norbat Posted 21 August 2010 (edited)

Open Notepad and copy in what is written in bold below, then save the file on the desktop as CFScript.txt. Next, drag the file onto the ComboFix icon. ComboFix will start again. Post the log.

Folder::
c:\documents and settings\Administrator\Lokale innstillinger\Programdata\flybhbbcc
c:\documents and settings\Administrator\Lokale innstillinger\Programdata\qxwbhrnrl

rootkit::
kfzni.sys

file::
c:\windows\system32\drivers\kfzni.sys

SRPeek::
c:\windows\system32\winlogon.exe
c:\windows\explorer.exe
c:\windows\system32\drivers\ndis.sys

If you are asked whether to install the Recovery Console, say yes.

Edited 21 August 2010 by norbat
norbat Posted 21 August 2010

You can run it from Safe Mode if it is a problem to get a log from Normal Mode.
T.O.E Posted 21 August 2010 (Author)

This one also only worked in Safe Mode. The log:

ComboFix 10-08-21.01 - Administrator 08/22/2010 0:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.47.1044.18.1976.1485 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Skrivebord\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Skrivebord\CFScript.txt..txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {2045E3EF-E5E7-488B-AC43-2B179BB14050}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {C24317C3-EF42-4BD3-B9F6-926FE54E7D8D}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\windows\system32\drivers\kfzni.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Lokale innstillinger\Programdata\flybhbbcc
c:\documents and settings\Administrator\Lokale innstillinger\Programdata\qxwbhrnrl
c:\windows\system32\drivers\kfzni.sys
c:\windows\system32\winlogon.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
c:\windows\system32\drivers\ndis.sys . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_kfzni
-------\Service_kfzni

