Poster utskilt fra veiledertråden-2

r2d290 · 31. august 2008

hmm, var dette litt vanskelig?

Shoo · 31. august 2008

Ja.. Dette var veldig vanskelig.. Jeg fikk overført Combofix til minnebrikke, men når jeg prøver å kjøre Combofix, får jeg beskjeden:

"Combofix has detected the presence of rootkit activity and needs to reboot the machine"

Jeg restarter. Prøver å kjøre Combofix igjen. Det samme skjer. Er nå i sikkermodus, men det samme skjer der også..

...

Noen ideer?

Her er forresten HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:20: VIRUS ALERT!, on 31.08.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Safe mode with network support

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\WgaTray.exe

D:\WINDOWS\system32\cmd.exe

D:\327882R2FWJFW\NirCmd.cfexe

D:\Programfiler\Mozilla Firefox\firefox.exe

F:\Programmer\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

F3 - REG:win.ini: run="D:\Documents and Settings\shoo\Programdata\Adobe\Manager.exe"

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: D - {27D48478-816D-3ED6-9403-A5BED5A77B89} - D:\WINDOWS\system32\mmx24871.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - F:\Programmer\FlashFXP\IEFlash.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] D:\Programfiler\Fellesfiler\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [pbmini] "F:\Programmer\PodcastbarMini\PodcastBarMiniStater.exe" -hide

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] F:\Programmer\logitech\ManifestEngine.exe boot

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - D:\Microgaming\Poker\nordicbetMPP\MPPoker.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab

O17 -

Endret 31. august 2008 av Shoo

norbat · 31. august 2008

Shoo:

Last ned Malwarebytes Anti-Malware til skrivebordet.

Kjør og installer programmet. Velg Norsk-språk

La programmet oppdatere seg og velg å kjør en 'hurtig systemskann', klikk Skann.

Det kommer en meldingsboks om at scannen er ferdig, klikk Ok

Klikk på Vis resultat-knappen.Hvis det er funnet malware, vil du nå se hva som er funnet.

Klikk så på Fjern valgte -knappen for å fjerne malwaren som evt. ble funnet.

Det vil deretter åpnes en logg i notisblokk. Den kan du kopiere og poste. Ønsker også å se SAS-loggen (preferences->statistics/logs)

Shoo · 31. august 2008

Ok. Den fant jo en goood del.. Her er loggen:

Malwarebytes' Anti-Malware 1.25

Database versjon: 1062

Windows 5.1.2600 Service Pack 2

18:31:26 31.08.2008

mbam-log-08-31-2008 (18-31-26).txt

Skanntype: Rask Skann

Objekter skannet: 39718

Tid tilbakelagt: 2 minute(s), 32 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 5

Registerverdier infisert: 1

Registerfiler infisert: 17

Mapper infisert: 0

Filer infisert: 16

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27d48478-816d-3ed6-9403-a5bed5a77b89} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{27d48478-816d-3ed6-9403-a5bed5a77b89} (Trojan.BHO) -> Quarantined and deleted successfully.

Registerverdier infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.

Registerfiler infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run (Trojan.Agent) -> Data: d:\documents and settings\shoo\programdata\adobe\manager.exe -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-649-6478953-23525) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Mapper infisert:

(Ingen mistenkelige filer funnet)

Filer infisert:

D:\WINDOWS\eoae.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

D:\WINDOWS\Help\jtlbcthx.exe (Adware.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\Help\jzjsqrrn.exe (Adware.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\Help\rbkelkrk.exe (Adware.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\Help\slnqelxw.exe (Adware.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\Help\xktzqkhs.exe (Adware.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.

D:\Documents and Settings\shoo\Programdata\Adobe\Manager.exe (Trojan.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\system32\mmx24871.dll (Trojan.BHO) -> Quarantined and deleted successfully.

norbat · 31. august 2008

Etter at du har restartet pc'n, laster du ned ny combofix. Kjør programmet og post loggen når den er ferdig.

Fint om du kunne ha postet loggen fra SAS også.

Endret 31. august 2008 av norbat

Shoo · 31. august 2008

ComboFix-loggen ble noe voldelig stor, så jeg lastet den opp. Les den ved å klikke her!

