Here are the logs I got:

 

ComboFix:

 

 

ComboFix 09-03-06.02 - Nuno 2009-03-07 16:54:10.1 - NTFSx86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1044.18.3066.833 [GMT 1:00]

Kjører fra: c:\users\Nuno\Documents\ComboFix.exe

AV: F-Secure Client Security 7.10 *On-access scanning enabled* (Updated)

* Opprettet nytt gjenopprettingspunkt

.

 

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\program files\Acer\Acer Bio Protection\PwdFilter.dll

 

.

((((((((((((((((((((((((((( Filer Opprettet Fra 2009-02-07 til 2009-03-07 )))))))))))))))))))))))))))))))))

.

 

2009-03-07 15:10 . 2009-03-07 15:10 <DIR> d-------- c:\users\All Users\Malwarebytes

2009-03-07 15:10 . 2009-03-07 15:10 <DIR> d-------- c:\programdata\Malwarebytes

2009-03-07 15:10 . 2009-03-07 15:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-07 15:10 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys

2009-03-07 15:10 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys

2009-03-07 14:15 . 2007-12-11 18:52 356,352 --a------ c:\windows\System32\NVUNINST.EXE

2009-03-07 13:26 . 2009-03-07 13:26 23,600 --a------ c:\windows\System32\drivers\TVICHW32.SYS

2009-03-07 13:10 . 2009-03-07 13:10 <DIR> d-------- c:\program files\CCleaner

2009-03-05 18:38 . 2009-03-05 18:38 <DIR> d-------- c:\program files\Nvidia Omega Drivers

2009-03-05 18:38 . 2009-03-05 18:38 472,576 --a------ c:\windows\Nvidia Omega Drivers v1.169.25 Uninstall.exe

2009-03-05 18:11 . 2009-03-05 18:11 42 --a------ c:\windows\System32\RegistryEasy.lie

2009-03-04 17:29 . 2009-03-04 17:29 <DIR> d-------- c:\program files\AML Products

2009-03-04 17:29 . 2002-01-05 06:48 974,848 --a------ c:\windows\System32\mfc70.dll

2009-03-04 17:29 . 2000-05-22 16:58 608,448 --a------ c:\windows\System32\comctl32.ocx

2009-03-04 17:29 . 2002-01-05 05:40 487,424 --a------ c:\windows\System32\msvcp70.dll

2009-03-04 15:29 . 2009-03-04 15:40 <DIR> d-------- c:\program files\RegistryFix7

2009-03-04 15:22 . 2009-03-07 14:31 <DIR> d-------- c:\program files\Registry Easy

2009-03-04 15:03 . 2009-03-04 15:03 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live

2009-03-04 14:34 . 2009-03-07 12:43 <DIR> d-------- c:\program files\Windows Live Safety Center

2009-02-16 01:18 . 2008-12-05 05:32 428,544 --a------ c:\windows\System32\EncDec.dll

2009-02-16 01:18 . 2008-12-05 05:32 293,376 --a------ c:\windows\System32\psisdecd.dll

2009-02-16 01:18 . 2008-12-05 05:31 217,088 --a------ c:\windows\System32\psisrndr.ax

2009-02-16 01:18 . 2008-12-05 05:31 177,664 --a------ c:\windows\System32\mpg2splt.ax

2009-02-16 01:18 . 2008-12-05 05:31 80,896 --a------ c:\windows\System32\MSNP.ax

2009-02-13 14:21 . 2009-01-15 04:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb

2009-02-13 14:21 . 2009-01-15 07:11 827,392 --a------ c:\windows\System32\wininet.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-05 17:31 --------- d---a-w c:\programdata\TEMP

2009-03-03 21:36 152,540 ----a-w c:\users\All Users\nvModes.dat

2009-03-03 21:36 152,540 ----a-w c:\programdata\nvModes.dat

2009-02-14 02:00 --------- d-----w c:\program files\Windows Mail

2009-01-29 18:07 --------- d-----w c:\program files\Vuze

2009-01-18 20:37 --------- d-----w c:\programdata\FLEXnet

2009-01-13 15:25 --------- d-----w c:\program files\Audacity

2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini

.