((((((((((((((((((((((((((( Files Created From 2010-07-21 to 2010-08-21 )))))))))))))))))))))))))))))))))
.
2010-08-21 16:25 . 2010-08-21 16:25 0 ----a-w- c:\windows\nsreg.dat
2010-08-21 16:25 . 2010-08-21 16:25 -------- d-----w- c:\documents and settings\Administrator\Lokale innstillinger\Programdata\Mozilla
2010-08-21 13:26 . 2010-08-21 16:04 -------- d-----w- c:\documents and settings\All Users\Programdata\Spybot - Search & Destroy
2010-08-21 12:24 . 2010-08-21 12:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-21 08:08 . 2010-08-21 08:08 -------- d-----w- c:\documents and settings\Administrator\Programdata\Malwarebytes
2010-08-21 08:08 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-21 08:07 . 2010-08-21 08:07 -------- d-----w- c:\documents and settings\All Users\Programdata\Malwarebytes
2010-08-21 08:07 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-21 08:07 . 2010-08-21 08:08 -------- d-----w- c:\programfiler\Malwarebytes' Anti-Malware
2010-08-20 21:53 . 2010-08-20 21:53 -------- d--h--w- c:\documents and settings\1505hvmo\InstallAnywhere
2010-08-20 21:50 . 2010-08-20 21:51 -------- d-----w- c:\documents and settings\1505hvmo\Programdata\BitTorrent
2010-08-20 19:52 . 2010-08-20 19:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-20 12:19 . 2010-08-20 12:19 -------- d-----w- c:\documents and settings\Administrator\Lokale innstillinger\Programdata\PCHealth
2010-08-19 13:18 . 2010-08-19 13:18 -------- d-----w- c:\documents and settings\1505hvmo\Programdata\Sports Interactive
2010-08-07 19:18 . 2010-08-07 19:18 -------- d--h--w- c:\windows\PIF
2010-08-05 20:39 . 2010-08-05 20:39 503808 ----a-w- c:\documents and settings\Administrator\Programdata\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5df9c3ab-n\msvcp71.dll
2010-08-05 20:39 . 2010-08-05 20:39 499712 ----a-w- c:\documents and settings\Administrator\Programdata\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5df9c3ab-n\jmc.dll
2010-08-05 20:39 . 2010-08-05 20:39 348160 ----a-w- c:\documents and settings\Administrator\Programdata\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5df9c3ab-n\msvcr71.dll
2010-08-05 20:39 . 2010-08-05 20:39 61440 ----a-w- c:\documents and settings\Administrator\Programdata\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4ea596b7-n\decora-sse.dll
2010-08-05 20:39 .
2010-08-05 20:39 12800 ----a-w- c:\documents and settings\Administrator\Programdata\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4ea596b7-n\decora-d3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-21 22:35 . 2010-07-18 19:51 -------- d-----w- c:\documents and settings\Administrator\Programdata\LimeWire
2010-08-21 22:32 . 2009-11-04 15:16 -------- d-----w- c:\programfiler\LanSchool
2010-08-21 22:06 . 2010-06-15 23:56 -------- d-----w- c:\documents and settings\Administrator\Programdata\Spotify
2010-08-21 21:04 . 2010-06-16 20:28 -------- d-----w- c:\programfiler\DesktopEarth
2010-08-21 20:12 . 2010-06-16 21:03 -------- d-----w- c:\documents and settings\Administrator\Programdata\vlc
2010-08-21 19:36 . 2010-06-16 17:38 -------- d-----w- c:\documents and settings\Administrator\Programdata\BitTorrent
2010-08-21 12:43 . 2010-07-01 18:51 -------- d-----w- c:\documents and settings\Administrator\Programdata\Skype
2010-08-21 12:17 . 2010-07-01 18:52 -------- d-----w- c:\documents and settings\Administrator\Programdata\skypePM
2010-08-20 22:09 . 2009-06-12 12:49 -------- d--h--w- c:\programfiler\InstallShield Installation Information
2010-08-20 21:57 . 2010-06-03 09:39 -------- d-----w- c:\documents and settings\1505hvmo\Programdata\Skype
2010-08-20 20:04 . 2010-06-03 10:14 -------- d-----w- c:\documents and settings\1505hvmo\Programdata\skypePM
2010-08-20 19:27 . 2008-08-03 12:01 210816 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-08-14 08:01 . 2009-06-12 12:13 -------- d-----w- c:\programfiler\Microsoft Silverlight
2010-07-28 10:43 . 2010-06-16 20:28 29926 ----a-r- c:\documents and settings\Administrator\Programdata\Microsoft\Installer\{DBA5E973-660D-4CBE-A469-F5C37FBF0CE4}\_CE4FFA1DD37E7C505AED29.exe
2010-07-28 10:43 . 2010-06-16 20:28 29926 ----a-r- c:\documents and settings\Administrator\Programdata\Microsoft\Installer\{DBA5E973-660D-4CBE-A469-F5C37FBF0CE4}\_C1A9BF9D98647632ED5172.exe
2010-07-28 10:43 . 2010-06-16 20:28 29926 ----a-r- c:\documents and settings\Administrator\Programdata\Microsoft\Installer\{DBA5E973-660D-4CBE-A469-F5C37FBF0CE4}\_6FEFF9B68218417F98F549.exe
2010-07-27 11:04 . 2008-08-03 12:02 84518 ----a-w- c:\windows\system32\perfc014.dat
2010-07-27 11:04 . 2008-08-03 12:02 457746 ----a-w- c:\windows\system32\perfh014.dat
2010-07-21 14:07 . 2010-07-21 14:07 -------- d-----w- c:\programfiler\Fellesfiler\Apple
2010-07-21 14:07 . 2010-07-21 14:07 -------- d-----w- c:\programfiler\QuickTime
2010-07-21 14:06 . 2010-07-21 14:06 -------- d-----w- c:\documents and settings\All Users\Programdata\Apple Computer
2010-07-16 16:23 . 2010-07-16 16:23 -------- d-----w- c:\documents and settings\Administrator\Programdata\Apple Computer
2010-07-06 09:04 . 2010-07-06 09:04 61232 ----a-w- c:\windows\system32\lskhook64.dll
2010-07-06 09:04 . 2010-07-06 09:04 75056 ----a-w- c:\windows\system32\lskhook.dll
2010-07-05 18:51 . 2010-07-05 18:51 -------- d-----w- c:\programfiler\Apple Software Update
2010-07-05 18:51 . 2010-07-05 18:51 -------- d-----w- c:\documents and settings\All Users\Programdata\Apple
2010-07-01 18:52 . 2010-07-01 18:52 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-01 18:51 . 2010-07-01 18:51 -------- d-----r- c:\programfiler\Skype
2010-07-01 18:51 . 2010-07-01 18:51 -------- d-----w- c:\programfiler\Fellesfiler\Skype
2010-07-01 18:50 . 2010-06-03 09:39 -------- d-----w- c:\documents and settings\All Users\Programdata\Skype
2010-06-30 10:51 . 2010-06-30 10:51 371272 ----a-r- c:\documents and settings\1505hvmo\Programdata\Microsoft\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
2010-06-27 15:56 . 2010-06-15 21:20 -------- d-----w- c:\programfiler\Opera
2010-06-16 19:01 . 2010-06-16 19:01 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-15 23:56 . 2010-06-15 23:56 655360 ----a-w- c:\documents and settings\Administrator\Programdata\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-06-15 23:56 . 2010-06-15 23:56 282624 ----a-w- c:\documents and settings\Administrator\Programdata\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-06-15 23:56 . 2010-06-15 23:56 208896 ----a-w- c:\documents and settings\Administrator\Programdata\Spotify\Gracenote\gnsdk_dsp.dll