Her er SAS-loggen:

Klikk for å se/fjerne innholdet nedenfor

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 08/31/2008 at 05:03 PM

Application Version : 4.20.1046

Core Rules Database Version : 3552

Trace Rules Database Version: 1540

Scan type : Quick Scan

Total Scan Time : 01:22:43

Memory items scanned : 277

Memory threats detected : 1

Registry items scanned : 363

Registry threats detected : 52

File items scanned : 54036

File threats detected : 10

Adware.Vundo-Variant/J

D:\WINDOWS\RQBMVPSO.DLL

Trojan.Net-MSV/VPS-Variant

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1197F0F-791F-40EE-A6D1-48EC2F2A776F}

HKCR\CLSID\{F1197F0F-791F-40EE-A6D1-48EC2F2A776F}

HKCR\CLSID\{F1197F0F-791F-40EE-A6D1-48EC2F2A776F}\InprocServer32

HKCR\CLSID\{F1197F0F-791F-40EE-A6D1-48EC2F2A776F}\InprocServer32#ThreadingModel

HKCR\CLSID\{F1197F0F-791F-40EE-A6D1-48EC2F2A776F}\ProgID

HKCR\CLSID\{F1197F0F-791F-40EE-A6D1-48EC2F2A776F}\Programmable

HKCR\CLSID\{F1197F0F-791F-40EE-A6D1-48EC2F2A776F}\TypeLib

HKCR\CLSID\{F1197F0F-791F-40EE-A6D1-48EC2F2A776F}\VersionIndependentProgID

HKCR\QXK.Olive

HKCR\TypeLib\{3E157927-C27E-4612-AAD9-7CAFA240DCF3}

HKCR\TypeLib\{3E157927-C27E-4612-AAD9-7CAFA240DCF3}\1.0

HKCR\TypeLib\{3E157927-C27E-4612-AAD9-7CAFA240DCF3}\1.0\win32

HKCR\TypeLib\{3E157927-C27E-4612-AAD9-7CAFA240DCF3}\1.0\FLAGS

HKCR\TypeLib\{3E157927-C27E-4612-AAD9-7CAFA240DCF3}\1.0\HELPDIR

D:\WINDOWS\RODQGPVLRDO.DLL

HKCR\Interface\{91758E92-E3A9-40B9-980C-104E6429085D}

HKCR\Interface\{91758E92-E3A9-40B9-980C-104E6429085D}\ProxyStubClsid

HKCR\Interface\{91758E92-E3A9-40B9-980C-104E6429085D}\ProxyStubClsid32

HKCR\Interface\{91758E92-E3A9-40B9-980C-104E6429085D}\TypeLib

HKCR\Interface\{91758E92-E3A9-40B9-980C-104E6429085D}\TypeLib#Version

HKCR\Interface\{B392B1A7-122E-4039-BA50-E2A2B39593B5}

HKCR\Interface\{B392B1A7-122E-4039-BA50-E2A2B39593B5}\ProxyStubClsid

HKCR\Interface\{B392B1A7-122E-4039-BA50-E2A2B39593B5}\ProxyStubClsid32

HKCR\Interface\{B392B1A7-122E-4039-BA50-E2A2B39593B5}\TypeLib

HKCR\Interface\{B392B1A7-122E-4039-BA50-E2A2B39593B5}\TypeLib#Version

Trojan.Unclassified/QALKFXOR

HKLM\Software\Microsoft\Internet Explorer\Toolbar#{0332D733-727D-4859-B5FD-1696BB11D1D1}

