Poster utskilt fra veiledertråden-2

norbat · 6. september 2008

Shoo:

Oppdater MBAM og se om den finner noe

(det ligger en liten registeroppføring som skal bort, men før noe manuelt så ser vi om MBAM fjerner den)

magnusbe · 6. september 2008

Eg var hjå far min i går kveld og prøvde å fiksa ei malwareinfeksjon. Eg har ikkje fått gjort alt eg burde, men kan nokon ta ein titt på denne Combofix-loggen, og sjå om det er noko eg må gjera?

På førehand takk.

ComboFix 08-09-04.09 - Administrator 2008-09-05 23:54:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1414 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Favorites\Error Cleaner.url
C:\Documents and Settings\Administrator\Favorites\Privacy Protector.url
C:\Documents and Settings\Administrator\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080528221235321.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080609213649637.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080610233233765.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080612204912605.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080619180648364.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080626175134094.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080628002858383.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080701011433900.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080701153946097.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080725085915276.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080820003601974.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080822103121637.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080822152241434.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080828203625712.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080829161127951.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080830201432139.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080831130758132.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080905011219305.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080905174054242.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080905193617843.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080905202810720.log
C:\Documents and Settings\*******\Application Data\Microsoft\Internet Explorer\Quick Launch\PCPrivacyCleaner.lnk
C:\Documents and Settings\*******\Cookies\*******@boecker_litteratur[2].txt
C:\Documents and Settings\*******\Cookies\*******@clicktorrent[2].txt
C:\Documents and Settings\*******\Cookies\*******@stl.p.a1.traceworks[2].txt
C:\Documents and Settings\*******\Cookies\*******@web.checkm8[2].txt
C:\Documents and Settings\*******\Desktop\Error Cleaner.url
C:\Documents and Settings\*******\Desktop\Privacy Protector.url
C:\Documents and Settings\*******\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\*******\Favorites\Error Cleaner.url
C:\Documents and Settings\*******\Favorites\Privacy Protector.url
C:\Documents and Settings\*******\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\***\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\****\Cookies\****@indextools[2].txt
C:\Program Files\PCHealthCenter\[u]0[/u].exe
C:\Program Files\PCHealthCenter\[u]0[/u].gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\1.ico
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\2.ico
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\7.exe
C:\Program Files\PCHealthCenter\sc.html
C:\Program Files\PCPrivacyCleaner
C:\WINDOWS\dgksvbpn.dll
C:\WINDOWS\exdo.exe
C:\WINDOWS\gksraemq.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\efcAQGAt.dll
C:\WINDOWS\system32\gxyjljbq.dll
C:\WINDOWS\system32\Jkkmmnnn.ini
C:\WINDOWS\system32\Jkkmmnnn.ini2
C:\WINDOWS\system32\nnnmmkkJ.dll
C:\WINDOWS\system32\nvjgew.dll
C:\WINDOWS\system32\pmnkkihH.dll
C:\WINDOWS\system32\qbjljyxg.ini
C:\WINDOWS\system32\sasxhmjv.dll
C:\WINDOWS\vanwxemgner.dll
C:\WINDOWS\xrdwbfgn.dll
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-05 23:42 . 2008-09-05 23:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HPAppData
2008-09-05 23:23 . 2008-09-05 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Teleca
2008-09-05 23:22 . 2008-09-05 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-09-05 23:22 . 2008-09-05 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Ericsson
2008-09-05 20:58 . 2008-09-05 21:17 <DIR> d-------- C:\Documents and Settings\*******\Application Data\TmpRecentIcons
2008-09-05 20:44 . 2008-09-06 00:06 <DIR> d-------- C:\Program Files\PCHealthCenter
2008-09-05 20:44 . 2008-09-05 18:16 102,400 --a------ C:\WINDOWS\sxmaokgf.exe
2008-08-14 17:03 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 17:02 . 2008-04-11 21:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 19:39 --------- d-----w C:\Program Files\Plaxo
2008-09-05 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-08-30 06:00 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-26 20:35 --------- d-----w C:\Documents and Settings\*******\Application Data\HPAppData
2008-08-11 05:12 --------- d-----w C:\Program Files\Apple Software Update
2008-08-04 19:04 --------- d-----w C:\Documents and Settings\*******\Application Data\Azureus
2008-08-04 19:03 --------- d-----w C:\Documents and Settings\*******\Application Data\Apple Computer
2008-08-04 17:05 --------- d-----w C:\Program Files\Azureus
2008-08-03 13:00 --------- d-----w C:\Program Files\iTunes
2008-08-03 13:00 --------- d-----w C:\Program Files\iPod
2008-08-03 12:59 --------- d-----w C:\Program Files\Bonjour
2008-08-03 12:54 --------- d-----w C:\Program Files\Safari
2008-07-21 18:35 --------- d-----w C:\Documents and Settings\*******\Application Data\HP
2008-07-20 16:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2008-07-20 16:21 --------- d-----w C:\Program Files\HP
2008-07-20 16:21 --------- d-----w C:\Program Files\Hewlett-Packard
2008-07-20 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-07-20 16:19 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-07-20 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-07-20 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-11-09 15:10 30,288 ----a-w C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2007-11-09 15:10 79,440 -c--a-w C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2007-11-09 15:10 75,344 -c--a-w C:\Program Files\mozilla firefox\plugins\confmgr.dll
2007-11-09 15:10 140,880 -c--a-w C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2007-11-09 15:10 42,576 ----a-w C:\Program Files\mozilla firefox\plugins\icafile.dll
2007-11-09 15:10 50,768 -c--a-w C:\Program Files\mozilla firefox\plugins\icalogon.dll
2007-11-09 15:10 34,384 -c--a-w C:\Program Files\mozilla firefox\plugins\logging.dll
2007-11-09 15:11 685,648 -c--a-w C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2007-11-09 15:11 30,288 ----a-w C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-13 663552]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-28 185896]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 528384]
"Telenorhjelpen"="C:\Program Files\Telenor\Telenorhjelpen\Telenor.exe" [2008-02-07 189120]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 1235736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"ftutil2"="ftutil2.dll" [2004-06-07 C:\WINDOWS\system32\ftutil2.dll]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 C:\WINDOWS\arpwrmsg.exe]
"CTHelper"="CTHELPER.EXE" [2005-11-08 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-11-08 C:\WINDOWS\system32\CTXFIHLP.EXE]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-01-02 27136]
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-01-02 27136]