2010-06-15 20:55 . 2010-06-15 20:55 503808 ----a-w- c:\documents and settings\Administrator\Programdata\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f75a956-n\msvcp71.dll
2010-06-15 20:55 . 2010-06-15 20:55 499712 ----a-w- c:\documents and settings\Administrator\Programdata\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f75a956-n\jmc.dll
2010-06-15 20:55 . 2010-06-15 20:55 348160 ----a-w- c:\documents and settings\Administrator\Programdata\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f75a956-n\msvcr71.dll
2010-06-15 20:54 . 2010-06-15 20:54 61440 ----a-w- c:\documents and settings\Administrator\Programdata\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7329539c-n\decora-sse.dll
2010-06-15 20:54 . 2010-06-15 20:54 12800 ----a-w- c:\documents and settings\Administrator\Programdata\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7329539c-n\decora-d3d.dll
2010-06-15 20:48 . 2010-06-15 20:48 85176 ----a-w- c:\documents and settings\Administrator\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2010-06-10 16:46 . 2010-06-10 16:46 153600 ----a-w- c:\documents and settings\1505hvmo\Programdata\Sun\Java\Deployment\cache\6.0\39\1d7a9127-66ffc9b9-n\lwjgl.dll
2010-06-07 20:47 . 2010-06-07 20:46 87 ----a-w- c:\documents and settings\1505hvmo\jagex_runescape_preferences2.dat
2010-06-07 20:46 . 2010-06-07 20:45 42 ----a-w- c:\documents and settings\1505hvmo\jagex_runescape_preferences.dat
2010-06-07 20:46 .
2010-06-07 20:46 0 ----a-w- c:\documents and settings\1505hvmo\jagex__preferences3.dat
2010-05-31 07:34 . 2010-05-31 07:34 503808 ----a-w- c:\documents and settings\1505hvmo\Programdata\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-20880a3a-n\msvcp71.dll
2010-05-31 07:34 . 2010-05-31 07:34 499712 ----a-w- c:\documents and settings\1505hvmo\Programdata\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-20880a3a-n\jmc.dll
2010-05-31 07:34 . 2010-05-31 07:34 348160 ----a-w- c:\documents and settings\1505hvmo\Programdata\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-20880a3a-n\msvcr71.dll
2010-05-31 07:34 . 2010-05-31 07:34 61440 ----a-w- c:\documents and settings\1505hvmo\Programdata\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73a6983d-n\decora-sse.dll
2010-05-31 07:34 . 2010-05-31 07:34 12800 ----a-w- c:\documents and settings\1505hvmo\Programdata\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73a6983d-n\decora-d3d.dll
2009-06-01 17:19 . 2009-06-01 17:19 6253 ----a-w- c:\programfiler\eula.rtf
.
(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\dllcache\explorer.exe [x] [-] A67E9F4D1702203DEAA4B1A0ED2A792C 1033728 \RP4\A0003083.exe
c:\windows\system32\dllcache\winlogon.exe [x] [-] AEF02169B75C963E95040A26944E22BD 506880 \RP4\A0000450.exe
.
------- Sigcheck -------
[-] 2010-08-20 19:27 . !HASH: COULD NOT OPEN FILE !!!!! . 210816 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-08-20 19:27 . !HASH: COULD NOT OPEN FILE !!!!! . 210816 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-15 . 68EF5586A73B55BBA6CFC92FE1E33B36 . 506880 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-15 . A67E9F4D1702203DEAA4B1A0ED2A792C . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-08-21_21.04.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-21 22:20 .
2010-08-21 22:20 16384 c:\windows\Temp\Perflib_Perfdata_338.dat
+ 2010-08-21 22:32 . 2010-08-21 22:32 16384 c:\windows\Temp\Perflib_Perfdata_248.dat
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Swedish.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Swedish.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Spanish.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Spanish.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\PortugueseBrazilian.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\PortugueseBrazilian.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut8_57F014000F314BE984FA68DAF3EDB629.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut8_57F014000F314BE984FA68DAF3EDB629.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut4_57F014000F314BE984FA68DAF3EDB629.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut4_57F014000F314BE984FA68DAF3EDB629.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut2_57F014000F314BE984FA68DAF3EDB629.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut2_57F014000F314BE984FA68DAF3EDB629.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut2_01B928542FD2483DBC92A5C3611FBF0F.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut2_01B928542FD2483DBC92A5C3611FBF0F.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut1_57F014000F314BE984FA68DAF3EDB629.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut1_57F014000F314BE984FA68DAF3EDB629.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut1.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut1.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Japanese.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Japanese.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Italian.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Italian.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\FrenchCanadian.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\FrenchCanadian.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\English.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\English.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\DataStudioDesktop.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\DataStudioDesktop.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\DataStudio_German_47E8DEFABB1544659378F993E9E0CF41.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\DataStudio_German_47E8DEFABB1544659378F993E9E0CF41.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\DataStudio.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\DataStudio.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Danish.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Danish.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Chinese.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Chinese.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\ARPPRODUCTICON.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\ARPPRODUCTICON.exe
- 2009-11-05 11:23 . 2009-11-05 11:23 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Arabic.exe
+ 2009-11-05 11:23 . 2010-08-21 22:34 40960 c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\Arabic.exe
.
(((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programfiler\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-04-16 746792]
"WatchDog"="c:\programfiler\InterVideo\DVD Check\DVDCheck.exe" [2008-05-23 197904]

