Treg PC - Diverse logger

HeiHemmelig · 19. juni 2009

Etter å ha merket at PC'en har gått litt tregere i det siste, har jeg bestemt meg for å poste noen logger for å se om det er noe galt med PC'en. Den har alltid gått litt tregt, så jeg vil se om det noe virus som gjør dette.

Hijackthis:

Klikk for å se/fjerne innholdet nedenfor

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:29:08, on 19.06.2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\HPConfig.exe

C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\SPAMfighter\sfus.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\carpserv.exe

C:\Program Files\HPQ\One-Touch\OneTouch.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\D-Link\Air Utility\AirCFG.exe

C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\SPAMfighter\SFAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Opera\opera.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\Test.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.frisurf.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.frisurf.no/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.online.no:8080;ftp=proxy.online.no:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK

O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe

O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Picture Package Menu.lnk = ?

O4 - Global Startup: Picture Package VCD Maker.lnk = ?

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.frisurf.no/

O16 - DPF: aicc - http://elearn.datapower.no/online/cab/aicc.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe

O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe

--

End of file - 9081 bytes

Malware Antibytes' eller noe slikt:

Klikk for å se/fjerne innholdet nedenfor

Malwarebytes' Anti-Malware 1.37

Databaseversjon: 2295

Windows 5.1.2600 Service Pack 2

17.06.2009 14:57:25

mbam-log-2009-06-17 (14-57-25).txt

Skanntype: Rask Skann

Objekter skannet: 91213

Tid tilbakelagt: 13 minute(s), 34 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 0

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 6

Filer infisert: 10

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

(Ingen mistenkelige filer funnet)

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

Mapper infisert:

C:\Program Files\MyWay (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar\1.bin (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar\Cache (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar\History (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar\Settings (Adware.MyWay) -> Quarantined and deleted successfully.

Filer infisert:

c:\program files\MyWay\myBar\1.bin\MY2NS.EXE (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar\Cache0027B49.bin (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar\Cache0027D8E.bin (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar\Cache0027F97.bin (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar\Cache00BD302 (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar\Cache04ABC5A.bmp (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar\Cache04ABDF5.bmp (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar\Cache04ABF2B.bmp (Adware.MyWay) -> Quarantined and deleted successfully.

c:\program files\MyWay\myBar\Settings\prevcfg.htm (Adware.MyWay) -> Quarantined and deleted successfully.

c:\WINDOWS\smdat32a.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Til slutt så har jeg en logg som Avira Antivirus laget under den siste scannen min:

Klikk for å se/fjerne innholdet nedenfor

Avira AntiVir Personal

Report file date: 31. mai 2009 20:40

Scanning for 1439934 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: CPQ13668132152

Version information:

