svchost.exe [2008-04-14 14336]

S3 MAUSBAP;Service for M-Audio Audiophile (WDM);c:\windows\system32\DRIVERS\mausbap.sys [2008-03-14 143624]

S3 USBNP4X4;M-Audio Audiophile USB Midi;c:\windows\system32\drivers\usbnp4x4.sys [2008-03-14 29000]

 

 

--- Andre tjenester/drivere lastet i minnet ---

 

*Deregistered* - AegisP

*Deregistered* - AFD

*Deregistered* - ALG

*Deregistered* - AmdLLD

*Deregistered* - Ati HotKey Poller

*Deregistered* - ATI Smart

*Deregistered* - atitray

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - Beep

*Deregistered* - Browser

*Deregistered* - Cdfs

*Deregistered* - CryptSvc

*Deregistered* - Dhcp

*Deregistered* - dmio

*Deregistered* - dmload

*Deregistered* - dmserver

*Deregistered* - Dnscache

*Deregistered* - eq2soft

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - Fastfat

*Deregistered* - Fips

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - Gpc

*Deregistered* - helpsvc

*Deregistered* - hotcore3

*Deregistered* - HTTP

*Deregistered* - HTTPFilter

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - Kbdclass

*Deregistered* - KSecDD

*Deregistered* - lanmanserver

*Deregistered* - LanmanWorkstation

*Deregistered* - mnmdd

*Deregistered* - Mouclass

*Deregistered* - MountMgr

*Deregistered* - MRxDAV

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - netmantow

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - PartMgr

*Deregistered* - ParVdm

*Deregistered* - PptpMiniport

*Deregistered* - ProtectedStorage

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - Rasl2tp

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - rdpdr

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - SASDIFSV

*Deregistered* - SASKUTIL

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - softyinforwow1

*Deregistered* - Spooler

*Deregistered* - sptd

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - swenum

*Deregistered* - Tcpip

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - Update

*Deregistered* - upnphost

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - Wanarp

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - wscsvc

*Deregistered* - WZCSVC

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

netmantow

softyinforwow1

eq2soft

.

.

------- Tilleggsskanning -------

.

uStart Page = hxxp://mit.forum.dk/login.aspx?returnUrl=http%3a%2f%2fmail.forum.dk%2f

uInternet Settings,ProxyServer = 76.176.120.172:3128

IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dll

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab

FF - ProfilePath -

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-23 01:18:42

Windows 5.1.2600 Service Pack 3 NTFS

 

skanner skjulte prosesser ...

 

skanner skjulte autostart-oppføringer ...

 

skanner skjulte filer ...

 

skanning vellykket

skjulte filer: 0

 

**************************************************************************

.

--------------------- LÅSTE REGISTERNØKLER ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]

@Allowed: (Read) (Administrators)

"AB141C35E9F4BF344B9FC010BB17F68A"=""

.

--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

 

- - - - - - - > 'winlogon.exe'(640)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

.

------------------------ Andre Kjørende Prosesser ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\atlsystem35947.exe

.

**************************************************************************

.

Tidspunkt ferdig: 2009-02-23 1:20:00 - maskinen ble startet på nytt

ComboFix-quarantined-files.txt 2009-02-23 00:19:58

ComboFix2.txt 2009-02-22 23:58:31

ComboFix3.txt 2009-02-22 20:28:40

ComboFix4.txt 2009-02-22 16:47:31

 

Pre-Run: 12 423 675 904 bytes free

Post-Run: 12,417,273,856 bytes free

 

309

 


Click Start - All Programs - Accessories - Notepad

 

Copy and paste the text in the code box below into Notepad:

 

File::
c:\windows\system32\atlsystem53077.exe
c:\windows\system32\u02385924.dll
c:\windows\system32\u02334320.dll
c:\windows\system32\u222239053.dll
c:\windows\system32\u222289051.dll
c:\windows\system32\u202276532.dll
c:\windows\system32\u202210928.dll
c:\windows\system32\u182290613.dll
c:\windows\system32\u18223599.dll
c:\windows\system32\u172232855.dll
c:\windows\system32\u172282850.dll
c:\windows\system32\u152285923.dll
c:\windows\system32\u152231219.dll
c:\windows\system32\u22262541.dll
c:\windows\system32\u2229337.dll
c:\windows\system32\u22242141.dll
c:\windows\system32\u22292136.dll
c:\windows\system32\u12242119.dll
c:\windows\system32\u12290614.dll
c:\windows\system32\u02271818.dll
c:\windows\system32\u02218714.dll
c:\windows\system32\u02281215.dll
c:\windows\system32\u02210911.dll
c:\windows\system32\u02281232.dll
c:\windows\system32\u02257827.dll
c:\windows\system32\u212165630.dll
c:\windows\system32\u212114053.dll
c:\windows\system32\u212159351.dll
c:\windows\system32\u212110929.dll
c:\windows\system32\der9879928.dll
c:\windows\system32\der6619988.dll

 

Save it as CFScript on the Desktop

 

Drag CFScript onto ComboFix.exe on the Desktop, as the animation below shows.

 

[Animation: CFScriptB-4.gif]

 

This will start ComboFix again. If the machine asks for a reboot, let it do so right away.

 

Post the contents of ComboFix.txt in your next reply on the forum.

Edited by Submit

New ComboFix log:

 

ComboFix 09-02-21.01 - user 2009-02-23 1:32:42.9 - NTFSx86

Kjører fra: c:\documents and settings\user\Desktop\ComboFix.exe

Command switches brukt :: c:\documents and settings\user\Desktop\CFScript.txt

 

ADVARSEL -DENNE MASKINEN HAR IKKE GJENOPPRETTINGSKONSOLLEN INSTALLERT !!

.

 

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\200921954.dll

c:\windows\system32\comsa32.sys

c:\windows\system32\tpszxyd.sys

 

.

((((((((((((((((((((((((((((((((((((((( Drivere/Tjenester )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_DEFAULTLIB

-------\Service_defaultlib

 

 

((((((((((((((((((((((((((( Filer Opprettet Fra 2009-01-23 til 2009-02-23 )))))))))))))))))))))))))))))))))

.

 

2009-02-23 01:20 . 2009-02-23 01:20 86,016 --a------ c:\windows\system32\u1237180.dll

2009-02-23 01:19 . 2009-02-23 01:19 77,824 --a------ c:\windows\system32\u12323456.dll

2009-02-23 01:19 . 2009-02-23 01:19 58,880 --a------ c:\windows\system32\atlsystem78877.exe

2009-02-23 01:19 . 2009-02-23 01:19 58,880 --a------ c:\windows\system32\atlsystem169261.exe

2009-02-23 01:19 . 2009-02-23 01:20 58,880 --a------ c:\windows\system32\atlsystem159661.exe

2009-02-23 00:58 . 2009-02-23 00:58 86,016 --a------ c:\windows\system32\u02385924.dll

2009-02-23 00:58 . 2009-02-23 00:58 77,824 --a------ c:\windows\system32\u02334320.dll

2009-02-22 22:56 . 2009-02-22 22:56 86,016 --a------ c:\windows\system32\u222239053.dll

2009-02-22 22:56 . 2009-02-22 22:56 77,824 --a------ c:\windows\system32\u222289051.dll

2009-02-22 20:05 . 2009-02-22 20:05 122,880 --a------ c:\windows\system32\atlsystem53077.exe

2009-02-22 20:05 . 2009-02-22 20:05 86,016 --a------ c:\windows\system32\u202276532.dll

2009-02-22 20:05 . 2009-02-22 20:05 77,824 --a------ c:\windows\system32\u202210928.dll

2009-02-22 18:51 . 2009-02-22 18:51 86,016 --a------ c:\windows\system32\u182290613.dll

2009-02-22 18:51 . 2009-02-22 18:51 77,824 --a------ c:\windows\system32\u18223599.dll

2009-02-22 17:59 . 2009-02-22 17:59 86,016 --a------ c:\windows\system32\u172232855.dll

2009-02-22 17:59 . 2009-02-22 17:59 77,824 --a------ c:\windows\system32\u172282850.dll

2009-02-22 15:43 . 2009-02-22 15:43 86,016 --a------ c:\windows\system32\u152285923.dll

2009-02-22 15:43 . 2009-02-22 15:43 77,824 --a------ c:\windows\system32\u152231219.dll

2009-02-22 02:39 . 2009-02-22 02:39 86,016 --a------ c:\windows\system32\u22262541.dll

2009-02-22 02:39 . 2009-02-22 02:39 77,824 --a------ c:\windows\system32\u2229337.dll

2009-02-22 02:27 . 2009-02-22 02:27 86,016 --a------ c:\windows\system32\u22242141.dll

2009-02-22 02:27 . 2009-02-22 02:27 77,824 --a------ c:\windows\system32\u22292136.dll

2009-02-22 01:47 . 2009-02-22 01:47 86,016 --a------ c:\windows\system32\u12242119.dll

2009-02-22 01:47 . 2009-02-22 01:47 77,824 --a------ c:\windows\system32\u12290614.dll

2009-02-22 00:52 . 2009-02-22 00:52 86,016 --a------ c:\windows\system32\u02271818.dll

2009-02-22 00:52 . 2009-02-22 00:52 77,824 --a------ c:\windows\system32\u02218714.dll

2009-02-22 00:43 . 2009-02-22 00:43 86,016 --a------ c:\windows\system32\u02281215.dll

2009-02-22 00:43 . 2009-02-22 00:43 77,824 --a------ c:\windows\system32\u02210911.dll

2009-02-22 00:36 . 2009-02-22 00:36 86,016 --a------ c:\windows\system32\u02281232.dll

2009-02-22 00:36 . 2009-02-22 00:36 77,824 --a------ c:\windows\system32\u02257827.dll

2009-02-21 21:19 . 2009-02-21 21:19 86,016 --a------ c:\windows\system32\u212165630.dll

2009-02-21 21:19 . 2009-02-21 21:19 86,016 --a------ c:\windows\system32\u212114053.dll

2009-02-21 21:19 . 2009-02-21 21:19 77,824 --a------ c:\windows\system32\u212159351.dll

2009-02-21 21:19 . 2009-02-21 21:19 77,824 --a------ c:\windows\system32\u212110929.dll

2009-02-21 21:19 . 2009-02-21 21:19 65,536 --a------ c:\windows\system32\der9879928.dll

2009-02-21 21:19 . 2009-02-21 21:19 65,536 --a------ c:\windows\system32\der6619988.dll

2009-02-13 12:45 . 2009-02-13 23:42 <DIR> d-------- c:\windows\SxsCaPendDel

2009-02-10 02:11 . 2009-02-10 02:11 <DIR> d-------- c:\program files\Defraggler

2009-02-10 01:58 . 2009-02-10 01:58 <DIR> d-------- c:\documents and settings\user\Application Data\Media Player Classic

2009-02-09 00:22 . 2009-02-09 00:22 <DIR> d-------- c:\documents and settings\user\Application Data\dvdcss

2009-02-07 19:51 . 2009-02-07 19:51 <DIR> d-------- c:\program files\Spotify

2009-02-07 19:51 . 2009-02-22 21:03 <DIR> d-------- c:\documents and settings\user\Application Data\Spotify

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-23 00:18 --------- d-----w c:\documents and settings\user\Application Data\.purple

2009-02-22 15:09 --------- d-----w c:\documents and settings\user\Application Data\uTorrent

2009-02-21 23:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-02-21 23:42 --------- d-----w c:\program files\SpywareBlaster

2009-02-21 23:19 --------- d-----w c:\program files\PeerGuardian2

2009-02-13 22:57 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-13 11:45 --------- d-----w c:\program files\OpenOffice.org 3

2009-02-11 09:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 09:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-10 01:09 --------- d-----w c:\program files\CCleaner

2009-02-08 19:56 --------- d-----w c:\documents and settings\user\Application Data\IEPro

2009-01-18 23:23 --------- d-----w c:\program files\Kazaa Lite Resurrection

2009-01-18 23:13 --------- d-----w c:\documents and settings\user\Application Data\Kazaa Lite

2009-01-18 16:50 --------- d-----w c:\documents and settings\user\Application Data\Malwarebytes

2009-01-18 16:50 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-12 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy

2009-01-12 00:52 --------- d-----w c:\program files\WorldOfGooDemo

2009-01-01 13:12 --------- d-----w c:\program files\MediaMonkey

2008-12-31 16:28 --------- d-----w c:\program files\SUPERAntiSpyware

2008-12-31 16:28 --------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com

2008-12-31 16:27 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-12-30 22:51 --------- d-----w c:\program files\Opera

.

 

((((((((((((((((((((((((((((( SnapShot@2009-02-22_ 2.39.26.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2001-08-31 14:57:22 240,640 ----a-w c:\windows\system32\msrstart.exe

+ 2001-08-31 14:57:22 240,640 ----a-w c:\windows\system32\nxtepad.exe

.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Task Killer"="c:\program files\Task Killer\TaskKiller.exe" [2007-11-04 221696]

"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2008-10-20 45603]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"amd_dc_opt"="c:\program files\AMD Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]

"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]

"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2008-05-15 356864]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

"nltide_3"="advpack.dll" [2008-12-21 c:\windows\system32\advpack.dll]

 

c:\documents and settings\user\Start Menu\Programs\Startup\

hott notes 4.lnk - c:\program files\hott notes 4\hottnotes.exe [5/16/2007 2:04:42 AM 1249280]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi2"= usbnp4x4.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\IEPro\\MiniDM.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

 

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]

R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-11-18 7808]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

S0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2007-03-07 38448]

S1 atitray;atitray;c:\program files\ATI Tray Tools\atitray.sys [2007-05-22 18088]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-22 8944]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-22 55024]

S2 eq2soft;Service Eset;c:\windows\System32\svchost.exe [2008-04-14 14336]

S2 netmantow;Network Connections.;c:\windows\System32\svchost.exe [2008-04-14 14336]

S2 softyinforwow1;Sysmtens;c:\windows\System32\svchost.exe [2008-04-14 14336]

S3 MAUSBAP;Service for M-Audio Audiophile (WDM);c:\windows\system32\DRIVERS\mausbap.sys [2008-03-14 143624]

S3 USBNP4X4;M-Audio Audiophile USB Midi;c:\windows\system32\drivers\usbnp4x4.sys [2008-03-14 29000]

 

 

--- Andre tjenester/drivere lastet i minnet ---

 

*NewlyCreated* - DEFAULTLIB

*Deregistered* - AegisP

*Deregistered* - AFD

*Deregistered* - ALG

*Deregistered* - AmdLLD

*Deregistered* - Ati HotKey Poller

*Deregistered* - ATI Smart

*Deregistered* - atitray

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - Beep

*Deregistered* - Browser

*Deregistered* - Cdfs

*Deregistered* - CryptSvc

*Deregistered* - defaultlib

*Deregistered* - Dhcp

*Deregistered* - dmio

*Deregistered* - dmload

*Deregistered* - dmserver

*Deregistered* - Dnscache

*Deregistered* - eq2soft

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - Fastfat

*Deregistered* - Fips

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - Gpc

*Deregistered* - helpsvc

*Deregistered* - hotcore3

*Deregistered* - HTTP

*Deregistered* - HTTPFilter

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - Kbdclass

*Deregistered* - KSecDD

*Deregistered* - lanmanserver

*Deregistered* - LanmanWorkstation

*Deregistered* - mnmdd

*Deregistered* - Mouclass

*Deregistered* - MountMgr

*Deregistered* - MRxDAV

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - netmantow

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - PartMgr

*Deregistered* - ParVdm

*Deregistered* - PptpMiniport

*Deregistered* - ProtectedStorage

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - Rasl2tp

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - rdpdr

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - SASDIFSV

*Deregistered* - SASKUTIL

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - softyinforwow1

*Deregistered* - Spooler

*Deregistered* - sptd

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - swenum

*Deregistered* - Tcpip

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - Update

*Deregistered* - upnphost

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - Wanarp

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - wscsvc

*Deregistered* - WZCSVC

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

netmantow

softyinforwow1

eq2soft

.

.

------- Tilleggsskanning -------

.

uStart Page = hxxp://mit.forum.dk/login.aspx?returnUrl=http%3a%2f%2fmail.forum.dk%2f

uInternet Settings,ProxyServer = 76.176.120.172:3128

IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dll

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab

FF - ProfilePath -

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-23 01:35:08

Windows 5.1.2600 Service Pack 3 NTFS

 

skanner skjulte prosesser ...

 

skanner skjulte autostart-oppføringer ...

 

skanner skjulte filer ...

 

skanning vellykket

skjulte filer: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\defaultlib]

"ServiceDll"="c:\windows\system32\u12387559.dll"

.

--------------------- LÅSTE REGISTERNØKLER ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]

@Allowed: (Read) (Administrators)

"AB141C35E9F4BF344B9FC010BB17F68A"=""

.

--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

 

- - - - - - - > 'winlogon.exe'(640)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

.

------------------------ Andre Kjørende Prosesser ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Tidspunkt ferdig: 2009-02-23 1:36:27 - maskinen ble startet på nytt

ComboFix-quarantined-files.txt 2009-02-23 00:36:24

ComboFix2.txt 2009-02-23 00:20:01

ComboFix3.txt 2009-02-22 23:58:31

ComboFix4.txt 2009-02-22 20:28:40

ComboFix5.txt 2009-02-23 00:32:32

 

Pre-Run: 12 422 844 416 bytes free

Post-Run: 12,411,437,056 bytes free

 

302

 


Download Avenger (by Swandog469) and save it to the Desktop

  • Unzip avenger.exe from the Zip file and save it to the Desktop
  • Run avenger.exe by double-clicking the file
  • Copy the entire contents of the quoted box below and paste it into the Avenger window:

Files to delete:

c:\windows\system32\200921954.dll

c:\windows\system32\comsa32.sys

c:\windows\system32\tpszxyd.sys

c:\windows\system32\u1237180.dll

c:\windows\system32\u12323456.dll

c:\windows\system32\atlsystem78877.exe

c:\windows\system32\atlsystem169261.exe

c:\windows\system32\atlsystem159661.exe

c:\windows\system32\u02385924.dll

c:\windows\system32\u02334320.dll

c:\windows\system32\u222239053.dll

c:\windows\system32\u222289051.dll

c:\windows\system32\atlsystem53077.exe

c:\windows\system32\u202276532.dll

c:\windows\system32\u202210928.dll

c:\windows\system32\u182290613.dll

c:\windows\system32\u18223599.dll

c:\windows\system32\u172232855.dll

c:\windows\system32\u172282850.dll

c:\windows\system32\u152285923.dll

c:\windows\system32\u152231219.dll

c:\windows\system32\u22262541.dll

c:\windows\system32\u2229337.dll

c:\windows\system32\u22242141.dll

c:\windows\system32\u22292136.dll

c:\windows\system32\u12242119.dll

c:\windows\system32\u12290614.dll

c:\windows\system32\u02271818.dll

c:\windows\system32\u02218714.dll

c:\windows\system32\u02281215.dll

c:\windows\system32\u02210911.dll

c:\windows\system32\u02281232.dll

c:\windows\system32\u02257827.dll

c:\windows\system32\u212165630.dll

c:\windows\system32\u212114053.dll

c:\windows\system32\u212159351.dll

c:\windows\system32\u212110929.dll

c:\windows\system32\der9879928.dll

c:\windows\system32\der6619988.dll

  • Press the "Execute" button
  • Answer Yes to running the script and Yes to letting Avenger restart the PC. If the PC does not restart automatically, do it manually.
  • After the restart a log will pop up. Post this log in your next post.

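Both removal scripts in this thread (the CFScript File:: block and the Avenger Files to delete: block) were transcribed by hand from the created-files section of the ComboFix logs. As an added example that is not part of this thread and not code from ComboFix or Avenger, the Python below parses log lines in that format, flags the dropper's naming pattern (an assumption drawn from the logs here: u, der or atlsystem plus a run of digits, directly under system32), reports payload sizes that recur under fresh names, lists the svchost-hosted services and any ServiceDll value pointing at such a DLL, and emits the two script blocks; the sample lines are constructed from entries in this thread.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ComboFix log lines posted in this
# thread: created-files entries, R/S service entries and a ServiceDll value.
SAMPLE_LOG = r"""
2009-02-23 01:20 . 2009-02-23 01:20 86,016 --a------ c:\windows\system32\u1237180.dll
2009-02-23 01:19 . 2009-02-23 01:19 77,824 --a------ c:\windows\system32\u12323456.dll
2009-02-23 01:19 . 2009-02-23 01:19 58,880 --a------ c:\windows\system32\atlsystem78877.exe
2009-02-22 20:05 . 2009-02-22 20:05 122,880 --a------ c:\windows\system32\atlsystem53077.exe
2009-02-22 00:52 . 2009-02-22 00:52 86,016 --a------ c:\windows\system32\u02271818.dll
2009-02-21 21:19 . 2009-02-21 21:19 65,536 --a------ c:\windows\system32\der9879928.dll
2009-02-13 12:45 . 2009-02-13 23:42 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-10 02:11 . 2009-02-10 02:11 <DIR> d-------- c:\program files\Defraggler
S2 netmantow;Network Connections.;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 softyinforwow1;Sysmtens;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
"ServiceDll"="c:\windows\system32\u12387559.dll"
"""

# One created-file line: ctime " . " mtime size attributes path.
CREATED = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"([\d,]+) (\S+) (.+)$")
# One service line: start-type name;display name;image path [date size].
SERVICE = re.compile(r"^[RS]\d ([^;]+);([^;]*);(.+?) \[")
SERVICE_DLL = re.compile(r'^"ServiceDll"="(.+)"$')
# Naming pattern of the files dropped in this thread (an assumption drawn
# from the logs): optional short prefix, a run of digits, dll or exe.
DROPPED_NAME = re.compile(r"^(?:u|der|atlsystem)?\d{5,}\.(?:dll|exe)$", re.I)
# Directly under system32, no subdirectory.
SYSTEM32_FILE = re.compile(r"^c:\\windows\\system32\\([^\\]+)$", re.I)


def parse_created_files(log):
    """Return (created, size_in_bytes, path) for every created-file line."""
    rows = []
    for line in log.splitlines():
        m = CREATED.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2).replace(",", "")), m.group(4)))
    return rows


def find_dropped_files(log):
    """Paths directly under system32 whose names follow the dropper pattern."""
    hits = []
    for _, _, path in parse_created_files(log):
        m = SYSTEM32_FILE.match(path)
        if m and DROPPED_NAME.match(m.group(1)):
            hits.append(path)
    return hits


def repeated_sizes(log):
    """Sizes shared by several dropped files. The same payload re-dropped under
    fresh random names is why deleting one copy never sticks."""
    dropped = set(find_dropped_files(log))
    sizes = Counter(size for _, size, path in parse_created_files(log)
                    if path in dropped)
    return {size: n for size, n in sizes.items() if n > 1}


def svchost_services(log):
    """Names of services whose image is svchost.exe; each one has a ServiceDll
    value that should be checked by hand."""
    names = []
    for line in log.splitlines():
        m = SERVICE.match(line.strip())
        if m and m.group(3).lower().endswith("svchost.exe"):
            names.append(m.group(1))
    return names


def suspicious_service_dlls(log):
    """ServiceDll values that point at a dropper-named DLL under system32."""
    hits = []
    for line in log.splitlines():
        m = SERVICE_DLL.match(line.strip())
        if m:
            f = SYSTEM32_FILE.match(m.group(1))
            if f and DROPPED_NAME.match(f.group(1)):
                hits.append(m.group(1))
    return hits


def cfscript(paths):
    """CFScript text in the form used in this thread (a File:: block)."""
    return "File::\n" + "\n".join(paths) + "\n"


def avenger_script(paths):
    """Avenger script in the form used in this thread (a Files to delete: block)."""
    return "Files to delete:\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    dropped = find_dropped_files(SAMPLE_LOG)
    print("dropped files:", *dropped, sep="\n  ")
    print("payload sizes seen more than once:", repeated_sizes(SAMPLE_LOG))
    print("svchost-hosted services:", svchost_services(SAMPLE_LOG))
    print("ServiceDll values to remove:", suspicious_service_dlls(SAMPLE_LOG))
    print(avenger_script(dropped + suspicious_service_dlls(SAMPLE_LOG)))
```

Run against a full ComboFix log, the repeated-size check is the quickest way to see that the files deleted by an earlier run have been re-dropped under new names, as happened between the logs in this thread.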

Didn't seem to get anywhere with ComboFix :( Suspecting a rootkit.

 

Avenger log:

 

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

 

Platform: Windows XP

 

*******************

 

Script file opened successfully.

Script file read successfully.

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Rootkit scan active.

No rootkits found!

 

 

Error: file "c:\windows\system32\200921954.dll" not found!

Deletion of file "c:\windows\system32\200921954.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

 

File "c:\windows\system32\comsa32.sys" deleted successfully.

File "c:\windows\system32\tpszxyd.sys" deleted successfully.

File "c:\windows\system32\u1237180.dll" deleted successfully.

File "c:\windows\system32\u12323456.dll" deleted successfully.

File "c:\windows\system32\atlsystem78877.exe" deleted successfully.

File "c:\windows\system32\atlsystem169261.exe" deleted successfully.

File "c:\windows\system32\atlsystem159661.exe" deleted successfully.

File "c:\windows\system32\u02385924.dll" deleted successfully.

File "c:\windows\system32\u02334320.dll" deleted successfully.

File "c:\windows\system32\u222239053.dll" deleted successfully.

File "c:\windows\system32\u222289051.dll" deleted successfully.

File "c:\windows\system32\atlsystem53077.exe" deleted successfully.

File "c:\windows\system32\u202276532.dll" deleted successfully.

File "c:\windows\system32\u202210928.dll" deleted successfully.

File "c:\windows\system32\u182290613.dll" deleted successfully.

File "c:\windows\system32\u18223599.dll" deleted successfully.

File "c:\windows\system32\u172232855.dll" deleted successfully.

File "c:\windows\system32\u172282850.dll" deleted successfully.

File "c:\windows\system32\u152285923.dll" deleted successfully.

File "c:\windows\system32\u152231219.dll" deleted successfully.

File "c:\windows\system32\u22262541.dll" deleted successfully.

File "c:\windows\system32\u2229337.dll" deleted successfully.

File "c:\windows\system32\u22242141.dll" deleted successfully.

File "c:\windows\system32\u22292136.dll" deleted successfully.

File "c:\windows\system32\u12242119.dll" deleted successfully.

File "c:\windows\system32\u12290614.dll" deleted successfully.

File "c:\windows\system32\u02271818.dll" deleted successfully.

File "c:\windows\system32\u02218714.dll" deleted successfully.

File "c:\windows\system32\u02281215.dll" deleted successfully.

File "c:\windows\system32\u02210911.dll" deleted successfully.

File "c:\windows\system32\u02281232.dll" deleted successfully.

File "c:\windows\system32\u02257827.dll" deleted successfully.

File "c:\windows\system32\u212165630.dll" deleted successfully.

File "c:\windows\system32\u212114053.dll" deleted successfully.

File "c:\windows\system32\u212159351.dll" deleted successfully.

File "c:\windows\system32\u212110929.dll" deleted successfully.

File "c:\windows\system32\der9879928.dll" deleted successfully.

File "c:\windows\system32\der6619988.dll" deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

 

Lovely to see 'deleted successfully' in the log :)

Looks like the two DLL files Avenger didn't delete earlier are still here.

 

ComboFix log:

 

ComboFix 09-02-21.01 - user 2009-02-23 2:01:03.10 - NTFSx86

Kjører fra: c:\documents and settings\user\Desktop\ComboFix.exe

Command switches brukt :: c:\documents and settings\user\Desktop\CFScript.txt

 

ADVARSEL -DENNE MASKINEN HAR IKKE GJENOPPRETTINGSKONSOLLEN INSTALLERT !!

.

 

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\200923558.dll

 

.

((((((((((((((((((((((((((( Filer Opprettet Fra 2009-01-23 til 2009-02-23 )))))))))))))))))))))))))))))))))

.

 

2009-02-23 01:36 . 2009-02-23 01:36 86,016 --a------ c:\windows\system32\u1231255.dll

2009-02-23 01:35 . 2009-02-23 01:35 77,824 --a------ c:\windows\system32\u12387559.dll
2009-02-13 12:45 . 2009-02-13 23:42 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-10 02:11 . 2009-02-10 02:11 <DIR> d-------- c:\program files\Defraggler
2009-02-10 01:58 . 2009-02-10 01:58 <DIR> d-------- c:\documents and settings\user\Application Data\Media Player Classic
2009-02-09 00:22 . 2009-02-09 00:22 <DIR> d-------- c:\documents and settings\user\Application Data\dvdcss
2009-02-07 19:51 . 2009-02-07 19:51 <DIR> d-------- c:\program files\Spotify
2009-02-07 19:51 . 2009-02-22 21:03 <DIR> d-------- c:\documents and settings\user\Application Data\Spotify

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 00:49 --------- d-----w c:\documents and settings\user\Application Data\.purple
2009-02-22 15:09 --------- d-----w c:\documents and settings\user\Application Data\uTorrent
2009-02-21 23:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 23:42 --------- d-----w c:\program files\SpywareBlaster
2009-02-21 23:19 --------- d-----w c:\program files\PeerGuardian2
2009-02-13 22:57 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-13 11:45 --------- d-----w c:\program files\OpenOffice.org 3
2009-02-11 09:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 09:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 01:09 --------- d-----w c:\program files\CCleaner
2009-02-08 19:56 --------- d-----w c:\documents and settings\user\Application Data\IEPro
2009-01-18 23:23 --------- d-----w c:\program files\Kazaa Lite Resurrection
2009-01-18 23:13 --------- d-----w c:\documents and settings\user\Application Data\Kazaa Lite
2009-01-18 16:50 --------- d-----w c:\documents and settings\user\Application Data\Malwarebytes
2009-01-18 16:50 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-12 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2009-01-12 00:52 --------- d-----w c:\program files\WorldOfGooDemo
2009-01-01 13:12 --------- d-----w c:\program files\MediaMonkey
2008-12-31 16:28 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-31 16:28 --------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2008-12-31 16:27 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-30 22:51 --------- d-----w c:\program files\Opera

.

((((((((((((((((((((((((((((( SnapShot@2009-02-22_ 2.39.26.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-31 14:57:22 240,640 ----a-w c:\windows\system32\msrstart.exe
.
(((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Task Killer"="c:\program files\Task Killer\TaskKiller.exe" [2007-11-04 221696]
"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2008-10-20 45603]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2008-05-15 356864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"nltide_3"="advpack.dll" [2008-12-21 c:\windows\system32\advpack.dll]

c:\documents and settings\user\Start Menu\Programs\Startup\
hott notes 4.lnk - c:\program files\hott notes 4\hottnotes.exe [5/16/2007 2:04:42 AM 1249280]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"= usbnp4x4.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=

R2 netmantow;Network Connections.;c:\windows\System32\svchost.exe [2008-04-14 14336]
R2 softyinforwow1;Sysmtens;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-11-18 7808]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2007-03-07 38448]
S1 atitray;atitray;c:\program files\ATI Tray Tools\atitray.sys [2007-05-22 18088]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-22 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-22 55024]
S2 eq2soft;Service Eset;c:\windows\System32\svchost.exe [2008-04-14 14336]
S3 MAUSBAP;Service for M-Audio Audiophile (WDM);c:\windows\system32\DRIVERS\mausbap.sys [2008-03-14 143624]
S3 USBNP4X4;M-Audio Audiophile USB Midi;c:\windows\system32\drivers\usbnp4x4.sys [2008-03-14 29000]

 

--- Other Services/Drivers In Memory ---

*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AmdLLD
*Deregistered* - Ati HotKey Poller
*Deregistered* - ATI Smart
*Deregistered* - atitray
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - eq2soft
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - hotcore3
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - LanmanWorkstation
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - netmantow
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASKUTIL
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - softyinforwow1
*Deregistered* - Spooler
*Deregistered* - sptd
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - upnphost
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - WZCSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
netmantow
softyinforwow1
eq2soft
.
.

------- Supplementary Scan -------
.
uStart Page = hxxp://mit.forum.dk/login.aspx?returnUrl=http%3a%2f%2fmail.forum.dk%2f
uInternet Settings,ProxyServer = 76.176.120.172:3128
IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
.

 

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 02:03:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
@Allowed: (Read) (Administrators)
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- Dlls Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-23 2:04:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-23 01:04:39
ComboFix2.txt 2009-02-23 00:36:27
ComboFix3.txt 2009-02-23 00:20:01
ComboFix4.txt 2009-02-22 23:58:31
ComboFix5.txt 2009-02-23 01:00:51

Pre-Run: 12 419 817 472 bytes free
Post-Run: 12,410,093,568 bytes free

 

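The ComboFix log above carries the indicators a responder would check by hand before touching the box: three services (netmantow, softyinforwow1, eq2soft) that run inside svchost.exe and have been appended to the Svchost NetSvcs group, an Internet Explorer proxy pointed at 76.176.120.172:3128, and Security Center notifications and the Windows Firewall switched off. Since svchost.exe is the image for every legitimate netsvcs service too, the service name, not the image path, is what has to be compared against a known-good list. The script below is an added example, not part of the original post or of ComboFix; it parses those three sections of a ComboFix-style log and flags them. The stock Windows XP netsvcs baseline is an assumption, and SAMPLE_LOG is constructed from lines quoted in the posted log.

```python
"""ComboFix log triage: flag svchost-hosted services that are not part of the stock
Windows XP netsvcs group, a hard-coded IE proxy, and Security Center / firewall
settings that have been switched off.

Added example for this thread; it is not part of ComboFix or of the original post.
SAMPLE_LOG below is constructed from lines quoted in the posted log.
"""
import re
from dataclasses import dataclass

# Assumption: service names a stock Windows XP SP3 install lists under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs.
# Anything else hosted in svchost.exe deserves a closer look.
XP_NETSVCS_BASELINE = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "EventSystem",
    "HidServ", "Ias", "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation",
    "Messenger", "Netman", "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent",
    "Rasauto", "Rasman", "Remoteaccess", "Schedule", "Seclogon", "SENS",
    "Sharedaccess", "SRService", "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC",
    "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS", "wuauserv",
    "ShellHWDetection", "helpsvc", "uploadmgr", "ERSvc", "FastUserSwitchingCompatibility",
}

# ComboFix service line: "<R|S><start> <name>;<display name>;<image path> [<date> <size>]"
SVC_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)")
WEAKENING = [
    ("Security Center antivirus alerts suppressed", re.compile(r'^"AntiVirusDisableNotify"=dword:0*1$')),
    ("Security Center update alerts suppressed", re.compile(r'^"UpdatesDisableNotify"=dword:0*1$')),
    ("Windows Firewall off (standard profile)", re.compile(r'^"EnableFirewall"=\s*0\b')),
]


@dataclass
class Service:
    state: str    # R = running, S = stopped
    start: int    # start type: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    image: str


def parse_services(lines):
    """Return every service/driver entry ComboFix listed."""
    found = []
    for raw in lines:
        m = SVC_RE.match(raw.strip())
        if m:
            found.append(Service(m.group(1), int(m.group(2)), m.group(3), m.group(4), m.group(5)))
    return found


def parse_netsvcs(lines):
    """Service names printed under 'Svchost - NetSvcs', up to the next '.' separator."""
    names, inside = [], False
    for raw in lines:
        s = raw.strip()
        if s.endswith(r"\Svchost - NetSvcs"):
            inside = True
        elif inside and s == ".":
            break
        elif inside and s:
            names.append(s)
    return names


def suspicious_svchost_services(lines):
    """svchost-hosted services whose name is not in the stock netsvcs baseline."""
    baseline = {n.lower() for n in XP_NETSVCS_BASELINE}
    netsvcs = {n.lower() for n in parse_netsvcs(lines)}
    hits = []
    for svc in parse_services(lines):
        if not svc.image.lower().endswith(r"\svchost.exe"):
            continue  # real drivers and standalone EXEs are out of scope for this check
        if svc.name.lower() in baseline:
            continue
        reason = "svchost-hosted service outside the stock netsvcs baseline"
        if svc.name.lower() in netsvcs:
            reason += "; injected into the netsvcs group"
        hits.append((svc.name, svc.display, reason))
    return hits


def proxy_server(lines):
    """The IE ProxyServer value ComboFix reported, or None if there was none."""
    for raw in lines:
        m = PROXY_RE.match(raw.strip())
        if m:
            return m.group(1)
    return None


def disabled_protections(lines):
    """Labels for each Security Center / firewall setting found switched off."""
    return [label for raw in lines for label, rx in WEAKENING if rx.match(raw.strip())]


def triage(text):
    lines = text.splitlines()
    return {"services": suspicious_svchost_services(lines),
            "proxy": proxy_server(lines),
            "weakened": disabled_protections(lines)}


# Constructed input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
R2 netmantow;Network Connections.;c:\windows\System32\svchost.exe [2008-04-14 14336]
R2 softyinforwow1;Sysmtens;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S2 eq2soft;Service Eset;c:\windows\System32\svchost.exe [2008-04-14 14336]
S3 MAUSBAP;Service for M-Audio Audiophile (WDM);c:\windows\system32\DRIVERS\mausbap.sys [2008-03-14 143624]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
netmantow
softyinforwow1
eq2soft
.
uStart Page = hxxp://mit.forum.dk/login.aspx
uInternet Settings,ProxyServer = 76.176.120.172:3128
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample input it flags exactly netmantow, softyinforwow1 and eq2soft (NPF and MAUSBAP are real drivers and are skipped), reports the proxy, and lists the three weakened settings. The baseline is a triage aid, not proof of cleanliness: a malicious service given a legitimate netsvcs name would pass this check, so the ServiceDll under each flagged service's Parameters key still has to be inspected on the machine itself.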

Looks like it's finally gone :w00t:
MBAM finds nothing and Avenger says 'deleted successfully':

 

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\u1231255.dll" deleted successfully.
File "c:\windows\system32\u12387559.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

 

Thanks a lot for the help. Now I can go to bed ;)