c:\documents and settings\Administrator\Start-meny\Programmer\Oppstart\
DesktopEarth AutoStart.lnk - c:\documents and settings\Administrator\Programdata\Microsoft\Installer\{DBA5E973-660D-4CBE-A469-F5C37FBF0CE4}\_C1A9BF9D98647632ED5172.exe [2010-6-16 29926]
LimeWire On Startup.lnk - c:\programfiler\LimeWire\LimeWire.exe [2010-7-8 503808]

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
DVD Check.lnk - c:\programfiler\InterVideo\DVD Check\DVDCheck.exe [2009-6-12 197904]
PASPortal.lnk - c:\windows\Installer\{7AC82557-3E93-4896-83E0-6BCC1A869F98}\NewShortcut1.exe [2009-11-5 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\programfiler\Novell\ZENworks\bin\NalShell.dll" [2009-12-11 929792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-05-15 14:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-15 14:08 281088 ----a-w- c:\programfiler\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LCredMgr]
2009-06-24 17:58 61440 ----a-w- c:\programfiler\Novell\CASA\bin\lcredmgr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nzrNotifier]
2009-11-20 06:36 57344 ----a-w- c:\windows\system32\nzrNotifier.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1584278910-2727298251-198245966-46329\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1584278910-2727298251-198245966-5694\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1584278910-2727298251-198245966-87039\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-961192664-1044802044-2078469417-43630\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\LanSchoolStudent]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\LanSchool\\student.exe"=
"c:\\Programfiler\\BitTorrent\\bittorrent.exe"=
"c:\\Programfiler\\Spotify\\spotify.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7628:TCP"= 7628:TCP:ZENworks TCP - Port 7628
"7628:UDP"= 7628:UDP:ZENworks UDP - Port 7628
"63287:TCP"= 63287:TCP:Trend Micro OfficeScan Listener

