Adversary Skrevet 6. oktober 2008 Del Skrevet 6. oktober 2008 Fikk beskjed om å sette inn Windows cden når sjekken er nesten ferdig, men pirat cd funka visst ikke så bra. Windows 1 - 0 Pirat .. Til en forandring Tenker jeg dropper det og formaterer når jeg har tid til det. Lenke til kommentar
Robert^ Skrevet 8. oktober 2008 Del Skrevet 8. oktober 2008 (endret) HijackThis logg Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 09:51, on 2008-10-08 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Comodo\Firewall\cmdagent.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\Program Files\Logitech\G-series Software\LGDCore.exe C:\Program Files\Logitech\G-series Software\LCDMon.exe C:\WINDOWS\eHome\ehRecvr.exe C:\Program Files\Comodo\Firewall\CPF.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\Program Files\QuickTime\QuickTimePlayer.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\OpenOffice.org 2.3\program\soffice.exe C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Opera\Opera.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe" O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Program Files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?b1c66e1599a24771b94cc08c1f47abbd O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Program Files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?b1c66e1599a24771b94cc08c1f47abbd O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Automatisk LiveUpdate-planlegging - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 8179 bytes ComboFix logg Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1308 [GMT 2:00] Running from: C:\Documents and Settings\Robert\My Documents\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . I:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 ))))))))))))))))))))))))))))))) . 2008-10-08 00:01 . 2008-10-08 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg 2008-10-07 23:39 . 2008-10-07 23:39 <DIR> d-------- C:\Documents and Settings\Robert\Application Data\Malwarebytes 2008-10-07 23:38 . 2008-10-07 23:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-10-07 23:38 . 2008-10-07 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-10-07 23:38 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-10-07 23:38 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-10-07 23:24 . 2008-10-07 23:24 <DIR> d-------- C:\Program Files\Yahoo! 2008-10-07 23:23 . 2008-10-07 23:24 <DIR> d-------- C:\Program Files\CCleaner 2008-10-07 23:10 . 2008-10-07 23:10 <DIR> d-------- C:\Program Files\WoW-BurningCrusade-enGB-Slim-Installer 2008-10-07 22:55 . 2008-10-07 22:55 <DIR> d-------- C:\Logs 2008-10-07 16:37 . 2008-10-08 09:00 <DIR> d-------- C:\Program Files\World of Warcraft 2008-10-07 09:20 . 2008-10-07 13:05 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak 2008-10-06 18:14 . 2008-10-06 18:14 <DIR> d-------- C:\Program Files\OJOsoft 2008-10-06 18:14 . 2008-10-06 18:14 <DIR> d-------- C:\Program Files\Common Files\Common Share 2008-10-06 17:58 . 2008-10-07 23:16 <DIR> d-------- C:\Program Files\LD-Anime 2008-10-05 12:00 . 2008-10-07 16:54 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment 2008-09-29 18:16 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys 2008-09-29 18:16 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\dllcache\usbser.sys 2008-09-29 18:15 . 2008-09-29 18:15 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf 2008-09-29 18:15 . 2008-09-29 18:15 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf 2008-09-29 18:12 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll 2008-09-29 18:12 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys 2008-09-29 18:12 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys 2008-09-29 18:12 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-08 07:21 --------- d-----w C:\Documents and Settings\Robert\Application Data\OpenOffice.org2 2008-10-07 21:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-10-07 21:56 --------- d-----w C:\Program Files\Lavasoft 2008-10-07 21:55 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-10-07 21:07 --------- d-----w