BUILD.DAT : 8.2.0.353 17048 Bytes 5/15/2009 12:02:00

AVSCAN.EXE : 8.1.4.10 315649 Bytes 12/1/2008 21:05:26

AVSCAN.DLL : 8.1.4.0 40705 Bytes 7/20/2008 22:08:28

LUKE.DLL : 8.1.4.5 164097 Bytes 7/20/2008 22:08:31

LUKERES.DLL : 8.1.4.0 12033 Bytes 7/20/2008 22:08:31

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:24:56

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 22:43:52

ANTIVIR2.VDF : 7.1.4.0 2336768 Bytes 5/20/2009 20:01:29

ANTIVIR3.VDF : 7.1.4.37 382976 Bytes 5/29/2009 13:15:10

Engineversion : 8.2.0.180

AEVDF.DLL : 8.1.1.1 106868 Bytes 5/1/2009 20:54:46

AESCRIPT.DLL : 8.1.2.0 389497 Bytes 5/15/2009 17:01:39

AESCN.DLL : 8.1.2.3 127347 Bytes 5/15/2009 17:01:38

AERDL.DLL : 8.1.1.3 438645 Bytes 11/12/2008 19:28:57

AEPACK.DLL : 8.1.3.18 401783 Bytes 5/29/2009 13:15:14

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/26/2009 21:16:57

AEHEUR.DLL : 8.1.0.129 1761655 Bytes 5/15/2009 17:01:35

AEHELP.DLL : 8.1.2.2 119158 Bytes 2/26/2009 21:16:52

AEGEN.DLL : 8.1.1.44 348532 Bytes 5/15/2009 17:01:31

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/17/2008 10:13:00

AECORE.DLL : 8.1.6.12 180599 Bytes 5/29/2009 13:15:12

AEBB.DLL : 8.1.0.3 53618 Bytes 10/17/2008 10:12:56

AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/20/2008 22:08:28

AVPREF.DLL : 8.0.2.0 38657 Bytes 7/20/2008 22:08:28

AVREP.DLL : 8.0.0.3 155688 Bytes 4/28/2009 17:37:51

AVREG.DLL : 8.0.0.1 33537 Bytes 7/20/2008 22:08:28

AVARKT.DLL : 1.0.0.23 307457 Bytes 4/20/2008 16:04:36

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 7/20/2008 22:08:27

SQLITE3.DLL : 3.3.17.1 339968 Bytes 4/20/2008 16:04:43

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 7/20/2008 22:08:32

NETNT.DLL : 8.0.0.1 7937 Bytes 4/20/2008 16:04:42

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 7/20/2008 22:08:17

RCTEXT.DLL : 8.0.52.0 86273 Bytes 7/20/2008 22:08:17

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:,

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: 31. mai 2009 20:40

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'update.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'msiexec.exe' - '1' Module(s) have been scanned

Scan process 'Residence.exe' - '1' Module(s) have been scanned

Scan process 'SonyTray.exe' - '1' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'SFAgent.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'WZCSLDR.exe' - '1' Module(s) have been scanned

Scan process 'AirCFG.exe' - '1' Module(s) have been scanned

Scan process 'hpztsb04.exe' - '1' Module(s) have been scanned

Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned

Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned

Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned

Scan process 'ONETOUCH.EXE' - '1' Module(s) have been scanned

Scan process 'carpserv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sfus.exe' - '1' Module(s) have been scanned

Scan process 'mdm.exe' - '1' Module(s) have been scanned

Scan process 'HPWirelessMgr.exe' - '1' Module(s) have been scanned

Scan process 'HPConfig.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

46 processes with 46 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '71' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\Owner\Local Settings\Temp\JVM2.tmp

[0] Archive type: CAB (Microsoft)

--> a.class

[WARNING] No further files can be extracted from this archive. The archive will be closed

C:\Documents and Settings\Owner\Shared\bj ø rn rosenstr ø m het - best track ever.mp3

[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit

[NOTE] The file was deleted!

C:\Documents and Settings\Owner\Shared\cascada bad boy remix.mp3

[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit

[NOTE] The file was deleted!

C:\Documents and Settings\Owner\Shared\paradise da buzz.mp3

[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit

[NOTE] The file was deleted!

C:\SwSetup\Corel\Setup\bfix.exe

[DETECTION] Is the TR/ATRAPS.Gen Trojan

[NOTE] The file was deleted!

C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP1099\A0097478.exe

[DETECTION] Is the TR/ATRAPS.Gen Trojan

[NOTE] The file was deleted!

End of the scan: 31. mai 2009 23:19

Used time: 2:39:18 Hour(s)

The scan has been done completely.

6001 Scanning directories

299345 Files were scanned

5 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

5 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

299338 Files not concerned

7711 Archives were scanned

3 Warnings

5 Notes

Håper noen kan hjelpe meg med å forstå disse loggene.

Endret 1. juli 2009 av HeiHemmelig

Bruker-158599 · 22. juni 2009

malwarebytes fant masse, kan du oppdatere og ta en scann til?

Bruker-158599 · 22. juni 2009

Finner ikke noe spesielt i HJT loggen din. Hvorfor har du ikke brukt combofix?

HeiHemmelig · 30. juni 2009

Hei, beklager for sent svar, har vært på ferie. Grunnen til at jeg ikke har brukt Combofix, var det at på veiledningen så stod det at Combofix ikke kjører på et 64-bits OS. Da jeg ikke vet hva et 64-bits OS er for noe, så fant jeg ut at det kanskje var best å bruke Hijackthis, siden det virket som at det kunne funke på alle slags -bits OS ting. Jeg har også vært innpå andre slags forum, og sett at de bruker som regel alltid Hijackthis der, og jeg hadde heller aldri hørt om Combofix før.