C:\Documents and Settings\***\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-01-02 27136]

C:\Documents and Settings\****\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-01-02 27136]

C:\Documents and Settings\********\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-01-02 27136]

C:\Documents and Settings\*******\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-01-02 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
Hurtigstart for Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll nvjgew.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Telenor\\Telenorhjelpen\\Telenor.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2006-04-11 2829696]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-16 1096704]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 468768]
S2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-08-31 243064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{67e9c832-5169-4425-938e-dbc36bcbff24} - C:\WINDOWS\system32\nvjgew.dll
BHO-{B0D6BBC1-6FE7-45E2-A32D-7C96E10877B4} - C:\WINDOWS\system32\nnnmmkkJ.dll
BHO-{B5D0BE4E-83F4-4320-BC40-D96FA1620811} - C:\WINDOWS\vanwxemgner.dll
BHO-{E07D22E1-CE3A-487F-B754-8044DBEDB049} - C:\WINDOWS\system32\pmnkkihH.dll
Toolbar-{6134A39A-C1EA-4E6F-B6D2-9ED5D9CC03B5} - C:\WINDOWS\gksraemq.dll
HKLM-Run-Telenor Online Start - C:\Program Files\Telenor\Online Start\Telenor.exe
HKLM-Run-26525885 - C:\WINDOWS\system32\gxyjljbq.dll
HKLM-Run-PCDrProfiler - (no file)
ShellExecuteHooks-{E07D22E1-CE3A-487F-B754-8044DBEDB049} - C:\WINDOWS\system32\pmnkkihH.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 -: HKLM-Main,Search Bar = hxxp://internetsearchservice.com/ie6.html
R0 -: HKLM-Main,SearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
R1 -: HKLM-Internet Explorer,SearchURL = hxxp://internetsearchservice.com
O8 -: &Google-søk - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 -: &Oversett engelsk ord - C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 -: Koblinger bakover - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 -: Lignende sider - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 -: Øyeblikksbilde av siden i hurtigbufferen - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2008-09-06 00:07:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\CTXFISPI.EXE
C:\hp\KBD\kbd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
.
**************************************************************************
.
Completion time: 2008-09-06 0:13:23 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-09-05 22:13:15