 

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]

@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"

[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]

2008-03-04 22:38 121392 --a------ c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 c:\windows\System32\oobefldr.dll]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-04-23 397312]

"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-04 526896]

"eAudio"="c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe" [2008-03-07 544768]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]

"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-06 34040]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-21 13535776]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-21 92704]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 178712]

"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]

"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-07-02 821768]

"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]

"ZPdtWzdVitaKey MC3000"="c:\program files\Acer\Acer Bio Protection\PdtWzd.exe" [2008-09-06 3607040]

"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-05-12 147456]

"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-05-12 167936]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2007-08-27 182952]

"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2007-08-27 895600]

"RtHDVCpl"="RtHDVCpl.exe" [2008-04-28 c:\windows\RtHDVCpl.exe]

 

c:\users\Nuno\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

My_AutoWarkey_Script.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2007-07-19 238080]

 

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-02-12 723496]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]

2008-09-06 14:06 2972160 c:\program files\Acer\Acer Bio Protection\WinNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{B6051962-7D73-45A1-9CFD-BE8B0DC18E1B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{632D7F2F-3368-433C-BC82-BEEBC85B2CE6}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{AE486E5B-CAA7-45DA-A614-2439214DF94A}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector

"{42BC922D-4629-472D-ACB3-DB7948474B9D}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe

"{72573D8C-0B0C-4322-8C33-5CC2979816F0}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe

"{11A501BD-9B9E-4131-8603-6C40CC64202B}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe

"{4CE2D410-3349-4AC9-A606-AF886F6709D8}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe

"{93FEE32D-478C-47DA-8174-426759FA1488}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe

"{63B888DE-2E09-46EE-9CA6-FDCBD120FC66}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe

"{3589AA2A-6B64-4477-A118-C4AA3964CA3D}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe

"{881D8811-F28E-4234-8066-61DC595985BF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"TCP Query User{54C6CC02-A563-42AC-85BE-4A31008507F0}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus

"UDP Query User{509715F1-78E4-41FE-B2D3-2D11DEF71FF5}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus

"{2660F3B7-8678-410E-96A8-D78756B9B9FF}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

"{EED064E0-05A4-4F58-8A8F-6F822D951D82}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

"{8A51FE7B-B0E3-45C9-AAB2-CA85B78D3127}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes

"{225D9BBA-B78B-4390-8D58-A8D99806E5C1}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

"{3BFB7627-0863-4C3C-9E5F-EF44E6527240}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire

"{D1C75246-973F-4DF4-A873-4B873EDAADAA}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire

"TCP Query User{7FC8F1B8-20DF-4319-8FC0-5BB56783CD54}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III

"UDP Query User{458993C2-101C-4E5C-8981-0E18CE73D008}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III

"TCP Query User{0559BE0E-C7FF-4434-AD50-AA1BBA20FEE3}c:\\windows\\system32\\dplaysvr.exe"= UDP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper

"UDP Query User{FFD4BC5B-2E1E-4B48-A888-999EBF1E3EC7}c:\\windows\\system32\\dplaysvr.exe"= TCP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper

"{AB084728-0C88-496D-A8A7-6E582D592D57}"= c:\program files\Skype\Phone\Skype.exe:Skype

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"EnableFirewall"= 0 (0x0)

 

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\System32\drivers\AlfaFF.sys [2008-09-06 43184]

R1 FSES;F-Secure Email Scanning Driver;c:\windows\System32\drivers\fses.sys [2008-09-25 34736]

R1 FSFW;F-Secure Firewall Driver;c:\windows\System32\drivers\fsdfw.sys [2008-09-25 69136]

R1 fsvista;F-Secure Vista Support Driver;c:\program files\F-Secure\Anti-Virus\minifilter\fsvista.sys [2008-09-25 12912]

R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]

R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-04-20 24576]

R2 IGBASVC;iGroupTec Service;c:\program files\Acer\Acer Bio Protection\BASVC.exe [2008-09-06 3471360]

R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-06 50424]

R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2008-03-28 210432]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2008-09-25 62064]

R3 JMCR;JMCR;c:\windows\System32\drivers\jmcr.sys [2008-04-21 81296]

