norbat, posted 6 September 2008 (thread author)

Shoo: Update MBAM and see whether it finds anything (there is a small registry entry that needs to go, but before doing anything manually, let's see whether MBAM removes it).
magnusbe, posted 6 September 2008 (edited)

I was at my father's last night trying to fix a malware infection. I haven't managed to do everything I should have, but could someone take a look at this ComboFix log and see whether there is anything I need to do? Thanks in advance.

ComboFix 08-09-04.09 - Administrator 2008-09-05 23:54:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1414 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Favorites\Error Cleaner.url
C:\Documents and Settings\Administrator\Favorites\Privacy Protector.url
C:\Documents and Settings\Administrator\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080528221235321.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080609213649637.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080610233233765.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080612204912605.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080619180648364.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080626175134094.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080628002858383.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080701011433900.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080701153946097.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080725085915276.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080820003601974.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080822103121637.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080822152241434.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080828203625712.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080829161127951.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080830201432139.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080831130758132.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080905011219305.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080905174054242.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080905193617843.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080905202810720.log
C:\Documents and Settings\*******\Application Data\Microsoft\Internet Explorer\Quick Launch\PCPrivacyCleaner.lnk
C:\Documents and Settings\*******\Cookies\*******@boecker_litteratur[2].txt
C:\Documents and Settings\*******\Cookies\*******@clicktorrent[2].txt
C:\Documents and Settings\*******\Cookies\*******@stl.p.a1.traceworks[2].txt
C:\Documents and Settings\*******\Cookies\*******@web.checkm8[2].txt
C:\Documents and Settings\*******\Desktop\Error Cleaner.url
C:\Documents and Settings\*******\Desktop\Privacy Protector.url
C:\Documents and Settings\*******\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\*******\Favorites\Error Cleaner.url
C:\Documents and Settings\*******\Favorites\Privacy Protector.url
C:\Documents and Settings\*******\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\***\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\****\Cookies\****@indextools[2].txt
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\1.ico
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\2.ico
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\7.exe
C:\Program Files\PCHealthCenter\sc.html
C:\Program Files\PCPrivacyCleaner
C:\WINDOWS\dgksvbpn.dll
C:\WINDOWS\exdo.exe
C:\WINDOWS\gksraemq.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\efcAQGAt.dll
C:\WINDOWS\system32\gxyjljbq.dll
C:\WINDOWS\system32\Jkkmmnnn.ini
C:\WINDOWS\system32\Jkkmmnnn.ini2
C:\WINDOWS\system32\nnnmmkkJ.dll
C:\WINDOWS\system32\nvjgew.dll
C:\WINDOWS\system32\pmnkkihH.dll
C:\WINDOWS\system32\qbjljyxg.ini
C:\WINDOWS\system32\sasxhmjv.dll
C:\WINDOWS\vanwxemgner.dll
C:\WINDOWS\xrdwbfgn.dll
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.
2008-09-05 23:42 . 2008-09-05 23:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HPAppData
2008-09-05 23:23 . 2008-09-05 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Teleca
2008-09-05 23:22 . 2008-09-05 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-09-05 23:22 . 2008-09-05 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Ericsson
2008-09-05 20:58 . 2008-09-05 21:17 <DIR> d-------- C:\Documents and Settings\*******\Application Data\TmpRecentIcons
2008-09-05 20:44 . 2008-09-06 00:06 <DIR> d-------- C:\Program Files\PCHealthCenter
2008-09-05 20:44 . 2008-09-05 18:16 102,400 --a------ C:\WINDOWS\sxmaokgf.exe
2008-08-14 17:03 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 17:02 . 2008-04-11 21:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 19:39 --------- d-----w C:\Program Files\Plaxo
2008-09-05 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-08-30 06:00 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-26 20:35 --------- d-----w C:\Documents and Settings\*******\Application Data\HPAppData
2008-08-11 05:12 --------- d-----w C:\Program Files\Apple Software Update
2008-08-04 19:04 --------- d-----w C:\Documents and Settings\*******\Application Data\Azureus
2008-08-04 19:03 --------- d-----w C:\Documents and Settings\*******\Application Data\Apple Computer
2008-08-04 17:05 --------- d-----w C:\Program Files\Azureus
2008-08-03 13:00 --------- d-----w C:\Program Files\iTunes
2008-08-03 13:00 --------- d-----w C:\Program Files\iPod
2008-08-03 12:59 --------- d-----w C:\Program Files\Bonjour
2008-08-03 12:54 --------- d-----w C:\Program Files\Safari
2008-07-21 18:35 --------- d-----w C:\Documents and Settings\*******\Application Data\HP
2008-07-20 16:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2008-07-20 16:21 --------- d-----w C:\Program Files\HP
2008-07-20 16:21 --------- d-----w C:\Program Files\Hewlett-Packard
2008-07-20 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-07-20 16:19 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-07-20 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-07-20 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-11-09 15:10 30,288 ----a-w C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2007-11-09 15:10 79,440 -c--a-w C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2007-11-09 15:10 75,344 -c--a-w C:\Program Files\mozilla firefox\plugins\confmgr.dll
2007-11-09 15:10 140,880 -c--a-w C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2007-11-09 15:10 42,576 ----a-w C:\Program Files\mozilla firefox\plugins\icafile.dll
2007-11-09 15:10 50,768 -c--a-w C:\Program Files\mozilla firefox\plugins\icalogon.dll
2007-11-09 15:10 34,384 -c--a-w C:\Program Files\mozilla firefox\plugins\logging.dll
2007-11-09 15:11 685,648 -c--a-w C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2007-11-09 15:11 30,288 ----a-w C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-13 663552]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-28 185896]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 528384]
"Telenorhjelpen"="C:\Program Files\Telenor\Telenorhjelpen\Telenor.exe" [2008-02-07 189120]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 1235736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"ftutil2"="ftutil2.dll" [2004-06-07 C:\WINDOWS\system32\ftutil2.dll]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 C:\WINDOWS\arpwrmsg.exe]
"CTHelper"="CTHELPER.EXE" [2005-11-08 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-11-08 C:\WINDOWS\system32\CTXFIHLP.EXE]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-01-02 27136]
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-01-02 27136]

C:\Documents and Settings\***\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-01-02 27136]

C:\Documents and Settings\****\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-01-02 27136]

C:\Documents and Settings\********\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-01-02 27136]

C:\Documents and Settings\*******\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-01-02 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
Hurtigstart for Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll nvjgew.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Telenor\\Telenorhjelpen\\Telenor.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2006-04-11 2829696]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-16 1096704]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 468768]
S2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-08-31 243064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{67e9c832-5169-4425-938e-dbc36bcbff24} - C:\WINDOWS\system32\nvjgew.dll
BHO-{B0D6BBC1-6FE7-45E2-A32D-7C96E10877B4} - C:\WINDOWS\system32\nnnmmkkJ.dll
BHO-{B5D0BE4E-83F4-4320-BC40-D96FA1620811} - C:\WINDOWS\vanwxemgner.dll
BHO-{E07D22E1-CE3A-487F-B754-8044DBEDB049} - C:\WINDOWS\system32\pmnkkihH.dll
Toolbar-{6134A39A-C1EA-4E6F-B6D2-9ED5D9CC03B5} - C:\WINDOWS\gksraemq.dll
HKLM-Run-Telenor Online Start - C:\Program Files\Telenor\Online Start\Telenor.exe
HKLM-Run-26525885 - C:\WINDOWS\system32\gxyjljbq.dll
HKLM-Run-PCDrProfiler - (no file)
ShellExecuteHooks-{E07D22E1-CE3A-487F-B754-8044DBEDB049} - C:\WINDOWS\system32\pmnkkihH.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 -: HKLM-Main,Search Bar = hxxp://internetsearchservice.com/ie6.html
R0 -: HKLM-Main,SearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
R1 -: HKLM-Internet Explorer,SearchURL = hxxp://internetsearchservice.com
O8 -: &Google-søk - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 -: &Oversett engelsk ord - C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 -: Koblinger bakover - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 -: Lignende sider - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 -: Øyeblikksbilde av siden i hurtigbufferen - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 00:07:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\CTXFISPI.EXE
C:\hp\KBD\kbd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
.
**************************************************************************
.
Completion time: 2008-09-06 0:13:23 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-09-05 22:13:15

Pre-Run: 199,558,483,968 bytes free
Post-Run: 200,792,526,848 bytes free

273 --- E O F --- 2008-08-15 01:09:07

Edited 6 September 2008 by magnusbe
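Added example, not part of the thread and not code from ComboFix, MBAM or HijackThis: a small Python triage script that flags, in a ComboFix/HijackThis-style log, the kinds of entries that made the log above actionable. In that log the same DLL (nvjgew.dll) appears both in AppInit_DLLs, where it is loaded into every process that loads user32.dll, and as a BHO; Security Center's DisableMonitoring and AntiVirusDisableNotify values are set to 1; and the IE start page and search URLs point at softwarereferral.com and internetsearchservice.com. The allowlists (KNOWN_APPINIT_DLLS, KNOWN_IE_HOSTS), the category names and the sample log lines are constructed assumptions for illustration, not an authoritative list.

```python
"""Triage helper for ComboFix / HijackThis-style logs (illustrative, not a tool from the thread).

Flags, in order of appearance:
  * AppInit_DLLs entries that are not a known security product's own loader
  * Security Center monitoring/notification switched off via registry value
  * IE start/search pages whose host is not one Microsoft uses for its defaults
  * BHO/Toolbar/ShellExecuteHook DLLs, marking those that also sit in AppInit_DLLs
The allowlists below are assumptions for illustration only.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumed allowlists (illustrative): AVG's AppInit loader seen in the log above,
# and the hosts IE's stock default pages point at. Anything else is reported for
# a human to check, never deleted automatically.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}
KNOWN_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}

APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>.*)$', re.I)
SECCENTER_RE = re.compile(
    r'^"(?P<name>AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify|DisableMonitoring)"=dword:0*1$',
    re.I)
# Matches both "R0 -: key = url" (ComboFix) and "R0 - key = url" (HijackThis).
IE_RE = re.compile(r'^R[01] -:?\s+(?P<key>[^=]+?)\s*=\s*(?P<value>\S+)$', re.I)
HOOK_RE = re.compile(r'^(?P<kind>BHO|Toolbar|ShellExecuteHooks)-\{[0-9a-f-]+\} - (?P<path>.+)$', re.I)


def refang(url: str) -> str:
    """Logs defang URLs as hxxp:// so they are not clickable; undo that for parsing."""
    return re.sub(r'^hxxp', 'http', url, flags=re.I)


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (category, detail) findings in the order they occur in the log."""
    findings: list[tuple[str, str]] = []
    appinit_dlls: set[str] = set()   # unknown AppInit DLLs seen so far, for cross-referencing
    section = ""                     # most recent [HKEY_...] header, lower-cased

    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.lower()
            continue

        m = APPINIT_RE.match(line)
        if m:
            for dll in m.group("dlls").split():
                if dll.lower() not in KNOWN_APPINIT_DLLS:
                    appinit_dlls.add(dll.lower())
                    findings.append(("appinit_dll", dll.lower()))
            continue

        m = SECCENTER_RE.match(line)
        if m and "security center" in section:
            findings.append(("security_center_disabled", m.group("name")))
            continue

        m = IE_RE.match(line)
        if m:
            value = refang(m.group("value"))
            if "://" not in value:
                if not value.lower().startswith("www."):
                    continue          # e.g. LinksFolderName = Koblinger: not a URL setting
                value = "http://" + value
            host = (urlsplit(value).hostname or "").lower()
            if host not in KNOWN_IE_HOSTS:
                findings.append(("ie_url_hijack", host))
            continue

        m = HOOK_RE.match(line)
        if m:
            name = m.group("path").rsplit("\\", 1)[-1].lower()
            tag = "hook_also_appinit" if name in appinit_dlls else "hook_dll"
            findings.append((tag, name))

    return findings


# Constructed sample in the shape of the log sections above (not a verbatim copy).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll nvjgew.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
BHO-{67e9c832-5169-4425-938e-dbc36bcbff24} - C:\WINDOWS\system32\nvjgew.dll
R0 -: HKCU-Main,Start Page = hxxp://softwarereferral.com/jump.php?wmid=6010
R1 -: HKLM-Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:26} {detail}")
```

To use it on a saved log, call triage() on the file contents; it only reports, so the decision about what to remove (and how, e.g. via a CFScript) stays with whoever reads the log. The cross-reference between AppInit_DLLs and the BHO list is the useful part: one file registered under two autostart mechanisms is far more likely to be the infection than a vendor helper.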
norbat, posted 6 September 2008 (thread author)

Magnusbe: You're nearly there. Also run a quick scan with MBAM (see the guide in the first post). Post the log from that plus an HJT log.
Shoo, posted 6 September 2008

Yes. That's done. Check your PM, norbat.

MBAM log:

Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2

06.09.2008 23:07:45
mbam-log-2008-09-06 (23-07-45).txt

Scan type: Quick Scan
Objects scanned: 41167
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\qalkfxor.bqgw (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qalkfxor.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:20:38, on 06.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\nvsvc32.exe
F:\Programmer\Alcohol 120\StarWind\StarWindService.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\LVCOMSX.EXE
D:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\shoo\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe
D:\Programfiler\MSN Messenger\usnsvc.exe
F:\mirc\mirc.exe
D:\Programfiler\Mozilla Firefox\firefox.exe
F:\Programmer\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - F:\Programmer\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [iMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Programfiler\Fellesfiler\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sDFix] F:\Programmer\SDFix\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] F:\Programmer\logitech\ManifestEngine.exe boot
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\shoo\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - D:\Microgaming\Poker\nordicbetMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3673845-A712-4C1B-994E-BD5B0CB0B836}: NameServer = 193.75.75.75,193.75.75.193
O17 - HKLM\System\CCS\Services\Tcpip\..\{E707344F-A344-4EBA-BCB1-CEFEBA1B5470}: NameServer = 193.75.75.75,193.75.75.193
O17 - HKLM\System\CS1\Services\Tcpip\..\{E3673845-A712-4C1B-994E-BD5B0CB0B836}: NameServer = 193.75.75.75,193.75.75.193
O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - F:\Programmer\Ares\chatServer.exe
O23 - Service: NMIndexingService - Nero AG - D:\Programfiler\Fellesfiler\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Programfiler\WinPcap\rpcapd.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Programmer\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 5572 bytes
norbat, posted 6 September 2008 (thread author)

Shoo: Open Notepad, paste in the lines below, and save the file to the desktop as CFScript.txt. Then drag the file onto the ComboFix icon. ComboFix will start again.

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"pdoskegl"=-

You don't need to post any more logs. You remove ComboFix by typing combofix /u in the Run box (Start -> Run). This also resets System Restore, so that you don't get reinfected by a later restore. Safe surfing.
Martin-sama, posted 7 September 2008

MBAM log:

Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2

07.09.2008 11:25:44
mbam-log-2008-09-07 (11-25-44).txt

Scan type: Quick Scan
Objects scanned: 41757
Time elapsed: 1 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Programfiler\MSA\MSA.exe (Rogue.MSAntivirus) -> Quarantined and deleted successfully.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:46, on 07.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe
C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programfiler\Opera\opera.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1044
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Root\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Root\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Root\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Root\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NBService - Nero AG - D:\Root\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5430 bytes

ComboFix log:

ComboFix 08-09-05.02 - Martin H 2008-09-07 0:18:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.1500 [GMT 2:00]
Running from: C:\Documents and Settings\Martin H\Skrivebord\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Martin H\Programdata\Adobe\crc.dat
C:\WINDOWS\system32\mmx35578.dll
C:\WINDOWS\system32\wvUoMcDs.dll

----- BITS: Possible infected sites -----

http://pornotube30.net
.
((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.
2008-09-07 00:08 . 2008-09-07 00:08 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-09-07 00:08 . 2008-09-07 00:08 <DIR> d-------- C:\Documents and Settings\Martin H\Programdata\Malwarebytes
2008-09-07 00:08 . 2008-09-07 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-09-07 00:08 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-07 00:08 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-07 00:08 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\2.ico
2008-09-07 00:07 . 2008-09-07 00:07 <DIR> dr-h----- C:\Documents and Settings\Martin H\Siste
2008-09-07 00:06 . 2008-09-07 00:06 <DIR> d-------- C:\Programfiler\CCleaner
2008-09-07 00:04 . 2008-09-07 00:16 <DIR> d-------- C:\Programfiler\MSA
2008-09-07 00:04 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\1.ico
2008-09-06 23:47 . 2008-09-06 23:47 <DIR> d-------- C:\Programfiler\MSXML 4.0
2008-09-06 22:48 . 2008-09-06 22:51 <DIR> d-------- C:\Documents and Settings\Martin H\Programdata\Ahead
2008-09-06 22:48 . 2008-09-06 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Ahead
2008-09-06 22:46 . 2008-09-06 22:47 <DIR> d-------- C:\Programfiler\Fellesfiler\Ahead
2008-09-06 22:46 . 2008-09-06 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Nero
2008-09-06 22:29 . 2008-09-06 22:29 <DIR> d-------- C:\Programfiler\Lavasoft
2008-09-06 22:29 . 2008-09-06 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft
2008-09-06 22:28 . 2008-09-06 22:28 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-09-06 22:26 . 2008-09-06 22:28 19,153,264 --a------ C:\Programfiler\aaw2008.exe
2008-09-06 22:21 . 2008-09-06 22:21 <DIR> d-------- C:\Programfiler\Enigma Software Group
2008-08-29 16:29 . 2008-08-29 16:29 <DIR> d-------- C:\Programfiler\Sun
2008-08-24 13:21 . 2008-08-24 13:21 <DIR> d-------- C:\Programfiler\Opera
2008-08-24 13:15 . 2008-08-24 13:15 8,930,408 --a------ C:\Programfiler\Opera_952_10108_in.exe
2008-08-18 20:44 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-08-18 20:43 . 2008-08-18 20:43 <DIR> d-------- C:\Programfiler\Microsoft.NET
2008-08-18 20:42 . 2008-08-18 20:44 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-08-18 20:41 . 2008-08-20 08:31 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Microsoft Help
2008-08-16 23:46 . 2008-08-16 23:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-12 21:00 . 2008-08-12 21:00 <DIR> d-------- C:\Programfiler\Fellesfiler\Adobe
2008-08-07 13:20 . 2008-08-08 14:32 <DIR> d-------- C:\Documents and Settings\Olav & Margrethe\Programdata\LimeWire
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 18:21 --------- d-----w C:\Documents and Settings\Martin H\Programdata\uTorrent
2008-09-05 16:52 --------- d-----w C:\Documents and Settings\Martin H\Programdata\Skype
2008-08-29 14:29 --------- d-----w C:\Programfiler\Java
2008-08-13 22:39 --------- d-----w C:\Documents and Settings\Martin H\Programdata\LimeWire
2008-08-06 19:10 137,840 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-28 19:43 --------- d-----w C:\Programfiler\Windows Media Connect 2
2008-07-21 19:35 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP
2008-07-21 19:34 15,647,512 ----a-w C:\Programfiler\8-7_xp32_dd_65993.exe
2008-07-21 16:36 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-07-18 16:20 23,163,696 ----a-w C:\Programfiler\AdbeRdr812_nb_NO.exe
2008-07-17 16:27 --------- d--h--w C:\Documents and Settings\All Users\Programdata\CanonBJ
2008-07-07 07:40 56,108 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-06-21 08:36 15,501,152 ----a-w C:\Programfiler\8-6_xp32_dd_64783.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] "MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 1694208] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "Adobe Reader Speed Launcher"="D:\Root\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "RTHDCPL"="RTHDCPL.EXE" [2008-04-07 C:\WINDOWS\RTHDCPL.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360] C:\Documents and Settings\Olav & Margrethe\Start-meny\Programmer\Oppstart\ OneNote 2007 Screen Clipper and Launcher.lnk - D:\Root\Microsoft Office 2007\Office12\ONENOTEM.EXE [2007-08-24 101784] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "NoDispSettingPage"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "mW[íµ�ˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>�Ý\†Ð=ŸàÛ±Þ"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Programfiler\\uTorrent\\uTorrent.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= "D:\\Root\\EA GAMES\\Battlefield 2\\BF2.exe"= "D:\\Root\\LimeWire\\LimeWire.exe"= "D:\\Root\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"= "C:\\Programfiler\\Skype\\Phone\\Skype.exe"= R0 m5288;m5288;C:\WINDOWS\system32\DRIVERS\m5288.sys [2005-08-19 100096] 
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560] R3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys [2005-09-28 27392] R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 28672] R3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\system32\DRIVERS\V0260Vid.sys [2006-11-04 178913] S3 L6TPortA;Service - Line 6 TonePort UX1;C:\WINDOWS\system32\Drivers\L6TPortA.sys [2005-09-28 392448] . - - - - ORPHANS REMOVED - - - - ShellExecuteHooks-{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} - C:\WINDOWS\system32\wvUoMcDs.dll . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Martin H\Programdata\Mozilla\Firefox\Profiles\kqoxkksn.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - tek.no FF -: plugin - D:\Root\Adobe\Reader 8.0\Reader\browser\nppdf32.dll . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-07 11:18:09 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\ati2evxx.exe C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe C:\Programfiler\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexStoreSvr.exe . 
**************************************************************************
.
Completion time: 2008-09-07 11:20:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-07 09:20:43

Pre-Run: 9,057,779,712 byte ledig
Post-Run: 10,498,002,944 byte ledig

145 --- E O F --- 2008-09-06 21:47:10

Malwarebytes' Anti-Malware 1.26
Database versjon: 1120
Windows 5.1.2600 Service Pack 2

07.09.2008 11:25:44
mbam-log-2008-09-07 (11-25-44).txt

Skanntype: Rask Skann
Objekter skannet: 41757
Tid tilbakelagt: 1 minute(s), 23 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 1

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\Programfiler\MSA\MSA.exe (Rogue.MSAntivirus) -> Quarantined and deleted successfully.

Looks like I got rid of it, is that right?
((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 ))))))))))))))))))))))))))))))) . 2008-09-07 00:08 . 2008-09-07 00:08 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware 2008-09-07 00:08 . 2008-09-07 00:08 <DIR> d-------- C:\Documents and Settings\Martin H\Programdata\Malwarebytes 2008-09-07 00:08 . 2008-09-07 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes 2008-09-07 00:08 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-09-07 00:08 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-09-07 00:08 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\2.ico 2008-09-07 00:07 . 2008-09-07 00:07 <DIR> dr-h----- C:\Documents and Settings\Martin H\Siste 2008-09-07 00:06 . 2008-09-07 00:06 <DIR> d-------- C:\Programfiler\CCleaner 2008-09-07 00:04 . 2008-09-07 00:16 <DIR> d-------- C:\Programfiler\MSA 2008-09-07 00:04 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\1.ico 2008-09-06 23:47 . 2008-09-06 23:47 <DIR> d-------- C:\Programfiler\MSXML 4.0 2008-09-06 22:48 . 2008-09-06 22:51 <DIR> d-------- C:\Documents and Settings\Martin H\Programdata\Ahead 2008-09-06 22:48 . 2008-09-06 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Ahead 2008-09-06 22:46 . 2008-09-06 22:47 <DIR> d-------- C:\Programfiler\Fellesfiler\Ahead 2008-09-06 22:46 . 2008-09-06 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Nero 2008-09-06 22:29 . 2008-09-06 22:29 <DIR> d-------- C:\Programfiler\Lavasoft 2008-09-06 22:29 . 2008-09-06 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft 2008-09-06 22:28 . 2008-09-06 22:28 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard 2008-09-06 22:26 . 2008-09-06 22:28 19,153,264 --a------ C:\Programfiler\aaw2008.exe 2008-09-06 22:21 . 2008-09-06 22:21 <DIR> d-------- C:\Programfiler\Enigma Software Group 2008-08-29 16:29 . 
2008-08-29 16:29 <DIR> d-------- C:\Programfiler\Sun 2008-08-24 13:21 . 2008-08-24 13:21 <DIR> d-------- C:\Programfiler\Opera 2008-08-24 13:15 . 2008-08-24 13:15 8,930,408 --a------ C:\Programfiler\Opera_952_10108_in.exe 2008-08-18 20:44 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll 2008-08-18 20:43 . 2008-08-18 20:43 <DIR> d-------- C:\Programfiler\Microsoft.NET 2008-08-18 20:42 . 2008-08-18 20:44 <DIR> d-------- C:\WINDOWS\SHELLNEW 2008-08-18 20:41 . 2008-08-20 08:31 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Microsoft Help 2008-08-16 23:46 . 2008-08-16 23:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak 2008-08-12 21:00 . 2008-08-12 21:00 <DIR> d-------- C:\Programfiler\Fellesfiler\Adobe 2008-08-07 13:20 . 2008-08-08 14:32 <DIR> d-------- C:\Documents and Settings\Olav & Margrethe\Programdata\LimeWire . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-09-05 18:21 --------- d-----w C:\Documents and Settings\Martin H\Programdata\uTorrent 2008-09-05 16:52 --------- d-----w C:\Documents and Settings\Martin H\Programdata\Skype 2008-08-29 14:29 --------- d-----w C:\Programfiler\Java 2008-08-13 22:39 --------- d-----w C:\Documents and Settings\Martin H\Programdata\LimeWire 2008-08-06 19:10 137,840 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys 2008-07-28 19:43 --------- d-----w C:\Programfiler\Windows Media Connect 2 2008-07-21 19:35 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP 2008-07-21 19:34 15,647,512 ----a-w C:\Programfiler\8-7_xp32_dd_65993.exe 2008-07-21 16:36 --------- d--h--w C:\Programfiler\InstallShield Installation Information 2008-07-18 16:20 23,163,696 ----a-w C:\Programfiler\AdbeRdr812_nb_NO.exe 2008-07-17 16:27 --------- d--h--w C:\Documents and Settings\All Users\Programdata\CanonBJ 2008-07-07 07:40 56,108 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys 2008-06-21 08:36 15,501,152 ----a-w 
C:\Programfiler\8-6_xp32_dd_64783.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] "MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 1694208] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "Adobe Reader Speed Launcher"="D:\Root\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "RTHDCPL"="RTHDCPL.EXE" [2008-04-07 C:\WINDOWS\RTHDCPL.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360] C:\Documents and Settings\Olav & Margrethe\Start-meny\Programmer\Oppstart\ OneNote 2007 Screen Clipper and Launcher.lnk - D:\Root\Microsoft Office 2007\Office12\ONENOTEM.EXE [2007-08-24 101784] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "NoDispSettingPage"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "mW[íµ�ˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>�Ý\†Ð=ŸàÛ±Þ"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Programfiler\\uTorrent\\uTorrent.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= "D:\\Root\\EA GAMES\\Battlefield 2\\BF2.exe"= "D:\\Root\\LimeWire\\LimeWire.exe"= "D:\\Root\\Microsoft 
Office 2007\\Office12\\ONENOTE.EXE"= "C:\\Programfiler\\Skype\\Phone\\Skype.exe"= R0 m5288;m5288;C:\WINDOWS\system32\DRIVERS\m5288.sys [2005-08-19 100096] R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560] R3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys [2005-09-28 27392] R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 28672] R3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\system32\DRIVERS\V0260Vid.sys [2006-11-04 178913] S3 L6TPortA;Service - Line 6 TonePort UX1;C:\WINDOWS\system32\Drivers\L6TPortA.sys [2005-09-28 392448] . - - - - ORPHANS REMOVED - - - - ShellExecuteHooks-{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} - C:\WINDOWS\system32\wvUoMcDs.dll . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Martin H\Programdata\Mozilla\Firefox\Profiles\kqoxkksn.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - tek.no FF -: plugin - D:\Root\Adobe\Reader 8.0\Reader\browser\nppdf32.dll . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-07 11:18:09 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . 
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-09-07 11:20:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-07 09:20:43

Pre-Run: 9,057,779,712 bytes free
Post-Run: 10,498,002,944 bytes free

145 --- E O F --- 2008-09-06 21:47:10

It looks like I got rid of it, is that right?
r2d290, posted 7 September 2008

Martin-sama

Some of it was removed, but there is a little left...

Go to http://virusscan.jotti.org , click Browse, and upload the following file for analysis:

8-7_xp32_dd_65993.exe

Then click Submit. Accept that the file is scanned. Finally, copy the result and paste it into your next post, so I can look at it and decide what needs to be done next.

Click Start - All Programs - Accessories - Notepad

Copy and paste the text in the code box below into Notepad:

File::
C:\WINDOWS\system32\2.ico
C:\WINDOWS\system32\1.ico

Folder::
C:\Programfiler\MSA

Registry::

Save it as CFScript on the Desktop.

Drag CFScript onto ComboFix.exe on the Desktop, as the animation below shows. This will start ComboFix again. If the machine asks for a restart, let it do so right away.

Post the contents of ComboFix.txt in your next reply on the forum.
Martin-sama, posted 7 September 2008

Thanks for the reply! Nothing happened after I clicked Submit on that file! But that file is only an installer for a display driver that I downloaded myself a few weeks ago. Does it matter?

Anyway, here are the results from ComboFix:

ComboFix 08-09-05.02 - Martin H 2008-09-07 13:55:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.1340 [GMT 2:00]
Running from: C:\Documents and Settings\Martin H\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Martin H\Skrivebord\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Programfiler\MSA
C:\WINDOWS\system32\1.ico
C:\WINDOWS\system32\2.ico
.
((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.
2008-09-07 11:23 . 2008-09-07 11:23 <DIR> d-------- C:\Programfiler\Trend Micro
2008-09-07 00:08 . 2008-09-07 00:08 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-09-07 00:08 . 2008-09-07 00:08 <DIR> d-------- C:\Documents and Settings\Martin H\Programdata\Malwarebytes
2008-09-07 00:08 . 2008-09-07 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-09-07 00:08 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-07 00:08 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-07 00:07 . 2008-09-07 13:55 <DIR> dr-h----- C:\Documents and Settings\Martin H\Siste
2008-09-07 00:06 . 2008-09-07 00:06 <DIR> d-------- C:\Programfiler\CCleaner
2008-09-06 23:47 . 2008-09-06 23:47 <DIR> d-------- C:\Programfiler\MSXML 4.0
2008-09-06 22:48 . 2008-09-06 22:51 <DIR> d-------- C:\Documents and Settings\Martin H\Programdata\Ahead
2008-09-06 22:48 . 2008-09-06 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Ahead
2008-09-06 22:46 . 2008-09-06 22:47 <DIR> d-------- C:\Programfiler\Fellesfiler\Ahead
2008-09-06 22:46 . 2008-09-06 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Nero
2008-09-06 22:29 . 2008-09-06 22:29 <DIR> d-------- C:\Programfiler\Lavasoft
2008-09-06 22:29 . 2008-09-06 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft
2008-09-06 22:28 . 2008-09-06 22:28 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-09-06 22:26 . 2008-09-06 22:28 19,153,264 --a------ C:\Programfiler\aaw2008.exe
2008-09-06 22:21 . 2008-09-06 22:21 <DIR> d-------- C:\Programfiler\Enigma Software Group
2008-08-29 16:29 . 2008-08-29 16:29 <DIR> d-------- C:\Programfiler\Sun
2008-08-24 13:21 . 2008-08-24 13:21 <DIR> d-------- C:\Programfiler\Opera
2008-08-24 13:15 . 2008-08-24 13:15 8,930,408 --a------ C:\Programfiler\Opera_952_10108_in.exe
2008-08-18 20:44 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-08-18 20:43 . 2008-08-18 20:43 <DIR> d-------- C:\Programfiler\Microsoft.NET
2008-08-18 20:42 . 2008-08-18 20:44 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-08-18 20:41 . 2008-08-20 08:31 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Microsoft Help
2008-08-16 23:46 . 2008-08-16 23:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-12 21:00 . 2008-08-12 21:00 <DIR> d-------- C:\Programfiler\Fellesfiler\Adobe
2008-08-07 13:20 . 2008-08-08 14:32 <DIR> d-------- C:\Documents and Settings\Olav & Margrethe\Programdata\LimeWire
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 18:21 --------- d-----w C:\Documents and Settings\Martin H\Programdata\uTorrent
2008-09-05 16:52 --------- d-----w C:\Documents and Settings\Martin H\Programdata\Skype
2008-08-29 14:29 --------- d-----w C:\Programfiler\Java
2008-08-13 22:39 --------- d-----w C:\Documents and Settings\Martin H\Programdata\LimeWire
2008-08-06 19:10 137,840 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-06 19:10 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-07-28 19:43 --------- d-----w C:\Programfiler\Windows Media Connect 2
2008-07-21 19:35 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP
2008-07-21 19:34 15,647,512 ----a-w C:\Programfiler\8-7_xp32_dd_65993.exe
2008-07-21 16:36 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-07-18 16:20 23,163,696 ----a-w C:\Programfiler\AdbeRdr812_nb_NO.exe
2008-07-17 16:27 --------- d--h--w C:\Documents and Settings\All Users\Programdata\CanonBJ
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 07:40 56,108 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-07-04 03:48 9,490,432 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-07-04 03:25 421,888 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-07-04 03:23 309,248 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-07-04 03:14 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-07-04 03:14 184,320 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-07-04 03:14 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-07-04 03:13 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-07-04 03:13 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-07-04 03:12 561,152 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-07-04 03:10 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-07-04 03:06 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-07-04 03:00 3,786,144 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-07-04 02:55 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-07-04 02:49 2,140,672 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-07-04 02:34 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-07-04 02:30 348,160 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-07-04 02:29 32,768 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-07-04 02:28 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-07-04 02:25 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-07-04 02:22 565,248 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-07-03 19:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-06-26 20:31 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:41 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-21 08:36 15,501,152 ----a-w C:\Programfiler\8-6_xp32_dd_64783.exe
2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="D:\Root\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\Olav & Margrethe\Start-meny\Programmer\Oppstart\
OneNote 2007 Screen Clipper and Launcher.lnk - D:\Root\Microsoft Office 2007\Office12\ONENOTEM.EXE [2007-08-24 101784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"mW[íµˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>Ý\†Ð=ŸàÛ±Þ"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\uTorrent\\uTorrent.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Root\\EA GAMES\\Battlefield 2\\BF2.exe"=
"D:\\Root\\LimeWire\\LimeWire.exe"=
"D:\\Root\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

R0 m5288;m5288;C:\WINDOWS\system32\DRIVERS\m5288.sys [2005-08-19 100096]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys [2005-09-28 27392]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 28672]
R3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\system32\DRIVERS\V0260Vid.sys [2006-11-04 178913]
S3 L6TPortA;Service - Line 6 TonePort UX1;C:\WINDOWS\system32\Drivers\L6TPortA.sys [2005-09-28 392448]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 13:56:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-07 13:57:01
ComboFix-quarantined-files.txt 2008-09-07 11:56:54
ComboFix2.txt 2008-09-07 09:20:47

Pre-Run: 10,359,918,592 bytes free
Post-Run: 10,347,823,104 bytes free

144 --- E O F --- 2008-09-06 21:47:10
milkshake1, posted 7 September 2008

Malware:

Malwarebytes' Anti-Malware 1.26
Database version: 1122
Windows 5.1.2600 Service Pack 3

07.09.2008 14:10:26
mbam-log-2008-09-07 (14-10-26).txt

Scan type: Quick Scan
Objects scanned: 54114
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bhonew.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bhonew.bho.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ie.ieplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{16c65d96-ef19-4439-a6ea-f73a8bec4df0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{caf9d798-c659-4b9b-8e19-ee27c3d04ee7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{43d65102-a7be-4c88-9737-44d2ad81394a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f65e955e-26c0-42ff-8ee2-443a05ea286a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{6549e485-c533-4e58-ba92-9fbcd2f6e839} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{43d65102-a7be-4c88-9737-44d2ad81394a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43d65102-a7be-4c88-9737-44d2ad81394a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f65e955e-26c0-42ff-8ee2-443a05ea286a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSN (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What should I do now? I have downloaded ComboFix..
norbat (thread author) Posted 7 September 2008

milkshake1: Start your own thread.
r2d290 Posted 7 September 2008

Martin-sama, no, then it is probably safe. The ComboFix log looks fine, but I am a bit unsure about the line

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"mW[íµˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>Ý\†Ð=ŸàÛ±Þ"=

Hoping for input from norbat on that one. How is the machine behaving?
magnusbe Posted 7 September 2008

Quoting norbat: "Magnusbe: You are almost there. Also run a quick scan with MBAM (see the guide in the first post). Post the log from that + an HJT log."

Thanks for the help. Here is MBAM:

Malwarebytes' Anti-Malware 1.26
Database version: 1122
Windows 5.1.2600 Service Pack 3
07.09.2008 16:12:08
mbam-log-2008-09-07 (16-12-08).txt
Scan type: Quick Scan
Objects scanned: 58580
Time elapsed: 5 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 4
Registry Data Items Infected: 18
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\{65de966d-11d1-4bb1-bf7e-b8a273514daf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PCPrivacyCleaner (Rogue.PCPrivacyCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gksraemq.brql (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gksraemq.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\824223 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\sxmaokgf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Arne\Application Data\TmpRecentIcons\PCPrivacyCleaner.lnk (Rogue.Link) -> Quarantined and deleted successfully.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:14:23, on 07.09.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Telenor\Telenorhjelpen\Telenor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Plaxo\3.14.0.44\PlaxoHelper_en.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Plaxo\3.14.0.44\PlaxoSysTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NB_NO&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsida.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Telenorhjelpen] "C:\Program Files\Telenor\Telenorhjelpen\Telenor.exe"
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.14.0.44\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoSysTray] C:\Program Files\Plaxo\3.14.0.44\PlaxoSysTray.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google-søk - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversett engelsk ord - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Koblinger bakover - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Lignende sider - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Øyeblikksbilde av siden i hurtigbufferen - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Utklippsbok - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart valgmetode - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Tilkoblingshjelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Tilkoblingshjelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194810011453
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll nvjgew.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 13350 bytes
Martin-sama Posted 7 September 2008

Quoting r2d290: "Martin-sama, no, then it is probably safe. The ComboFix log looks fine, but I am a bit unsure about the line [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "mW[íµˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>Ý\†Ð=ŸàÛ±Þ"= Hoping for input from norbat on that one. How is the machine behaving?"

Okay. Now it works fine, I think; last night it was absolutely awful, pop-ups non-stop. I don't get those any more, at least! Thank you very much for the help!
norbat (thread author) Posted 7 September 2008

Magnusbe: That looks fine. You can remove ComboFix by typing combofix /u in the Run box (Start->Run). This will also reset System Restore, so that you do not get reinfected by a later restore. Feel free to keep MBAM.

Martin-sama: Click Start->Run, type regedit, and browse to the following location:

HKey_Local_Machine\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

What does it say in the right-hand pane?
Martin-sama Posted 7 September 2008

There are two files there, one called (Default), type REG_SZ, data value not set. The other has a very strange name; mW[íµˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>Ý\†Ð=ŸàÛ±Þ and nothing is listed for it! Wow, I just did a lot of things I didn't understand.
norbat (thread author) Posted 7 September 2008

Martin-sama: OK. We will just leave that entry alone. I assume everything works as normal? You should remove ComboFix. You do that by typing combofix /u in the Run box (Start->Run). This will also reset System Restore, so that you do not get reinfected by a later restore. Feel free to keep MBAM, as it is one of the best programs for malware removal. Surf safely. (PS. Next time you pick up some junk, start your own thread, as that is easier for those of us doing support.)
magnusbe Posted 7 September 2008

Quoting norbat: "Magnusbe: That looks fine. You can remove ComboFix by typing combofix /u in the Run box (Start->Run). This will also reset System Restore, so that you do not get reinfected by a later restore."

Many thanks!
Martin-sama Posted 7 September 2008

Quoting norbat: "Martin-sama: OK. We will just leave that entry alone. I assume everything works as normal? You should remove ComboFix. You do that by typing combofix /u in the Run box (Start->Run). This will also reset System Restore, so that you do not get reinfected by a later restore. Feel free to keep MBAM, as it is one of the best programs for malware removal. Surf safely. (PS. Next time you pick up some junk, start your own thread, as that is easier for those of us doing support.)"

Many thanks! I will do my best to surf safely.
GLN Posted 12 September 2008

After a good while without Norton enabled (due to laziness and poor access to a Visa card), I'm just checking that the system isn't overrun with trojans.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:57:55, on 12.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS2\System32\smss.exe
E:\WINDOWS2\system32\winlogon.exe
E:\WINDOWS2\system32\services.exe
E:\WINDOWS2\system32\lsass.exe
E:\WINDOWS2\system32\svchost.exe
E:\WINDOWS2\System32\svchost.exe
E:\WINDOWS2\system32\svchost.exe
E:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
E:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS2\Explorer.EXE
E:\WINDOWS2\system32\spoolsv.exe
e:\programfiler\fellesfiler\logishrd\lvmvfm\LVPrcSrv.exe
E:\WINDOWS2\SOUNDMAN.EXE
E:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
E:\WINDOWS2\system32\RUNDLL32.EXE
E:\Programfiler\iTunes\iTunesHelper.exe
E:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
E:\Programfiler\Fellesfiler\LogiShrd\LComMgr\Communications_Helper.exe
E:\Programfiler\Logitech\QuickCam\Quickcam.exe
E:\WINDOWS2\system32\LVCOMSX.EXE
E:\Programfiler\Logitech\Video\LogiTray.exe
E:\Programfiler\Corel\Corel Snapfire\Corel Photo Downloader.exe
E:\Programfiler\PowerISO\PWRISOVM.EXE
E:\Programfiler\Adobe\Photoshop Elements 6.0\apdproxy.exe
E:\WINDOWS2\system32\rundll32.exe
E:\Programfiler\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\WINDOWS2\system32\ctfmon.exe
E:\Programfiler\Creative\Sync Manager Unicode\CTSyncU.exe
E:\Programfiler\Logitech\Video\FxSvr2.exe
E:\Programfiler\Netropa\Multimedia Keyboard\TrayMon.exe
E:\Programfiler\Netropa\Onscreen Display\OSD.exe
E:\Programfiler\Netropa\Multimedia Keyboard\nhksrv.exe
E:\Programfiler\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
E:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\WINDOWS2\system32\CTsvcCDA.exe
E:\Programfiler\Fellesfiler\LogiShrd\LVCOMSER\LVComSer.exe
E:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe
E:\WINDOWS2\system32\nvsvc32.exe
E:\WINDOWS2\system32\svchost.exe
E:\DOCUME~1\DRANC~1.DRA\LOKALE~1\Temp\bwgo0000c0ee.exe
E:\Programfiler\Canon\CAL\CALMAIN.exe
E:\Programfiler\Fellesfiler\LogiShrd\LVCOMSER\LVComSer.exe
E:\WINDOWS2\system32\wscntfy.exe
E:\Programfiler\Fellesfiler\Logishrd\LQCVFX\COCIManager.exe
E:\WINDOWS2\System32\svchost.exe
E:\Programfiler\iPod\bin\iPodService.exe
E:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Programfiler\MSN Messenger\msnmsgr.exe
E:\Programfiler\MSN Messenger\usnsvc.exe
E:\WINDOWS2\system32\wuauclt.exe
E:\Programfiler\Mozilla Firefox\firefox.exe
E:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - E:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Programfiler\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Norton-verktøylinjen - {90222687-F593-4738-B738-FBEE9C7B26DF} - E:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS2\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "E:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS2\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programfiler\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "E:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "E:\Programfiler\Fellesfiler\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "E:\Programfiler\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] E:\WINDOWS2\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] E:\Programfiler\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [Windows Taskmanager] svchost.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Programfiler\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Programfiler\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [symantec PIF AlertEng] "E:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "E:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Programfiler\Fellesfiler\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Programfiler\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS2\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "E:\Programfiler\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] E:\Programfiler\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "E:\Programfiler\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS2\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS2\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS2\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS2\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = E:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = E:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Programfiler\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Programfiler\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Programfiler\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - E:\Programfiler\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programfiler\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - E:\Programfiler\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Programfiler\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - E:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - E:\Programfiler\Fellesfiler\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS2\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - E:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - E:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - E:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - E:\Programfiler\Fellesfiler\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - e:\programfiler\fellesfiler\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - E:\Programfiler\Fellesfiler\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - E:\Programfiler\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NMIndexingService - Nero AG - E:\Programfiler\Fellesfiler\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - E:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS2\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - E:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11081 bytes
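The helpers in this thread read the HijackThis and MBAM logs by eye: an unknown DLL in AppInit_DLLs (the nvjgew.dll next to AVG's avgrsstx.dll in magnusbe's O20 line), a Run entry that names a bare svchost.exe or starts something from a Temp directory (the "Windows Taskmanager" entry and the bwgo0000c0ee.exe process in GLN's log), orphaned (no file) add-on registrations, and MBAM's Hijack.* policy values such as NoDrives=12. The script below is an added example written for this page, not code from HijackThis, ComboFix or Malwarebytes, that encodes those same checks as rules and runs them over sample lines copied from the logs above (the sample blocks are constructed from this thread; nothing is fetched). The allowlist KNOWN_APPINIT_DLLS and the SYSTEM_BINARY_NAMES set are assumptions an operator would tune; everything the rules flag is "review this", not "this is malware".

```python
"""Triage rules for HijackThis (HJT) and Malwarebytes (MBAM) logs.

Added example for this thread; not code from HijackThis, ComboFix or MBAM.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption: DLLs already vetted for AppInit_DLLs on this machine. Anything
# else listed there is loaded into every process that links user32.dll, so it
# is flagged. avgrsstx.dll is the AVG 8 resident-shield hook seen in the log.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}

# Core Windows binaries never legitimately started from a Run key as a bare,
# path-less name: a path-less name is resolved through the search path, so a
# rogue copy in a writable directory would be the one that runs.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "services.exe",
                       "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe"}

TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
Finding = Tuple[str, str]  # (reason, offending log line)


def first_token(cmd: str) -> str:
    """Executable part of a Run-key command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage_hjt(log: str) -> List[Finding]:
    """Flag HJT lines that deserve a second look; everything else is ignored."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("O20 - AppInit_DLLs:"):
            for dll in re.split(r"[,\s]+", line.split(":", 1)[1].strip()):
                if dll and dll.lower() not in KNOWN_APPINIT_DLLS:
                    findings.append((f"unvetted AppInit_DLLs entry {dll}", line))
        elif line.startswith("O4 - "):
            m = re.search(r"\]\s*(.*)$", line)          # text after [ValueName]
            cmd = m.group(1) if m else ""
            exe = first_token(cmd)
            if exe and "\\" not in exe and exe.lower() in SYSTEM_BINARY_NAMES:
                findings.append((f"path-less {exe} started from a Run key", line))
            elif TEMP_RE.search(cmd):
                findings.append(("autostart from a Temp directory", line))
        elif line[:4] in ("O2 -", "O3 -", "O9 -") and line.endswith("(no file)"):
            findings.append(("orphaned browser add-on registration", line))
        elif line.startswith("O23 - ") and line.endswith("(file missing)"):
            findings.append(("service points at a missing binary", line))
        elif line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append(("LSP not on HJT's known list, verify publisher", line))
        elif TEMP_RE.search(line) and line.lower().endswith(".exe") and " - " not in line:
            findings.append(("running process lives in a Temp directory", line))
    return findings


MBAM_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+?) \((?P<tag>[A-Za-z.]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?(?P<action>.+)$")


def decode_nodrives(mask: int) -> List[str]:
    """NoDrives is a bitmask: bit 0 hides A:, bit 1 B:, bit 2 C:, and so on."""
    return [f"{chr(ord('A') + i)}:" for i in range(26) if mask >> i & 1]


def triage_mbam(log: str) -> List[Finding]:
    """Explain MBAM registry findings in terms of what was changed."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        m = MBAM_RE.match(raw.strip())
        if not m:
            continue
        key, tag, bad, good = m.group("key", "tag", "bad", "good")
        name = key.rsplit("\\", 1)[-1]
        if name == "NoDrives" and bad and bad.isdigit():
            findings.append((f"NoDrives={bad} hid {', '.join(decode_nodrives(int(bad)))}", raw))
        elif tag == "Hijack.Search" and bad:
            findings.append((f"search redirected to {urlparse(bad).hostname or bad}", raw))
        elif bad is not None:
            findings.append((f"{name} was '{bad}', expected '{good}'", raw))
        elif "\\CurrentVersion\\Run\\" in key or tag.startswith("Backdoor."):
            findings.append((f"persistence via {name} tagged {tag}", raw))
    return findings


# Constructed sample: lines copied from the two HijackThis logs in this thread.
HJT_SAMPLE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
E:\DOCUME~1\DRANC~1.DRA\LOKALE~1\Temp\bwgo0000c0ee.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Windows Taskmanager] svchost.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: avgrsstx.dll nvjgew.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# Constructed sample: lines copied from the MBAM logs in this thread.
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSN (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for reason, line in triage_hjt(HJT_SAMPLE) + triage_mbam(MBAM_SAMPLE):
        print(f"[{reason}]\n    {line}")
```

On the two sample logs the HJT rules raise seven findings (the Temp-resident process, two orphaned add-ons, the path-less svchost.exe, the LSP, nvjgew.dll and the missing-service binary) and leave avgrsstx.dll and the path-less rundll32.exe alone; the MBAM rules decode NoDrives=12 to "C:, D:", name the host the search hijack pointed at, and report the restored policy values.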
norbat (thread author) Posted 12 September 2008

Pirja: It is not overrun with trojans, but there are remnants of some bugs, so go through step 2 of the guide (see the first post). Post the logs in your own thread, which you create by clicking the New Topic button.