Her er den nye Malware Antibytes' loggen:

Klikk for å se/fjerne innholdet nedenfor

Malwarebytes' Anti-Malware 1.37

Databaseversjon: 2295

Windows 5.1.2600 Service Pack 2

30.06.2009 10:55:26

mbam-log-2009-06-30 (10-55-26).txt

Skanntype: Rask Skann

Objekter skannet: 92090

Tid tilbakelagt: 14 minute(s), 32 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 0

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 0

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

(Ingen mistenkelige filer funnet)

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

Mapper infisert:

(Ingen mistenkelige filer funnet)

Filer infisert:

(Ingen mistenkelige filer funnet)

Jeg merker det at det går fortsatt lang tid for når jeg åpner Internet Explorer, men det er vel kanskje ikke på grunn av virus? På den andre PC'en vi har så går alt mye fortere, men det er vel kanskje på grunn av hardwaren? Jeg kan ingenting om dette, så håper noen her kan hjelpe meg.

Endret 30. juni 2009 av HeiHemmelig

Bruker-158599 · 30. juni 2009

Last ned Ccleaner gå på verktøy velg oppstart og post et bildet av hva du ser der. Dette hjelper vis pcen starter litt seint. Lurt å gjøre det da kan vi fjerne unødvendig oppstartsprogrammer.

Etter du har gjort det så går du på register og trykker "søk etter feil" og sikkerhetskopierer og sletter det den finner.

Det kan hende du må defragmentere også. Vi kommer tilbake til dette

Endret 31. juli 2010 av riskake90

raWrz · 30. juni 2009

Hei

du har noe som heter 32-bits windows (forskjellen mellom 32 bits og 64 bits windows: http://www.hardware.no/artikler/64-bit_avmystifisert/12781 )

1. men før vi fortsetter her:

Gå til http://windowsupdate.microsoft.com og last ned alle de "kritiske oppdateringene" for Windows. Dette vil tette igjen mange av sikkerhetshullene som angripere kan bruke til å få tilgang til maskinen din. Versjonen du har nå, ser ut til å være utdatert. (gjør det et parr ganger da du mangler en del oppdateringen ! )

2. når det er gjort så starter du MBAM - trykk på fanen oppdater - og trykk på knappen " Se etter oppdateringer ". hvis MBAM spør om og starte på nytt så trykker du på ja

3. Last ned Combofix (av sUBs), og legg det på Skrivebordet.

Kjør combofix.exe, og følg veiledningen.

Du vil under oppstart av combofix bli anbefalt å installere gjenopprettingskonsollen (om du ikke har den installert fra før). Det sier du ja til.
Du må ikke klikke på vinduet mens programmet kjører. Dette kan føre til at programmet fryser.

Hva gjør ComboFix:

- ComboFix er et multifix-program som er laget for å fjerne en hel del kjente infeksjoner, samt lager en logg/rapport som viser filer/prosesser/registeroppføringer som ligger på PC-en. Loggen kan avgjøre om det fortsatt ligger noe på PC-en som skal fjernes. Det kreves da at noen med erfaring kan lese loggen og fortelle hvordan man skal gå videre.

PS: Combofix vil blant ramse opp alle filer som har blitt opprettet den siste måneden, og kan i enkelte tilfeller også fortelle fullt navn og annen informasjon som kan betraktes som sensitiv. Av den grunn bør du gå gjennom loggen og se om du finner informasjon du ikke vil dele med alle, og sensurere det.

Post loggfilen fra Combofix (c:\combofix.txt)

Endret 30. juni 2009 av Submit

Bruker-158599 · 30. juni 2009

tenkte ikke på windows update. Følg det sumbit sier først også gjør du det jeg skrev.

HeiHemmelig · 1. juli 2009

Det har kommet opp sånn advarselmelding om at disse "real-time scanners" er aktive, og så står de videre at jeg må deaktivere de! Hvordan gjør jeg det, og må jeg deaktivere de? Det antivirusprogrammet som er listet opp er Avira Antivirus Personal Edition classic virus protection.

