Tomhah
Posted 23 June 2007 (edited)

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:10:22, on 23.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Telenor\Online Start\Telenor.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Stein-Arild\Desktop\Hijackthis!\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.online.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A7A8363-D24D-454B-B1A6-D13DC087F2C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Online Start Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Program Files\Telenor\Online Start\IEFixItNowPlugin.dll
O2 - BHO: (no name) - {E5225210-F293-40FE-BB2F-D5A3C7F13C47} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iCQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Telenor Online Start] "C:\Program Files\Telenor\Online Start\Telenor.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [j1271035] rundll32 C:\WINDOWS\system32\j1271035.dll sook
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\erfixhqb.dll",realset
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_06) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_06) -
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://bente.eurofoto.no/activex/ImageUploader3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\egqcyipt.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O24 - Desktop Component 0: (no name) - http://www.mgr.fi/galleria_australia2006l.jpg

--
End of file - 8154 bytes

That was the HijackThis log, and here is the one from SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/23/2007 at 09:44 PM

Application Version : 3.8.1002

Core Rules Database Version : 3260
Trace Rules Database Version: 1271

Scan type : Complete Scan
Total Scan Time : 00:38:47

Memory items scanned : 434
Memory threats detected : 3
Registry items scanned : 5597
Registry threats detected : 40
File items scanned : 48770
File threats detected : 26

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\GEEBA.DLL
C:\WINDOWS\SYSTEM32\GEEBA.DLL
HKLM\Software\Classes\CLSID\{1A7A8363-D24D-454B-B1A6-D13DC087F2C0}
HKCR\CLSID\{1A7A8363-D24D-454B-B1A6-D13DC087F2C0}
HKCR\CLSID\{1A7A8363-D24D-454B-B1A6-D13DC087F2C0}\InprocServer32
HKCR\CLSID\{1A7A8363-D24D-454B-B1A6-D13DC087F2C0}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A7A8363-D24D-454B-B1A6-D13DC087F2C0}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\geeba

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\WVURPQO.DLL
C:\WINDOWS\SYSTEM32\WVURPQO.DLL
HKLM\Software\Classes\CLSID\{92A444D2-F945-4dd9-89A1-896A6C2D8D22}
HKCR\CLSID\{92A444D2-F945-4DD9-89A1-896A6C2D8D22}
HKCR\CLSID\{92A444D2-F945-4DD9-89A1-896A6C2D8D22}\InprocServer32
HKCR\CLSID\{92A444D2-F945-4DD9-89A1-896A6C2D8D22}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VWKRXHKE.DLL
HKLM\Software\Classes\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}
HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}
HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}\InprocServer32
HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\NHOBSQUR.DLL
HKLM\Software\Classes\CLSID\{E12BFF69-38A7-406e-A8EF-2738107A7831}
HKCR\CLSID\{E12BFF69-38A7-406E-A8EF-2738107A7831}
HKCR\CLSID\{E12BFF69-38A7-406E-A8EF-2738107A7831}\InprocServer32
HKCR\CLSID\{E12BFF69-38A7-406E-A8EF-2738107A7831}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\HTKDBQQS.DLL
HKLM\Software\Classes\CLSID\{E5225210-F293-40FE-BB2F-D5A3C7F13C47}
HKCR\CLSID\{E5225210-F293-40FE-BB2F-D5A3C7F13C47}
HKCR\CLSID\{E5225210-F293-40FE-BB2F-D5A3C7F13C47}\InprocServer32
HKCR\CLSID\{E5225210-F293-40FE-BB2F-D5A3C7F13C47}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5225210-F293-40FE-BB2F-D5A3C7F13C47}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{E5225210-F293-40FE-BB2F-D5A3C7F13C47}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\wvurpqo
HKCR\CLSID\{92A444D2-F945-4DD9-89A1-896A6C2D8D22}
HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}
HKCR\CLSID\{E12BFF69-38A7-406E-A8EF-2738107A7831}
HKCR\CLSID\{E5225210-F293-40FE-BB2F-D5A3C7F13C47}

Trojan.Downloader-CREW
C:\WINDOWS\SYSTEM32\TWGMPLKX.DLL
C:\WINDOWS\SYSTEM32\TWGMPLKX.DLL
HKLM\Software\Classes\CLSID\{7A79AA92-0CC5-4CD8-8175-F14BDD15C34f}
HKCR\CLSID\{7A79AA92-0CC5-4CD8-8175-F14BDD15C34F}
HKCR\CLSID\{7A79AA92-0CC5-4CD8-8175-F14BDD15C34F}\InprocServer32
HKCR\CLSID\{7A79AA92-0CC5-4CD8-8175-F14BDD15C34F}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A79AA92-0CC5-4CD8-8175-F14BDD15C34f}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{414DF493-84C2-4F33-82F5-45338DD1AFD7}\RP330\A0057169.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{414DF493-84C2-4F33-82F5-45338DD1AFD7}\RP331\A0057270.DLL

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SMAYIJPN.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}

Adware.Tracking Cookie
C:\Documents and Settings\Stein-Arild\Cookies\[email protected][1].txt
C:\Documents and Settings\Stein-Arild\Cookies\[email protected][2].txt
C:\Documents and Settings\Stein-Arild\Cookies\stein-arild@winantivirus[2].txt
C:\Documents and Settings\Stein-Arild\Cookies\stein-arild@indexstats[2].txt

Spyware.RelevantKnowledge
C:\SYSTEM VOLUME INFORMATION\_RESTORE{414DF493-84C2-4F33-82F5-45338DD1AFD7}\RP242\A0033369.EXE

RelevantKnowledge Spyware Component
C:\SYSTEM VOLUME INFORMATION\_RESTORE{414DF493-84C2-4F33-82F5-45338DD1AFD7}\RP243\A0033386.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\3IMSZ2DS\checksoft[1].js
C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\3IMSZ2DS\top1_menu[1].gif
C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\8ALIDEM6\wav_banner[1].swf
C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\WZMNQDMT\top1[1].gif
C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\694FUPO5\styles[1].css
C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\GPUF01EN\tracking[1].js
C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\694FUPO5\ico2[1].gif
C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\JUVT1TZR\logo[1].gif
C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\GPUF01EN\button2[1].gif
C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\WZMNQDMT\ico1[1].gif
C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\JUVT1TZR\spacer[1].gif

EDIT: here is the log from ComboFix

"Stein-Arild" - 2007-06-23 23:17:21 - ComboFix 07-06-23.5 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\erfixhqb.dll
C:\WINDOWS\system32\bqhxifre.ini
C:\WINDOWS\system32\abeeg.bak1
C:\WINDOWS\system32\abeeg.bak2
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\abeeg.tmp
C:\WINDOWS\system32\abeeg.bak1
C:\WINDOWS\system32\abeeg.bak2
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\abeeg.tmp

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\STEIN-~1\Desktop.\internet explorer.lnk
C:\i
C:\WINDOWS\servicepackfiles\mm.pidar
C:\WINDOWS\servicepackfiles\www.google.com
C:\WINDOWS\servicepackfiles\www.google.com\Google_files\hp0.gif
C:\WINDOWS\servicepackfiles\www.google.com\Google_files\hp1.gif
C:\WINDOWS\servicepackfiles\www.google.com\Google_files\hp2.gif
C:\WINDOWS\servicepackfiles\www.google.com\Google_files\hp3.gif
C:\WINDOWS\servicepackfiles\www.google.com\index.html
C:\WINDOWS\servicepackfiles\www.google.com\thank.html
C:\WINDOWS\system32\drivers\etc\hosts.tim

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))

2007-06-23 23:16 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-23 21:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-23 21:03 <DIR> d-------- C:\DOCUME~1\STEIN-~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-23 21:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-23 13:11 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-23 01:14 4,628 --a------ C:\WINDOWS\system32\rttwvhrk.exe
2007-06-20 13:48 <DIR> d-------- C:\Program Files\F1 Challange KRC 2007
2007-06-11 19:19 <DIR> d-------- C:\DOCUME~1\STEIN-~1\APPLIC~1\Opera
2007-06-07 16:20 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-06-05 20:30 <DIR> d-------- C:\VIRTUAL RC RACING
2007-06-05 20:29 <DIR> d-------- C:\Program Files\VIRTUAL RC RACING DEMO
2007-06-03 18:57 <DIR> d-------- C:\Program Files\VIRTUAL RC RACING
2007-06-03 14:14 <DIR> d-------- C:\NAB FULL
2007-06-03 12:05 <DIR> d-------- C:\Nerf Arena Blast
2007-05-28 18:41 <DIR> d-------- C:\Program Files\Schmads Inc
2007-05-28 17:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logitech

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-23 19:02:50 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-23 10:45:26 -------- d-----w C:\DOCUME~1\STEIN-~1\APPLIC~1\Hamachi
2007-06-23 10:26:44 -------- d-----w C:\Program Files\mIRC
2007-06-19 14:47:30 -------- d-----w C:\DOCUME~1\STEIN-~1\APPLIC~1\teamspeak2
2007-06-13 16:06:19 -------- d-----w C:\Program Files\rFactor
2007-06-09 20:28:27 -------- d-----w C:\Program Files\LFS
2007-06-07 19:31:24 -------- d-----w C:\DOCUME~1\STEIN-~1\APPLIC~1\Creative
2007-06-07 19:00:47 -------- d-----w C:\DOCUME~1\STEIN-~1\APPLIC~1\Skype
2007-06-07 14:20:23 -------- d-----w C:\Program Files\Skype
2007-05-29 16:52:41 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-05-29 16:41:33 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-28 15:56:02 -------- d-----w C:\Program Files\Common Files\Logitech
2007-05-28 15:56:01 -------- d-----w C:\Program Files\Logitech
2007-05-28 10:07:40 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-05-28 10:07:39 -------- d-----w C:\Program Files\MSN Messenger
2007-05-22 17:57:29 -------- d-----w C:\Program Files\Mafia
2007-05-22 17:52:44 -------- d-----w C:\Program Files\Mafia
2007-05-21 15:29:43 -------- d-----w C:\Program Files\VentSrv
2007-05-21 15:12:16 -------- d-----w C:\Program Files\Steam
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 15:02:00 101,376 ----a-w C:\WINDOWS\system32\drivers\ACEDRV07.sys
2007-05-16 13:55:56 -------- d-----w C:\Program Files\BitLord
2007-05-14 16:20:30 -------- d-----w C:\Program Files\SmartFTP Client
2007-05-14 16:09:49 -------- d-----w C:\DOCUME~1\STEIN-~1\APPLIC~1\SmartFTP
2007-05-09 13:44:00 -------- d-----w C:\Program Files\Microsoft Games
2007-05-07 14:27:38 -------- d-----w C:\Program Files\BobsTrackBuilder
2007-05-03 18:47:31 -------- d-----w C:\Program Files\Creative
2007-05-03 18:46:57 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-05-03 18:46:57 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-05-03 15:22:10 -------- d-----w C:\Program Files\Vstep
2007-05-03 15:15:05 -------- d-----w C:\Program Files\Ship simulator
2007-04-30 16:37:08 -------- d-----w C:\Program Files\GameShadow
2007-04-29 08:25:32 -------- d-----w C:\Program Files\BlueVoda Website Builder
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-24 18:15:18 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-04-24 18:07:49 -------- d-----w C:\Program Files\GTR 2
2007-04-24 18:06:09 -------- d-----w C:\Program Files\DAEMON Tools
2007-04-24 18:01:01 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-06-07 11:09]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 03:25]
{DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516}=C:\Program Files\Telenor\Online Start\IEFixItNowPlugin.dll [2007-03-02 14:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 09:12]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2006-08-17 11:32 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 11:32 C:\WINDOWS\system32\CTXFIHLP.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-23 12:50]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06]
"Telenor Online Start"="C:\Program Files\Telenor\Online Start\Telenor.exe" [2006-11-30 14:51]
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 16:54]
"@"="" []
"Launch LGDCore"="C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 17:22]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" []
"Steam"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program Files\ICQLite\ICQLite.exe -trayboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bff1043c-5257-11db-8062-806d6172696f}]
AutoRun\command- H:\ASUSACPI.exe

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-23 23:23:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-23 23:24:11 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-23 23:24
--- E O F ---

New HijackThis log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 00:14:26, on 24.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Telenor\Online Start\Telenor.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Stein-Arild\Desktop\Hijackthis!\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.online.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A7A8363-D24D-454B-B1A6-D13DC087F2C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Online Start Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Program Files\Telenor\Online Start\IEFixItNowPlugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iCQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Telenor Online Start] "C:\Program Files\Telenor\Online Start\Telenor.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\STEIN-~1\LOCALS~1\Temp\MsgPlusUninstall.exe" /Cleanup
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_06) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_06) -
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://bente.eurofoto.no/activex/ImageUploader3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O24 - Desktop Component 0: (no name) - http://www.mgr.fi/galleria_australia2006l.jpg

--
End of file - 7856 bytes

I had a trojan horse, but after I used SUPERAntiSpyware it has stopped popping up new windows with "ads". I hope someone can tell me whether I still have more viruses and, if so, what I should delete to get rid of it.. Hoping for an answer as quickly as humanly possible!

Regards,
Tomhah

Spoiler tags added by moderator

Edited 24 June 2007 by Tomhah
norbat
Posted 23 June 2007

Download ComboFix and save it to the desktop.
Run combofix.exe and follow the instructions. Do not click on the window while the program is running.
Post the log file from ComboFix (usually c:\combofix.txt) + a new HJT log
Tomhah (Author)
Posted 23 June 2007 (edited)

The top post has now been edited; the ComboFix log is there too!

Edited 23 June 2007 by Tomhah
norbat
Posted 23 June 2007

Then post a new HJT log below this post.
norbat
Posted 23 June 2007

I prefer that you post logs in new posts, since it is easier to keep track, but...

Run HJT, choose "Do a system scan only", tick the following lines and click 'Fix checked':

O2 - BHO: (no name) - {1A7A8363-D24D-454B-B1A6-D13DC087F2C0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\STEIN-~1\LOCALS~1\Temp\MsgPlusUninstall.exe" /Cleanup

Download CCleaner. Start the program. Go to 'Options'->'Advanced'. Untick: "Only delete temporary files......". Click 'Cleaner' and then 'Run CCleaner'.

Update Java: http://java.com/en/download/index.jsp

You should reset the System Restore folder so that you are not re-infected by a possible system restore. Control Panel->System->System Restore. Tick "Turn off System Restore.....", restart the PC, then untick it again to re-enable the function.

Then tell us how the PC is running.
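The triage norbat does by eye in this thread (BHO CLSIDs left behind with "(no file)", a service whose binary is "(file missing)", rundll32 loading randomly named DLLs out of system32, and an autorun pointing into a Temp folder) is mechanical enough to script. The Python below is an added example written for this page; it is not a tool from the thread, from HijackThis or from any of the helpers. The sample lines are copied from the two HijackThis logs posted above, and the "exactly eight lowercase letters or digits" rule for DLL names is a constructed heuristic tuned to this particular log, not a general indicator.

```python
import re
from dataclasses import dataclass

# Shape of a HijackThis entry line: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...]".
# Header lines and the running-process list do not match and are skipped.
HJT_ENTRY = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")

# Constructed heuristic for this log: rundll32 loading a system32 DLL whose name is
# exactly eight lowercase letters/digits (j1271035.dll, erfixhqb.dll above).
# The name group is deliberately case-sensitive so NvCpl.dll / NvMcTray.dll do not match.
RUNDLL_RANDOM_DLL = re.compile(
    r'(?i:rundll32(?:\.exe)?\s+"?c:\\windows\\system32\\)([a-z0-9]{8})\.dll'
)

# An autorun whose target sits inside a Temp directory.
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def parse_entry(line):
    """Return (section, body) for an HJT entry line, or None for any other line."""
    m = HJT_ENTRY.match(line.strip())
    if m is None:
        return None
    return m.group("section"), m.group("body")


def triage(lines):
    """Flag the entry types a helper looks at first. Anything not flagged still needs a
    human eye; 'Unknown owner' alone is not flagged because legitimate services
    (Ventrilo in the log above) carry it too."""
    findings = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        entry = raw.strip()
        if section in ("O2", "O3") and "(no file)" in body:
            findings.append(Finding(section, "BHO/toolbar CLSID registered but its DLL is gone", entry))
        elif section == "O23" and "(file missing)" in body:
            findings.append(Finding(section, "service points at a binary that no longer exists", entry))
        elif section == "O4" and RUNDLL_RANDOM_DLL.search(body):
            findings.append(Finding(section, "rundll32 loads a randomly named DLL from system32", entry))
        elif section == "O4" and TEMP_PATH.search(body):
            findings.append(Finding(section, "autorun target lives in a Temp folder", entry))
    return findings


# Constructed sample: entries copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A7A8363-D24D-454B-B1A6-D13DC087F2C0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [j1271035] rundll32 C:\WINDOWS\system32\j1271035.dll sook
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\erfixhqb.dll",realset
O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\STEIN-~1\LOCALS~1\Temp\MsgPlusUninstall.exe" /Cleanup
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\egqcyipt.exe (file missing)
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
"""


def triage_sample():
    """Run the triage over the constructed sample; returns five findings."""
    return triage(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

The two NVIDIA rundll32 entries and the Ventrilo service pass through untouched, which is the point of keeping the DLL-name rule case-sensitive and of not treating "Unknown owner" as a signal on its own; the three entries norbat asks to fix, the two Vundo-style Run entries and the missing DomainService binary are the ones that come out.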
Tomhah (Author)
Posted 23 June 2007

I have done all of this except resetting the System Restore folder. Am I virus-free now? Is it important to reset that folder? I'll just ask dad tomorrow, to be on the safe side, since it's a sort of "family" PC
norbat
Posted 23 June 2007

You are now virus-free, as far as I can see.

Regarding 'resetting' System Restore: this should be done so that, if you later need to run a system restore, you will not be re-infected with what you have just removed. You will re-enable the function afterwards, so nothing happens other than that the corrupt files get removed.