C:\Program Files\Valve 2008-10-06 16:08 --------- d-----w C:\Program Files\Windows Media Connect 2 2008-10-03 10:26 --------- d-----w C:\Program Files\Sports Interactive 2008-09-03 15:14 --------- d-----w C:\Program Files\LimeWire 2008-07-19 05:08 719,872 ----a-w C:\WINDOWS\system32\devil.dll 2008-07-19 05:08 351,744 ----a-w C:\WINDOWS\system32\avisynth.dll 2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll 2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe 2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll 2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll 2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll 2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll 2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll 2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll 2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll 2006-12-27 23:59 22,282,240 ----a-w C:\Documents and Settings\Robert\WoW-2.0.1.6180-to-0.0.3.6244-enGB-patch.exe 2006-07-19 23:37 11,870,207 ----a-w C:\Documents and Settings\Robert\WoW-1.11.2.5464-to-0.12.0.5496-enGB-patch.exe 2007-12-04 10:56 104 --sh--r C:\WINDOWS\system32\7D19478FE9.sys 2007-12-04 10:56 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-07-06 12:32 1506544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-14 22:51 7323648] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 05:12 94208] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 12:44 249856] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920] "Launch LGDCore"="C:\Program Files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 17:31 1122304] "Launch LCDMon"="C:\Program Files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 17:14 497152] "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-12-09 19:05 1115728] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-15 00:43 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 07:00 15360] C:\Documents and Settings\Robert\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2005-03-09 21:57:14 81920] OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-09-11 05:43:54 393216] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-06 12:32 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= Hadde noen orket å sett igjennom dette så hadde det vært fint. : ) Endret 8. oktober 2008 av Robert G Lenke til kommentar
norbat Skrevet 8. oktober 2008 Forfatter Del Skrevet 8. oktober 2008 (endret) Robert G: Ser fin ut dette. Var det bare en sjekk eller har du mistanke om noe? Du bør oppdatere Windows (via Windows Update), Java og Flash Playeren Endret 8. oktober 2008 av norbat Lenke til kommentar
Robert^ Skrevet 8. oktober 2008 Del Skrevet 8. oktober 2008 (endret) Robert G:Ser fin ut dette. Var det bare en sjekk eller har du mistanke om noe? Du bør oppdatere Windows (via Windows Update), Java og Flash Playeren Neida, var bare en sjekk dette. Takk skal du ha! :-) Endret 8. oktober 2008 av Robert G Lenke til kommentar
rubiTT Skrevet 8. oktober 2008 Del Skrevet 8. oktober 2008 Klikk for å se/fjerne innholdet nedenfor <Logfile of Trend Micro HijackThis v2.0.2Scan saved at 20:18:53, on 08.10.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Safe mode with network support Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\Mozilla Firefox\firefox.exe C:\Programfiler\Trend Micro\HijackThis\Test.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skoleportalen.no/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skoleportalen.no R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.skoleportalen.no/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programfiler\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: InternetExplorer Class - {D1E45498-D865-4E91-A579-D0AAD8D3B5A4} - C:\Programfiler\Clue\Clue Add-in 7.0\Clue Addin.dll O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - S-1-5-18 Startup: CCC.lnk = ? (User 'SYSTEM') O4 - .DEFAULT Startup: CCC.lnk = ? (User 'Default user') O4 - .DEFAULT User Startup: CCC.lnk = ? (User 'Default user') O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programfiler\PokerStars\PokerStarsUpdate.exe (file missing) O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1182858104968 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182934295515 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://81.31.231.17/activex/AMC.cab O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hfk.vgs.no O17 - HKLM\Software\..