HKCR\CLSID\{0332D733-727D-4859-B5FD-1696BB11D1D1}

HKCR\CLSID\{0332D733-727D-4859-B5FD-1696BB11D1D1}\InprocServer32

HKCR\CLSID\{0332D733-727D-4859-B5FD-1696BB11D1D1}\InprocServer32#ThreadingModel

HKCR\CLSID\{0332D733-727D-4859-B5FD-1696BB11D1D1}\ProgID

HKCR\CLSID\{0332D733-727D-4859-B5FD-1696BB11D1D1}\Programmable

HKCR\CLSID\{0332D733-727D-4859-B5FD-1696BB11D1D1}\TypeLib

HKCR\CLSID\{0332D733-727D-4859-B5FD-1696BB11D1D1}\VersionIndependentProgID

HKCR\qalkfxor.1

HKCR\qalkfxor

HKCR\TypeLib\{964A3DC9-B2B9-4975-8D18-9AEE4CA86C8C}

HKCR\TypeLib\{964A3DC9-B2B9-4975-8D18-9AEE4CA86C8C}\1.0

HKCR\TypeLib\{964A3DC9-B2B9-4975-8D18-9AEE4CA86C8C}\1.0\win32

HKCR\TypeLib\{964A3DC9-B2B9-4975-8D18-9AEE4CA86C8C}\1.0\FLAGS

HKCR\TypeLib\{964A3DC9-B2B9-4975-8D18-9AEE4CA86C8C}\1.0\HELPDIR

D:\WINDOWS\QALKFXOR.DLL

HKCR\Interface\{AEF1158C-F936-4D39-88FB-A68215CBA7D5}

HKCR\Interface\{AEF1158C-F936-4D39-88FB-A68215CBA7D5}\ProxyStubClsid

HKCR\Interface\{AEF1158C-F936-4D39-88FB-A68215CBA7D5}\ProxyStubClsid32

HKCR\Interface\{AEF1158C-F936-4D39-88FB-A68215CBA7D5}\TypeLib

HKCR\Interface\{AEF1158C-F936-4D39-88FB-A68215CBA7D5}\TypeLib#Version

Browser Hijacker.Internet Explorer Settings Hijack

HKU\S-1-5-21-1202660629-1364589140-839522115-1003\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

Desktop Hijacker.AboutYourPrivacy

D:\Documents and Settings\shoo\Skrivebord\Error Cleaner.url

D:\Documents and Settings\shoo\Skrivebord\Privacy Protector.url

D:\Documents and Settings\shoo\Skrivebord\Spyware&Malware Protection.url

D:\Documents and Settings\shoo\Favoritter\Error Cleaner.url

D:\Documents and Settings\shoo\Favoritter\Privacy Protector.url

D:\Documents and Settings\shoo\Favoritter\Spyware&Malware Protection.url

Trojan.Net-MU/Gen

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#DisplayName

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#uninstallString

Trojan.Dropper/Gen

D:\WINDOWS\RVOELBXT.EXE

Endret 31. august 2008 av Shoo

norbat · 31. august 2008

Shoo:

Vi tar en runde til:

Last ned SDFix.exe, legg det på skrivebordet.

Kjør SDFix. Det vil bli opprettet en egen mappe c:\SDFix

Restart pc'n i sikker modus (tapp F8 under oppstart)

Kjør RunThis.bat som ligger i SDFix-mappa. Følg veiledningen.

Det vil lages en rapport som du poster. Hvis ikke loggen kommer automatisk, så skal den finnes i SDFix-mappa som Report.txt

Vertical^ · 31. august 2008

Spirit99:
Se der ja. Etter en restart, prøv å kjør combofix (fra normal tilstand).

Det som er problemet er at ComboFix aldri starter :\ Kommer opp en liten rute der det står Combofix, og den laster. Og etter det skjer det ikke noe...

norbat · 31. august 2008

Kunne du restartet pc i sikker modus og prøvd å kjøre combofix derfra?

hjomland · 31. august 2008

Vil først og fremst takke for en fantastisk jobb og en uunnværlig tråd. Har ikke gått igjennom alle postene men lurer på om det er mulig å få anbefalt et virusprogram? Om det holder å bruke f.eks. AVG eller lignende i gratisversjon eller om man skal kjøpe en fullversjon og eventuelt hvilken?

På forhånd takk

Hans-Jakob

norbat · 31. august 2008

AVG 8 (gratisversjonen) er et godt anti-program og står seg godt mot de ulike betalversjonene som finnes. AVG har ogse en god antimalware-scanner (tidligere ewido).

Ta gjerne en titt i Sikkerhetsguiden. Der finner du mer om anti-programmer.

r2d290 · 31. august 2008

av-comparatives.org

Trykk på "comparatives", og velg mai-testen.

Der får du en oversikt. På forumet pleier vi å anbefale Avira (gratis, og har samme database som fullversjon).

ja, ble litt dobbelposting

edit: rettet opp fra com til org

Endret 31. august 2008 av r2d290

norbat · 31. august 2008

av-comparatives.org er riktig adresse.

stoebakk · 2. september 2008

Har tatt over ei maskin på jobben, og ble møtt av det hyggelige oppstartsvinduet til System Antivirus 2008. Klarte å få lukket programmet (tror jeg) ved hjelp av Oppgavebehandling (kjører vanlig Windows XP Professional), og har deretter fulgt instruksjonene i post 1.

