Thor. Posted 5 March 2010

After a YouTube video from a trusted user I may have got my machine infected. The user is called JetlagJad (youtube.com/user/JetlagJad) and has posted loads of Mario videos. He seems like an average gamer with many of the same interests as many others, and I found nothing suspicious about this user until yesterday. I saw a video about a key generator that he published. Stupid as I was, I wanted to test it even though I already had MW2 on my own Steam account. So I tried it on a "throwaway account" to see if it worked, which of course it didn't. Today my AVG started flashing red and warned about the following file: C:\Users\Thor\AppData\Roaming\Microsoft\svchost.exe

I went straight to the topic "Guide: Help with removing malware (viruses, trojans, spyware...)" and followed the instructions there. Here are the logs:

MBAM:

Malwarebytes' Anti-Malware 1.44
Databaseversjon: 3826

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

05.03.2010 17:57:37
mbam-log-2010-03-05 (17-57-37).txt

Skanntype: Rask Skann
Objekter skannet: 99911
Tid tilbakelagt: 2 minute(s), 12 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 1
Registerverdier infisert: 0
Registerfiler infisert: 1
Mapper infisert: 0
Filer infisert: 2

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{xq4q8xwr-ykip-cjl7-9fme-qqvay4sot6ja} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\Windows\0L8YN.exe (Generic.Bot.H) -> Quarantined and deleted successfully.
C:\Users\Thor\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

*restart*

HijackThis (struck-through text has been removed)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:13:37, on 05.03.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
D:\Spill\Steam\Steam.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Logitech\G35\G35.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Opera\opera.exe
C:\Program Files (x86)\Spotify\spotify.exe
C:\Windows\Notepad2.exe
C:\Windows\SysWOW64\notepad.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files (x86)\Orbitdownloader\orbitcth.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SMTTB2009 - {B6E23FC8-6890-4844-9F4F-0A2C5CE95A6C} - C:\Program Files (x86)\Audio Tools Factory Toolbar\tbcore3.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Audio Tools Factory Toolbar - {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Program Files (x86)\Audio Tools Factory Toolbar\tbcore3.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Logitech G35] C:\Program Files (x86)\Logitech\G35\G35.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [steam] "d:\spill\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/202
O13 - Gopher Prefix:
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Futuremark SystemInfo) - http://service.futuremark.com/gom/receiver/tc/FMSI.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PermissionResearch - Unknown owner - C:\Program Files (x86)\PermissionResearch\prservice.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Unsigned Themes (UnsignedThemes) - The Within Network, LLC - C:\Windows\UnsignedThemesSvc.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8787 bytes

Scan done by dds.scr (running Win7 64-bit)

DDS (Ver_09-12-01.01) - NTFSX64
Run by Thor at 18:11:33,14 on 05.03.2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.47.1033.18.8190.6352 [GMT 1:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\UnsignedThemesSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
D:\Spill\Steam\Steam.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Logitech\G35\G35.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files (x86)\Opera\opera.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Spotify\spotify.exe
C:\Windows\Notepad2.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Users\Thor\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files (x86)\orbitdownloader\orbitcth.dll
BHO: Påloggingshjelp for Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SMTTB2009 Class: {b6e23fc8-6890-4844-9f4f-0a2c5ce95a6c} - c:\program files (x86)\audio tools factory toolbar\tbcore3.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
TB: Audio Tools Factory Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - c:\program files (x86)\audio tools factory toolbar\tbcore3.dll
uRun: [steam] "d:\spill\steam\steam.exe" -silent
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [uTorrent] "c:\program files (x86)\utorrent\uTorrent.exe"
uRun: [DAEMON Tools Lite] "c:\program files (x86)\daemon tools lite\DTLite.exe" -autorun
mRun: [AVG9_TRAY] c:\progra~2\avg\avg9\avgtray.exe
mRun: [ATICustomerCare] "c:\program files (x86)\ati\aticustomercare\ATICustomerCare.exe"
mRun: [sunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"
mRun: [startCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Logitech G35] c:\program files (x86)\logitech\g35\G35.exe
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &Download by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/202
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://service.futuremark.com/gom/receiver/tc/FMSI.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TB-X64: {338B4DFE-2E2C-4338-9E41-E176D497299E} - No File
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe -s
AppInit_DLLs-X64: avgrssta.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\thor\appdata\roaming\mozilla\firefox\profiles\ur4gw7qa.default\
FF - component: c:\program files (x86)\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - plugin: c:\program files (x86)\opera 10.50 pre-alpha\program\plugins\npqtplugin.dll
FF - plugin: c:\program files (x86)\opera 10.50 pre-alpha\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files (x86)\opera 10.50 pre-alpha\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files (x86)\opera 10.50 pre-alpha\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files (x86)\opera 10.50 pre-alpha\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files (x86)\opera 10.50 pre-alpha\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files (x86)\opera 10.50 pre-alpha\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\thor\appdata\local\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");

============= SERVICES / DRIVERS ===============

R1 AvgLdx64;AVG Free AVI Loader Driver x64;c:\windows\system32\drivers\avgldx64.sys [2009-11-23 422920]
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;c:\windows\system32\drivers\avgmfx64.sys [2009-11-23 34248]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 59904]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-12-11 202752]
R2 avg9wd;AVG Free WatchDog;c:\program files (x86)\avg\avg9\avgwdsvc.exe [2009-11-23 285392]
R2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe [2009-7-13 24168]
R2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatch.sys [2009-7-13 30568]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2009-12-11 6228480]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2009-12-11 160256]
R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2009-8-13 29184]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-8-2 12672]
R3 Lycosa;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-1-17 18816]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam_x64.sys [2008-3-13 27136]
R3 netr28ux;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Dnetr28ux.sys [2009-8-6 987648]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-3-1 187392]
S2 PermissionResearch;PermissionResearch;c:\program files (x86)\permissionresearch\prservice.exe /service --> c:\program files (x86)\permissionresearch\prservice.exe [?]
S3 cxbu0x64;CardMan 3x21;c:\windows\system32\drivers\cxbu0x64.sys [2009-6-24 172544]
S3 ENTECH64;ENTECH64;c:\windows\system32\drivers\Entech64.sys [2009-12-25 12744]
S3 LADF_DHP2;G35 DHP2 Filter Driver;c:\windows\system32\drivers\ladfDHP2amd64.sys [2009-5-28 61712]
S3 LADF_SBVM;G35 SBVM Filter Driver;c:\windows\system32\drivers\ladfSBVMamd64.sys [2009-5-28 376848]

=============== Created Last 30 ================

2010-03-05 16:47:23 0 dc----w- c:\users\thor\appdata\roaming\Malwarebytes
2010-03-05 16:47:19 22104 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 16:47:19 0 dc----w- c:\programdata\Malwarebytes
2010-03-05 16:47:19 0 dc----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-03-04 17:54:38 0 dc----w- c:\program files (x86)\iTunes
2010-03-04 17:54:38 0 dc----w- c:\program files (x86)\iPod
2010-03-04 17:49:46 0 dc----w- c:\users\thor\appdata\roaming\GrabPro
2010-02-27 21:18:34 0 dc----w- c:\users\thor\appdata\roaming\ManyCam
2010-02-27 21:18:34 0 dc----w- c:\program files (x86)\ManyCam 2.4
2010-02-25 22:35:48 310984 -c--a-w- c:\windows\system32\drivers\atksgt.sys
2010-02-25 22:35:47 42696 -c--a-w- c:\windows\system32\drivers\lirsgt.sys
2010-02-25 20:31:35 0 dc----w- c:\program files (x86)\DOSbox
2010-02-23 20:48:11 0 dc----w- c:\program files (x86)\DVDVideoSoft
2010-02-23 20:48:11 0 dc----w- c:\program files (x86)\common files\DVDVideoSoft
2010-02-23 12:06:39 73728 -c--a-w- c:\windows\system\vdremote.dll
2010-02-23 12:06:39 65536 -c--a-w- c:\windows\system\vdsvrlnk.dll
2010-02-23 09:42:25 0 dc----w- c:\programdata\VideoMach
2010-02-23 09:42:21 0 dc----w- c:\program files (x86)\VideoMach
2010-02-22 16:27:05 0 dc----w- c:\program files (x86)\NDW
2010-02-22 16:21:31 0 dc----w- c:\users\thor\appdata\roaming\avidemux
2010-02-22 16:21:25 0 dc----w- c:\program files (x86)\Avidemux 2.5
2010-02-22 15:12:06 0 dc----w- c:\programdata\Sony
2010-02-22 15:12:04 0 dc----w- c:\program files (x86)\Sony
2010-02-22 15:12:03 0 dc----w- c:\program files\Sony
2010-02-22 15:03:52 834544 -c--a-w- c:\windows\system32\drivers\sptd.sys
2010-02-22 15:03:41 0 dc----w- c:\program files (x86)\DAEMON Tools Lite
2010-02-21 23:12:36 0 dc----w- C:\Downloads
2010-02-21 23:12:23 0 dc----w- c:\program files (x86)\Orbitdownloader
2010-02-21 12:13:57 0 dc----w- c:\program files (x86)\BandwidthMonitor
2010-02-20 12:23:38 0 dc----w- c:\users\thor\appdata\roaming\Bioshock2
2010-02-20 12:20:27 0 dcsh--w- c:\programdata\SecuROM
2010-02-20 12:11:16 0 dc----w- c:\program files (x86)\2K Games
2010-02-17 16:07:25 0 dc----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2010-02-17 14:38:58 0 dc----w- c:\users\thor\appdata\roaming\DAEMON Tools Lite
2010-02-17 14:38:50 0 dc----w- c:\programdata\DAEMON Tools Lite
2010-02-17 11:25:16 0 dc----w- c:\users\thor\appdata\roaming\Braid
2010-02-17 11:25:10 3851784 -c--a-w- c:\windows\syswow64\D3DX9_39.dll
2010-02-14 04:10:26 0 dc----w- c:\users\thor\appdata\roaming\The Path
2010-02-13 22:14:42 0 dc----w- c:\users\thor\appdata\roaming\JungleDisk
2010-02-13 22:11:41 0 dc----w- C:\Audio Setup
2010-02-13 22:08:33 0 dc----w- C:\WMdownloads
2010-02-13 19:06:09 0 dc----w- c:\windows\system32\appmgmt
2010-02-13 19:00:34 0 dc----w- c:\program files\Logitech
2010-02-13 18:59:14 0 dc----w- c:\programdata\LogiShrd
2010-02-13 15:30:30 20 -c--a-w- c:\windows\mafosav.INI
2010-02-13 10:22:10 0 dc----w- c:\program files\Bonjour
2010-02-13 10:22:10 0 dc----w- c:\program files (x86)\Bonjour
2010-02-13 10:12:15 0 dc----w- c:\program files (x86)\Amazon
2010-02-13 09:39:20 0 dc----w- c:\programdata\JungleDisk

==================== Find3M ====================

2010-03-05 17:05:21 78250 -c--a-w- c:\windows\system32\perfc014.dat
2010-03-05 17:05:21 456276 -c--a-w- c:\windows\system32\perfh014.dat
2010-02-24 10:55:05 7680 ----a-w- c:\windows\syswow64\instnm.exe
2010-02-24 10:55:05 5120 ----a-w- c:\windows\syswow64\wow32.dll
2010-02-24 10:55:05 25600 ----a-w- c:\windows\syswow64\setup16.exe
2010-02-24 10:55:05 243200 ----a-w- c:\windows\system32\wow64.dll
2010-02-24 10:55:05 2048 ----a-w- c:\windows\syswow64\user.exe
2010-02-24 10:55:05 14336 ----a-w- c:\windows\syswow64\ntvdm64.dll
2010-02-24 10:55:02 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-02-24 10:55:02 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 10:54:59 716800 ----a-w- c:\windows\syswow64\jscript.dll
2010-02-24 10:54:55 960512 ----a-w- c:\windows\system32\CPFilters.dll
2010-02-24 10:54:55 641536 ----a-w- c:\windows\syswow64\CPFilters.dll
2010-02-24 10:54:55 613888 ----a-w- c:\windows\system32\psisdecd.dll
2010-02-24 10:54:55 552960 ----a-w- c:\windows\system32\msdri.dll
2010-02-24 10:54:55 465408 ----a-w- c:\windows\syswow64\psisdecd.dll
2010-02-15 17:43:02 4076 -csha-w- c:\programdata\KGyGaAvL.sys
2010-02-15 17:43:01 88 -csh--r- c:\programdata\982251D75B.sys
2010-02-14 02:09:44 466456 -c--a-w- c:\windows\system32\wrap_oal.dll
2010-02-14 02:09:44 122904 -c--a-w- c:\windows\system32\OpenAL32.dll
2010-02-14 02:09:43 444952 -c--a-w- c:\windows\syswow64\wrap_oal.dll
2010-02-14 02:09:43 109080 -c--a-w- c:\windows\syswow64\OpenAL32.dll
2010-02-11 15:46:49 91648 ----a-w- c:\windows\syswow64\avifil32.dll
2010-02-08 20:19:43 15058301 -c--a-w- c:\program files (x86)\Opera.rar
2010-01-30 16:45:02 0 -c-ha-w- c:\windows\system32\drivers\Msft_User_WUDFUsbccidDriver_01_09_00.Wdf
2010-01-27 14:57:23 389632 ----a-w- c:\windows\system32\winlogon.exe
2010-01-27 14:57:23 2870272 ----a-w- c:\windows\explorer.exe
2010-01-27 14:57:23 2614272 ----a-w- c:\windows\syswow64\explorer.exe
2010-01-22 20:00:37 977920 ----a-w- c:\windows\syswow64\wininet.dll
2010-01-22 20:00:37 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-01-22 20:00:37 5961728 ----a-w- c:\windows\syswow64\mshtml.dll
2010-01-22 20:00:37 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-01-22 20:00:37 1224704 ----a-w- c:\windows\syswow64\urlmon.dll
2010-01-22 20:00:37 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-01-22 20:00:37 10976768 ----a-w- c:\windows\syswow64\ieframe.dll
2010-01-13 10:54:06 70656 ----a-w- c:\windows\syswow64\fontsub.dll
2010-01-13 10:54:06 148480 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 10:54:06 108544 ----a-w- c:\windows\syswow64\t2embed.dll
2010-01-13 10:54:06 100864 ----a-w- c:\windows\system32\fontsub.dll
2010-01-08 04:52:23 0 -c-ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-12-25 13:16:55 178800 -c--a-w- c:\windows\syswow64\CmdLineExt_x64.dll
2009-12-17 16:14:09 153376 -c--a-w- c:\windows\syswow64\javaws.exe
2009-12-17 16:14:08 145184 -c--a-w- c:\windows\syswow64\javaw.exe
2009-12-17 16:14:06 145184 -c--a-w- c:\windows\syswow64\java.exe
2009-12-17 16:14:00 411368 -c--a-w- c:\windows\syswow64\deploytk.dll
2009-12-11 20:45:40 446464 -c--a-w- c:\windows\system32\ATIDEMGX.dll
2009-12-11 20:45:28 450048 -c--a-w- c:\windows\system32\atieclxx.exe
2009-12-11 20:44:52 202752 -c--a-w- c:\windows\system32\atiesrxx.exe
2009-12-11 20:43:40 17560576 -c--a-w- c:\windows\system32\atio6axx.dll
2009-12-11 20:43:26 120320 -c--a-w- c:\windows\system32\atitmm64.dll
2009-12-11 20:43:06 421376 -c--a-w- c:\windows\system32\atipdl64.dll
2009-12-11 20:42:58 356352 -c--a-w- c:\windows\syswow64\atipdlxx.dll
2009-12-11 20:42:44 274432 -c--a-w- c:\windows\syswow64\Oemdspif.dll
2009-12-11 20:42:38 12288 -c--a-w- c:\windows\system32\atimuixx.dll
2009-12-11 20:42:34 59392 -c--a-w- c:\windows\system32\atiedu64.dll
2009-12-11 20:42:28 43520 -c--a-w- c:\windows\syswow64\ati2edxx.dll
2009-12-11 20:39:38 3060224 -c--a-w- c:\windows\syswow64\atidxx32.dll
2009-12-11 20:35:34 400384 -c--a-w- c:\windows\syswow64\aticfx32.dll
2009-12-11 20:34:46 434176 -c--a-w- c:\windows\system32\aticfx64.dll
2009-12-11 20:31:50 3671040 -c--a-w- c:\windows\system32\atidxx64.dll
2009-12-11 20:26:00 13383168 -c--a-w- c:\windows\syswow64\atioglxx.dll
2009-12-11 20:22:58 3601920 -c--a-w- c:\windows\syswow64\atiumdag.dll
2009-12-11 20:17:10 4668416 -c--a-w- c:\windows\system32\atiumd64.dll
2009-12-11 20:11:30 55296 -c--a-w- c:\windows\system32\coinst.dll
2009-12-11 20:10:48 2617344 -c--a-w- c:\windows\system32\atiumd6a.dll
2009-12-11 20:04:52 43008 -c--a-w- c:\windows\system32\aticalrt64.dll
2009-12-11 20:04:50 53248 -c--a-w- c:\windows\syswow64\aticalrt.dll
2009-12-11 20:04:50 2912768 -c--a-w- c:\windows\syswow64\atiumdva.dll
2009-12-11 20:04:38 39936 -c--a-w- c:\windows\system32\aticalcl64.dll
2009-12-11 20:04:34 53248 -c--a-w- c:\windows\syswow64\aticalcl.dll
2009-12-11 20:04:22 4748288 -c--a-w- c:\windows\system32\aticaldd64.dll
2009-12-11 20:03:22 3641344 -c--a-w- c:\windows\syswow64\aticaldd.dll
2009-12-11 19:52:22 53248 -c--a-w- c:\windows\system32\atimpc64.dll
2009-12-11 19:52:22 53248 -c--a-w- c:\windows\system32\amdpcom64.dll
2009-12-11 19:52:16 52224 -c--a-w- c:\windows\syswow64\atimpc32.dll
2009-12-11 19:52:16 52224 -c--a-w- c:\windows\syswow64\amdpcom32.dll
2009-12-11 19:51:46 314880 -c--a-w- c:\windows\system32\atiadlxx.dll
2009-12-11 19:51:38 225280 -c--a-w- c:\windows\syswow64\atiadlxy.dll
2009-12-11 19:51:26 14848 -c--a-w- c:\windows\system32\atig6pxx.dll
2009-12-11 19:51:22 12800 -c--a-w- c:\windows\syswow64\atiglpxx.dll
2009-12-11 19:51:22 12800 -c--a-w- c:\windows\system32\atiglpxx.dll
2009-12-11 19:51:18 16896 -c--a-w- c:\windows\system32\atig6txx.dll
2009-12-11 19:51:12 15360 -c--a-w- c:\windows\syswow64\atigktxx.dll
2009-12-11 19:50:34 35840 -c--a-w- c:\windows\system32\atiuxp64.dll
2009-12-11 19:50:28 27136 -c--a-w- c:\windows\syswow64\atiuxpag.dll
2009-12-11 19:50:20 28160 -c--a-w- c:\windows\system32\atiu9p64.dll
2009-12-11 19:50:12 20480 -c--a-w- c:\windows\syswow64\atiu9pag.dll
2009-12-08 10:34:42 332320 -c--a-w- c:\windows\system32\RtlCPAPI64.dll
2009-12-08 10:34:42 1692192 -c--a-w- c:\windows\system32\RtPgEx64.dll
2009-12-08 10:34:36 149536 -c--a-w- c:\windows\system32\RtkCfg64.dll
2009-12-08 10:34:30 475680 -c--a-w- c:\windows\system32\RtkApi64.dll
2009-12-08 10:34:30 1639456 -c--a-w- c:\windows\system32\RtkAPO64.dll
2009-12-08 10:34:30 1201184 -c--a-w- c:\windows\system32\RTCOM64.dll
2009-12-08 10:34:24 66592 -c--a-w- c:\windows\system32\RCoInst64.dll
2009-11-23 17:33:19 36156 -c--a-w- c:\windows\inf\perflib\0414\perfd.dat
2009-11-23 17:33:19 36156 -c--a-w- c:\windows\inf\perflib\0414\perfc.dat
2009-11-23 17:33:19 298300 -c--a-w- c:\windows\inf\perflib\0414\perfi.dat
2009-11-23 17:33:19 298300 -c--a-w- c:\windows\inf\perflib\0414\perfh.dat
2009-07-14 05:37:38 31548 -c--a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 -c--a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-11-23 17:40:14 245760 -csha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2006-05-03 10:06:54 163328 -csh--r- c:\windows\syswow64\flvDX.dll
2007-02-21 11:47:16 31232 -csh--r- c:\windows\syswow64\msfDX.dll
2008-03-16 13:30:52 216064 -csh--r- c:\windows\syswow64\nbDX.dll
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:11:51,91 ===============

Is the machine clean?
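The three things a helper reads off logs like the ones above can be automated. This Python script is an added example, not code from the thread or from MBAM, HijackThis or DDS: it flags a known system binary name (svchost.exe, lsass.exe, explorer.exe) outside the directory it belongs in, an Active Setup "Installed Components" key whose CLSID is not a well-formed GUID (the MBAM detection above), and the mPolicies-system UAC values at 0 from the DDS report. The sample lines are constructed in the format of the posted logs; the directory allowlist and the regular expressions are the example's own assumptions.

```python
"""Flag the indicators a helper reads off a HijackThis / DDS / MBAM log.

Added example, not code from the thread or from any of the tools it mentions.
Three checks are re-implemented: a known system binary name running outside
the directory it belongs in, an Active Setup "Installed Components" key whose
CLSID is not a well-formed GUID, and mPolicies-system UAC values set to 0.
The directory allowlist and the regular expressions are assumptions of this
example, not tool output.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the logs posted above. The second
# Active Setup line uses a made-up but well-formed GUID for contrast.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{xq4q8xwr-ykip-cjl7-9fme-qqvay4sot6ja} (Generic.Bot.H)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-1234-1234-1234-123456789abc}
C:\Windows\0L8YN.exe (Generic.Bot.H)
C:\Users\Thor\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot)
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
O23 - Service: Unsigned Themes (UnsignedThemes) - The Within Network, LLC - C:\Windows\UnsignedThemesSvc.exe
"""

# Where each well-known binary is allowed to live (lower-case; an assumption
# for a 64-bit Windows 7 install like the one in the thread).
SYSTEM_BINARIES = {
    "svchost.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "lsass.exe": ("c:\\windows\\system32",),
    "explorer.exe": ("c:\\windows", "c:\\windows\\syswow64"),
}
UAC_DISABLED = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0",
                "PromptOnSecureDesktop": "0"}
ACTIVE_SETUP = "active setup\\installed components\\"

EXE_RE = re.compile(r"[a-z]:\\.+?\.exe", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
POLICY_RE = re.compile(r"mPolicies-system:\s*(\w+)\s*=\s*(\d+)")

Finding = Tuple[str, str, str]  # (severity, reason, evidence)


def check_paths(line: str) -> List[Finding]:
    """Masquerading system binaries and stray executables in the Windows directory."""
    found: List[Finding] = []
    for path in EXE_RE.findall(line):
        directory, _, name = path.lower().rpartition("\\")
        allowed = SYSTEM_BINARIES.get(name)
        if allowed is not None and directory not in allowed:
            found.append(("high", f"{name} outside its system directory", path))
        elif allowed is None and directory == "c:\\windows":
            found.append(("medium", "unknown executable directly in the Windows directory", path))
    return found


def check_active_setup(line: str) -> List[Finding]:
    """Active Setup runs its components once per user at logon; a CLSID that
    is not even a valid GUID was planted by hand, not by an installer."""
    pos = line.lower().find(ACTIVE_SETUP)
    if pos < 0:
        return []
    m = re.match(r"\{[^}]*\}", line[pos + len(ACTIVE_SETUP):])
    if m is None or not GUID_RE.match(m.group(0)):
        return [("high", "Active Setup component with malformed CLSID", line.strip())]
    return []


def check_uac(line: str) -> List[Finding]:
    """EnableLUA / ConsentPromptBehaviorAdmin / PromptOnSecureDesktop = 0 means
    anything the user runs silently gets full administrator rights."""
    m = POLICY_RE.search(line)
    if m and UAC_DISABLED.get(m.group(1)) == m.group(2):
        return [("high", f"UAC weakened: {m.group(1)} = {m.group(2)}", line.strip())]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run every check over every line and collect the findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        for check in (check_paths, check_active_setup, check_uac):
            findings.extend(check(line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_LOG):
        print(f"[{severity:>6}] {reason}\n         {evidence}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the constructed sample it reports five high findings (the fake svchost.exe, the malformed Active Setup CLSID and the three UAC values) and two medium ones (0L8YN.exe and UnsignedThemesSvc.exe sitting directly in C:\Windows).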
raWrz Posted 5 March 2010

I'll check the file and see what happens personally before I say whether you are clean.

Tip: if you want to check programs, use Sandboxie (http://www.sandboxie.com/).

I'd guess it's a RAT (remote administration tool) that lets him control your machine... very common among the "noobs" (skiddies) in hacking.
Thor. (author) Posted 5 March 2010

Thanks for Sandboxie. My dad uses something similar all the time. I'll remember this the next time I come across something "too good to be true".
raWrz Posted 5 March 2010

Found the guy's IP... and be a bit careful... it looks like it spreads itself to other machines on the network... so check whether anything happens to the other machines.
Thor. (author) Posted 5 March 2010 (edited)

Thank you. Spread how? Internet or LAN? Is my brother's Windows 7 at risk? It is protected with AVG. And can you/anyone else confirm whether my machine is clean?

Edit: to be on the safe side, I have by the way changed the passwords on various important accounts. I was on my online bank today!!

Edited 5 March 2010 by Thor.
raWrz Posted 5 March 2010 (edited)

Looks like it's LAN, since I saw in COMODO's log that the svchost connected to my other LAN IPs. If you notice anything on the others, you know what to do. Judging from the HJT log, it looks fine.

Edited 5 March 2010 by Submit
Thor. (author) Posted 5 March 2010

Ok, then I'm safe. Thanks for the help.