Gaute65 Posted 7 December 2009
I have a Swedish friend who is troubled by new windows popping up when he uses IE or FF. Here are the ComboFix and HijackThis logs.
ComboFix 09-12-06.A3 - HP_Ägaren 2009-12-07 12:49.1.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2047.816 [GMT 1:00] Körs från: c:\documents and settings\HP_Ägaren\Skrivbord\ComboFix.exe AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255} AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187} . ((((((((((((((((((((((((((((((((((((((( Andra raderingar )))))))))))))))))))))))))))))))))))))))))))))))) . c:\program\ATI Technologies\ATI.ACE\Core-Static\atIAcmxx.dll c:\windows\mouse.dll c:\windows\system32\ps2.bat c:\windows\system32\UTSCSI.EXE D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_UTSCSI -------\Service_UTSCSI (((((((((((((((((((((((( Filer Skapade från 2009-11-07 till 2009-12-07 )))))))))))))))))))))))))))))) . 2009-12-07 11:26 . 2009-12-07 11:26 -------- d-----w- c:\windows\Hewlett-Packard 2009-12-06 15:58 . 2009-12-06 15:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE 2009-12-06 14:26 . 2009-12-03 15:31 15880 ----a-w- c:\windows\system32\lsdelete.exe 2009-12-05 20:32 . 2009-12-05 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype 2009-12-03 18:43 . 2009-12-03 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-12-03 16:07 . 2009-12-03 16:07 -------- d-----w- c:\documents and settings\LocalService\Skrivbord 2009-12-03 15:38 . 
2009-12-03 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-12-03 15:34 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2009-12-03 15:30 . 2009-12-03 15:30 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe 2009-12-03 15:30 . 2009-12-03 15:30 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe 2009-12-03 15:30 . 2009-12-03 15:30 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe 2009-12-03 15:30 . 2009-12-03 15:30 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe 2009-12-03 15:30 . 2009-12-03 15:30 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe 2009-12-03 15:28 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-03 15:28 . 2009-12-03 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-12-03 15:28 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-12-03 15:24 . 2009-12-03 15:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6} 2009-12-03 15:24 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe 2009-12-03 15:23 . 2009-12-03 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2009-12-03 15:23 . 2009-12-03 15:23 -------- d-----w- c:\program\Lavasoft 2009-11-22 21:08 . 1998-09-02 08:28 38160 ----a-w- c:\windows\system32\LMRTREND.dll 2009-11-22 21:08 . 1998-08-27 04:51 182032 ----a-w- c:\windows\system32\dxtmsft3.dll 2009-11-22 21:08 . 
1998-09-02 08:28 63488 ----a-w- c:\windows\system32\unam4ie.exe 2009-11-22 21:07 . 1998-08-17 09:21 10240 ----a-w- c:\windows\system32\vidx16.dll 2009-11-22 21:07 . 1998-08-17 09:21 11776 ----a-w- c:\windows\system32\mciqtz.drv 2009-11-22 21:07 . 1998-09-02 08:02 194320 ----a-w- c:\windows\system32\qcut.dll 2009-11-22 21:07 . 2009-11-22 21:07 4608 ----a-w- c:\windows\system32\w95inf32.dll 2009-11-22 21:07 . 2009-11-22 21:07 2272 ----a-w- c:\windows\system32\w95inf16.dll 2009-11-17 13:11 . 2009-11-17 13:11 129304 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3Connect_update_1_of_2.exe 2009-11-16 19:52 . 2009-11-16 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology 2009-11-16 19:52 . 2007-05-28 16:00 10240 ------w- c:\windows\system32\drivers\mdvrmng.sys 2009-11-16 19:51 . 2007-08-08 10:13 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys 2009-11-16 19:51 . 2007-08-08 10:12 101120 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys 2009-11-16 19:51 . 2009-11-16 19:51 -------- d-----w- c:\program\Huawei Modems 2009-11-16 19:51 . 2009-11-16 19:51 69361 ----a-w- c:\windows\Huawei ModemsUninstall.exe 2009-11-16 13:52 . 2009-09-04 16:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll 2009-11-16 13:52 . 2009-09-04 16:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll 2009-11-16 13:52 . 2009-09-04 16:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll 2009-11-16 13:52 . 2009-09-04 16:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll 2009-11-16 13:52 . 2009-09-04 16:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll 2009-11-16 13:52 . 2009-09-04 16:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll 2009-11-16 13:52 . 2009-09-04 16:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll 2009-11-15 13:43 . 2009-11-15 13:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-11-10 23:01 . 
2009-11-11 00:45 -------- d-----w- C:\MP3 Musik . (((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-12-07 12:05 . 2009-09-27 10:02 40 ----a-w- c:\windows\system32\profile.dat 2009-12-07 11:26 . 2006-01-03 04:11 -------- d-----w- c:\program\HP 2009-12-07 11:26 . 2006-01-03 04:24 -------- d-----w- c:\program\Hewlett-Packard 2009-12-06 15:43 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2009-12-03 18:36 . 2009-11-07 02:13 -------- d-----w- c:\program\Delade filer\Wise Installation Wizard 2009-12-03 15:40 . 2006-01-03 04:35 -------- d-----w- c:\program\Google 2009-12-01 14:25 . 2006-01-03 04:38 -------- d-----w- c:\program\Delade filer\Symantec Shared 2009-11-26 19:55 . 2009-07-28 11:40 215104 ----a-w- c:\windows\system32\PnkBstrB.exe 2009-11-26 19:44 . 2009-07-28 11:41 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2009-11-16 19:52 . 2004-11-29 16:42 83620 ----a-w- c:\windows\system32\perfc01D.dat 2009-11-16 19:52 . 2004-11-29 16:42 444322 ----a-w- c:\windows\system32\perfh01D.dat 2009-11-16 19:51 . 2006-01-03 04:24 -------- d--h--w- c:\program\InstallShield Installation Information 2009-11-07 02:14 . 2009-09-12 11:37 -------- d-----w- c:\program\DIFX 2009-11-07 02:13 . 2009-11-07 02:13 -------- d-----w- c:\program\AGEIA Technologies 2009-11-04 10:32 . 2009-11-04 10:34 737280 ----a-w- c:\windows\iun6002.exe 2009-10-20 19:51 . 2006-01-03 04:16 81640 ----a-w- c:\windows\HPHins08.dat 2009-10-17 20:43 . 2009-07-28 11:40 75064 ----a-w- c:\windows\system32\PnkBstrA.exe 2009-09-27 10:01 . 2006-01-03 04:38 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL 2009-09-27 10:01 . 2006-01-03 04:38 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2009-09-23 09:41 . 2009-09-23 09:41 26176 ---ha-w- c:\windows\system32\drivers\hamachi.sys 2009-09-13 18:00 . 2009-09-13 18:01 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-09-13 16:35 . 
2009-09-13 16:35 472576 ----a-w- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe 2009-09-11 14:19 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll . (((((((((((((((((((((((((((((((((( Startpunkter i registret ))))))))))))))))))))))))))))))))))))))))))))))) . . *Not* Tomma poster & legitima standardposter visas inte. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Steam"="c:\spel\steam\steam.exe" [2009-10-24 1217808] "msnmsgr"="c:\program\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840] "ICQ"="c:\auxilliary\ICQ6.5\ICQ.exe" [2009-03-01 172792] "swg"="c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-19 68856] "MSMSGS"="c:\program\Messenger\msmsgs.exe" [2008-04-14 1695232] "SpybotSD TeaTimer"="c:\auxilliary\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] "SUPERAntiSpyware"="c:\auxilliary\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648] "Skype"="c:\auxilliary\Skype\Phone\Skype.exe" [2009-10-09 25623336] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2009-09-13 149280] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344] "HPHUPD08"="c:\program\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568] "HP Software Update"="c:\program\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576] "Symantec NetDriver Monitor"="c:\program\SYMNET~1\SNDMon.exe" [2009-09-27 103816] "DAEMON Tools-1033"="c:\auxilliary\D-Tools\daemon.exe" [2004-08-22 81920] "WinampAgent"="c:\auxilliary\Winamp\winampa.exe" [2009-07-01 37888] "TkBellExe"="c:\program\Delade filer\Real\Update_OB\realsched.exe" [2006-01-03 180269] "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440] "StartCCC"="c:\program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440] 
"ccApp"="c:\program\Delade filer\Symantec Shared\ccApp.exe" [2007-05-29 52840] "vptray"="c:\program\SYMANT~1\SYMANT~2\VPTray.exe" [2007-10-07 125368] "RTHDCPL"="RTHDCPL.EXE" [2008-11-18 17676288] "a-squared"="c:\auxilliary\A-SQUARED ANTI-MALWARE\a2guard.exe" [2009-11-05 3279192] "Malwarebytes Anti-Malware (reboot)"="c:\auxilliary\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] c:\documents and settings\Default User\Start-meny\Program\Autostart\ Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-3 27136] c:\documents and settings\All Users\Start-meny\Program\Autostart\ BDARemote.lnk - c:\program\USB TV\EM28XX\BDARemote.exe [2009-9-12 81997] HP Digital Imaging Monitor.lnk - c:\program\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624] Microsoft Office.lnk - c:\auxilliary\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] Uppdateringsagent.lnk - c:\auxilliary\3\3Connect\AutoUpdateSrv.exe [2009-11-16 442368] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\auxilliary\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 13:21 548352 ----a-w- c:\auxilliary\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"= 
"c:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "c:\\Auxilliary\\uTorrent\\uTorrent.exe"= "c:\\Spel\\Steam\\steamapps\\common\\hearts of iron 2 complete pack\\HoI2.exe"= "c:\\Spel\\Steam\\steamapps\\common\\hearts of iron 2 complete pack\\hoi2.bat"= "c:\\Spel\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"= "c:\\Auxilliary\\ICQ6.5\\ICQ.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Spel\\World in Conflict\\wic.exe"= "c:\\Spel\\World in Conflict\\wic_online.exe"= "c:\\Spel\\World in Conflict\\wic_ds.exe"= "c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Spel\\Battlefield 2\\BF2.exe"= "c:\\Spel\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"= "c:\\Auxilliary\\Spotify\\spotify.exe"= "c:\\Spel\\Steam\\steamapps\\common\\hearts of iron 3\\hoi3game.exe"= "c:\\Spel\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"= "c:\\Spel\\Steam\\steamapps\\common\\mirrors edge\\Binaries\\MirrorsEdge.exe"= "c:\\Auxilliary\\Skype\\Phone\\Skype.exe"= R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2009-07-28 155136] R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2009-07-28 5248] R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-03 64288] R1 SASDIFSV;SASDIFSV;c:\auxilliary\SUPERAntiSpyware\sasdifsv.sys [2009-11-23 9968] R1 
SASKUTIL;SASKUTIL;c:\auxilliary\SUPERAntiSpyware\SASKUTIL.SYS [2009-11-23 74480] R2 a2AntiMalware;a-squared Anti-Malware Service;c:\auxilliary\a-squared Anti-Malware\a2service.exe [2009-12-03 1858144] R2 a2free;a-squared Free Service;c:\auxilliary\a-squared Free\a2service.exe [2009-12-02 1858144] R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-09-16 12672] R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\auxilliary\LogMeIn Hamachi\hamachi-2.exe [2009-10-09 1078664] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\Lavasoft\Ad-Aware\AAWService.exe [2009-09-24 1184912] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program\Delade filer\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-10-16 102448] R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2009-07-28 31872] R3 SASENUM;SASENUM;c:\auxilliary\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408] S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;c:\program\Symantec\LiveUpdate\AluSchedulerSvc.exe [2009-07-28 554352] S2 gupdate1ca742ccd6f7fe0;Google Update Service (gupdate1ca742ccd6f7fe0);c:\program\Google\Update\GoogleUpdate.exe [2009-12-03 133104] S3 SavRoam;SAVRoam;c:\program\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2007-10-07 116664] --- Övriga tjänster/drivrutiner i minnet --- *Deregistered* - mchInjDrv . ------- Extra genomsökning ------- . 
IE: E&xportera till Microsoft Excel - c:\auxill~1\MICROS~1\Office10\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\2ontfcxe.default\ FF - plugin: c:\auxilliary\VideoLAN\VLC\npvlc.dll FF - plugin: c:\program\Google\Update\1.2.183.13\npGoogleOneClick8.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICY ---- c:\auxilliary\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\auxilliary\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se"); . - - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - - HKLM-Run-AtiPTA - atiptaxx.exe AddRemove-Final Fantasy VII - c:\windows\IsUninst.exe -fc:\spel\Final Fantasy VII\Uninst.isu AddRemove-Microsoft Interactive Training - c:\windows\IsUn041d.exe -fc:\windows\orun32.isu AddRemove-2kv4.8.442 - c:\windows\Radeon Omega Drivers v4.8.442 AddRemove-Thief2DeinstallKey - c:\windows\IsUninst.exe -fc:\spel\Thief2\lglass.u AddRemove-{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1 - c:\auxilliary\ConvertHelper\unins000.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-12-07 13:09 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A584369]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28 \Driver\ACPI -> ACPI.sys @ 0xb9f59cb8 \Driver\atapi -> 0x8a162f00 IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a NDIS: Realtek RTL8102E Family PCI-E Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9e05bb0 PacketIndicateHandler -> NDIS.sys @ 0xb9e12a21 SendHandler -> NDIS.sys @ 0xb9df087b Warning: possible MBR rootkit infection ! user & kernel MBR OK ************************************************************************** . --------------------- DLLer som "laddats" under processer som körs --------------------- - - - - - - - > 'winlogon.exe'(844) c:\auxilliary\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(2560) c:\windows\system32\eappcfg.dll c:\windows\system32\webcheck.dll . ------------------------ Andra processer som körs ------------------------ . 
c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program\Delade filer\Symantec Shared\ccSetMgr.exe c:\program\Delade filer\Symantec Shared\ccEvtMgr.exe c:\program\Delade filer\Symantec Shared\ccProxy.exe c:\program\Symantec Client Security\Symantec Client Firewall\ISSVC.exe c:\program\Delade filer\Symantec Shared\SNDSrvc.exe c:\program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe c:\program\Symantec Client Security\Symantec AntiVirus\DefWatch.exe c:\program\Java\jre6\bin\jqs.exe c:\program\Delade filer\LightScribe\LSSrvc.exe c:\windows\system32\PnkBstrA.exe c:\windows\system32\PnkBstrB.exe c:\program\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe c:\program\Symantec Client Security\Symantec Client Firewall\SymSPort.exe c:\windows\RTHDCPL.EXE c:\program\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\windows\system32\wdfmgr.exe c:\program\Delade filer\Symantec Shared\Security Center\SymWSC.exe c:\windows\system32\wbem\unsecapp.exe c:\program\HP\Digital Imaging\bin\hpqSTE08.exe c:\program\Delade filer\Symantec Shared\Security Center\SymSCUI.exe c:\program\Java\jre6\bin\jucheck.exe c:\program\Lavasoft\Ad-Aware\AAWTray.exe . ************************************************************************** . Sluttid: 2009-12-07 13:33 - datorn startades om. 
ComboFix-quarantined-files.txt 2009-12-07 12:33 Före genomsökningen: 111*074*717*696 byte ledigt Efter genomsökningen: 110*860*222*464 byte ledigt - - End Of File - - E975CED7D6106372993BF18DDECE4554 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:25:08, on 2009-12-07 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe C:\Program\Delade filer\Symantec Shared\ccProxy.exe C:\Program\Symantec Client Security\Symantec Client Firewall\ISSVC.exe c:\Program\Delade filer\Symantec Shared\SNDSrvc.exe C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\Auxilliary\a-squared Anti-Malware\a2service.exe C:\Auxilliary\a-squared Free\a2service.exe C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program\Symantec Client Security\Symantec AntiVirus\DefWatch.exe C:\Auxilliary\LogMeIn Hamachi\hamachi-2.exe C:\Program\Java\jre6\bin\jqs.exe C:\Program\Delade filer\LightScribe\LSSrvc.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\WINDOWS\system32\svchost.exe C:\Program\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe C:\Program\Java\jre6\bin\jusched.exe C:\windows\system\hpsysdrv.exe C:\Program\HP\HP Software Update\HPWuSchd2.exe C:\Auxilliary\D-Tools\daemon.exe C:\Program\Delade filer\Real\Update_OB\realsched.exe C:\HP\KBD\KBD.EXE C:\Program\Symantec Client 
Security\Symantec Client Firewall\SymSPort.exe C:\Program\Delade filer\Symantec Shared\ccApp.exe C:\Program\SYMANT~1\SYMANT~2\VPTray.exe C:\WINDOWS\RTHDCPL.EXE C:\AUXILLIARY\A-SQUARED ANTI-MALWARE\a2guard.exe C:\WINDOWS\system32\wdfmgr.exe C:\Program\Windows Live\Messenger\msnmsgr.exe C:\Auxilliary\ICQ6.5\ICQ.exe C:\Program\Messenger\msmsgs.exe c:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe C:\Auxilliary\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Auxilliary\Skype\Phone\Skype.exe C:\Program\HP\Digital Imaging\bin\hpqtra08.exe C:\Auxilliary\3\3Connect\AutoUpdateSrv.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe c:\Program\HP\Digital Imaging\bin\hpqSTE08.exe c:\Program\Delade filer\Symantec Shared\Security Center\SymSCUI.exe C:\Program\Java\jre6\bin\jucheck.exe C:\Program\Lavasoft\Ad-Aware\AAWTray.exe C:\WINDOWS\explorer.exe C:\Program\Google\Chrome\Application\chrome.exe C:\Program\Google\Chrome\Application\chrome.exe C:\Spel\Steam\Steam.exe C:\WINDOWS\system32\taskmgr.exe C:\Program\Google\Chrome\Application\chrome.exe C:\Auxilliary\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\AUXILL~1\SPYBOT~1\SDHelper.dll O2 - BHO: Windows Live 
inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [HPHUPD08] c:\Program\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Enterprise O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Auxilliary\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [WinampAgent] C:\Auxilliary\Winamp\winampa.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [StartCCC] "C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] 
C:\Program\SYMANT~1\SYMANT~2\VPTray.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [a-squared] "C:\AUXILLIARY\A-SQUARED ANTI-MALWARE\a2guard.exe" /d=60 O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Auxilliary\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [Steam] "c:\spel\steam\steam.exe" -silent O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [ICQ] "C:\Auxilliary\ICQ6.5\ICQ.exe" silent O4 - HKCU\..\Run: [swg] "C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Auxilliary\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Auxilliary\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [Skype] "C:\Auxilliary\Skype\Phone\Skype.exe" /nosplash /minimized O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM') O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user') O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user') O4 - Global Startup: BDARemote.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Auxilliary\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Uppdateringsagent.lnk = ? 
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\AUXILL~1\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\AUXILL~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\AUXILL~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm O9 - Extra 'Tools' menuitem: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Auxilliary\ICQ6.5\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Auxilliary\ICQ6.5\ICQ.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O20 - Winlogon Notify: !SASWinLogon - C:\Auxilliary\SUPERAntiSpyware\SASWINLO.dll O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Auxilliary\a-squared Anti-Malware\a2service.exe O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Auxilliary\a-squared Free\a2service.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. 
- C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec Client Security\Symantec AntiVirus\DefWatch.exe O23 - Service: Google Update Service (gupdate1ca742ccd6f7fe0) (gupdate1ca742ccd6f7fe0) - Google Inc. - C:\Program\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Auxilliary\LogMeIn Hamachi\hamachi-2.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program\Symantec Client Security\Symantec Client Firewall\ISSVC.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. 
- C:\Program\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec Client Security\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program\Delade filer\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program\Symantec Client Security\Symantec Client Firewall\SymSPort.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe -- End of file - 12406 bytes
norbat Posted 7 December 2009
Does the person still have problems after having run Malwarebytes and ComboFix? The ComboFix log shows something irregular with the MBR (master boot record). That does not mean the person has a rootkit infection, but I will look into this a little more closely. Will report back.
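As an added example (not code from this thread, from ComboFix or from GMER), a small Python triage script for the "Stealth MBR rootkit" detector section of the ComboFix log above. It separates the named kernel modules from the `>>UNKNOWN [addr]<<` entry and flags a hook line whose target is a bare address with no module name (`\Driver\atapi -> 0x8a162f00`, unlike the Disk and ACPI hooks that resolve to CLASSPNP.SYS and ACPI.sys); that is the detail behind norbat's remark, even though the detector also reports the MBR sectors themselves as OK. The suspicious sample is the posted log re-split one entry per line; the shape of the clean sample is an assumption.

```python
import re

# Constructed sample: the "Stealth MBR rootkit/Mebroot/Sinowal detector" section of the
# ComboFix log posted above, re-split one entry per line (the forum flattened it).
SUSPICIOUS_SAMPLE = r"""device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A584369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f59cb8
\Driver\atapi -> 0x8a162f00
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# Constructed clean sample: assumed shape of the same section on an unhooked system.
CLEAN_SAMPLE = r"""device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

# "\Driver\<name> -> <module> @ <addr>" or, with no backing module, "\Driver\<name> -> <addr>"
HOOK_RE = re.compile(
    r"^\\Driver\\(?P<driver>\S+) -> (?:(?P<module>\S+) @ )?(?P<addr>0x[0-9A-Fa-f]+)\s*$"
)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def parse_called_modules(text):
    """Split the 'called modules:' line into named modules and UNKNOWN addresses."""
    for line in text.splitlines():
        if line.startswith("called modules:"):
            rest = line[len("called modules:"):]
            unknown = UNKNOWN_RE.findall(rest)
            named = UNKNOWN_RE.sub(" ", rest).split()
            return named, unknown
    return [], []


def parse_hooks(text):
    """Return one dict per hook line; 'module' is None when only an address is given."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append({"driver": m.group("driver"),
                          "module": m.group("module"),
                          "addr": m.group("addr").lower()})
    return hooks


def triage(text):
    """Summarise the detector section: what was found and whether it needs follow-up."""
    named, unknown = parse_called_modules(text)
    hooks = parse_hooks(text)
    unnamed_hooks = [h for h in hooks if h["module"] is None]
    lines = [l.strip() for l in text.splitlines()]
    warning = any(l.startswith("Warning: possible MBR rootkit infection") for l in lines)
    mbr_ok = "user & kernel MBR OK" in lines
    findings = []
    for addr in unknown:
        findings.append(f"called module at {addr} could not be mapped to a loaded module name")
    for h in unnamed_hooks:
        findings.append(f"\\Driver\\{h['driver']} hooked to bare address {h['addr']} (no module name)")
    if warning:
        findings.append("the detector itself raised the MBR rootkit warning")
    if mbr_ok:
        findings.append("user-mode and kernel-mode MBR reads reported OK (no sector-level discrepancy)")
    verdict = "suspicious" if (unknown or unnamed_hooks or warning) else "clean"
    return {"named_modules": named, "unknown_modules": unknown, "hooks": hooks,
            "unnamed_hooks": unnamed_hooks, "warning": warning, "mbr_ok": mbr_ok,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("posted log", SUSPICIOUS_SAMPLE), ("clean sample", CLEAN_SAMPLE)):
        result = triage(sample)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The verdict is a prompt to follow up with a dedicated tool, as norbat does later in the thread, not a confirmed diagnosis on its own.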
Gaute65 Posted 7 December 2009
Quoting norbat: Does the person still have problems after having run Malwarebytes and ComboFix? The ComboFix log shows something irregular with the MBR (master boot record). That does not mean the person has a rootkit infection, but I will look into this a little more closely. Will report back.
He does. He is still plagued by popups.
norbat Posted 7 December 2009
What content do these popups have?
norbat Posted 7 December 2009 (edited)
Get the following program and save it on the desktop: http://support.kaspersky.com/downloads/utils/tdsskiller.zip. Unpack the program, double-click TDSSKiller.exe and let the program run. When the program has finished, press any key to exit. If you are asked to restart the PC, do so. Then do the following: Click Start->Run. Type: cmd /c mbr.exe -t >log.txt&start log.txt A log opens, which you post (if the log contains anything) together with a new ComboFix log (that is, run ComboFix again). Edited 7 December 2009 by norbat
Lurken1 Posted 8 December 2009
Hi, it is me who had the problems. What popped up was just that the window wanted to go to a web page with a nonsense address. I ran the program, but in my eagerness I forgot to make sure to save a log of the trouble. But I had two infected entries, one in memory and one on the disk. Both were dealt with effectively by the program. So thank you very much =)
norbat Posted 8 December 2009
Quoting Lurken1: Hi, it is me who had the problems. What popped up was just that the window wanted to go to a web page with a nonsense address. I ran the program, but in my eagerness I forgot to make sure to save a log of the trouble. But I had two infected entries, one in memory and one on the disk. Both were dealt with effectively by the program. So thank you very much =)
To check that everything is OK, it would be nice if you could run ComboFix again and post the log. Regards, n