Endret 1. juli 2009 av HeiHemmelig

raWrz · 1. juli 2009

Hei

avira skrur du av ved og høyere klikke på avira ikonet nederst til høyere og kryss av AntiVir Guard enable (husk og skru den på etterpå )

HeiHemmelig · 1. juli 2009

Hei! Har nå tatt en scann ting med ComboFix, og fikk denne loggen;

Klikk for å se/fjerne innholdet nedenfor

ComboFix 09-06-29.07 - Owner 01.07.2009 13:31.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.236 [GMT 2:00]

Running from: c:\documents and settings\Owner\Desktop\Hemmelig.exe

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00DE-0D24-347CA8A3377C}

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00F0-0D24-347CA8A3377C}

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-0101-0D24-347CA8A3377C}

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-0112-0D24-347CA8A3377C}

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\patch.exe

c:\windows\system32\P2P Networking

c:\windows\system32\P2P Networking\MARSHAL.DLL

.

((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))

.

2009-07-01 09:02 . 2009-07-01 09:02 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache

2009-07-01 09:01 . 2009-07-01 09:01 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE

2009-07-01 08:52 . 2009-07-01 08:52 -------- d-sh--w- c:\documents and settings\Owner\IETldCache

2009-07-01 08:48 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-07-01 08:47 . 2009-07-01 08:47 -------- d-----w- c:\windows\ie8updates

2009-07-01 08:45 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-07-01 08:45 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll

2009-07-01 08:45 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-07-01 08:45 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll

2009-07-01 08:41 . 2009-07-01 08:42 -------- dc-h--w- c:\windows\ie8

2009-06-30 08:59 . 2009-06-30 08:59 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-06-17 12:29 . 2009-06-17 12:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-06-17 12:29 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-17 12:29 . 2009-06-17 12:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-17 12:29 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-17 12:29 . 2009-06-30 08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-01 08:54 . 2009-05-15 17:08 -------- d-----w- c:\program files\SPAMfighter

2009-06-30 09:04 . 2006-02-13 11:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition classic

2009-06-17 13:00 . 2008-07-27 16:01 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-06-15 20:10 . 2006-11-20 11:32 -------- d-----w- c:\program files\LimeWire

2009-06-01 16:44 . 2008-09-07 19:13 34 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat

2009-05-29 13:15 . 2006-02-13 11:55 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-05-29 13:15 . 2006-02-13 11:55 45400 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-05-29 13:15 . 2007-04-28 19:22 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-05-15 17:09 . 2009-05-15 17:09 -------- d-----w- c:\program files\Common Files\Application

2009-05-13 05:15 . 2004-08-23 18:32 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-07 15:44 . 2002-08-29 02:00 344064 ----a-w- c:\windows\system32\localspl.dll

2009-04-17 09:58 . 2002-08-29 02:00 1846656 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 15:11 . 2004-04-14 19:44 584192 ----a-w- c:\windows\system32\rpcrt4.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-02-26 180316]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-15 290816]

"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 36864]

"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]

"TV Now"="c:\program files\HPQ\Notebook Utilities\TvNow.exe" [2003-01-30 282624]

"Display Settings"="c:\program files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 45056]

"QT4HPOT"="c:\program files\HPQ\One-Touch\OneTouch.EXE" [2003-01-30 102400]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-14 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-14 634880]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2001-07-19 52736]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-15 196608]

"D-Link Air Utility"="c:\program files\D-Link\Air Utility\AirCFG.exe" [2003-11-04 2502656]

"ANIWZCSService"="c:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 32768]

"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-20 266497]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"SPAMfighter Agent"="c:\program files\SPAMfighter\SFAgent.exe" [2009-03-12 326792]

"CARPService"="carpserv.exe" - c:\windows\system32\carpserv.exe [2003-05-21 4608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-10-1 151552]

Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-10-1 106496]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [13.02.2006 13:55 22360]

R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [13.02.2006 13:55 45400]

R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe [12.03.2009 10:44 184968]

R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [12.04.2003 10:05 291328]

R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [12.04.2003 10:05 244608]

R3 NETDLWL;D-Link Air Wireless Adapter(DL) NT Driver;c:\windows\system32\drivers\NETDLWL.sys [14.11.2003 11:38 183680]

S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [12.04.2003 10:02 26112]

S3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [12.04.2003 10:02 16512]

S3 tridxp2;tridxp2;c:\windows\system32\drivers\tridxp2m.sys [22.04.2004 10:21 755456]

S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [25.12.2008 15:37 32000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-07-01 c:\windows\Tasks\Se etter oppdateringer for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 09:20]