\Telephony: DomainName = hfk.vgs.no O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hfk.vgs.no O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programfiler\AVG\AVG8\avgpp.dll (file missing) O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: 741ff93e382 - C:\WINDOWS\ O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programfiler\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Programfiler\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programfiler\Hewlett-Packard\Shared\hpqWmiEx.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe O23 - Service: IviRegMgr - InterVideo - C:\Programfiler\Fellesfiler\InterVideo\RegMgr\iviRegMgr.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing) O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Programfiler\Fellesfiler\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programfiler\Symantec AntiVirus\SavRoam.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programfiler\Fellesfiler\SureThing Shared\stllssvr.exe -- End of file - 7853 bytes > Takker for hjelp Lenke til kommentar
r2d290 Skrevet 8. oktober 2008 Del Skrevet 8. oktober 2008 Xyaon: Ser ikke noe i loggen din som kan tyde på malware. Var dette bare en sjekk, eller merker du problemer? Du har kjørende tre antivirusprogrammer (eller rester av dem): C:\Programfiler\Symantec AntiVirus\ C:\Programfiler\AVG C:\Programfiler\ESET\ESET NOD32 Antivirus Å ha mer enn ett antivirusprogram kjørende på PC-en kan skape uønskede konflikter, og frarådes på det sterkeste. Du bør avinstallere to av dem. Si ifra hvis det er noen du mener du ikke har, eller mener du har kvittet deg med. Du bør oppdatere Java Det er viktig å bruke den seneste versjonen av Java, siden tidligere versjoner kan inneholde sikkerhetshull som vil øke sansynligheten for at du blir infisert igjen. Det ser ut til at din verjson av Java er utdatert Oppdatere Java: Trykk på følgende link, og last ned nyeste versjon av Java:http://java.com/en/download/index.jsp [*]Gå til Start > Kontrollpanel > Legg til/fjern programmer. [*]Søk i listen over alle tidligere versjoner av Java (JRE, J2SE Runtime, J2RE osv.... ) Alle disse versjonene bør ha dette bildet foran: Velg alle du finner, og trykk på Fjern [*]Deretter installerer du den Java-versjonen som du lastet ned i starten. Fortell hvordan det gikk med oppdateringen, da problemer med oppdatering kan indikere flere malware på systemet ditt. Lenke til kommentar
rubiTT Skrevet 8. oktober 2008 Del Skrevet 8. oktober 2008 vell.. hadde den "antivirus 2009" som tydligvis er fjernet, men pcen er fortsatt så treig i vanlig modus at det ikke går an å bruke den (kjører i sikkerhetsmodus med nettverk nå), kan det ha noe med å gjøre at jeg har flere antivirus programmer? Lenke til kommentar
r2d290 Skrevet 8. oktober 2008 Del Skrevet 8. oktober 2008 (endret) Treghet kan skyldes flere antivirusprogram, ja. Men det kan også hende at HijackThis-loggen ikke viser alt... Etter at du har avinstallert alt utenom ett antivirusprogram, kan du følge veiledning på https://www.diskusjon.no/index.php?showtopic=998167&hl= og poste logger Endret 8. oktober 2008 av r2d290 Lenke til kommentar
rubiTT Skrevet 8. oktober 2008 Del Skrevet 8. oktober 2008 virket nå, avinstallerte avg og nod32.. takk for hjelpen Lenke til kommentar
zyx Skrevet 9. oktober 2008 Del Skrevet 9. oktober 2008 Kan noen ta en titt på loggene her: https://www.diskusjon.no/index.php?showtopic=1019648 Lenke til kommentar