Dermed sitter jeg igjen med følgende tre logger:

HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:54:02, on 02.09.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Bonjour\mDNSResponder.exe

C:\Programfiler\WIDCOMM\Bluetooth-programvare\bin\btwdins.exe

C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe

C:\Programfiler\M-Audio Fast Track\GBInst.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe

C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe

C:\Programfiler\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Programfiler\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

C:\WINDOWS\TEMP\QV328F.EXE

C:\Programfiler\Trend Micro\OfficeScan Client\TmPfw.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Programfiler\HPQ\IAM\bin\asghost.exe

C:\Programfiler\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe

C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe

C:\Programfiler\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Programfiler\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

C:\Programfiler\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Programfiler\iTunes\iTunesHelper.exe

C:\Programfiler\HPQ\SHARED\HPQWMI.exe

C:\Programfiler\Skype\Phone\Skype.exe

C:\Programfiler\Windows Media Player\WMPNSCFG.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\WIDCOMM\Bluetooth-programvare\BTTray.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\Programfiler\Skype\Plugin Manager\skypePM.exe

C:\Programfiler\Java\jre1.6.0_01\bin\jucheck.exe

C:\WINDOWS\explorer.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\Programfiler\Trend Micro\HijackThis\cm.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smp.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.68.1:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 1.1.1.1;*.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Programfiler\HPQ\IAM\Bin\ItIeAddIN.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [updateManager] "C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule

O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [WatchDog] C:\Programfiler\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Programfiler\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Antivirus] C:\Programfiler\SAV\sav.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1

O4 - HKCU\..\Run: [skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [WMPNSCFG] C:\Programfiler\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Free WebSite Tools.lnk = ?

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: DVD Check.lnk = C:\Programfiler\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Programfiler\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Send til &Bluetooth - C:\Programfiler\WIDCOMM\Bluetooth-programvare\btsendto_ie_ctx.htm

O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?74ec10b2943b413fa238a117a4528ead

O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?74ec10b2943b413fa238a117a4528ead

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com

O15 - Trusted Zone: http://www.adobe.com

O15 - Trusted Zone: *.adobe.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.smp.no/admin/activeX/saxfile.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: OneCard - C:\Programfiler\HPQ\IAM\Bin\AsWlnPkg.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Programfiler\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programfiler\WIDCOMM\Bluetooth-programvare\bin\btwdins.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Fast Track Installer (FastTrackInstallerService) - Nemesis - C:\Programfiler\M-Audio Fast Track\GBInst.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programfiler\HPQ\SHARED\HPQWMI.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\bin\ONRSD.EXE

O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScanNT Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\TmPfw.exe

--

End of file - 14276 bytes

SuperAntiSpyWare:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 09/02/2008 at 09:37 AM

Application Version : 4.20.1046

Core Rules Database Version : 3553

Trace Rules Database Version: 1542

Scan type : Quick Scan

Total Scan Time : 00:27:53

Memory items scanned : 508

Memory threats detected : 0

Registry items scanned : 494

Registry threats detected : 1

File items scanned : 14586

File threats detected : 1

Rogue.AntiVirus 2008

HKU\S-1-5-21-2925948677-253827628-1650297128-500\Software\Microsoft\Windows\CurrentVersion\Run#Antivirus [ C:\Programfiler\SAV\sav.exe ]

Trojan.Unclassified/C00-WL/A

C:\WINDOWS\SYSTEM32\__C00F3139.DAT

ComboFix:

ComboFix 08-09-01.01 - Administrator 2008-09-02 9:48:21.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1410 [GMT 2:00]

Running from: C:\Documents and Settings\Administrator\Skrivebord\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\__c0046FC1.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Service_6to4

((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))

.

2008-09-02 09:07 . 2008-09-02 09:07 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-09-02 09:07 . 2008-09-02 09:07 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-09-02 09:07 . 2008-09-02 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-09-02 09:07 . 2008-09-02 09:07 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\SUPERAntiSpyware.com

2008-09-02 09:03 . 2008-09-02 09:03 <DIR> dr-h----- C:\Documents and Settings\Administrator\Siste

2008-09-02 09:00 . 2008-09-02 09:00 <DIR> d-------- C:\Programfiler\CCleaner

2008-09-01 11:19 . 2008-09-01 11:19 0 --a------ C:\WINDOWS\nsreg.dat

2008-08-26 13:49 . 2008-08-26 13:49 <DIR> d-------- C:\Programfiler\Norton Security Scan

2008-08-25 07:22 . 2008-08-25 07:23 10,752 --a------ C:\WINDOWS\DCEBoot.exe

2008-08-14 10:51 . 2008-08-14 10:51 <DIR> d-------- C:\Programfiler\SAV

2008-08-14 10:51 . 2008-08-13 19:10 168,448 --a------ C:\WINDOWS\system32\sav.cpl

