Gå til innhold

Kan noen sjekke denne HJT loggen?


Anbefalte innlegg

Har fjernet en del på maskinen men vet ikke om den er helt ren. Legger ved en HJT logg..

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:17:15, on 04.01.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\NORMAN\Npm\bin\ELOGSVC.EXE

C:\Programfiler\Internet Explorer\iexplore.exe

C:\NORMAN\Npm\Bin\Zanda.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svcd\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\srvany.exe

C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\ZyDummyZD11B-BG.exe

C:\NORMAN\Npm\bin\NJEEVES.EXE

C:\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Norman\Nvc\bin\nvcoas.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\hphmon05.exe

C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe

C:\NORMAN\Npm\bin\ZLH.EXE

C:\WINDOWS\system32\ntvdm.exe

C:\Programfiler\PestPatrol\PPControl.exe

C:\Programfiler\PestPatrol\PPMemCheck.exe

C:\Programfiler\PestPatrol\CookiePatrol.exe

C:\WINDOWS\noskrnl.exe

C:\NORMAN\Nvc\bin\cclaw.exe

C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\ZDWlan.exe

C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\Programfiler\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe

C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\System32\winlogon.scr

C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Programfiler\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Npm\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [Java] C:\WINDOWS\Twunk_16.exe

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programfiler\PestPatrol\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\Programfiler\PestPatrol\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\Programfiler\PestPatrol\CookiePatrol.exe

O4 - HKCU\..\Run: [noskrnl] C:\WINDOWS\noskrnl.exe

O4 - HKCU\..\Run: [main] C:\WINDOWS\System32\drivers\sysdrv.exe

O4 - HKCU\..\Run: [default] C:\Documents and Settings\eritep.HOLMEN047\scvhost.exe

O4 - HKCU\..\RunOnce: [ati] C:\Documents and Settings\eritep.HOLMEN047\scvhost.exe

O4 - HKCU\..\RunOnce: [sysinit] C:\WINDOWS\System32\drivers\sysdrv.exe

O4 - Global Startup: AirLink 6554 Utility.lnk = C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\ZDWlan.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: X-Micro WLAN 11g USB Utility.lnk = C:\Programfiler\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?ca183a8ec1474af7b74fb35e32021add

O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?ca183a8ec1474af7b74fb35e32021add

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no

O17 - HKLM\Software\..\Telephony: DomainName = lan.holmen.vgs.no

O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD54645-39B8-4906-A56E-DC8ACE5C1331}: NameServer = 85.255.116.172,85.255.112.62

O17 - HKLM\System\CCS\Services\Tcpip\..\{D1C32ADF-8AC8-4A43-915D-1711C7E080FE}: NameServer = 85.255.116.172,85.255.112.62

O17 - HKLM\System\CCS\Services\Tcpip\..\{E7843E9D-8FAA-4436-9E38-3FF5C24BF7AE}: NameServer = 85.255.116.172,85.255.112.62

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.62

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.62

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.62

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.62

O20 - AppInit_DLLs: autofmt.dll

O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Dokumenter\Settings\bot.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\NORMAN\Npm\bin\ELOGSVC.EXE

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programfiler\HPQ\SHARED\HPQWMI.exe

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)

O23 - Service: Norman NJeeves - Unknown owner - C:\NORMAN\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\NORMAN\Npm\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: OPHB DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHBLDCS.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Security Service (SIRM) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe

O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmuyh.exe

O23 - Service: ZyDAS1211BBG - Unknown owner - C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\srvany.exe

O23 - Service: ZZZsvc_lich - Unknown owner - C:\lich.exe

 

--

End of file - 8606 bytes

 

 

Lenke til kommentar
Videoannonse
Annonse

Det ligger en del igjen, så du kan fortsette med følgende:

 

Hent Fixwareout

 

Legg filen på skrivebordet og dobbeltklikk på den. Klikk Next -> Install.

Sjekk at det er avkrysset i 'Run fixit'.

Klikk Finish og fixet vil starte. Følg instruksjonen.

Restart PC-en når du blir bedt om det. Oppstarten vil ta litt lengre tid en normalt .....

 

Når PC-en har restartet følger du bare instruksjonen som kommer på skjermen.

 

Når Fixwareout er ferdigkjørt, fortsetter du med følgende:

 

Langversjonen i denne posten: https://www.diskusjon.no/index.php?showtopic=691246

 

Du poster loggene som det spørres om, her i din egen tråd, sammem med loggen fra Fixwareout (C:\fixwareout\report.txt)

Lenke til kommentar

Takk for svar. Her kommer loggene.

edit: Combofix loggen sliter. Åpne den spoiler sist...