rvenes Skrevet 9. oktober 2008 Del Skrevet 9. oktober 2008 Ok.... Har hatt ein pc her som har vore litt ute i offsiden. Fikk ikkje besøke windowsupdate, avg.com eller eset.com og sikkert mange fleire adresser med IE eller Firefox Har nå fått til å oppdatere AVG automagisk, og besøke windowsupdate... trur den er blitt bra. Hadde det vore min pc hadden den vore formatert for lengst... Ser det bra ut nuh? sjekkprogram.exe er hijackthis fila. Loggfiler: Først mbam loggen combofix loggen hijackhis loggen Malwarebytes' Anti-Malware 1.28 Database versjon: 1248 Windows 5.1.2600 Service Pack 3 10.10.2008 00:52:22 mbam-log-2008-10-10 (00-52-22).txt Skanntype: Rask Skann Objekter skannet: 43966 Tid tilbakelagt: 4 minute(s), 2 second(s) Minneprosesser infisert: 0 Minnemoduler infisert: 1 Registernøkler infisert: 19 Registerverdier infisert: 0 Registerfiler infisert: 3 Mapper infisert: 4 Filer infisert: 17 Minneprosesser infisert: (Ingen mistenkelige filer funnet) Minnemoduler infisert: C:\Programfiler\MSN Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot. Registernøkler infisert: HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0072afd (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registerverdier infisert: (Ingen mistenkelige filer funnet) Registerfiler infisert: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Trace) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Trace) -> Data: system32\ -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Mapper infisert: C:\Programfiler\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Programfiler\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Programfiler\FunWebProducts\Shared\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Documents and Settings\euronics\Programdata\Antivir64 (Rogue.Antivir64) -> Quarantined and deleted successfully. Filer infisert: C:\Programfiler\MSN Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\WINDOWS\system32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Programfiler\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Programfiler\FunWebProducts\Shared\Cache\AvatarSmallBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Programfiler\FunWebProducts\Shared\Cache\AvatarSmallBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Programfiler\FunWebProducts\Shared\Cache\CursorManiaBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Programfiler\FunWebProducts\Shared\Cache\CursorManiaBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Programfiler\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Programfiler\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Programfiler\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Programfiler\FunWebProducts\Shared\Cache\SmileyCentralBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Documents and Settings\euronics\Programdata\Antivir64\Antivir64.ini (Rogue.Antivir64) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\casino1.ico (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\casino2.ico (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\casino3.ico (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Quarantined and deleted successfully. ComboFix 08-10-08.05 - euronics 2008-10-10 0:59:37.1 - NTFSx86 * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\tdssadw.dll C:\WINDOWS\system32\TDSSerrors.log C:\WINDOWS\system32\tdssinit.dll C:\WINDOWS\system32\tdssl.dll C:\WINDOWS\system32\tdsslog.dll C:\WINDOWS\system32\tdssmain.dll C:\WINDOWS\system32\tdsspopup.dll C:\WINDOWS\system32\tdsspopup1.url C:\WINDOWS\system32\tdsspopup2.url C:\WINDOWS\system32\tdsspopup3.url C:\WINDOWS\system32\tdssserf.dll C:\WINDOWS\system32\tdssserf1.dll C:\WINDOWS\system32\tdssservers.dat C:\WINDOWS\system32\windows_update.exe C:\WINDOWS\system32\winsrc.dll.tmp C:\xcrashdump.dat . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MYWEBSEARCHSERVICE -------\Service_MyWebSearchService ((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 ))))))))))))))))))))))))))))))) . 2008-10-10 00:46 . 2008-10-10 00:46 d-------- C:\Programfiler\Malwarebytes' Anti-Malware 2008-10-10 00:46 . 2008-10-10 00:46 d-------- C:\Documents and Settings\euronics\Programdata\Malwarebytes 2008-10-10 00:46 . 2008-10-10 00:46 d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes 2008-10-10 00:46 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-10-10 00:46 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-10-10 00:43 . 