Pre-Run: 199,558,483,968 bytes free
Post-Run: 200,792,526,848 byte ledig

273 --- E O F --- 2008-08-15 01:09:07

Endret 6. september 2008 av magnusbe

norbat · 6. september 2008

Magnusbe:

Du er nesten i mål. Kjør også en rask skan med MBAM (se veiledningen i 1.post).

Post loggen fra den + en hjt-logg.

Shoo · 6. september 2008

Yes. Da var det gjort. Sjekk PM, norbat.

MBAM-logg:

Klikk for å se/fjerne innholdet nedenfor

Malwarebytes' Anti-Malware 1.26

Database versjon: 1120

Windows 5.1.2600 Service Pack 2

06.09.2008 23:07:45

mbam-log-2008-09-06 (23-07-45).txt

Skanntype: Rask Skann

Objekter skannet: 41167

Tid tilbakelagt: 3 minute(s), 5 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 2

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 0

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

HKEY_CLASSES_ROOT\qalkfxor.bqgw (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\qalkfxor.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

Mapper infisert:

(Ingen mistenkelige filer funnet)

Filer infisert:

(Ingen mistenkelige filer funnet)

HJT-logg:

Klikk for å se/fjerne innholdet nedenfor

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:20:38, on 06.09.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\nvsvc32.exe

F:\Programmer\Alcohol 120\StarWind\StarWindService.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\System32\LVCOMSX.EXE

D:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe

D:\WINDOWS\SOUNDMAN.EXE

D:\WINDOWS\system32\RUNDLL32.EXE

D:\WINDOWS\system32\ctfmon.exe

D:\Documents and Settings\shoo\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe

D:\Programfiler\MSN Messenger\usnsvc.exe

F:\mirc\mirc.exe

D:\Programfiler\Mozilla Firefox\firefox.exe

F:\Programmer\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - F:\Programmer\FlashFXP\IEFlash.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] D:\Programfiler\Fellesfiler\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sDFix] F:\Programmer\SDFix\SDFix\RunThis.bat /second

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] F:\Programmer\logitech\ManifestEngine.exe boot

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\shoo\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - D:\Microgaming\Poker\nordicbetMPP\MPPoker.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E3673845-A712-4C1B-994E-BD5B0CB0B836}: NameServer = 193.75.75.75,193.75.75.193

O17 - HKLM\System\CCS\Services\Tcpip\..\{E707344F-A344-4EBA-BCB1-CEFEBA1B5470}: NameServer = 193.75.75.75,193.75.75.193

O17 - HKLM\System\CS1\Services\Tcpip\..\{E3673845-A712-4C1B-994E-BD5B0CB0B836}: NameServer = 193.75.75.75,193.75.75.193

O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - F:\Programmer\Ares\chatServer.exe

O23 - Service: NMIndexingService - Nero AG - D:\Programfiler\Fellesfiler\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Programfiler\WinPcap\rpcapd.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Programmer\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 5572 bytes

norbat · 6. september 2008

Shoo:

Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript.txt.

Dra deretter fila over Combofix-iconet. Combofix vil starte igjen.

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"pdoskegl"=-

Du behøver ikke å poste flere logger.

Du fjerner combofix ved å skrive combofix /u i kjør-feltet (start->kjør)

Dette vil også nullstille systemgjenopprettingen slik at du ikke blir infisert ved en evt. gjenoppretting senere.

Surf trygt.

