Korka, posted 6 October 2007 (edited):

Hi. I think I've picked up a virus... I use Nod32 and have scanned the PC with Ad-Aware and two Nod32 scans... Here is a screenshot of the processes and of the warning.

I should mention that I downloaded a keygen... Didn't use it... Opened it, but nothing came up. Deleted it afterwards.

Edit: Noticed that the PC got somewhat slow a moment ago and.... Opened Photoshop, MSN and Firefox right after I closed BF2... Is that odd? Specs in profile.

Edited 6 October 2007 by korka
Korka, posted 6 October 2007 (edited):

HijackThis log:

PS: I don't have Vista.. It just looks that way.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:42 AM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Microsoft Setup Initialization
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Eset\nod32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Microsoft Setup Initialization] Microsoft Setup Initialization
O4 - HKLM\..\RunServices: [Microsoft Setup Initialization] Microsoft Setup Initialization
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Setup Initialization] Microsoft Setup Initialization
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183141727336
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6552 bytes

Edited 6 October 2007 by korka
Korka, posted 6 October 2007 (edited):

Have scanned with SAS, Ad-Aware 2007, Nod32 full scan and Nod32 Full Depth Analysis... I found nothing.. Here is the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/06/2007 at 04:03 AM

Application Version : 3.9.1008

Core Rules Database Version : 3320
Trace Rules Database Version: 1321

Scan type : Complete Scan
Total Scan Time : 00:35:29

Memory items scanned : 469
Memory threats detected : 0
Registry items scanned : 5472
Registry threats detected : 0
File items scanned : 35706
File threats detected : 16

Adware.Tracking Cookie
C:\Documents and Settings\Robus\Cookies\robus@usenext[1].txt
C:\Documents and Settings\Robus\Cookies\[email protected][1].txt
C:\Documents and Settings\Robus\Cookies\robus@imrworldwide[1].txt
C:\Documents and Settings\Robus\Cookies\[email protected][2].txt
C:\Documents and Settings\Robus\Cookies\[email protected][1].txt
C:\Documents and Settings\Robus\Cookies\robus@serving-sys[4].txt
C:\Documents and Settings\Robus\Cookies\[email protected][1].txt
C:\Documents and Settings\Robus\Cookies\[email protected][1].txt
C:\Documents and Settings\Robus\Cookies\[email protected][2].txt
C:\Documents and Settings\Robus\Cookies\[email protected][2].txt
C:\Documents and Settings\Robus\Cookies\robus@hitbox[2].txt
C:\Documents and Settings\Robus\Cookies\robus@serving-sys[1].txt
C:\Documents and Settings\Robus\Cookies\robus@serving-sys[2].txt
C:\Documents and Settings\Robus\Cookies\robus@serving-sys[3].txt
C:\Documents and Settings\Robus\Cookies\robus@statcounter[1].txt
C:\Documents and Settings\Robus\Cookies\[email protected][1].txt

The only things I found were cookies like these.. Restarted the PC just now and a folder called microsoft opened by itself... Inside it was a folder called Protect + 4-5 files.

Edited 6 October 2007 by korka
norbat, posted 6 October 2007:

Start HJT, choose "Do a system scan only", put a check in front of the following lines and click Fix checked:

O4 - HKLM\..\Run: [Microsoft Setup Initialization] Microsoft Setup Initialization
O4 - HKLM\..\RunServices: [Microsoft Setup Initialization] Microsoft Setup Initialization
O4 - HKCU\..\Run: [Microsoft Setup Initialization] Microsoft Setup Initialization

Get Combofix and put it on the desktop. Run combofix.exe and follow the instructions. You must not click on the window while the program is running. Post the log file from combofix (c:\combofix.txt) + a new HJT log.

Before you make the hjt log, change the program name, hijackthis, to something else, e.g. korka.
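The three lines norbat picks out share a pattern a helper learns to spot by eye: a registry value whose name is the same text as its command, no path and no .exe, and the same name planted under HKLM, HKCU and the legacy RunServices key at once. The script below is an added example for this thread, not code from HijackThis, ComboFix or norbat; it parses the O4 lines of a HijackThis log and scores each autostart entry by how many of those tells coincide. The sample lines are abridged from the log posted above and embedded as constructed input; the heuristics, the extension list and the host-binary list are my own assumptions, not HijackThis rules.

```python
"""Triage the O4 (autostart) lines of a HijackThis log for keygen-style droppers.

Added example for this thread; not part of HijackThis or ComboFix. The heuristics
below are assumptions for illustration, and the sample log is abridged from the
one posted in the thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: abridged O4 lines from the posted HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Microsoft Setup Initialization] Microsoft Setup Initialization
O4 - HKLM\..\RunServices: [Microsoft Setup Initialization] Microsoft Setup Initialization
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Setup Initialization] Microsoft Setup Initialization
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
"""

O4_RE = re.compile(r"^O4 - (?P<location>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".pif")
HOST_BINARIES = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}  # assumed list


@dataclass(frozen=True)
class Entry:
    raw: str    # the O4 line exactly as HijackThis printed it
    hive: str   # HKLM, HKCU, or HKUS\<SID>
    key: str    # Run, RunOnce, RunServices, ...
    name: str   # registry value name, shown in [brackets] by HijackThis
    cmd: str    # the command stored in that value


def parse_o4(log_text):
    """Extract the O4 entries from a HijackThis log; every other line is ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if not m:
            continue
        hive, _, key = m.group("location").rpartition("\\..\\")
        # HijackThis appends "(User 'X')" to HKUS entries; that is not part of the command.
        cmd = re.sub(r"\s+\(User '[^']*'\)$", "", m.group("cmd")).strip()
        entries.append(Entry(line, hive, key, m.group("name"), cmd))
    return entries


def program_of(cmd):
    """The program token of a Run-value command: the quoted part, else the first word."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0] if cmd else ""


def reasons_for(entry, hives_by_name):
    """Return the list of heuristics (assumed tells) that fire for one autostart entry."""
    reasons = []
    prog = program_of(entry.cmd)
    has_path = ":" in prog or "\\" in prog
    if entry.cmd == entry.name:
        reasons.append("value name is identical to its command")
    if not has_path and prog.lower() not in HOST_BINARIES and not prog.lower().endswith(EXEC_EXT):
        reasons.append("no path and no executable extension; resolved by name search, not a fixed file")
    if entry.key.lower() == "runservices":
        reasons.append("RunServices is a Win9x-era key that XP-era software rarely uses")
    if {"HKLM", "HKCU"} <= hives_by_name[entry.name.lower()]:
        reasons.append("same value name planted under both HKLM and HKCU")
    return reasons


def triage(log_text):
    """(entry, reasons) for every O4 line that trips at least one tell, most suspicious first."""
    entries = parse_o4(log_text)
    hives_by_name = defaultdict(set)
    for e in entries:
        hives_by_name[e.name.lower()].add(e.hive)
    findings = [(e, reasons_for(e, hives_by_name)) for e in entries]
    findings = [(e, r) for e, r in findings if r]
    findings.sort(key=lambda f: len(f[1]), reverse=True)
    return findings


def fix_checked_lines(log_text):
    """The O4 lines a helper would tell the user to tick and 'Fix checked' in HijackThis."""
    return [e.raw for e, _ in triage(log_text)]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry.raw)
        for r in reasons:
            print("   -", r)
```

Run as a script it prints exactly norbat's three lines, the RunServices one first because it trips all four tells. KHALMNPR.EXE and Rundll32 P17.dll are also path-less, yet stay quiet because they at least name an executable or a known host binary; on its own the path-less test is a weak signal (ComboFix later resolved both of those to files under C:\WINDOWS), which is why the script ranks by how many tells coincide rather than acting on any single one.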
Korka, posted 6 October 2007 (edited):

Here is combofix then...

ComboFix 07-10-06.3 - Robus 2007-10-06 11:40:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1510 [GMT 2:00]
Running from: C:\Documents and Settings\Robus\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-09-06 to 2007-10-06 )))))))))))))))))))))))))))))))
.
2007-10-06 11:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-06 03:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-06 03:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-06 03:24 <DIR> d-------- C:\Documents and Settings\Robus\Application Data\SUPERAntiSpyware.com
2007-10-06 03:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-06 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Earthsim
2007-10-01 14:55 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-10-01 14:55 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-01 14:54 <DIR> d-------- C:\Program Files\MSBuild
2007-10-01 14:53 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-01 14:52 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-01 14:52 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-10-01 14:51 <DIR> dr-h----- C:\MSOCache
2007-10-01 14:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-27 19:43 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-09-23 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-23 12:41 <DIR> d-------- C:\Program Files\Bonjour
2007-09-23 12:32 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-09-23 12:25 <DIR> d-------- C:\Program Files\MagicISO
2007-09-13 20:58 <DIR> d-------- C:\Program Files\Windows Journal Viewer
2007-09-08 18:01 <DIR> d-------- C:\Program Files\Ventrilo
2007-09-08 18:01 <DIR> d-------- C:\Documents and Settings\Robus\Application Data\Ventrilo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 03:24 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-06 01:08 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-06 01:06 103736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-10-05 23:28 --------- d-------- C:\Program Files\Winamp
2007-10-05 22:29 --------- d-------- C:\Program Files\SpeedFan
2007-10-05 21:20 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-10-05 21:20 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-10-05 21:17 --------- d-------- C:\Documents and Settings\Robus\Application Data\LimeWire
2007-10-02 16:02 --------- d-------- C:\Documents and Settings\Robus\Application Data\teamspeak2
2007-09-20 21:25 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-14 15:34 --------- d-------- C:\Program Files\Codemasters
2007-09-11 14:30 --------- d-------- C:\Program Files\AGEIA Technologies
2007-09-03 15:43 --------- d-------- C:\Documents and Settings\Robus\Application Data\Google
2007-09-03 15:42 --------- d-------- C:\Program Files\Google
2007-08-28 10:43 66872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-08-12 19:55 --------- d-------- C:\Program Files\Teamspeak2_RC2
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-24 16:57 3642848 --a------ C:\Program Files\EMPD - Crossover.mp3
2007-07-24 16:46 5752960 --a------ C:\Program Files\thomax-tears_on_my_pillowcase_(taskforce).mp3
2007-07-24 16:44 3034469 --a------ C:\Program Files\Epmd - Rap Is Outta Control.mp3
2007-07-24 16:42 3612800 --a------ C:\Program Files\Keith Murry - The Most Beautifulest Thing.mp3
2007-07-18 18:20 2419317 --a------ C:\Program Files\Kool G Rap ft Joell Ortiz - China White.mp3
2007-07-18 18:19 3168384 --a------ C:\Program Files\Joell Ortiz - Aftermath Freestyle.mp3
2007-07-18 18:18 4132135 --a------ C:\Program Files\Joell Ortiz - Hip-Hop.mp3
2007-07-18 18:17 6092800 --a------ C:\Program Files\Nas - I Can.mp3
2007-07-18 18:17 5458267 --a------ C:\Program Files\T.I. - The King - 04 - I'm Talkin To You.mp3
2007-07-18 18:13 4170204 --a------ C:\Program Files\Blackstar - Mos Def, Talib Kweli, Kool G Rap, Sporty Thives, etc. - One Love, One Life.mp3
2007-07-15 00:28 5369306 --a------ C:\Program Files\Korn_Creep.mp3
2007-07-15 00:28 4819692 --a------ C:\Program Files\Korn - Love Song.mp3
2007-07-15 00:27 4137795 --a------ C:\Program Files\Korn - Blind.mp3
2007-07-15 00:27 4076720 --a------ C:\Program Files\Korn - Freak On A Leash.mp3
2007-07-13 20:16 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-09 21:07 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-09 21:07 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-09 21:07 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-09 21:07 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-09 21:05 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-09 21:05 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-09 21:05 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-09 21:05 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-09 21:05 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-09 21:05 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-09 21:05 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-09 21:05 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-09 21:05 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-09 21:05 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-09 21:05 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-09 21:05 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-09 21:05 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-09 21:05 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-02 16:45 5423232 --a------ C:\Program Files\Nas feat. Will.I.Am - Hip Hop Is Dead.mp3
2007-06-30 22:35 4893176 --a------ C:\Program Files\Korn - Twist.mp3
2007-06-30 22:35 4363029 --a------ C:\Program Files\Korn - Thoughtless.mp3
2007-06-30 22:34 2429683 --a------ C:\Program Files\Korn and Slipknot - Queen Of The Damned.mp3
2007-06-30 22:33 3896343 --a------ C:\Program Files\Ice Cube & Korn - Fuck Dying.mp3
2007-06-30 21:23 6593901 --a------ C:\Program Files\Korn - Here To Stay.mp3
2007-06-30 21:00 4331695 --a------ C:\Program Files\Korn - Beating Me Down.mp3
2007-06-30 20:50 2922080 --a------ C:\Program Files\Korn - Kunt!.mp3
2007-06-30 20:16 5830659 --a------ C:\Program Files\KoRn - Did My Time.mp3
2007-06-30 20:10 3960536 --a------ C:\Program Files\Korn - Fuck that.mp3
2007-06-30 20:09 4552955 --a------ C:\Program Files\Korn - Dead Bodies Everywhere.mp3
2007-06-30 20:09 4427776 --a------ C:\Program Files\Korn - Clown.mp3
2007-06-30 20:06 5123730 --a------ C:\Program Files\Korn-Word Up.mp3
2007-06-30 20:03 5379028 --a------ C:\Program Files\Korn - Coming Undone.mp3
2007-06-29 21:47 2718116 --a------ C:\Program Files\KoRn - Twisted Transistor.mp3
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-29 19:29]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 14:44]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-10-30 14:44]
"CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-07 16:17]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
"P17Helper"="P17.dll" [2005-05-03 19:38 C:\WINDOWS\system32\P17.dll]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
"C:\Program Files\Creative\Shared Files\CamTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2a8f6db-2671-11dc-a9f0-806d6172696f}]
AutoRun\command- D:\.\Bin\ASSETUP.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-29 19:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-06 11:42:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-06 11:42:57
.
--- E O F ---

And hijackthis, renamed it to korka.exe...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:17 AM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183141727336
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6413 bytes

I don't think I have a virus now. I see there are 39 processes now, not 41, and I haven't had a warning pop up yet either...

Edited 6 October 2007 by korka
norbat, posted 6 October 2007:

The logs look fine too. You can tidy up a bit by downloading CCleaner. Start the program. Go to 'Options'->'Advanced'. Uncheck "only delete temporary files......". Click 'Cleaner' and then 'Run CCleaner'.

You can also reset the restore folder so that you don't get 'infected' by a possible system restore. Control Panel->System->System Restore. Check "Turn off System Restore .....", restart the PC, then remove the check again to re-enable the function.

(Saw that hjt is still running as hijackthis.exe, but......)
Korka, posted 6 October 2007:

Thanks a lot, Norbat... Have run CCleaner and done the system restore thing. What was the point of renaming hjt.exe?
norbat, posted 6 October 2007:

Some malware hides from programs called hijackthis. So by changing the program name to something else, we fool them.
Korka, posted 6 October 2007:

Ah, you're a smart one, Norbat.