2008-10-10 00:52 dr-h----- C:\Documents and Settings\euronics\Siste 2008-10-10 00:38 . 2008-10-10 00:38 d-------- C:\Programfiler\Yahoo! 2008-10-10 00:38 . 2008-10-10 00:40 d-------- C:\Programfiler\CCleaner 2008-10-09 22:53 . 2008-10-09 22:53 d--h----- C:\$AVG8.VAULT$ 2008-10-09 22:49 . 2008-10-09 22:51 d-------- C:\WINDOWS\system32\drivers\Avg 2008-10-09 22:49 . 2008-10-09 22:49 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys 2008-10-09 22:49 . 2008-10-09 22:49 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys 2008-10-09 22:49 . 2008-10-09 22:49 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll 2008-10-09 22:48 . 2008-10-09 22:48 d-------- C:\Programfiler\AVG 2008-10-09 22:48 . 2008-10-09 22:52 d-------- C:\Documents and Settings\All Users\Programdata\avg8 2008-10-08 23:13 . 2008-10-08 23:14 263 --a------ C:\WINDOWS\wininit.ini 2008-10-08 22:45 . 2008-10-08 22:45 d-------- C:\Programfiler\Spybot - Search & Destroy 2008-10-08 22:45 . 2008-10-10 00:42 d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy 2008-10-08 21:07 . 2008-10-08 21:07 d-------- C:\Documents and Settings\All Users\Programdata\Telenor 2008-10-08 21:01 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-10-04 20:33 . 2008-10-04 20:33 d-------- C:\WINDOWS\system32\no 2008-10-04 20:33 . 2008-10-04 20:33 d-------- C:\WINDOWS\system32\bits 2008-10-04 20:33 . 2008-10-04 20:33 d-------- C:\WINDOWS\l2schemas 2008-10-04 20:31 . 2008-10-04 20:34 d-------- C:\WINDOWS\ServicePackFiles 2008-10-04 20:24 . 2008-10-04 20:24 d-------- C:\WINDOWS\EHome 2008-09-13 13:28 . 2008-09-13 13:28 127 --a------ C:\WINDOWS\system32\MRT.INI . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-09 16:24 90,112 ----a-w C:\WINDOWS\DUMP2ac9.tmp 2008-10-08 19:07 --------- d-----w C:\Programfiler\Telenor 2008-10-08 19:04 --------- d-----w C:\Programfiler\MSN Messenger 2008-10-08 19:01 --------- d-----w C:\Programfiler\Java 2008-10-01 18:40 --------- d-----w C:\Documents and Settings\euronics\Programdata\AdobeUM 2008-09-19 07:50 --------- d-----w C:\Documents and Settings\euronics\Programdata\LimeWire 2008-09-12 15:13 --------- d-----w C:\Programfiler\Symantec 2008-09-12 14:15 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared 2008-08-31 16:42 --------- d-----w C:\Documents and Settings\euronics\Programdata\setup_1096_MTUzNXwzNXww_[1] . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360] "MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352] "SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-13 155648] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-13 126976] "SoundMAXPnP"="C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544] "Apoint"="C:\Programfiler\Apoint2K\Apoint.exe" [2005-02-08 159744] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "hpWirelessAssistant"="C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624] "HP Software Update"="C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152] "QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2005-05-27 98304] "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952] "eabconfg.cpl"="C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816] "Cpqset"="C:\Programfiler\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054] "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-09 1234712] "SoundMAX"="C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 860160] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ Mobilt bredb†nd.lnk - C:\Programfiler\Telenor\Mobilt bredb†nd\Mobilt bredb†nd.exe [2007-07-27 733184] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2004-10-13 16:04 278528 C:\Programfiler\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Telenor Online Start] --a------ 2006-11-30 14:51 178312 C:\Programfiler\Telenor\Online Start\Telenor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG] --a------ 2004-08-24 13:20 88363 C:\WINDOWS\AGRSMMSG.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Programfiler\\iTunes\\iTunes.exe"= "C:\\StubInstaller.exe"= "C:\\Programfiler\\LimeWire\\LimeWire.