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [8/18/2009 10:31 AM 24064]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [8/3/2008 2:12 PM 10880]
R2 accoca;ActivClient Middleware Service;c:\programfiler\ActivIdentity\ActivClient\accoca.exe [5/15/2007 4:08 PM 182576]
R2 LanSchoolStudent;LanSchool Student Service;c:\programfiler\LanSchool\student.exe [7/6/2010 11:05 AM 1054000]
R2 Novell Identity Store;Novell Identity Store;c:\programfiler\Novell\CASA\bin\micasad.exe [6/24/2009 7:58 PM 245760]
R2 Novell ZENworks Agent Service;Novell ZENworks Agent Service;c:\programfiler\Novell\ZENworks\bin\ZenworksWindowsService.exe [11/26/2009 12:45 PM 28672]
R2 nzwinvnc;Novell ZENworks Remote Management powered by VNC;c:\programfiler\Novell\ZENworks\bin\nzrWinVNC.exe -service --> c:\programfiler\Novell\ZENworks\bin\nzrWinVNC.exe -service [?]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [8/17/2009 12:26 PM 50192]
R2 TmFilter;Trend Micro Filter;c:\programfiler\Trend Micro\OfficeScan Client\TmXPFlt.sys [5/22/2009 1:02 AM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\programfiler\Trend Micro\OfficeScan Client\tmpreflt.sys [5/22/2009 1:00 AM 36368]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [8/13/2009 5:31 PM 9176]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [4/7/2009 1:50 PM 31896]
R3 tmcfw;tmcfw;c:\windows\system32\drivers\TM_CFW.sys [2/23/2009 12:32 PM 338960]
R3 TmPfw;OfficeScan NT Firewall;c:\programfiler\Trend Micro\OfficeScan Client\TmPfw.exe [2/23/2009 12:32 PM 488768]
S2 gupdate1c9ec307e332d60;Googles oppdateringstjeneste (gupdate1c9ec307e332d60);c:\programfiler\Google\Update\GoogleUpdate.exe [6/13/2009 4:08 PM 133104]
S3 Com4QLBEx;Com4QLBEx;c:\programfiler\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [8/18/2009 12:57 PM 193840]
S3 RoxMediaDB10;RoxMediaDB10;c:\programfiler\Fellesfiler\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/8/2008 2:12 PM 1112560]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [6/21/2007 4:40 AM 56448]
S3 TmProxy;OfficeScan NT Proxy Service;c:\programfiler\Trend Micro\OfficeScan Client\TmProxy.exe [2/23/2009 12:31 PM 652552]
S3 ZENPreAgent;Novell ZENworks Pre Agent;c:\windows\novell\zenworks\bin\ZENPreAgent.exe [8/13/2009 5:28 PM 188416]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/16/2010 9:01 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-06-20 10:47 451872 ----a-w- c:\programfiler\Fellesfiler\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programfiler\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-08-21 c:\windows\Tasks\Google Software Updater.job
- c:\programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-13 14:08]

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programfiler\Google\Update\GoogleUpdate.exe [2009-06-13 14:08]

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programfiler\Google\Update\GoogleUpdate.exe [2009-06-13 14:08]

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-866411099-3860770546-1621290543-500Core.job
- c:\documents and settings\Administrator\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe [2010-06-19 17:02]

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-866411099-3860770546-1621290543-500UA.job
- c:\documents and settings\Administrator\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe [2010-06-19 17:02]