Martin-sama · 7. september 2008

Mbam-Log

Klikk for å se/fjerne innholdet nedenfor

Malwarebytes' Anti-Malware 1.26

Database versjon: 1120

Windows 5.1.2600 Service Pack 2

07.09.2008 11:25:44

mbam-log-2008-09-07 (11-25-44).txt

Skanntype: Rask Skann

Objekter skannet: 41757

Tid tilbakelagt: 1 minute(s), 23 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 0

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 1

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

(Ingen mistenkelige filer funnet)

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

Mapper infisert:

(Ingen mistenkelige filer funnet)

Filer infisert:

C:\Programfiler\MSA\MSA.exe (Rogue.MSAntivirus) -> Quarantined and deleted successfully.

HJT-log

Klikk for å se/fjerne innholdet nedenfor

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:23:46, on 07.09.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe

C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

C:\Programfiler\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Messenger\msmsgs.exe

C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe

C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe

C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Programfiler\Opera\opera.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1044

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Root\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Root\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Root\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Root\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O15 - Trusted Zone: *.line6.net

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: NBService - Nero AG - D:\Root\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--

End of file - 5430 bytes

ComboFix 08-09-05.02 - Martin H 2008-09-07 0:18:03.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.1500 [GMT 2:00]

Running from: C:\Documents and Settings\Martin H\Skrivebord\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr0.dat

C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr1.dat

C:\Documents and Settings\Martin H\Programdata\Adobe\crc.dat

C:\WINDOWS\system32\mmx35578.dll

C:\WINDOWS\system32\wvUoMcDs.dll

----- BITS: Possible infected sites -----

http://pornotube30.net

.

((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))

.

2008-09-07 00:08 . 2008-09-07 00:08 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-09-07 00:08 . 2008-09-07 00:08 <DIR> d-------- C:\Documents and Settings\Martin H\Programdata\Malwarebytes

2008-09-07 00:08 . 2008-09-07 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-09-07 00:08 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-07 00:08 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-07 00:08 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\2.ico

2008-09-07 00:07 . 2008-09-07 00:07 <DIR> dr-h----- C:\Documents and Settings\Martin H\Siste

2008-09-07 00:06 . 2008-09-07 00:06 <DIR> d-------- C:\Programfiler\CCleaner

2008-09-07 00:04 . 2008-09-07 00:16 <DIR> d-------- C:\Programfiler\MSA

2008-09-07 00:04 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\1.ico

2008-09-06 23:47 . 2008-09-06 23:47 <DIR> d-------- C:\Programfiler\MSXML 4.0

2008-09-06 22:48 . 2008-09-06 22:51 <DIR> d-------- C:\Documents and Settings\Martin H\Programdata\Ahead

2008-09-06 22:48 . 2008-09-06 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Ahead

2008-09-06 22:46 . 2008-09-06 22:47 <DIR> d-------- C:\Programfiler\Fellesfiler\Ahead

2008-09-06 22:46 . 2008-09-06 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Nero

2008-09-06 22:29 . 2008-09-06 22:29 <DIR> d-------- C:\Programfiler\Lavasoft

2008-09-06 22:29 . 2008-09-06 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft

2008-09-06 22:28 . 2008-09-06 22:28 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-09-06 22:26 . 2008-09-06 22:28 19,153,264 --a------ C:\Programfiler\aaw2008.exe

2008-09-06 22:21 . 2008-09-06 22:21 <DIR> d-------- C:\Programfiler\Enigma Software Group

2008-08-29 16:29 . 2008-08-29 16:29 <DIR> d-------- C:\Programfiler\Sun

2008-08-24 13:21 . 2008-08-24 13:21 <DIR> d-------- C:\Programfiler\Opera

2008-08-24 13:15 . 2008-08-24 13:15 8,930,408 --a------ C:\Programfiler\Opera_952_10108_in.exe

2008-08-18 20:44 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll

2008-08-18 20:43 . 2008-08-18 20:43 <DIR> d-------- C:\Programfiler\Microsoft.NET