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"= "C:\\Programfiler\\MSN Messenger\\livecall.exe"= "C:\\Programfiler\\Telenor\\Online Start\\Telenor.exe"= "C:\\Programfiler\\AVG\\AVG8\\avgemc.exe"= "C:\\Programfiler\\AVG\\AVG8\\avgupd.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-09 97928] R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-09 875288] R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-09 231704] R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-09 76040] R2 GtFlashSwitch;GtFlashSwitch;C:\Programfiler\Fellesfiler\GtFlashSwitch\GtFlashSwitch.exe [2007-02-09 176128] S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [ ] S3 Flash1;Flash1;C:\bios\wf\Flash1.sys [2004-12-02 3547] S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;C:\WINDOWS\system32\DRIVERS\Gtm51Irp.sys [2007-04-14 122496] S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-04-14 8064] S3 GTUQBUS;GT UQ BUS;C:\WINDOWS\system32\DRIVERS\gtuqbus.sys [2007-04-14 37120] . Contents of the 'Scheduled Tasks' folder 2008-10-09 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job - C:\Programfiler\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20] . - - - - ORPHANS REMOVED - - - - Notify-2c19308f382 - C:\WINDOWS\system32\__c0085929.dat Notify-__c0072AFD - (no file) MSConfigStartUp-A00F6CC2C - C:\DOCUME~1\euronics\LOKALE~1\Temp\_A00F6CC2C.exe MSConfigStartUp-avast! - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe MSConfigStartUp-My Web Search Bar Search Scope Monitor - C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe MSConfigStartUp-MyWebSearch Email Plugin - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe MSConfigStartUp-MyWebSearch Plugin - C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\euronics\Programdata\Mozilla\Firefox\Profiles\epj327bf.default\ FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/webhp?complete=1&hl=en FF -: plugin - C:\Programfiler\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll FF -: plugin - C:\Programfiler\Mozilla Firefox\plugins\NPMyWebS.dll . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-10 01:05:32 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Programfiler\HPQ\Default Settings\cpqset.exe?????????3?3?6?3??????? ???B???????????????B???????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\wdfmgr.exe C:\Programfiler\Apoint2K\ApntEx.exe C:\Programfiler\Telenor\Mobilt bredbånd\Mobilt bredbånd.exe C:\Programfiler\HPQ\Shared\hpqwmi.exe C:\Programfiler\AVG\AVG8\avgrsx.exe C:\Programfiler\AVG\AVG8\avgrsx.exe . ************************************************************************** . Completion time: 2008-10-10 1:09:22 - machine was rebooted ComboFix-quarantined-files.txt 2008-10-09 23:09:10 Pre-Run: 42,686,156,800 byte ledig Post-Run: 42,621,767,680 byte ledig 176 --- E O F --- 2008-10-08 18:57:39 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 01:49:55, on 10.10.2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Programfiler\Fellesfiler\GtFlashSwitch\GtFlashSwitch.exe C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\SearchIndexer.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe C:\Programfiler\Apoint2K\Apoint.exe C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Programfiler\Apoint2K\Apntex.exe C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Programfiler\MSN Messenger\MsnMsgr.Exe C:\Programfiler\Telenor\Mobilt bredbånd\Mobilt bredbånd.exe C:\Programfiler\Windows Desktop Search\WindowsSearch.exe C:\Programfiler\HPQ\SHARED\HPQWMI.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\WINDOWS\system32\wuauclt.exe E:\sjekkeprogram.exe C:\WINDOWS\system32\wuauclt.exe -- End of file - 1654 bytes Lenke til kommentar
norbat Skrevet 10. oktober 2008 Forfatter Del Skrevet 10. oktober 2008 Cornel: Ser rimelig greit ut. Et par oppføringer skal vi allikevel fjerne: Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript.txt. Dra deretter fila over Combofix-iconet. Combofix vil starte igjen. Filde:: C:\WINDOWS\DUMP2ac9.tmp Folder:: C:\Documents and Settings\euronics\Programdata\setup_1096_MTUzNXwzNXww_[1] Trenger ingen nye logger. Grunnen til oppdateringsproblemene skyldtes et rootkit som combofix fjernet. Om alt kjører ok, så kan du fjerne combofix ved å skrive combofix /u i kjør-feltet (start->kjør). Dette vil i tillegg til å fjerne karantenefiler, også nullstille systemgjenopprettingen slik at du ikke blir infisert ved en evt. gjenoppretting senere. Lenke til kommentar