R3 NETw5v32;Intel® Wireless WiFi Link-kortdriver for Windows Vista 32-bit;c:\windows\System32\drivers\NETw5v32.sys [2008-04-21 3658752]

R3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [2007-03-28 43008]

S3 A310;AVerMedia A310 DVB-T;c:\windows\System32\drivers\AVerA310USB.sys [2008-04-20 25856]

S3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\System32\drivers\AVerA310Cap.sys [2008-04-20 42880]

S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [2008-09-25 39792]

S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [2008-09-25 25200]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{397f829f-c860-11dd-928f-001e68a1cafb}]

\shell\AutoRun\command - wd_windows_tools\WDSetup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bd1ecb9-7ddc-11dd-972e-001e68a1cafb}]

\shell\AutoRun\command - WD_Windows_Tools\Setup.exe

.

Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

 

2009-03-04 c:\windows\Tasks\Schedule Task Weekly.job

- c:\program files\Registry Easy\RE.exe [2009-03-03 17:28]

 

2008-09-06 c:\windows\Tasks\Se etter oppdateringer for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

.

- - - - TOMME PEKERE FJERNET - - - -

 

HKLM-Run-eRecoveryService - (no file)

 

 

.

------- Tilleggsskanning -------

.

mStart Page = hxxp://no.intl.acer.yahoo.com

uInternet Settings,ProxyOverride = *.local

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send bilde til &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send side til &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-07 17:02:42

Windows 6.0.6001 Service Pack 1 NTFS

 

skanner skjulte prosesser ...

 

skanner skjulte autostart-oppføringer ...

 

skanner skjulte filer ...

 

skanning vellykket

skjulte filer: 0

 

**************************************************************************

.

--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

 

- - - - - - - > 'Explorer.exe'(3476)

c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll

c:\windows\system32\btmmhook.dll

c:\windows\System32\SysHook.dll

c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

c:\windows\system32\btncopy.dll

c:\program files\AskSBar\bar\1.bin\ASKSBAR.DLL

.

------------------------ Andre Kjørende Prosesser ------------------------

.

c:\windows\System32\nvvsvc.exe

c:\windows\System32\audiodg.exe

c:\windows\System32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe

c:\program files\F-Secure\Anti-Virus\fsgk32st.exe

c:\program files\F-Secure\common\FSMA32.EXE

c:\program files\F-Secure\Anti-Virus\fsgk32.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\acer\Mobility Center\MobilityService.exe

c:\program files\Acer\Acer Bio Protection\CompPtcVUI.exe

c:\windows\System32\rundll32.exe

c:\program files\F-Secure\Anti-Virus\fssm32.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\System32\conime.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\ehome\ehmsas.exe

c:\users\Nuno\AppData\Local\Temp\RtkBtMnt.exe

c:\program files\Acer\Acer Bio Protection\PwdBank.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\F-Secure\common\FSLAUNCH.EXE

c:\windows\System32\wbem\WMIADAP.exe

c:\windows\System32\dllhost.exe

.

**************************************************************************

.

Tidspunkt ferdig: 2009-03-07 17:05:32 - maskinen ble startet på nytt

ComboFix-quarantined-files.txt 2009-03-07 16:05:23

 

Pre-Run: 17 084 051 456 byte ledig

Post-Run: 16,741,691,392 byte ledig

 

223 --- E O F --- 2009-03-05 08:20:54

 

 

 

MBAM:

 

Malwarebytes' Anti-Malware 1.34

Databaseversjon: 1825

Windows 6.0.6001 Service Pack 1

 

07.03.2009 15:24:13

mbam-log-2009-03-07 (15-24-13).txt

 

Skanntype: Rask Skann

Objekter skannet: 62746

Tid tilbakelagt: 5 minute(s), 19 second(s)

 

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 0

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 1

 

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

 

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

 

Registernøkler infisert:

(Ingen mistenkelige filer funnet)

 

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

 

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

 

Mapper infisert:

(Ingen mistenkelige filer funnet)

 

Filer infisert:

C:\Users\Nuno\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.0xe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

 

 

Any tips?
