hkbruvold, posted 3 September 2010 (edited)

We are about 9 people on a local network run by a router in a student house. It turns out that one of the computers has a virus, which has evidently spread via the local network to other machines. The router has automatically blocked certain ports out towards the internet to prevent further spreading. From the Comodo log it looks like the first blocks happened on 23 August. It seems that all the requests have been blocked. From the Comodo log it looks like it concerns the program "System", but that was only before 29 August. At some point the program changed to "Windows Operating System". I have not noticed anything abnormal (apart from the Comodo log filling up and the router blocking certain ports). I have run MBAM and ComboFix.

Here is a screenshot from Comodo (log from 29 August):

Log from MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Databaseversjon: 4535

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

03.09.2010 16:24:33
mbam-log-2010-09-03 (16-24-33).txt

Skanntype: Hurtigsøk
Objekter skannet: 134041
Tid tilbakelagt: 8 minutt(er), 39 sekund(er)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 3
Mapper infisert: 0
Filer infisert 1

Minneprosesser infisert:
(Ingen skadelige objekter funnet)

Minnemoduler infisert:
(Ingen skadelige objekter funnet)

Registernøkler infisert:
(Ingen skadelige objekter funnet)

Registerverdier infisert:
(Ingen skadelige objekter funnet)

Registerfiler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Mapper infisert:
(Ingen skadelige objekter funnet)

Filer infisert
C:\Documents and Settings\Hans-Kristian\Local Settings\Temp\comver.dll (Adware.GameSpyArcade) -> Quarantined and deleted successfully.

Log from ComboFix:

ComboFix 10-09-02.03 - Hans-Kristian 03.09.2010 16:44:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2923 [GMT 2:00]
Running from: c:\documents and settings\Hans-Kristian\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Install.exe
.
((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))
.
2010-09-03 14:10 . 2010-09-03 14:10 -------- d-----w- c:\documents and settings\Hans-Kristian\Application Data\Malwarebytes
2010-09-03 14:10 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-03 14:10 . 2010-09-03 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-03 14:10 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-03 14:10 . 2010-09-03 14:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-01 18:28 . 2010-09-01 18:28 -------- d-----w- c:\documents and settings\Hans-Kristian\Application Data\vlc
2010-08-31 17:52 . 2010-08-31 17:52 -------- d-----w- c:\program files\JRE
2010-08-30 20:35 . 2010-08-30 20:35 -------- d-----w- c:\documents and settings\Hans-Kristian\Application Data\Wireshark
2010-08-30 20:31 . 2010-08-30 20:31 -------- d-----w- c:\program files\WinPcap
2010-08-30 20:31 . 2010-08-30 20:32 -------- d-----w- c:\program files\Wireshark
2010-08-30 19:30 . 2010-08-30 19:30 -------- d-----w- c:\program files\Common Files\Skype
2010-08-29 16:49 . 2010-08-29 16:49 -------- d-----w- c:\documents and settings\Hans-Kristian\Application Data\Launchy
2010-08-29 16:49 . 2010-08-29 16:49 -------- d-----w- c:\program files\Launchy
2010-08-24 17:18 . 2010-08-24 17:18 -------- d-----w- c:\program files\CPUID
2010-08-24 17:18 . 2010-05-11 10:00 20072 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-08-19 15:13 . 2010-08-19 15:13 655360 ----a-w- c:\documents and settings\Hans-Kristian\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-08-19 15:13 . 2010-08-19 15:13 282624 ----a-w- c:\documents and settings\Hans-Kristian\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-08-19 15:13 . 2010-08-19 15:13 208896 ----a-w- c:\documents and settings\Hans-Kristian\Application Data\Spotify\Gracenote\gnsdk_dsp.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 14:32 . 2010-03-19 17:21 -------- d-----w- c:\program files\SpeedFan
2010-09-03 14:21 . 2008-06-29 20:18 -------- d-----w- c:\documents and settings\Hans-Kristian\Application Data\Skype
2010-09-03 14:19 . 2008-06-29 20:18 -------- d-----w- c:\documents and settings\Hans-Kristian\Application Data\skypePM
2010-09-03 13:53 . 2009-10-28 13:28 -------- d-----w- c:\documents and settings\Hans-Kristian\Application Data\Spotify
2010-09-02 20:16 . 2009-10-03 17:08 712856 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-09-02 20:15 . 2010-03-19 14:33 -------- d-----w- c:\documents and settings\Hans-Kristian\Application Data\Mumble
2010-09-02 16:16 . 2009-04-18 19:50 -------- d-----w- c:\program files\Steam
2010-09-01 16:32 . 2008-10-25 09:20 1 ----a-w- c:\documents and settings\Hans-Kristian\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-01 13:09 . 2008-06-27 12:31 22104 ----a-w- c:\documents and settings\Hans-Kristian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-31 19:12 . 2008-07-09 17:32 -------- d-----w- c:\program files\Notepad++
2010-08-31 17:52 . 2008-10-25 08:35 -------- d-----w- c:\program files\OpenOffice.org 3
2010-08-31 14:52 . 2008-07-06 03:24 -------- d-----w- c:\program files\NVIDIA Corporation
2010-08-30 19:30 . 2008-06-29 20:16 -------- d-----r- c:\program files\Skype
2010-08-30 19:30 . 2008-06-29 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-29 19:46 . 2010-03-19 14:32 -------- d-----w- c:\program files\Mumble
2010-08-25 12:24 . 2009-07-05 19:59 -------- d-----w- c:\program files\Fallout 3
2010-08-16 06:22 . 2009-08-02 00:53 -------- d-----w- c:\documents and settings\Hans-Kristian\Application Data\Audacity
2010-08-01 19:12 . 2009-08-01 16:50 -------- d-----w- c:\documents and settings\Hans-Kristian\Application Data\Red Alert 3
2010-07-15 17:28 . 2010-07-15 17:28 664 ----a-w- c:\documents and settings\Hans-Kristian\Local Settings\Application Data\d3d9caps.tmp
2010-07-12 16:59 . 2010-07-12 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2010-07-12 16:54 . 2010-07-12 16:54 -------- d-----w- c:\program files\COMODO
2010-07-12 16:51 . 2010-07-12 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-07-12 16:50 . 2010-07-12 16:50 -------- d-----w- c:\program files\winMd5Sum
2010-06-25 17:07 . 2010-06-25 17:07 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-06-25 17:07 . 2010-06-25 17:07 100880 ----a-w- c:\windows\system32\Packet.dll
2010-06-25 17:07 . 2010-06-25 17:07 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2010-06-25 17:03 . 2010-06-25 17:03 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2010-06-07 06:44 . 2010-06-23 09:10 86016 ----a-w- c:\documents and settings\Hans-Kristian\Application Data\Mozilla\Firefox\Profiles\rs38f4hq.default\extensions\[email protected]\platform\WINNT_x86-msvc\components\ipc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZScreen"="c:\program files\ZScreen\ZScreen.exe" [2010-03-16 1376256]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 2094352]
"SpeedFan"="c:\program files\SpeedFan\speedfan.exe" [2009-11-25 4009592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2010-8-29 405504]
VirtuaWin.lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2009-8-31 116224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SetPointII.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SetPointII.lnk
backup=c:\windows\pss\SetPointII.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZScreen.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ZScreen.lnk
backup=c:\windows\pss\ZScreen.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Hans-Kristian^Start Menu^Programs^Startup^Logitech . Produktregistrering.lnk]
path=c:\documents and settings\Hans-Kristian\Start Menu\Programs\Startup\Logitech . Produktregistrering.lnk
backup=c:\windows\pss\Logitech . Produktregistrering.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Hans-Kristian^Start Menu^Programs^Startup^SetPoint.lnk]
path=c:\documents and settings\Hans-Kristian\Start Menu\Programs\Startup\SetPoint.lnk
backup=c:\windows\pss\SetPoint.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 15:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
2007-07-17 23:30 1687824 ----a-w- c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LgDevAgt]
2007-07-18 00:13 99600 ----a-w- c:\program files\Logitech\GamePanel Software\LGDevAgt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LCDMisc]
2010-03-04 21:01 477184 ----a-w- c:\documents and settings\Hans-Kristian\Desktop\G15 LCD\LCD Miscellany\LCD Miscellany 0.4.5.1\LCDMisc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2009-06-17 08:55 55824 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobile Connectivity Suite]
2009-05-27 14:46 598016 ----a-r- c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 03:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
2009-02-25 17:55 2781184 ----a-w- c:\program files\RivaTuner v2.24\RivaTuner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-11 16:21 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\generals.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\EA Games\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Midway Games\\Hour of Victory\\Binaries\\LTCG-HOVGame.exe"=
"c:\\Program Files\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Electronic Arts\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\Nexuiz\\Nexuiz\\nexuiz.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Ubisoft\\THE SETTLERS - Rise of an Empire\\base\\bin\\Settlers6.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Codemasters\\OF Dragon Rising\\OFDR.exe"=
"c:\\Program Files\\LuxRender\\luxconsole.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fuel\\GameSetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\soldiers heroes of world war 2\\soldiers.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\risen\\bin\\Risen.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\overlord ii\\Overlord2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\overlord ii\\Config.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's pirates!\\Pirates!.exe"=
"c:\\Program Files\\City Interactive\\Sniper Ghost Warrior\\Sniper_x86.exe"=
"c:\\Program Files\\Mumble\\murmur.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1337:TCP"= 1337:TCP:generals
"1337:UDP"= 1337:UDP:generals

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12.07.2010 18:22 165456]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [04.06.2010 11:55 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [01.06.2010 19:00 25240]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [31.07.2009 20:08 115856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [31.07.2009 20:08 41424]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12.07.2010 18:22 17744]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [24.08.2010 19:18 20072]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [23.12.2009 16:38 10384]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [10.07.2009 17:51 99472]
S2 gupdate1ca1a9fdaf95118;Googles oppdateringstjeneste (gupdate1ca1a9fdaf95118);c:\program files\Google\Update\GoogleUpdate.exe [11.08.2009 18:22 133104]
S3 AR2425;abit AirPace Wi-Fi Wireless Network Adapter Service;c:\windows\system32\drivers\aw5006.sys [27.06.2008 14:20 556832]
S3 cpuz130;cpuz130;\??\c:\docume~1\HANS-K~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\HANS-K~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [30.10.2009 20:01 25728]
S3 ldiskl;ldiskl;\??\c:\docume~1\HANS-K~1\LOCALS~1\Temp\ldiskl.sys --> c:\docume~1\HANS-K~1\LOCALS~1\Temp\ldiskl.sys [?]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\drivers\LwAdiHid.sys [29.03.2009 11:50 20864]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25.06.2010 19:07 35088]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [16.05.2010 09:15 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [16.05.2010 09:15 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [16.05.2010 09:15 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [16.05.2010 09:15 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [16.05.2010 09:15 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [16.05.2010 09:15 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [16.05.2010 09:15 115752]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [15.01.2009 17:13 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [15.01.2009 17:13 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [15.01.2009 17:13 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [15.01.2009 17:13 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [15.01.2009 17:13 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [15.01.2009 17:13 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [15.01.2009 17:13 90800]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [31.07.2009 20:08 91472]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [05.07.2008 23:59 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-13 16:21]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-11 16:21]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-11 16:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = localhost:8080
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\program files\WideCap\widecapdrv.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Hans-Kristian\Application Data\Mozilla\Firefox\Profiles\rs38f4hq.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\Hans-Kristian\Application Data\Mozilla\Firefox\Profiles\rs38f4hq.default\extensions\[email protected]\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Hans-Kristian\Application Data\Mozilla\Firefox\Profiles\rs38f4hq.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Hans-Kristian\Application Data\Mozilla\Firefox\Profiles\rs38f4hq.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Opera\program\plugins\np_gp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-ROTR Public Beta - c:\program files\EA Games\Command & Conquer Generals Zero Hour ROTR\Uinst_ROTR_Beta.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 16:56
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-1844823847-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2052111302-1844823847-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c3,d0,3e,02,3f,9b,11,0f,23,4d,0f,3f,79,63,06,89,21,d7,04,f4,3d,c7,d2,
 3e,ee,cf,01,92,76,92,74,25,dc,42,6a,91,b7,c2,a5,59,a8,62,4c,2f,21,4d,b7,c0,\
"??"=hex:80,11,0e,7a,bd,52,a5,e2,3c,ec,d2,b2,09,0e,11,43

[HKEY_USERS\S-1-5-21-2052111302-1844823847-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:dd,4f,9e,3a,0b,23,63,6f,d3,66,54,d3,e7,f5,a8,6b,59,81,90,f7,aa,
 3a,e5,65,4d,3e,39,ea,55,3d,ac,7b,08,c3,f6,2f,14,71,51,df,e4,aa,99,c2,40,57,\
"rkeysecu"=hex:61,45,ec,71,23,3c,98,fe,08,29,3d,0b,33,f3,38,4d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(664)
c:\program files\WideCap\widecapdrv.dll
c:\program files\WideCap\proxy32.dll
.
Completion time: 2010-09-03 16:58:17
ComboFix-quarantined-files.txt 2010-09-03 14:58

Pre-Run: 9 881 075 712 bytes free
Post-Run: 10 417 393 664 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - E9B3BB6FC5D897F1FA6359D70552CC9F

I have no idea where the virus is, but it seems I am keeping it in check after I blocked ports 135-139 in Comodo. And thanks in advance.

EDIT: Put the logs in a spoiler.

Edited 5 September 2010 by hkbruvold
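The logs above contain the kind of entries a defender should pull out before deciding what to clean: Security Center notifications turned off, the firewall disabled or overridden, a browser proxy pointing at localhost, a driver registered from a Temp folder, a Winsock LSP, and non-Windows DLLs mapped into lsass.exe. The script below is an added example, not code from the post, from ComboFix or from Malwarebytes. It runs a small rule set over log text of this shape and returns each suspicious line with a note. The rule names, patterns and notes are this example's own assumptions; the sample lines are copied from the logs in the post.

```python
"""Triage pass over ComboFix/MBAM-style text logs (added example; assumed rules).

Flags settings and load points a defender would verify by hand: Security
Center notifications disabled, firewall off or overridden, a localhost
proxy, a kernel driver registered from a Temp folder, a Winsock LSP, an
AppInit DLL, ntdll hooks, and non-Windows DLLs loaded inside lsass.exe.
Rule names, patterns and notes are this example's own assumptions, not
ComboFix or Malwarebytes output categories.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str   # short rule name (assumed naming)
    line: str   # the log line that triggered it
    note: str   # why a defender should look at it


# Single-line rules: (rule name, regex, note). Patterns assume ComboFix/MBAM layout.
LINE_RULES = [
    ("av_realtime_off", r"^AV: .*\*On-access scanning disabled\*",
     "on-access antivirus scanning is off"),
    ("fw_product_off", r"^FW: .*\*disabled\*",
     "third-party firewall reports itself disabled"),
    ("secctr_notify_off", r"Security Center\\(AntiVirus|Firewall|Updates)DisableNotify",
     "Security Center warning suppressed (classic malware tampering)"),
    ("firewall_override", r'^"FirewallOverride"=dword:0*1$',
     "Security Center told to stop reporting firewall state"),
    ("firewall_disabled", r'^"EnableFirewall"=\s*0\b',
     "Windows Firewall standard profile off (may be intended when another firewall is installed)"),
    ("proxy_localhost", r"ProxyServer = (localhost|127\.0\.0\.1):\d+",
     "browser traffic routed through a local proxy; identify the listener"),
    ("driver_in_temp", r"^[RS]\d \S+;.*\\Temp\\[^;\s]*\.sys",
     "kernel driver registered from a Temp directory"),
    ("lsp_entry", r"^LSP: ",
     "Winsock LSP installed; verify the DLL's vendor"),
    ("appinit_dll", r'^"AppInit_DLLs"=\S',
     "AppInit_DLLs loads into every GUI process; verify the DLL"),
    ("ntdll_hook", r"^detected NTDLL code modification",
     "user-mode hooks on ntdll (often security software, still worth confirming)"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), note) for name, pat, note in LINE_RULES]

# Header line of the "DLLs Loaded Under Running Processes" block for lsass.exe.
LSASS_HEADER = re.compile(r"^- - - .*> 'lsass\.exe'\(\d+\)")


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: list[Finding] = []
    in_lsass = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if LSASS_HEADER.match(line):
            in_lsass = True
            continue
        if in_lsass:
            # The block ends at a lone "." or at the next process header.
            if line in (".", "") or line.startswith("- - -"):
                in_lsass = False
            elif not line.lower().startswith("c:\\windows\\"):
                findings.append(Finding("lsass_foreign_dll", line,
                                        "non-Windows DLL mapped into lsass.exe"))
            continue
        for name, regex, note in COMPILED:
            if regex.search(line):
                findings.append(Finding(name, line, note))
                break
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick summary."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample: lines copied from the post's MBAM and ComboFix logs.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [04.06.2010 11:55 229312]
S3 ldiskl;ldiskl;\??\c:\docume~1\HANS-K~1\LOCALS~1\Temp\ldiskl.sys --> c:\docume~1\HANS-K~1\LOCALS~1\Temp\ldiskl.sys [?]
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = localhost:8080
LSP: c:\program files\WideCap\widecapdrv.dll
detected NTDLL code modification:
ZwClose, ZwOpenFile
- - - - - - - > 'lsass.exe'(664)
c:\program files\WideCap\widecapdrv.dll
c:\program files\WideCap\proxy32.dll
.
Completion time: 2010-09-03 16:58:17
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.note}\n    {f.line}")
    print(rule_counts(triage(SAMPLE_LOG)))
```

Every flag is a lead, not a verdict: the AppInit DLL here sits in the COMODO install the log also lists, and the LSP, proxy and lsass entries all point at the WideCap directory that appears elsewhere in the same log, so the next step is to confirm what each of those products is and whether the user installed it, rather than to delete on sight. The Temp-directory driver and the suppressed Security Center notifications are the entries with no obvious benign owner in the log and deserve attention first.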