2008-08-18 20:42 . 2008-08-18 20:44 <DIR> d-------- C:\WINDOWS\SHELLNEW

2008-08-18 20:41 . 2008-08-20 08:31 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Microsoft Help

2008-08-16 23:46 . 2008-08-16 23:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

2008-08-12 21:00 . 2008-08-12 21:00 <DIR> d-------- C:\Programfiler\Fellesfiler\Adobe

2008-08-07 13:20 . 2008-08-08 14:32 <DIR> d-------- C:\Documents and Settings\Olav & Margrethe\Programdata\LimeWire

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-05 18:21 --------- d-----w C:\Documents and Settings\Martin H\Programdata\uTorrent

2008-09-05 16:52 --------- d-----w C:\Documents and Settings\Martin H\Programdata\Skype

2008-08-29 14:29 --------- d-----w C:\Programfiler\Java

2008-08-13 22:39 --------- d-----w C:\Documents and Settings\Martin H\Programdata\LimeWire

2008-08-06 19:10 137,840 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-07-28 19:43 --------- d-----w C:\Programfiler\Windows Media Connect 2

2008-07-21 19:35 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP

2008-07-21 19:34 15,647,512 ----a-w C:\Programfiler\8-7_xp32_dd_65993.exe

2008-07-21 16:36 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-07-18 16:20 23,163,696 ----a-w C:\Programfiler\AdbeRdr812_nb_NO.exe

2008-07-17 16:27 --------- d--h--w C:\Documents and Settings\All Users\Programdata\CanonBJ

2008-07-07 07:40 56,108 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys

2008-06-21 08:36 15,501,152 ----a-w C:\Programfiler\8-6_xp32_dd_64783.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 1694208]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Adobe Reader Speed Launcher"="D:\Root\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\Olav & Margrethe\Start-meny\Programmer\Oppstart\

OneNote 2007 Screen Clipper and Launcher.lnk - D:\Root\Microsoft Office 2007\Office12\ONENOTEM.EXE [2007-08-24 101784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispSettingPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"mW[íµ�ˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>�Ý\†Ð=ŸàÛ±Þ"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\uTorrent\\uTorrent.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"D:\\Root\\EA GAMES\\Battlefield 2\\BF2.exe"=

"D:\\Root\\LimeWire\\LimeWire.exe"=

"D:\\Root\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

R0 m5288;m5288;C:\WINDOWS\system32\DRIVERS\m5288.sys [2005-08-19 100096]

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

R3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys [2005-09-28 27392]

R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 28672]

R3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\system32\DRIVERS\V0260Vid.sys [2006-11-04 178913]

S3 L6TPortA;Service - Line 6 TonePort UX1;C:\WINDOWS\system32\Drivers\L6TPortA.sys [2005-09-28 392448]

.

- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} - C:\WINDOWS\system32\wvUoMcDs.dll

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Martin H\Programdata\Mozilla\Firefox\Profiles\kqoxkksn.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - tek.no

FF -: plugin - D:\Root\Adobe\Reader 8.0\Reader\browser\nppdf32.dll

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-07 11:18:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe

C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

C:\Programfiler\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe

C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexStoreSvr.exe

.

**************************************************************************

.

Completion time: 2008-09-07 11:20:46 - machine was rebooted

ComboFix-quarantined-files.txt 2008-09-07 09:20:43

Pre-Run: 9,057,779,712 byte ledig

Post-Run: 10,498,002,944 byte ledig

145 --- E O F --- 2008-09-06 21:47:10

Malwarebytes' Anti-Malware 1.26

Database versjon: 1120

Windows 5.1.2600 Service Pack 2

07.09.2008 11:25:44

mbam-log-2008-09-07 (11-25-44).txt

Skanntype: Rask Skann

Objekter skannet: 41757

Tid tilbakelagt: 1 minute(s), 23 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 0

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 1

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

(Ingen mistenkelige filer funnet)

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

Mapper infisert:

(Ingen mistenkelige filer funnet)

Filer infisert:

C:\Programfiler\MSA\MSA.exe (Rogue.MSAntivirus) -> Quarantined and deleted successfully.

[/skul]

Combofix - Log