Chiobe, posted 1 August 2009

I have got one or more viruses/trojans that I cannot get rid of. Running XP 32-bit, fully updated. AVG 8 Free finds Win32/Cryptor in the file geyekrlgohamnb.dll. Malwarebytes' Anti-Malware finds the same file, but identifies it as Trojan.TDSS. I have tried both in safe mode together with SDFix, but none of the programs manage to remove it. And if they say they have managed it, they still find the file after a restart. I have also tried disabling System Restore, since some people online thought the virus/trojan might be using it to restore itself. So is there anything I can try that doesn't cost money, apart from formatting?
Tosha0007, posted 1 August 2009 (edited)

Hi, try going through the guide and post the logs here in your own thread.

Edited 1 August 2009 by tosha0007
Chiobe (thread author), posted 1 August 2009 (edited)

Malwarebytes' Anti-Malware 1.39
Databaseversjon: 2540

Windows 5.1.2600 Service Pack 3

Skanntype: Rask Skann
Objekter skannet: 81576

Minneprosesser infisert: 0
Minnemoduler infisert: 1
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 1

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
\\?\globalroot\systemroot\system32\geyekrlgohamnb.dll (Trojan.TDSS) -> Delete on reboot.

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
\\?\globalroot\systemroot\system32\geyekrlgohamnb.dll (Trojan.TDSS) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:43:51, on 01.08.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programfiler\Bonjour\mDNSResponder.exe
C:\Programfiler\Digidesign\Drivers\MMERefresh.exe
C:\Programfiler\Java\jre6\bin\jqs.exe
C:\Programfiler\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Programfiler\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programfiler\Java\jre6\bin\jusched.exe
C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Programfiler\Pidgin\pidgin.exe
C:\Programfiler\uTorrent\uTorrent.exe
C:\Programfiler\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Programfiler\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programfiler\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programfiler\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programfiler\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Programfiler\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Programfiler\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [startCCC] "C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FELLES~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Programfiler\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232387719687
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programfiler\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Programfiler\Fellesfiler\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Adobe Version Cue CS3 AdobeAdobeAlerter (AdobeAdobeAlerter) - Unknown owner - C:\WINDOWS\TEMP\pxucnymexn.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Programfiler\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programfiler\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Programfiler\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: Automatiske oppdateringer (wuauserv) - Unknown owner - C:\WINDOWS\

Edited 1 August 2009 by Chiobe
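The entries that stand out in a log like the one above (a module reported under a globalroot device path, a service whose binary sits in TEMP or is missing, orphaned browser helpers) can be picked out mechanically. The following Python script is an added example, not a tool used or written by anyone in this thread; its sample lines are constructed from the HijackThis and MBAM output posted above, and the rule names and severities are my own choice.

```python
"""Triage rules for HijackThis / MBAM log lines (added example; not a tool
used or written by anyone in this thread).

The rules encode what stands out in the posted log:
  * a module reported under a globalroot device-namespace path, which hides
    the real file location from most user-mode tooling (typical of TDSS),
  * an O23 service whose binary lives in a TEMP directory,
  * a service whose registered binary is reported missing,
  * O2/O3 browser-helper entries with "(no file)",
  * "Unknown owner" services (low severity: several stock XP services
    hosted in svchost show up this way too, BITS among them).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines taken from the HijackThis and MBAM output posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programfiler\Java\jre6\bin\jp2ssv.dll
O23 - Service: Adobe Version Cue CS3 AdobeAdobeAlerter (AdobeAdobeAlerter) - Unknown owner - C:\WINDOWS\TEMP\pxucnymexn.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
Minnemoduler infisert: \\?\globalroot\systemroot\system32\geyekrlgohamnb.dll (Trojan.TDSS) -> Delete on reboot.
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    rule: str
    line: str


# (rule name, severity, pattern). One line may match several rules.
RULES = [
    # \\?\globalroot\... : device-namespace path, the way MBAM reported the TDSS module
    ("globalroot_path", "high", re.compile(r"\\\\\?\\globalroot\\", re.I)),
    # a service or startup binary living under a TEMP directory
    ("temp_binary", "high", re.compile(r"\\TEMP\\\S+\.exe", re.I)),
    # service still registered, but its binary is gone (leftover or self-deleting loader)
    ("file_missing", "medium", re.compile(r"\(file missing\)", re.I)),
    # orphaned BHO / toolbar registration
    ("no_file", "low", re.compile(r"^O[23] - .*\(no file\)", re.I)),
    # vendor unknown: worth a look, but benign for several XP services
    ("unknown_owner", "low", re.compile(r" - Unknown owner - ")),
]


def triage_line(line: str) -> List[Finding]:
    """Return one Finding per rule that matches this log line."""
    return [Finding(sev, name, line) for name, sev, pat in RULES if pat.search(line)]


def triage(log_text: str) -> List[Finding]:
    """Run every rule over every non-empty line of a pasted log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(triage_line(line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so the reader sees what needs attention first."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.rule:15} {f.line}")
    print(summarize(results))
```

On the constructed sample the TDSS module and the TEMP-resident service come out as the two high-severity hits, while the AVG and Java entries produce nothing.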
snippsat, posted 1 August 2009

Look for Trojan.TDSS here. You stop the service by doing the following:

Go to Control Panel -> System -> Hardware -> Device Manager.
Choose View -> Show hidden devices.
Click the plus sign in front of "Non-Plug and Play Drivers".
Scroll down to TDSSserv.sys, right-click the file and choose Disable.
Restart.
New scan with MBAM.
See if you can run ComboFix, and post the log.
Chiobe (thread author), posted 2 August 2009

There is no TDSSserv.sys in that list. Don't know whether that has anything to do with me having run a couple of rounds with various programs?
Atiks, posted 2 August 2009 (edited)

Try downloading a new SDFix, and I think it is a password-stealing trojan. Remember! to unpack the SDFix file in normal mode and then run the file in safe mode.

Edited 2 August 2009 by snippern
snippsat, posted 2 August 2009

> Try downloading a new SDFix, and I think it is a password-stealing trojan

When it comes to tools like SDFix, we much prefer that the log is posted. All these special tools should come with correct instructions.

Download SDFix to the desktop. Unpack it. By default it will create a folder at C:\SDFix.
Boot, press F8 several times, choose safe mode.
Then run RunThis.bat in the SDFix folder. Follow the instructions.
A report is created (Report.txt); copy and paste it into your post.

> Don't know whether that has anything to do with me having run a couple of rounds with various programs?

Yes, it looked like MBAM removed it. Say a little about whether the PC runs fine now. If you can run ComboFix, do so and post the log.
Chiobe (thread author), posted 2 August 2009

SDFix: Version 1.240
Run by Administrator on 01.08.2009 at 21:33

Microsoft Windows XP [Versjon 5.1.2600]

Checking Services:

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files:

Trojan Files Found:

C:\-17443~1 - Deleted
C:\WINDOWS\system32\L49EC.tmp.exe - Deleted

Removing Temp Files

ADS Check:

Final Check:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 21:54:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
disk error: C:\WINDOWS\system32\config\system, 1381
scanning hidden registry entries ...
disk error: C:\WINDOWS\system32\config\software, 1381
disk error: C:\Documents and Settings\Eier\ntuser.dat, 1381
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan

Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programfiler\\AVG\\AVG8\\avgupd.exe"="C:\\Programfiler\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Programfiler\\uTorrent\\uTorrent.exe"="C:\\Programfiler\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Programfiler\\Google\\Google Talk\\googletalk.exe"="C:\\Programfiler\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Programfiler\\Spotify\\spotify.exe"="C:\\Programfiler\\Spotify\\spotify.exe:*:Enabled:Spotify"
"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"="C:\\Programfiler\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Programfiler\\Autodesk\\Backburner\\monitor.exe"="C:\\Programfiler\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Programfiler\\Autodesk\\Backburner\\manager.exe"="C:\\Programfiler\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Programfiler\\Autodesk\\Backburner\\server.exe"="C:\\Programfiler\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Programfiler\\Autodesk\\3ds Max 2009\\3dsmax.exe"="C:\\Programfiler\\Autodesk\\3ds Max 2009\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 2009 32-bit"
"C:\\Programfiler\\Xming\\Xming.exe"="C:\\Programfiler\\Xming\\Xming.exe:*:Enabled:Xming X Server"
"C:\\Programfiler\\mIRC\\mirc.exe"="C:\\Programfiler\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Programfiler\\NX Client for Windows\\nxclient.exe"="C:\\Programfiler\\NX Client for Windows\\nxclient.exe:*:Enabled:nxclient"
"C:\\Programfiler\\NX Client for Windows\\bin\\nxssh.exe"="C:\\Programfiler\\NX Client for Windows\\bin\\nxssh.exe:*:Enabled:nxssh"
"C:\\Documents and Settings\\Eier\\Skrivebord\\cs 1.6\\hl.exe"="C:\\Documents and Settings\\Eier\\Skrivebord\\cs 1.6\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programfiler\\DC++\\DCPlusPlus.exe"="C:\\Programfiler\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Programfiler\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"="C:\\Programfiler\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe:*:Enabled:Adobe After Effects CS3"
"C:\\Programfiler\\VideoLAN\\VLC\\vlc.exe"="C:\\Programfiler\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Programfiler\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Programfiler\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Programfiler\\Fellesfiler\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Programfiler\\Fellesfiler\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\\Programfiler\\Pidgin\\pidgin.exe"="C:\\Programfiler\\Pidgin\\pidgin.exe:*:Enabled:Pidgin"
"C:\\Programfiler\\Overlord II\\Overlord2.exe"="C:\\Programfiler\\Overlord II\\Overlord2.exe:*:Enabled:Overlord II"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programfiler\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Programfiler\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files:

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 7 Apr 2009 223 ...H. --- "C:\Boot.BAK"
Fri 8 May 2009 8,192 A.SHR --- "C:\BOOTSECT.BAK"
Tue 15 Apr 2008 16 ...H. --- "C:\WINDOWS\system32\hpcasyd.dll"
Mon 13 Apr 2009 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 9 Feb 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 29 Mar 2009 888 ...HR --- "C:\Documents and Settings\Eier\Programdata\SecuROM\UserData\securom_v7_01.bak"

Finished!
snippsat, posted 2 August 2009

Download ComboFix and put it on the desktop. Do not click on the window while the program is running. Post the log C:\combofix.txt.
Chiobe (thread author), posted 2 August 2009 (edited)

ComboFix 09-07-31.04 - Eier 02.08.2009 14:17.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.47.1044.18.3326.2802 [GMT 2:00]
Kjører fra: c:\documents and settings\Eier\Mine dokumenter\Nedlastinger\ComboFix.exe
Command switches brukt :: c:\documents and settings\Eier\Mine dokumenter\Nedlastinger\WindowsXP-KB310994-SP2-Home-BootDisk-NOR.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

PEV Error: AppFile
PEV Error: DesktopFile
PEV Error: DesktopFolder
PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder
PEV Error: PersonalFile
PEV Error: ProgramsFile
PEV Error: ProgramsFolder
PEV Error: StartUpFile
PEV Error: UserFile
PEV Error: UserFolder

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\31596559.sys
c:\windows\system32\drivers\geyekrmscaeoxl.sys
c:\windows\system32\geyekrgrkstqtm.dat
c:\windows\system32\geyekrjdlykhhu.dat
c:\windows\system32\geyekrlgohamnb.dll
c:\windows\system32\geyekrqcsmfdan.dll
.
---- Forrige skanning -------
.
c:\windows\system32\drivers\geyekrmscaeoxl.sys
c:\windows\system32\geyekrgrkstqtm.dat
c:\windows\system32\geyekrjdlykhhu.dat
c:\windows\system32\geyekrlgohamnb.dll
c:\windows\system32\geyekrqcsmfdan.dll
.
((((((((((((((((((((((((((((((((((((((( Drivere/Tjenester )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSUPDATE
-------\Service_31596559
-------\Service_geyekrrddtkcka
-------\Service_31596559

((((((((((((((((((((((((((( Filer Opprettet Fra 2009-07-02 til 2009-08-02 )))))))))))))))))))))))))))))))))
.
2009-08-01 19:21 . 2009-08-01 19:21 -------- d-----w- c:\windows\ERUNT
2009-08-01 13:36 . 2009-08-01 14:12 81984 ----a-w- c:\windows\system32\bdod.bin
2009-08-01 13:23 . 2009-08-01 13:23 -------- d-----w- c:\documents and settings\Administrator\Programdata\Malwarebytes
2009-08-01 13:23 . 2009-08-01 14:12 -------- d-----w- c:\documents and settings\Administrator\Programdata\Bitdefender
2009-08-01 13:16 . 2009-08-01 13:16 -------- d-----w- c:\programfiler\BitDefender
2009-08-01 13:16 . 2009-08-01 14:12 -------- d-----w- c:\programfiler\Fellesfiler\BitDefender
2009-08-01 12:48 . 2009-08-01 19:54 -------- d-----w- C:\SDFix
2009-08-01 12:19 . 2009-08-01 12:19 -------- d-----w- c:\documents and settings\Eier\Programdata\Malwarebytes
2009-08-01 12:19 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 12:19 . 2009-08-01 12:19 -------- d-----w- c:\programfiler\Malwarebytes' Anti-Malware
2009-08-01 12:19 . 2009-08-01 12:19 -------- d-----w- c:\docume~1\ALLUSE~1\PROGRA~1\Malwarebytes
2009-08-01 12:19 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 12:07 . 2009-08-02 11:35 -------- d--h--r- c:\documents and settings\Eier\Siste
2009-08-01 11:30 . 2009-08-01 11:30 -------- d-----r- c:\documents and settings\LocalService\Favoritter
2009-07-31 12:56 . 2009-07-31 13:01 -------- d-----w- c:\documents and settings\Eier\dwhelper
2009-07-31 10:02 . 2009-07-31 10:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-24 15:05 . 2009-07-24 15:05 -------- d-----w- c:\programfiler\CCleaner
2009-07-22 14:45 . 2009-07-22 14:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-21 11:34 . 2009-07-21 12:40 -------- d-----w- c:\programfiler\Trine
2009-07-16 20:41 . 2009-07-16 20:41 -------- d-----w- c:\programfiler\Aegisub
2009-07-16 20:37 . 2009-07-16 20:44 -------- d-----w- c:\documents and settings\Eier\Programdata\Aegisub
2009-07-16 20:06 . 2009-07-16 20:07 -------- d-----w- c:\programfiler\VisualSubSync
2009-07-16 19:48 . 2009-07-16 19:52 -------- d-----w- c:\programfiler\MKVtoolnix
2009-07-16 14:48 . 2009-07-16 14:50 -------- d-----w- c:\documents and settings\Eier\Programdata\TeraCopy
2009-07-16 14:48 . 2009-07-16 14:48 -------- d-----w- c:\programfiler\TeraCopy
2009-07-14 14:59 . 2009-07-14 14:59 -------- d-----w- c:\programfiler\MatroskaSplitter
2009-07-14 14:28 . 2009-07-30 18:41 -------- d-----w- c:\documents and settings\Eier\Programdata\vlc
2009-07-06 20:35 . 2009-07-06 20:35 -------- d-sh--w- c:\documents and settings\Eier\IECompatCache
2009-07-05 20:13 . 2009-07-05 20:13 -------- d-----w- c:\documents and settings\Eier\Programdata\DAZ 3D
2009-07-05 20:13 . 2009-07-05 20:13 -------- d-----w- c:\programfiler\Fellesfiler\DAZ
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 11:44 . 2009-03-23 16:47 -------- d-----w- c:\documents and settings\Eier\Programdata\.purple
2009-08-02 11:36 . 2009-02-08 13:48 -------- d-----w- c:\documents and settings\Eier\Programdata\uTorrent
2009-08-01 13:29 . 2008-04-15 11:00 511820 ----a-w- c:\windows\system32\perfh014.dat
2009-08-01 13:29 . 2008-04-15 11:00 106176 ----a-w- c:\windows\system32\perfc014.dat
2009-08-01 13:22 . 2009-08-01 13:16 -------- d-----w- c:\docume~1\ALLUSE~1\PROGRA~1\BitDefender
2009-08-01 12:58 . 2009-02-08 16:31 -------- d---a-w- c:\docume~1\ALLUSE~1\PROGRA~1\TEMP
2009-08-01 11:00 . 2009-04-22 23:37 -------- d-----w- c:\programfiler\Microsoft Silverlight
2009-07-30 17:28 . 2009-04-01 12:27 -------- d-----w- c:\documents and settings\Eier\Programdata\gtk-2.0
2009-07-24 16:15 . 2009-02-07 17:56 -------- d-----w- c:\docume~1\ALLUSE~1\PROGRA~1\avg8
2009-07-18 11:54 . 2009-02-07 11:00 604480 ----a-w- c:\documents and settings\Eier\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2009-07-12 18:02 . 2009-06-09 06:17 -------- d-----w- c:\programfiler\Warrior Epic
2009-07-12 17:59 . 2009-03-23 16:46 -------- d-----w- c:\programfiler\Pidgin
2009-07-12 17:59 . 2009-03-23 16:46 -------- d-----w- c:\programfiler\Fellesfiler\GTK
2009-07-07 07:17 . 2009-02-07 17:56 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-04 08:19 . 2009-02-07 17:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-04 08:19 . 2009-02-07 17:56 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-03 17:01 . 2008-04-15 11:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-30 18:42 . 2009-06-30 18:34 -------- d-----w- c:\programfiler\Overlord II
2009-06-30 18:34 . 2009-01-20 09:42 -------- d--h--w- c:\programfiler\InstallShield Installation Information
2009-06-18 06:42 . 2009-06-18 06:09 -------- d-----w- c:\documents and settings\Eier\Programdata\DigitalCute
2009-06-16 14:43 . 2008-04-15 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:43 . 2008-04-15 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 16:08 . 2009-02-08 17:34 -------- d-----w- c:\docume~1\ALLUSE~1\PROGRA~1\Avid Media Composer
2009-06-12 17:35 . 2009-06-12 17:35 -------- d-----w- c:\programfiler\Adobe Media Player
2009-06-12 17:35 . 2009-06-12 17:35 -------- d-----w- c:\programfiler\Fellesfiler\Adobe AIR
2009-06-12 17:29 . 2009-06-12 17:29 -------- d-----w- c:\programfiler\Flash Movie Player
2009-06-12 03:10 . 2009-06-12 03:10 -------- d-----w- c:\programfiler\Fellesfiler\DirectX
2009-06-12 03:07 . 2009-04-22 23:37 -------- d-----w- c:\programfiler\Windows Desktop Search
2009-06-12 03:04 . 2009-04-19 03:09 -------- d-----w- c:\programfiler\Fellesfiler\Wise Installation Wizard
2009-06-12 02:59 . 2009-04-19 03:09 -------- d-----w- c:\programfiler\AGEIA Technologies
2009-06-04 16:25 . 2009-01-19 17:52 -------- d-----w- c:\programfiler\Fellesfiler\Adobe
2009-06-04 16:24 . 2009-06-04 16:24 -------- d-----w- c:\programfiler\Fellesfiler\Control Panels
2009-06-04 16:23 . 2009-06-04 16:23 -------- d-----w- c:\docume~1\ALLUSE~1\PROGRA~1\ALM
2009-06-04 16:14 . 2009-02-08 15:58 -------- d-----w- c:\programfiler\QuickTime
2009-06-04 15:44 . 2009-06-04 15:44 -------- d-----w- c:\programfiler\Bonjour
2009-06-04 15:40 . 2009-06-04 15:40 -------- d-----w- c:\programfiler\Fellesfiler\Macrovision Shared
2009-06-03 19:11 . 2008-04-15 11:00 1294336 ----a-w- c:\windows\system32\quartz.dll
2009-05-24 22:24 . 2008-05-26 20:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-07 15:34 . 2008-04-15 11:00 346112 ----a-w- c:\windows\system32\localspl.dll
2009-07-17 09:05 . 2009-02-07 10:59 137208 ----a-w- c:\programfiler\mozilla firefox\components\brwsrcmp.dll
.
------- Sigcheck -------
[-] 2009-01-06 10:53 1573376 3F8D90D6F8109035CF796073BA850617 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-01_20.31.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-02 12:32 . 2009-08-02 12:32 16384 c:\windows\temp\Perflib_Perfdata_6d4.dat
+ 2009-08-02 12:16 . 2009-08-02 12:16 16384 c:\windows\temp\Perflib_Perfdata_10c.dat
+ 2009-07-21 11:45 . 2009-08-02 11:27 32768 c:\windows\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-21 11:45 . 2009-08-01 20:15 32768 c:\windows\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-21 11:45 . 2009-08-02 11:27 16384 c:\windows\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\index.dat
- 2009-07-21 11:45 . 2009-08-01 20:15 16384 c:\windows\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\index.dat
+ 2009-07-21 11:45 . 2009-08-02 11:27 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-07-21 11:45 . 2009-08-01 20:15 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-04 1948440]
"WinampAgent"="c:\programfiler\Winamp\winampa.exe" [bU]
"DigidesignMMERefresh"="c:\programfiler\Digidesign\Drivers\MMERefresh.exe" [2007-10-30 77824]
"QuickTime Task"="c:\programfiler\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\programfiler\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"StartCCC"="c:\programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-17 61440]
"Acrobat Assistant 8.0"="c:\programfiler\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-29 624248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-20 16384512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\docume~1\ALLUSE~1\START-~1\PROGRA~1\Oppstart\
Windows Search.lnk - c:\programfiler\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-04 08:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave3"=Digi32.dll
"MIDI3"=diomidi.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programfiler\\uTorrent\\uTorrent.exe"=
"c:\\Programfiler\\Spotify\\spotify.exe"=
"c:\\Programfiler\\Bonjour\\mDNSResponder.exe"=
"c:\\Programfiler\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Programfiler\\Autodesk\\Backburner\\manager.exe"=
"c:\\Programfiler\\Autodesk\\Backburner\\server.exe"=
"c:\\Programfiler\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Programfiler\\mIRC\\mirc.exe"=
"c:\\Programfiler\\NX Client for Windows\\nxclient.exe"=
"c:\\Programfiler\\NX Client for Windows\\bin\\nxssh.exe"=
"c:\\Programfiler\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"c:\\Programfiler\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programfiler\\Fellesfiler\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Programfiler\\Pidgin\\pidgin.exe"=
"c:\\Programfiler\\Overlord II\\Overlord2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"16001:TCP"= 16001:TCP:any name
"6000:TCP"= 6000:TCP:any name
"177:UDP"= 177:UDP:any name
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07.02.2009 19:56 335752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07.02.2009 19:56 298776]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [08.02.2009 19:31 16400]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\programfiler\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [10.03.2008 01:04 65536]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [31.10.2008 20:52 93184]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S2 AdobeAdobeAlerter;Adobe Version Cue CS3 AdobeAdobeAlerter;c:\windows\TEMP\pxucnymexn.exe service --> c:\windows\TEMP\pxucnymexn.exe service [?]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\programfiler\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24.11.2008 23:31 29263712]
S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [19.01.2009 18:47 10304]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Tilleggsskanning -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\docume~1\Eier\PROGRA~1\Mozilla\Firefox\Profiles\95mdlv54.default\
FF - plugin: c:\programfiler\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\programfiler\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\programfiler\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js -
pref("browser.urlbar.autocomplete.enabled", true); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true); c:\programfiler\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\programfiler\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\programfiler\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\programfiler\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no"); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\programfiler\Mozilla 
Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - 
pref("browser.privatebrowsing.autostart", false); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-02 14:33 Windows 5.1.2600 Service Pack 3 NTFS skanner skjulte prosesser ... skanner skjulte autostart-oppføringer ... skanner skjulte filer ... skanning vellykket skjulte filer: 0 ************************************************************************** . --------------------- LÅSTE REGISTERNØKLER --------------------- [HKEY_USERS\S-1-5-21-1614895754-879983540-682003330-1003\Software\SecuROM\License information*] "datasecu"=hex:9d,ef,ab,c1,98,aa,40,11,60,0a,31,1c,a2,71,76,4d,fd,72,d3,2e,0b, 76,8c,fd,45,7f,da,37,53,66,12,54,90,45,a7,4b,c8,ef,89,74,7c,be,03,16,d5,01,\ "rkeysecu"=hex:6b,5d,95,f7,1e,6d,25,42,8e,6e,75,99,f3,42,2d,17 . --------------------- DLL'er Lastet Av Kjørende Prosesser --------------------- - - - - - - - > 'winlogon.exe'(956) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(2480) c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Andre Kjørende Prosesser ------------------------ . 
c:\windows\system32\ati2evxx.exe c:\windows\system32\ati2evxx.exe c:\programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe c:\programfiler\Bonjour\mDNSResponder.exe c:\programfiler\Java\jre6\bin\jqs.exe c:\programfiler\Microsoft SQL Server\90\Shared\sqlbrowser.exe c:\programfiler\Microsoft SQL Server\90\Shared\sqlwriter.exe c:\programfiler\AVG\AVG8\avgrsx.exe c:\windows\system32\searchindexer.exe c:\windows\system32\wbem\wmiapsrv.exe c:\programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe c:\programfiler\ATI Technologies\ATI.ACE\Core-Static\CCC.exe . ************************************************************************** . Tidspunkt ferdig: 2009-08-02 14:37 - maskinen ble startet på nytt ComboFix-quarantined-files.txt 2009-08-02 12:37 Pre-Run: 58 916 618 240 byte ledig Post-Run: 58 779 799 552 byte ledig WindowsXP-KB310994-SP2-Home-BootDisk-NOR.exe ; ;Warning: Boot.ini is used on Windows XP and earlier operating systems. ;Warning: Use BCDEDIT.exe to modify Windows Vista boot options. ; [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /NOEXECUTE=OPTIN /FASTDETECT /USEPMTIMER 338 --- E O F --- 2009-07-31 11:45
Edit: It looks like ComboFix took care of the problem, since neither AVG nor Malwarebytes finds it any more. Edited 2 August 2009 by Chiobe
snippsat Written 2 August 2009
Copy the bold text below the picture -> open Notepad and paste it in. Save it on the desktop as CFScript.txt. Do as shown in the picture; ComboFix will start. Post the log c:\combofix.txt

File::
c:\windows\TEMP\pxucnymexn.exe

Driver::
AdobeAdobeAlerter
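As an added illustration of what snippsat spotted in the service list (this is example code written for this page, not snippsat's instructions and not anything ComboFix ships), here is a small Python parser for the R*/S* service and driver lines of a ComboFix log. It flags a service whose binary sits in a temporary directory, notes when ComboFix printed "[?]" because it could not stamp the file, and renders the File::/Driver:: lines of a CFScript for the high-confidence hits. The sample lines are copied from the log in this thread; the SUSPICIOUS_DIRS list and the helper names are assumptions to tune for your own environment.

```python
"""Parse the service/driver section of a ComboFix log and flag entries that
deserve a second look.  Added example for this thread, not ComboFix code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied in shape from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07.02.2009 19:56 335752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07.02.2009 19:56 298776]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S2 AdobeAdobeAlerter;Adobe Version Cue CS3 AdobeAdobeAlerter;c:\windows\TEMP\pxucnymexn.exe service --> c:\windows\TEMP\pxucnymexn.exe service [?]
S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [19.01.2009 18:47 10304]
"""

# Line shape: "R2 name;display;command [dd.mm.yyyy hh:mm size]"  or  "... --> command [?]"
ENTRY_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
STAMP_RE = re.compile(r"\s+\[(?P<stamp>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}) (?P<size>\d+)\]$")
IMAGE_RE = re.compile(r"^.*?\.(?:exe|sys|dll)\b", re.IGNORECASE)
# Directories no legitimate service should start from (assumption: extend for your environment).
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\recycler\\")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image: str
    verified: bool          # False when ComboFix printed "[?]" instead of a file stamp
    reasons: List[str]


def parse_entry(line: str) -> Optional[ServiceEntry]:
    """Turn one R*/S* log line into a ServiceEntry, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.endswith("[?]"):
        # ComboFix repeats the command after "-->" when it could not stamp the file.
        command, verified = rest.split(" --> ", 1)[0], False
    else:
        s = STAMP_RE.search(rest)
        command, verified = (rest[: s.start()], True) if s else (rest, False)
    img = IMAGE_RE.match(command)           # cut off trailing service arguments
    image = img.group(0) if img else command
    reasons = []
    if any(d in image.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("image lives in a temporary directory")
    if not verified:
        reasons.append("ComboFix could not stamp the file ([?])")
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                        image, verified, reasons)


def parse_log(text: str) -> List[ServiceEntry]:
    entries = [parse_entry(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def suspicious(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """High-confidence hits only: a binary in a temp directory.  A bare [?] is just a
    note, because a legitimately removed driver (DigiFilter above) prints [?] too."""
    return [e for e in entries if any("temporary" in r for r in e.reasons)]


def cfscript(entries: List[ServiceEntry]) -> str:
    """Render the File::/Driver:: directives a helper hands back, as snippsat did."""
    files = "\n".join(e.image for e in entries)
    drivers = "\n".join(e.name for e in entries)
    return f"File::\n{files}\n\nDriver::\n{drivers}\n"


if __name__ == "__main__":
    hits = suspicious(parse_log(SAMPLE_LOG))
    for e in hits:
        print(f"{e.state} {e.name} ({e.display}) -> {e.image}: {', '.join(e.reasons)}")
    print(cfscript(hits))
```

Run against the sample, only AdobeAdobeAlerter is reported: its binary is under c:\windows\TEMP and ComboFix could not stamp it, while DigiFilter, which also shows "[?]", is left alone because a missing driver file on its own is not evidence of anything. The display name borrowed from Adobe Version Cue is the kind of detail a parser cannot judge, so keep reading the log yourself.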
Chiobe Written 2 August 2009 (Author)
ComboFix 09-08-01.06 - Eier 02.08.2009 15:21.3.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.47.1044.18.3326.2402 [GMT 2:00] Kjører fra: c:\documents and settings\Eier\Skrivebord\ComboFix.exe Command switches brukt :: c:\documents and settings\Eier\Skrivebord\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} * Opprettet nytt gjenopprettingspunkt FILE :: "c:\windows\TEMP\pxucnymexn.exe" . ((((((((((((((((((((((((((((((((((((((( Andre slettinger ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Drivere/Tjenester ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ADOBEADOBEALERTER -------\Service_AdobeAdobeAlerter ((((((((((((((((((((((((((( Filer Opprettet Fra 2009-07-02 til 2009-08-02 ))))))))))))))))))))))))))))))))) . 2009-08-01 19:21 . 2009-08-01 19:21 -------- d-----w- c:\windows\ERUNT 2009-08-01 13:36 . 2009-08-01 14:12 81984 ----a-w- c:\windows\system32\bdod.bin 2009-08-01 13:23 . 2009-08-01 13:23 -------- d-----w- c:\documents and settings\Administrator\Programdata\Malwarebytes 2009-08-01 13:23 . 2009-08-01 14:12 -------- d-----w- c:\documents and settings\Administrator\Programdata\Bitdefender 2009-08-01 13:16 . 2009-08-01 14:12 -------- d-----w- c:\programfiler\Fellesfiler\BitDefender 2009-08-01 12:48 . 2009-08-01 19:54 -------- d-----w- C:\SDFix 2009-08-01 12:19 . 2009-08-01 12:19 -------- d-----w- c:\documents and settings\Eier\Programdata\Malwarebytes 2009-08-01 12:19 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-01 12:19 . 2009-08-01 12:19 -------- d-----w- c:\programfiler\Malwarebytes' Anti-Malware 2009-08-01 12:19 . 2009-08-01 12:19 -------- d-----w- c:\documents and settings\All Users\Programdata\Malwarebytes 2009-08-01 12:19 . 
2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-08-01 12:07 . 2009-08-02 13:18 -------- d--h--r- c:\documents and settings\Eier\Siste 2009-08-01 11:30 . 2009-08-01 11:30 -------- d-----r- c:\documents and settings\LocalService\Favoritter 2009-07-31 12:56 . 2009-07-31 13:01 -------- d-----w- c:\documents and settings\Eier\dwhelper 2009-07-31 10:02 . 2009-07-31 10:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2009-07-24 15:05 . 2009-07-24 15:05 -------- d-----w- c:\programfiler\CCleaner 2009-07-22 14:45 . 2009-07-22 14:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-07-21 11:34 . 2009-07-21 12:40 -------- d-----w- c:\programfiler\Trine 2009-07-19 12:36 . 2009-07-19 12:36 2141 ----a-w- c:\documents and settings\Eier\Programdata\.purple\certificates\x509\tls_peers\omega.contacts.msn.com 2009-07-19 11:44 . 2009-07-04 08:19 2301208 ----a-w- c:\documents and settings\All Users\Programdata\avg8\update\backup\avguiadv.dll 2009-07-19 11:44 . 2009-07-04 08:19 353048 ----a-w- c:\documents and settings\All Users\Programdata\avg8\update\backup\avgxch32.dll 2009-07-16 20:41 . 2009-07-16 20:41 -------- d-----w- c:\programfiler\Aegisub 2009-07-16 20:37 . 2009-07-16 20:44 -------- d-----w- c:\documents and settings\Eier\Programdata\Aegisub 2009-07-16 20:06 . 2009-07-16 20:07 -------- d-----w- c:\programfiler\VisualSubSync 2009-07-16 19:48 . 2009-07-16 19:52 -------- d-----w- c:\programfiler\MKVtoolnix 2009-07-16 14:48 . 2009-07-16 14:50 -------- d-----w- c:\documents and settings\Eier\Programdata\TeraCopy 2009-07-16 14:48 . 2009-07-16 14:48 -------- d-----w- c:\programfiler\TeraCopy 2009-07-14 14:59 . 2009-07-14 14:59 -------- d-----w- c:\programfiler\MatroskaSplitter 2009-07-14 14:28 . 2009-07-30 18:41 -------- d-----w- c:\documents and settings\Eier\Programdata\vlc 2009-07-11 10:01 . 
2009-07-11 10:01 2095 ----a-w- c:\documents and settings\Eier\Programdata\.purple\certificates\x509\tls_peers\login.live.com 2009-07-07 07:18 . 2009-07-07 07:17 2054424 ----a-w- c:\documents and settings\All Users\Programdata\avg8\update\backup\avgcorex.dll 2009-07-07 07:18 . 2009-07-07 07:17 3403032 ----a-w- c:\documents and settings\All Users\Programdata\avg8\update\backup\avgui.exe 2009-07-07 07:18 . 2009-07-04 08:19 327688 ----a-w- c:\documents and settings\All Users\Programdata\avg8\update\backup\avgldx86.sys 2009-07-07 07:18 . 2009-07-07 07:17 2167576 ----a-w- c:\documents and settings\All Users\Programdata\avg8\update\backup\avgresf.dll 2009-07-07 07:18 . 2009-07-04 08:19 1204504 ----a-w- c:\documents and settings\All Users\Programdata\avg8\update\backup\avgabout.dll 2009-07-07 07:18 . 2009-07-04 08:19 3298072 ----a-w- c:\documents and settings\All Users\Programdata\avg8\update\backup\setup.exe 2009-07-07 07:18 . 2009-07-04 08:19 337176 ----a-w- c:\documents and settings\All Users\Programdata\avg8\update\backup\avglogx.dll 2009-07-07 07:18 . 2009-07-04 08:19 829208 ----a-w- c:\documents and settings\All Users\Programdata\avg8\update\backup\avgcfgx.dll 2009-07-07 07:16 . 2009-07-04 08:19 1454360 ----a-w- c:\documents and settings\All Users\Programdata\avg8\update\backup\avgupd.dll 2009-07-07 07:16 . 2009-07-04 08:19 1085208 ----a-w- c:\documents and settings\All Users\Programdata\avg8\update\backup\avgupd.exe 2009-07-06 20:35 . 2009-07-06 20:35 -------- d-sh--w- c:\documents and settings\Eier\IECompatCache 2009-07-05 20:13 . 2009-05-11 18:38 4608 ----a-w- c:\documents and settings\Eier\Programdata\DAZ 3D\Studio3\DAZ Built-in Content\Runtime\libraries\!DAZ\w9xpopen.exe 2009-07-05 20:13 . 2009-05-11 18:38 36 ----a-w- c:\documents and settings\Eier\Programdata\DAZ 3D\Studio3\DAZ Built-in Content\Runtime\libraries\!DAZ\DzCreateExPFiles-V4.bat 2009-07-05 20:13 . 
2009-05-11 18:38 348160 ----a-w- c:\documents and settings\Eier\Programdata\DAZ 3D\Studio3\DAZ Built-in Content\Runtime\libraries\!DAZ\MSVCR71.dll 2009-07-05 20:13 . 2009-05-11 18:38 2341923 ----a-w- c:\documents and settings\Eier\Programdata\DAZ 3D\Studio3\DAZ Built-in Content\Runtime\libraries\!DAZ\DzCreateExPFiles.exe 2009-07-05 20:13 . 2009-07-05 20:13 -------- d-----w- c:\documents and settings\Eier\Programdata\DAZ 3D 2009-07-05 20:13 . 2009-07-05 20:13 -------- d-----w- c:\programfiler\Fellesfiler\DAZ . (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-02 13:18 . 2009-03-23 16:47 -------- d-----w- c:\documents and settings\Eier\Programdata\.purple 2009-08-02 13:17 . 2009-02-08 13:48 -------- d-----w- c:\documents and settings\Eier\Programdata\uTorrent 2009-08-02 13:10 . 2009-04-01 12:27 -------- d-----w- c:\documents and settings\Eier\Programdata\gtk-2.0 2009-08-01 13:29 . 2008-04-15 11:00 511820 ----a-w- c:\windows\system32\perfh014.dat 2009-08-01 13:29 . 2008-04-15 11:00 106176 ----a-w- c:\windows\system32\perfc014.dat 2009-08-01 13:22 . 2009-08-01 13:16 -------- d-----w- c:\documents and settings\All Users\Programdata\BitDefender 2009-08-01 12:58 . 2009-02-08 16:31 -------- d---a-w- c:\documents and settings\All Users\Programdata\TEMP 2009-08-01 11:00 . 2009-04-22 23:37 -------- d-----w- c:\programfiler\Microsoft Silverlight 2009-07-24 16:15 . 2009-02-07 17:56 -------- d-----w- c:\documents and settings\All Users\Programdata\avg8 2009-07-18 11:54 . 2009-02-07 11:00 604480 ----a-w- c:\documents and settings\Eier\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT 2009-07-14 14:28 . 2009-04-01 12:29 1 ----a-w- c:\documents and settings\Eier\Programdata\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2009-07-12 18:02 . 2009-06-09 06:17 -------- d-----w- c:\programfiler\Warrior Epic 2009-07-12 17:59 . 2009-03-23 16:46 -------- d-----w- c:\programfiler\Pidgin 2009-07-12 17:59 . 
2009-03-23 16:46 -------- d-----w- c:\programfiler\Fellesfiler\GTK 2009-07-07 07:17 . 2009-02-07 17:56 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-07-04 08:19 . 2009-02-07 17:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-07-04 08:19 . 2009-02-07 17:56 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-07-03 17:01 . 2008-04-15 11:00 915456 ----a-w- c:\windows\system32\wininet.dll 2009-06-30 18:42 . 2009-06-30 18:34 -------- d-----w- c:\programfiler\Overlord II 2009-06-30 18:34 . 2009-01-20 09:42 -------- d--h--w- c:\programfiler\InstallShield Installation Information 2009-06-18 06:42 . 2009-06-18 06:09 -------- d-----w- c:\documents and settings\Eier\Programdata\DigitalCute 2009-06-16 14:43 . 2008-04-15 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll 2009-06-16 14:43 . 2008-04-15 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-14 16:08 . 2009-02-08 17:34 -------- d-----w- c:\documents and settings\All Users\Programdata\Avid Media Composer 2009-06-12 17:35 . 2009-06-12 17:35 -------- d-----w- c:\programfiler\Adobe Media Player 2009-06-12 17:35 . 2009-06-12 17:35 -------- d-----w- c:\programfiler\Fellesfiler\Adobe AIR 2009-06-12 17:34 . 2009-06-12 17:35 38208 ----a-w- c:\documents and settings\Eier\Programdata\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2009-06-12 17:29 . 2009-06-12 17:29 -------- d-----w- c:\programfiler\Flash Movie Player 2009-06-12 03:10 . 2009-06-12 03:10 -------- d-----w- c:\programfiler\Fellesfiler\DirectX 2009-06-12 03:07 . 2009-04-22 23:37 -------- d-----w- c:\programfiler\Windows Desktop Search 2009-06-12 03:04 . 2009-04-19 03:09 -------- d-----w- c:\programfiler\Fellesfiler\Wise Installation Wizard 2009-06-12 02:59 . 2009-04-19 03:09 -------- d-----w- c:\programfiler\AGEIA Technologies 2009-06-11 04:56 . 
2009-03-28 21:28 1878984 ----a-w- c:\documents and settings\Eier\Programdata\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe 2009-06-04 16:25 . 2009-01-19 17:52 -------- d-----w- c:\programfiler\Fellesfiler\Adobe 2009-06-04 16:24 . 2009-06-04 16:24 -------- d-----w- c:\programfiler\Fellesfiler\Control Panels 2009-06-04 16:23 . 2009-06-04 16:23 -------- d-----w- c:\documents and settings\All Users\Programdata\ALM 2009-06-04 16:14 . 2009-02-08 15:58 -------- d-----w- c:\programfiler\QuickTime 2009-06-04 15:44 . 2009-06-04 15:44 -------- d-----w- c:\programfiler\Bonjour 2009-06-04 15:40 . 2009-06-04 15:40 -------- d-----w- c:\programfiler\Fellesfiler\Macrovision Shared 2009-06-03 19:11 . 2008-04-15 11:00 1294336 ----a-w- c:\windows\system32\quartz.dll 2009-05-24 22:24 . 2008-05-26 20:18 350208 ----a-w- c:\windows\system32\mssph.dll 2009-05-07 15:34 . 2008-04-15 11:00 346112 ----a-w- c:\windows\system32\localspl.dll 2009-07-17 09:05 . 2009-02-07 10:59 137208 ----a-w- c:\programfiler\mozilla firefox\components\brwsrcmp.dll . ------- Sigcheck ------- [-] 2009-01-06 10:53 1573376 3F8D90D6F8109035CF796073BA850617 c:\windows\system32\sfcfiles.dll . ((((((((((((((((((((((((((((( SnapShot@2009-08-01_20.31.11 ))))))))))))))))))))))))))))))))))))))))) . + 2009-08-02 13:33 . 2009-08-02 13:33 16384 c:\windows\temp\Perflib_Perfdata_65c.dat + 2009-07-21 11:45 . 2009-08-02 11:27 32768 c:\windows\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat - 2009-07-21 11:45 . 2009-08-01 20:15 32768 c:\windows\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat + 2009-07-21 11:45 . 2009-08-02 11:27 16384 c:\windows\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\index.dat - 2009-07-21 11:45 . 2009-08-01 20:15 16384 c:\windows\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\index.dat + 2009-07-21 11:45 . 
2009-08-02 11:27 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat - 2009-07-21 11:45 . 2009-08-01 20:15 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat . (((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret ))))))))))))))))))))))))))))))))))))))))))))) . . *Merk* tomme oppføringer & gyldige standardoppføringer vises ikke REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Adobe Reader Speed Launcher"="c:\programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864] "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-04 1948440] "WinampAgent"="c:\programfiler\Winamp\winampa.exe" [bU] "DigidesignMMERefresh"="c:\programfiler\Digidesign\Drivers\MMERefresh.exe" [2007-10-30 77824] "QuickTime Task"="c:\programfiler\QuickTime\QTTask.exe" [2009-01-05 413696] "SunJavaUpdateSched"="c:\programfiler\Java\jre6\bin\jusched.exe" [2009-03-09 148888] "StartCCC"="c:\programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-17 61440] "Acrobat Assistant 8.0"="c:\programfiler\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-29 624248] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-20 16384512] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360] c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\ 
Windows Search.lnk - c:\programfiler\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-07-04 08:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "wave3"=Digi32.dll "MIDI3"=diomidi.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Programfiler\\AVG\\AVG8\\avgupd.exe"= "c:\\Programfiler\\uTorrent\\uTorrent.exe"= "c:\\Programfiler\\Spotify\\spotify.exe"= "c:\\Programfiler\\Bonjour\\mDNSResponder.exe"= "c:\\Programfiler\\Autodesk\\Backburner\\monitor.exe"= "c:\\Programfiler\\Autodesk\\Backburner\\manager.exe"= "c:\\Programfiler\\Autodesk\\Backburner\\server.exe"= "c:\\Programfiler\\Autodesk\\3ds Max 2009\\3dsmax.exe"= "c:\\Programfiler\\mIRC\\mirc.exe"= "c:\\Programfiler\\NX Client for Windows\\nxclient.exe"= "c:\\Programfiler\\NX Client for Windows\\bin\\nxssh.exe"= "c:\\Programfiler\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"= "c:\\Programfiler\\VideoLAN\\VLC\\vlc.exe"= "c:\\Programfiler\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Programfiler\\Fellesfiler\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"= "c:\\Programfiler\\Pidgin\\pidgin.exe"= "c:\\Programfiler\\Overlord II\\Overlord2.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5900:TCP"= 5900:TCP:vnc5900 "5800:TCP"= 
5800:TCP:vnc5800 "16001:TCP"= 16001:TCP:any name "6000:TCP"= 6000:TCP:any name "177:UDP"= 177:UDP:any name "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07.02.2009 19:56 335752] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07.02.2009 19:56 298776] R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [08.02.2009 19:31 16400] R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\programfiler\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [10.03.2008 01:04 65536] R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [31.10.2008 20:52 93184] S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?] S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\programfiler\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24.11.2008 23:31 29263712] S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [19.01.2009 18:47 10304] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . . ------- Tilleggsskanning ------- . 
uInternet Settings,ProxyOverride = *.local IE: Append Link Target to Existing PDF - c:\programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to existing PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html FF - ProfilePath - c:\documents and settings\Eier\Programdata\Mozilla\Firefox\Profiles\95mdlv54.default\ FF - plugin: c:\programfiler\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\programfiler\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll FF - plugin: c:\programfiler\Mozilla Firefox\plugins\np-mswmp.dll ---- FIREFOX POLICIES ---- c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\programfiler\Mozilla Firefox\greprefs\all.js - 
pref("browser.urlbar.autocomplete.enabled", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\programfiler\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-02 15:34
Windows 5.1.2600 Service Pack 3 NTFS
skanner skjulte prosesser ...
skanner skjulte autostart-oppføringer ...
skanner skjulte filer ...
skanning vellykket
skjulte filer: 0
**************************************************************************
.
--------------------- LÅSTE REGISTERNØKLER ---------------------
[HKEY_USERS\S-1-5-21-1614895754-879983540-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:9d,ef,ab,c1,98,aa,40,11,60,0a,31,1c,a2,71,76,4d,fd,72,d3,2e,0b,
 76,8c,fd,45,7f,da,37,53,66,12,54,90,45,a7,4b,c8,ef,89,74,7c,be,03,16,d5,01,\
"rkeysecu"=hex:6b,5d,95,f7,1e,6d,25,42,8e,6e,75,99,f3,42,2d,17
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------
- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2556)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andre Kjørende Prosesser ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe
c:\programfiler\Bonjour\mDNSResponder.exe
c:\programfiler\Java\jre6\bin\jqs.exe
c:\programfiler\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\programfiler\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\programfiler\AVG\AVG8\avgrsx.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\programfiler\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2009-08-02 15:39 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2009-08-02 13:39
ComboFix2.txt 2009-08-02 12:48
Pre-Run: 58 621 902 848 byte ledig
Post-Run: 58 578 178 048 byte ledig
318 --- E O F --- 2009-07-31 11:45
snippsat (posted 2 August 2009): Looks good. You can remove ComboFix by typing combofix /u in the Run window. This command deletes the files in quarantine and the backups, resets the System Restore folder, etc. Check whether your software is up to date: Secunia. Surf safely.
Chiobe (thread author, posted 2 August 2009): Thanks for all the help.