2009-07-01 c:\windows\Tasks\User_Feed_Synchronization-{E6A96E89-88E4-4A3F-9F0C-71264C2D8B6D}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uDefault_Search_URL = hxxp://srch-us4nb.hpwis.com/

mSearch Bar = hxxp://srch-us4nb.hpwis.com/

uInternet Connection Wizard,ShellNext = hxxp://www.frisurf.no/

uInternet Settings,ProxyServer = http=proxy.online.no:8080;ftp=proxy.online.no:8080

uInternet Settings,ProxyOverride = 127.0.0.1;<local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: aicc - hxxp://elearn.datapower.no/online/cab/aicc.cab

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-01 13:37

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ??3B?????????????T?B? ??????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-07-01 13:42

ComboFix-quarantined-files.txt 2009-07-01 11:41

Pre-Run: 13 730 258 944 bytes free

Post-Run: 14 096 326 656 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

156 --- E O F --- 2009-07-01 08:48

Merket det at når ComboFix kjørte så forsvant plutselig skrivebordet, og det eneste som stod igjen var bakgrunnsbildet! Er det normalt? Den begynte også å slette ting under scannen, uten mitt samtykke?

Bruker-158599 · 1. juli 2009

Hei! Har nå tatt en scann ting med ComboFix, og fikk denne loggen;

Klikk for å se/fjerne innholdet nedenfor

ComboFix 09-06-29.07 - Owner 01.07.2009 13:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.236 [GMT 2:00]

Running from: c:\documents and settings\Owner\Desktop\Hemmelig.exe

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00DE-0D24-347CA8A3377C}

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00F0-0D24-347CA8A3377C}

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-0101-0D24-347CA8A3377C}

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-0112-0D24-347CA8A3377C}

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\patch.exe

c:\windows\system32\P2P Networking

c:\windows\system32\P2P Networking\MARSHAL.DLL

.

((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))

.

2009-07-01 09:02 . 2009-07-01 09:02 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache

2009-07-01 09:01 . 2009-07-01 09:01 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE

2009-07-01 08:52 . 2009-07-01 08:52 -------- d-sh--w- c:\documents and settings\Owner\IETldCache

2009-07-01 08:48 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-07-01 08:47 . 2009-07-01 08:47 -------- d-----w- c:\windows\ie8updates

2009-07-01 08:45 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-07-01 08:45 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll

2009-07-01 08:45 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-07-01 08:45 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll

2009-07-01 08:41 . 2009-07-01 08:42 -------- dc-h--w- c:\windows\ie8

2009-06-30 08:59 . 2009-06-30 08:59 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-06-17 12:29 . 2009-06-17 12:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-06-17 12:29 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-17 12:29 . 2009-06-17 12:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-17 12:29 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-17 12:29 . 2009-06-30 08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-01 08:54 . 2009-05-15 17:08 -------- d-----w- c:\program files\SPAMfighter

2009-06-30 09:04 . 2006-02-13 11:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition classic

2009-06-17 13:00 . 2008-07-27 16:01 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-06-15 20:10 . 2006-11-20 11:32 -------- d-----w- c:\program files\LimeWire

2009-06-01 16:44 . 2008-09-07 19:13 34 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat

2009-05-29 13:15 . 2006-02-13 11:55 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-05-29 13:15 . 2006-02-13 11:55 45400 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-05-29 13:15 . 2007-04-28 19:22 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-05-15 17:09 . 2009-05-15 17:09 -------- d-----w- c:\program files\Common Files\Application

2009-05-13 05:15 . 2004-08-23 18:32 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-07 15:44 . 2002-08-29 02:00 344064 ----a-w- c:\windows\system32\localspl.dll

2009-04-17 09:58 . 2002-08-29 02:00 1846656 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 15:11 . 2004-04-14 19:44 584192 ----a-w- c:\windows\system32\rpcrt4.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-02-26 180316]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-15 290816]

"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 36864]

"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]

"TV Now"="c:\program files\HPQ\Notebook Utilities\TvNow.exe" [2003-01-30 282624]

"Display Settings"="c:\program files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 45056]

"QT4HPOT"="c:\program files\HPQ\One-Touch\OneTouch.EXE" [2003-01-30 102400]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-14 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-14 634880]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2001-07-19 52736]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-15 196608]