Perazzi Skrevet 11. oktober 2008 Del Skrevet 11. oktober 2008 (endret) Kan noen ta en kikk på loggfilene? Hijack This loggen klarte jeg ikke å laste opp, fikk en feilmelding.. Det er denne: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:36:36, on 11.10.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\ctfmon.exe D:\Programfiler\Rainlendar\Rainlendar.exe C:\WINDOWS\System32\svchost.exe C:\Programfiler\Opera\Opera.exe C:\Programfiler\AVG\AVG8\avgui.exe C:\WINDOWS\explorer.exe C:\Programfiler\Malwarebytes' Anti-Malware\mbam.exe C:\Programfiler\Trend Micro\micro\HijackThis.exe C:\WINDOWS\system32\cmd.execf R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: .security O4 - Startup: Rainlendar.lnk = D:\Programfiler\Rainlendar\Rainlendar.exe O4 - Global Startup: .security O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programfiler\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 4585 bytes ComboFix.txt mbam_log_2008_10_11__20_39_22_.txt Endret 11. oktober 2008 av iggipop Lenke til kommentar
norbat Skrevet 11. oktober 2008 Forfatter Del Skrevet 11. oktober 2008 Kjør MBAM igjen og merk av det den finner Restart KJør Combofix på nytt og post loggen sammen med MBAM-loggen. Lenke til kommentar
Perazzi Skrevet 11. oktober 2008 Del Skrevet 11. oktober 2008 (endret) Her kommer de to loggene, fikk en feilmedling når jeg skulle slette de to forrige loggfilene så jeg måtte poste et nytt innlegg.. Hmm, hvorfor får jeg ikke lastet opp combofix loggen? Får feilmeldingen: "Opplasting feilet. Du har ikke lov til å laste opp denne filtypen". Her er den ihvertfall: ComboFix 08-10-11.01 - volvoRsport 2008-10-11 23:05:13.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1663 [GMT 2:00] Running from: C:\Documents and Settings\volvoRsport\Skrivebord\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-09-11 to 2008-10-11 ))))))))))))))))))))))))))))))) . 2008-10-11 20:26 . 2008-10-11 20:26 <DIR> d-------- C:\Documents and Settings\volvoRsport\Programdata\Malwarebytes 2008-10-11 20:25 . 2008-10-11 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes 2008-10-11 20:15 . 2008-10-11 20:47 <DIR> dr-h----- C:\Documents and Settings\volvoRsport\Siste 2008-10-11 13:06 . 2008-10-11 19:59 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP 2008-10-11 13:02 . 2008-10-11 13:05 <DIR> d-------- C:\Programfiler\Secure PC Solutions 2008-10-11 12:58 . 2008-10-11 20:36 <DIR> d-------- C:\Programfiler\Trend Micro 2008-10-10 20:40 . 2008-10-10 20:40 <DIR> d-------- C:\Programfiler\Lavasoft 2008-10-10 20:40 . 2008-10-10 20:40 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard 2008-10-10 13:51 . 2008-10-10 21:41 <DIR> d-------- C:\Programfiler\guhaqdc 2008-10-10 13:51 . 2008-10-11 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\gngnaxyb 2008-09-25 22:42 . 2008-09-25 22:42 <DIR> d-------- C:\WINDOWS\system32\NtmsData . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-11 17:58 --------- d-----w C:\Programfiler\Google 2008-08-29 11:32 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys 2008-08-25 09:23 --------- d-----w C:\Programfiler\Sun 2008-08-25 09:23 --------- d-----w C:\Programfiler\Java . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] "MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-09-30 4603904] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-09-30 86016] "RemoteControl"="C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768] "Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712] "SoundMan"="SOUNDMAN.EXE" [2004-12-01 C:\WINDOWS\SOUNDMAN.EXE] "nwiz"="nwiz.exe" [2004-09-30 C:\WINDOWS\system32\nwiz.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360] C:\Documents and Settings\volvoRsport\Start-meny\Programmer\Oppstart\ .security [2008-10-10 0] Rainlendar.lnk - D:\Programfiler\Rainlendar\Rainlendar.exe [2005-03-01 118784] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ .security [2008-10-10 0] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.YV12"= yv12vfw.