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-02 07:44 --------- d-----w C:\Documents and Settings\Administrator\Programdata\Skype

2008-09-02 06:50 --------- d-----w C:\Documents and Settings\Administrator\Programdata\skypePM

2008-09-01 13:56 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP

2008-08-29 12:27 --------- d-----w C:\Programfiler\FotoStation 4.5

2008-07-09 07:59 --------- d-----w C:\Programfiler\Microsoft SQL Server

2008-03-25 13:13 32 ----a-w C:\Documents and Settings\All Users\Programdata\ezsid.dat

2007-07-22 00:03 3,089 -c--a-w C:\Programfiler\Fellesfiler\cfgbak.tgb

2007-06-09 09:13 23,176 -c--a-w C:\Documents and Settings\Administrator\Programdata\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="C:\Programfiler\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-10-24 16:53 307200]

"Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]

"WMPNSCFG"="C:\Programfiler\Windows Media Player\WMPNSCFG.exe" [2006-11-15 10:46 204288]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 23:34 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]

"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-22 12:15 344064]

"UpdateManager"="C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 01:05 122939]

"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 14:12 102492]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 14:11 692316]

"eabconfg.cpl"="C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24 290816]

"CognizanceTS"="C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 20:12 17920]

"Cpqset"="C:\Programfiler\HPQ\Default Settings\cpqset.exe" [2005-01-14 13:21 233534]

"hpWirelessAssistant"="C:\Programfiler\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 13:40 790528]

"WatchDog"="C:\Programfiler\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 18:44 184320]

"Adobe Version Cue CS2"="C:\Programfiler\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]

"Acrobat Assistant 7.0"="C:\Programfiler\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2008-02-01 00:13 385024]

"OfficeScanNT Monitor"="C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 01:43 702072]

"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

"Antivirus"="C:\Programfiler\SAV\sav.exe" [2008-08-13 19:40 399360]

"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 12:12 88209 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:00 15360]

C:\Documents and Settings\Administrator\Start-meny\Programmer\Oppstart\

Free WebSite Tools.lnk - C:\Documents and Settings\Administrator\Programdata\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2008-04-25 12:48:02 372224]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-05-24 12:34:30 25214]

Adobe Gamma.lnk - C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

BTTray.lnk - C:\Programfiler\WIDCOMM\Bluetooth-programvare\BTTray.exe [2005-05-31 14:29:16 577597]

DVD Check.lnk - C:\Programfiler\InterVideo\DVD Check\DVDCheck.exe [2006-05-24 09:47:01 184320]

Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]

VPN Client.lnk - C:\WINDOWS\Installer\{2D448D0B-20D5-4CD6-84F7-DB9868CB5F6C}\Icon3E5562ED7.ico [2008-03-28 16:24:32 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 16:28 352256 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]

2004-11-10 02:19 38912 C:\Programfiler\HPQ\IAM\Bin\AsWlnPkg.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Cisco Systems VPN Client.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Cisco Systems VPN Client.lnk

backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Free WebSite Tools.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Free WebSite Tools.lnk

backup=C:\WINDOWS\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^VPN Client.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\VPN Client.lnk

backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\StubInstaller.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\Programfiler\\SmartFTP Client\\SmartFTP.exe"=

"C:\\Programfiler\\Quark\\QuarkCopyDesk 3.0\\QuarkCopyDesk Passport.exe"=

"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=

"C:\\Programfiler\\iTunes\\iTunes.exe"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"62515:UDP"= 62515:UDP:Cisco VPN Service

R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 10:00]

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 18:26]

R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2004-09-02 14:30]

S3 MA763010;M-Audio Fast Track;C:\WINDOWS\system32\drivers\MA763010.sys [2004-08-31 15:57]

S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);C:\Programfiler\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]

S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\bin\ONRSD.EXE [2002-04-26 19:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Cognizance REG_MULTI_SZ ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3d827dc-9ebf-11dc-b7d6-0015003956e3}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

Notify-__c0050053 - (no file)

MSConfigStartUp-TgbVpn - C:\Programfiler\TheGreenBow\TheGreenBow VPN\VpnConf.exe

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Administrator\Programdata\Mozilla\Firefox\Profiles\h11idkcg.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - www.smp.no

FF -: plugin - C:\Programfiler\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll

FF -: plugin - C:\Programfiler\iTunes\Mozilla Plugins\npitunes.dll

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-02 09:57:20

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Programfiler\HPQ\Default Settings\cpqset.exe?????????2?7?6?2??P???? ?d?B?????????????hLC????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\system32\scardsvr.exe