2010-08-21 c:\windows\Tasks\User_Feed_Synchronization-{A0CCED10-2886-49BC-A483-EB00AF7419B3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://svgs.vfk.no
mStart Page = hxxp://svgs.vfk.no
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
DPF: DirectEdit - hxxps://vfk.itslearning.com/file/DirectEdit.CAB
FF - ProfilePath - c:\documents and settings\Administrator\Programdata\Mozilla\Firefox\Profiles\ppmrok2n.default\
FF - plugin: c:\documents and settings\Administrator\Lokale innstillinger\Programdata\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\programfiler\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programfiler\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\programfiler\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programfiler\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\programfiler\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programfiler\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programfiler\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programfiler\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\programfiler\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-22 00:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x89CE90E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf754bf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf7211852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® WiFi Link 5100 AGN -> SendCompleteHandler -> NDIS.sys @ 0x89cd0bb0
PacketIndicateHandler -> NDIS.sys @ 0x89cdda21
SendHandler -> NDIS.sys @ 0x89cbb87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LÅSTE REGISTERNØKLER --------------------- [HKEY_USERS\S-1-5-21-866411099-3860770546-1621290543-500\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,34,9f,d2,40,f3,35,46,bd,c6,e1,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,34,9f,d2,40,f3,35,46,bd,c6,e1,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . 
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------
- - - - - - - > 'winlogon.exe'(1148)
c:\windows\system32\ZENPol.dll
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\programfiler\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\programfiler\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\windows\system32\msi.dll
c:\windows\system32\nzrNotifier.dll
c:\programfiler\Novell\ZENworks\bin\nzrLogger.dll
c:\programfiler\Novell\ZENworks\bin\modules\RemotingService.dll
c:\programfiler\Novell\ZENworks\bin\zmd.dll
c:\programfiler\Novell\ZENworks\bin\Novell.Zenworks.Logger.dll
c:\programfiler\Novell\ZENworks\bin\Novell.Zenworks.extlogger.dll
c:\programfiler\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\programfiler\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\programfiler\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\programfiler\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll
- - - - - - - > 'explorer.exe'(4512)
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andre Kjørende Prosesser ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\programfiler\Novell\ZENworks\bin\TSUsage32.exe
c:\windows\system32\agrsmsvc.exe
c:\programfiler\Fellesfiler\InterVideo\RegMgr\iviRegMgr.exe
c:\programfiler\Java\jre6\bin\jqs.exe
c:\programfiler\Fellesfiler\LightScribe\LSSrvc.exe
c:\programfiler\ActivIdentity\ActivClient\acevents.exe
c:\programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\mdm.exe
c:\programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\programfiler\Novell\ZENworks\bin\nzrWinVNC.exe
c:\programfiler\Trend Micro\OfficeScan Client\tmlisten.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programfiler\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\programfiler\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\msiexec.exe
c:\programfiler\DataStudio\PASPortal.exe
c:\programfiler\DesktopEarth\DesktopEarth.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2010-08-22 00:36:48 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2010-08-21 22:36
ComboFix2.txt 2010-08-21 21:07
Pre-Run: 18,111,029,248 byte ledig
Post-Run: 18,094,903,296 byte ledig
- - End Of File - - AEF3A2925020DDF7214965498CCAE86F
T.O.E Posted 22 August 2010 (Author, edited) Does it look good? The Malwarebytes scan still finds the two Rootkit.Agent files in C:\WINDOWS\system32\Drivers\ntndis.sys and C:\WINDOWS\system32\ipsecndis.sys. Edited 22 August 2010 by T.O.E
T.O.E Posted 30 August 2010 (Author) The log from Malwarebytes:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Databaseversjon: 4507
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/30/2010 5:17:04 PM
mbam-log-2010-08-30 (17-17-04).txt
Skanntype: Hurtigsøk
Objekter skannet: 188230
Tid tilbakelagt: 6 minutt(er), 45 sekund(er)
Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert 2
Minneprosesser infisert:
(Ingen skadelige objekter funnet)
Minnemoduler infisert:
(Ingen skadelige objekter funnet)
Registernøkler infisert:
(Ingen skadelige objekter funnet)
Registerverdier infisert:
(Ingen skadelige objekter funnet)
Registerfiler infisert:
(Ingen skadelige objekter funnet)
Mapper infisert:
(Ingen skadelige objekter funnet)
Filer infisert
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.