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= "C:\\Programfiler\\AVG\\AVG8\\avgupd.exe"= "C:\\Programfiler\\AVG\\AVG8\\avgemc.exe"= R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928] R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288] R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704] R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 76040] . . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\volvoRsport\Programdata\Mozilla\Firefox\Profiles\zguipqwt.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.no . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-11 23:07:20 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-10-11 23:09:16 ComboFix-quarantined-files.txt 2008-10-11 21:09:05 Pre-Run: 48 501 506 048 byte ledig Post-Run: 48,493,780,992 byte ledig 95 --- E O F --- 2008-02-12 15:46:35 mbam_log_2008_10_11__22_53_40_.txt Endret 11. oktober 2008 av iggipop Lenke til kommentar
norbat Skrevet 11. oktober 2008 Forfatter Del Skrevet 11. oktober 2008 Bruk utforsker til å finne følgende to mapper og slett de: C:\Programfiler\guhaqdc C:\Documents and Settings\All Users\Programdata\gngnaxyb Post deretter en ny HJT-logg Lenke til kommentar
dj_vega Skrevet 12. oktober 2008 Del Skrevet 12. oktober 2008 (endret) Hei, dette er min HJT log: Logfile of HijackThis v1.99.1 Scan saved at 15:23:31, on 12.10.2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe C:\Programfiler\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Fellesfiler\Pure Networks Shared\Platform\nmsrvc.exe C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\uTorrent\uTorrent.exe C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe C:\Programfiler\DAEMON Tools Lite\daemon.exe C:\Programfiler\Last.fm\LastFM.exe C:\Programfiler\Windows Live\Messenger\usnsvc.exe C:\WINDOWS\System32\TuneUpDefragService.exe C:\Programfiler\Windows Live\Messenger\msnmsgr.exe C:\Programfiler\Winamp\winamp.exe C:\Programfiler\EvilLyrics\EvilLyrics.exe C:\Programfiler\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programfiler\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [speed Driver] sbthost.exe O4 - HKLM\..\RunServices: [speed Driver] sbthost.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [uTorrent] "C:\Programfiler\uTorrent\uTorrent.exe" O4 - HKCU\..\Run: [Creative Detector] C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe /R O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programfiler\DAEMON Tools Lite\daemon.exe" -autorun O4 - HKCU\..\Run: [steam] "C:\Programfiler\Steam\Steam.exe" -silent O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O11 - Options group: [iNTERNATIONAL] International* O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programfiler\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programfiler\Fellesfiler\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Programfiler\Fellesfiler\Pure Networks Shared\Platform\puresp3.dll O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FELLES~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing) O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Programfiler\Fellesfiler\Pure Networks Shared\Platform\nmsrvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe Noe spess dere ser? Endret 12. oktober 2008 av dj_vega Lenke til kommentar
norbat Skrevet 12. oktober 2008 Forfatter Del Skrevet 12. oktober 2008 Hei, dette er min HJT log: ..... Post loggen i tråden din Lenke til kommentar
dj_vega Skrevet 12. oktober 2008 Del Skrevet 12. oktober 2008 Hei, dette er min HJT log: ..... Post loggen i tråden din Ok, men det var SNIPPSNAPP så villeg at jeg skulle posten den her men ok. Lenke til kommentar
Anbefalte innlegg
Opprett en konto eller logg inn for å kommentere
Du må være et medlem for å kunne skrive en kommentar
Opprett konto
Det er enkelt å melde seg inn for å starte en ny konto!
Start en kontoLogg inn
Har du allerede en konto? Logg inn her.
Logg inn nå