C:\Programfiler\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programfiler\Bonjour\mDNSResponder.exe

C:\Programfiler\WIDCOMM\Bluetooth-programvare\bin\btwdins.exe

C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe

C:\Programfiler\M-Audio Fast Track\GBInst.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe

C:\Programfiler\Trend Micro\OfficeScan Client\NTRtScan.exe

C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe

C:\Programfiler\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\Programfiler\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Programfiler\Trend Micro\OfficeScan Client\TmListen.exe

C:\Programfiler\Windows Media Player\wmpnetwk.exe

C:\Programfiler\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

C:\WINDOWS\Temp\QV328F.EXE

C:\Programfiler\Trend Micro\OfficeScan Client\TmPfw.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\Programfiler\HPQ\IAM\Bin\asghost.exe

C:\Programfiler\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Programfiler\HPQ\Shared\hpqwmi.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\Programfiler\Skype\Plugin Manager\skypePM.exe

C:\Programfiler\Java\jre1.6.0_01\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2008-09-02 10:03:54 - machine was rebooted

ComboFix-quarantined-files.txt 2008-09-02 08:03:46

Pre-Run: 40,722,214,912 byte ledig

Post-Run: 40,617,680,896 byte ledig

190 --- E O F --- 2008-08-13 06:41:57

Vet at man kanskje ikke bør tukle sjøl med bedrifts-PCer, men IT-ansvarlig har visst fri i dag. Så jeg tenkte å se om jeg klarte å fikse dette selv - om noen har gode råd å komme med?

norbat · 2. september 2008

stoebakk:

Du er nesten i mål.

Fortsett med følgende:

Last ned Malwarebytes Anti-Malware til skrivebordet.

Kjør og installer programmet. Velg Norsk-språk

La programmet oppdatere seg og velg å kjør en 'hurtig systemscan', klikk Skann.

Det kommer en meldingsboks om at scannen er ferdig, klikk Ok

Klikk på 'Vis resultat'-knappen.Hvis det er funnet malware, vil du nå se hva som er funnet.

Klikk så på Fjern valgte -knappen for å fjerne malwaren som evt. ble funnet.

Det vil deretter åpnes en logg i notisblokk. Den kopiere du og poster sammen med ny hjt-logg.

stoebakk · 2. september 2008

Anti-Malware:

Malwarebytes' Anti-Malware 1.26

Database versjon: 1103

Windows 5.1.2600 Service Pack 2

02.09.2008 12:44:58

mbam-log-2008-09-02 (12-44-57).txt

Skanntype: Rask Skann

Objekter skannet: 48220

Tid tilbakelagt: 5 minute(s), 57 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 0

Registerverdier infisert: 1

Registerfiler infisert: 1

Mapper infisert: 0

Filer infisert: 5

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

(Ingen mistenkelige filer funnet)

Registerverdier infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.

Registerfiler infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Mapper infisert:

(Ingen mistenkelige filer funnet)

Filer infisert:

C:\Programfiler\SAV\sav.exe (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sav.cpl (Rogue.SystemAntivirus2008) -> Quarantined and deleted successfully.

C:\Programfiler\SAV\sav.cpl (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.

C:\Programfiler\SAV\sav0.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.

C:\Programfiler\SAV\sav1.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:56:00, on 02.09.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Programfiler\HPQ\IAM\bin\asghost.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Bonjour\mDNSResponder.exe

C:\Programfiler\WIDCOMM\Bluetooth-programvare\bin\btwdins.exe

C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe

C:\Programfiler\M-Audio Fast Track\GBInst.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe

C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe

C:\Programfiler\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe

C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe

C:\Programfiler\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Programfiler\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

C:\Programfiler\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Programfiler\iTunes\iTunesHelper.exe

C:\Programfiler\Skype\Phone\Skype.exe

C:\Programfiler\Windows Media Player\WMPNSCFG.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\WIDCOMM\Bluetooth-programvare\BTTray.exe

C:\Programfiler\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

C:\WINDOWS\TEMP\QH4DE4.EXE

C:\Programfiler\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\Programfiler\Trend Micro\OfficeScan Client\TmPfw.exe

C:\Programfiler\HPQ\SHARED\HPQWMI.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Programfiler\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\Programfiler\Java\jre1.6.0_01\bin\jucheck.exe

C:\WINDOWS\system32\ctfmon.exe