"D-Link Air Utility"="c:\program files\D-Link\Air Utility\AirCFG.exe" [2003-11-04 2502656]

"ANIWZCSService"="c:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 32768]

"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-20 266497]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"SPAMfighter Agent"="c:\program files\SPAMfighter\SFAgent.exe" [2009-03-12 326792]

"CARPService"="carpserv.exe" - c:\windows\system32\carpserv.exe [2003-05-21 4608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-10-1 151552]

Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-10-1 106496]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [13.02.2006 13:55 22360]

R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [13.02.2006 13:55 45400]

R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe [12.03.2009 10:44 184968]

R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [12.04.2003 10:05 291328]

R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [12.04.2003 10:05 244608]

R3 NETDLWL;D-Link Air Wireless Adapter(DL) NT Driver;c:\windows\system32\drivers\NETDLWL.sys [14.11.2003 11:38 183680]

S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [12.04.2003 10:02 26112]

S3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [12.04.2003 10:02 16512]

S3 tridxp2;tridxp2;c:\windows\system32\drivers\tridxp2m.sys [22.04.2004 10:21 755456]

S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [25.12.2008 15:37 32000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-07-01 c:\windows\Tasks\Se etter oppdateringer for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 09:20]

2009-07-01 c:\windows\Tasks\User_Feed_Synchronization-{E6A96E89-88E4-4A3F-9F0C-71264C2D8B6D}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uDefault_Search_URL = hxxp://srch-us4nb.hpwis.com/

mSearch Bar = hxxp://srch-us4nb.hpwis.com/

uInternet Connection Wizard,ShellNext = hxxp://www.frisurf.no/

uInternet Settings,ProxyServer = http=proxy.online.no:8080;ftp=proxy.online.no:8080

uInternet Settings,ProxyOverride = 127.0.0.1;<local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: aicc - hxxp://elearn.datapower.no/online/cab/aicc.cab

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-01 13:37

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ??3B?????????????T?B? ??????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-07-01 13:42

ComboFix-quarantined-files.txt 2009-07-01 11:41

Pre-Run: 13 730 258 944 bytes free

Post-Run: 14 096 326 656 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

156 --- E O F --- 2009-07-01 08:48

Merket det at når ComboFix kjørte så forsvant plutselig skrivebordet, og det eneste som stod igjen var bakgrunnsbildet! Er det normalt? Den begynte også å slette ting under scannen, uten mitt samtykke?

skrivebordet kom tilbake? Det har skjedd meg også, blir borte i 1 min eller noen sekunder så er det tilbake.

raWrz · 1. juli 2009

Hei

combofix slettet disse filene:

c:\windows\patch.exe

c:\windows\system32\P2P Networking

c:\windows\system32\P2P Networking\MARSHAL.DLL

skriveborde (burde) komme tilbake når combofix er slettet (og det sletter du når jeg sier ifra )

raWrz · 1. juli 2009

Trykk Start - Alle Programmer - Tilbehør - Notisblokk

Kopier og Lim inn teksten i kodeboksen nedenfor, inn i Notisblokken:

Driver::
tridxp2m

Lagre det som CFScript på Skrivebordet

Dra CFScript over ComboFix.exe som ligger på Skrivebordet, slik animasjonen nedenfor viser.

Dette vil starte ComboFix igjen. Hvis maskinen ber om en omstart, lar du den gjøre det med én gang.

Post innholdet til ComboFix.txt inn i ditt neste svar på forumet.

(hvis du ikke greier det så sier du ifra og vi gjør det en annen vei )

HeiHemmelig · 2. juli 2009

Da jeg gjorde det over så fikk jeg tilbud om å oppdatere ComboFix, og da jeg gjorde det begynte den å kjøre en ny scan-ting. Det var vel kanskje meningen? Fikk også tilbake skrivebordet mitt etter scannen ja. Uansett, her er loggen:

Klikk for å se/fjerne innholdet nedenfor

ComboFix 09-07-01.01 - Owner 02.07.2009 11:03.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.147 [GMT 2:00]

Running from: c:\documents and settings\Owner\Desktop\Hemmelig.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00DE-0D24-347CA8A3377C}

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00F0-0D24-347CA8A3377C}

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-0101-0D24-347CA8A3377C}

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-0112-0D24-347CA8A3377C}

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))