 

 

Username "eritep" - 07.01.2008 9:03:21 [Fixwareout edited 9/01/2007]

 

~~~~~ Prerun check

HKLM\SOFTWARE\~\Winlogon\ "System"="csjay.exe"

Service: "Windows Management Service" = C:\WINDOWS\System32\dmuyh.exe

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

"nameserver"="85.255.116.172 85.255.112.62" <Value cleared.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4CD54645-39B8-4906-A56E-DC8ACE5C1331}

"nameserver"="85.255.116.172,85.255.112.62" <Value cleared.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D1C32ADF-8AC8-4A43-915D-1711C7E080FE}

"nameserver"="85.255.116.172,85.255.112.62" <Value cleared.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E7843E9D-8FAA-4436-9E38-3FF5C24BF7AE}

"nameserver"="85.255.116.172,85.255.112.62" <Value cleared.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1DFEA81E-E69E-4413-BA1C-3334850F727A}

"DhcpNameServer"="85.255.116.172,85.255.112.62" <Value cleared.

 

DNS Resolver-bufferen ble tømt.

 

 

System was rebooted successfully.

 

~~~~~ Postrun check

HKLM\SOFTWARE\~\Winlogon\ "system"=""

....

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}70287742E82B-D50A-13C4-0D29-62F77CA4{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}68CC81ABCE7D-3689-3874-477F-D3B1A24F{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}29E05424EE51-F359-7E24-C373-3993C75F{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "hyumd" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "yajsc" Value deleted

HKCR\CLSID\{C4D4173A-4ABB-4EE8-8CEC-BF773CF7BF88}\_h\4 Deleted.

....

~~~~~ Misc files.

C:\Documents and Settings\eritep.HOLMEN047\Programdata\Install.dat Deleted

C:\WINDOWS\System32\kernel32.exe Deleted

....

~~~~~ Checking for older varients.

....

~~~~~ Other

C:\WINDOWS\Temp\dmuyh.ren 57934 04.08.2004

 

~~~~~ Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"

"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"

"SunJavaUpdateSched"="\"C:\\Programfiler\\Java\\jre1.6.0_03\\bin\\jusched.exe\""

"UpdateManager"="\"C:\\Programfiler\\Fellesfiler\\Sonic\\Update Manager\\sgtray.exe\" /r"

"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"

"SynTPLpr"="C:\\Programfiler\\Synaptics\\SynTP\\SynTPLpr.exe"

"SynTPEnh"="C:\\Programfiler\\Synaptics\\SynTP\\SynTPEnh.exe"

"HPHUPD05"="c:\\Programfiler\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"

"HPHmon05"="C:\\WINDOWS\\system32\\hphmon05.exe"

"eabconfg.cpl"="C:\\Programfiler\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"

"Norman ZANDA"="C:\\NORMAN\\Npm\\bin\\ZLH.EXE /LOAD /SPLASH"

"Java"="C:\\WINDOWS\\Twunk_16.exe"

"PestPatrol Control Center"="C:\\Programfiler\\PestPatrol\\PPControl.exe"

"PPMemCheck"="C:\\Programfiler\\PestPatrol\\PPMemCheck.exe"

"CookiePatrol"="C:\\Programfiler\\PestPatrol\\CookiePatrol.exe"

"spoolsvv"="C:\\WINDOWS\\system32\\spoolsvv.exe"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"noskrnl"="C:\\WINDOWS\\noskrnl.exe"

"main"="C:\\WINDOWS\\System32\\drivers\\sysdrv.exe"

"default"="C:\\Documents and Settings\\eritep.HOLMEN047\\scvhost.exe"

....

Hosts file was reset, If you use a custom hosts file please replace it...

~~~~~ End report ~~~~~

 

 

 

 

SAS log

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 01/07/2008 at 10:08 AM

 

Application Version : 3.9.1008

 

Core Rules Database Version : 3375

Trace Rules Database Version: 1369

 

Scan type : Complete Scan

Total Scan Time : 00:38:50

 

Memory items scanned : 495

Memory threats detected : 2

Registry items scanned : 4671

Registry threats detected : 8

File items scanned : 22306

File threats detected : 40

 

Trojan.Downloader-Gen/Bot

C:\DOCUMENTS AND SETTINGS\ALL USERS\DOKUMENTER\SETTINGS\BOT.DLL

C:\DOCUMENTS AND SETTINGS\ALL USERS\DOKUMENTER\SETTINGS\BOT.DLL

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\botreg

 

Trojan.SpoolSVV/32

C:\WINDOWS\SYSTEM32\SPOOLSVV.EXE

C:\WINDOWS\SYSTEM32\SPOOLSVV.EXE

[spoolsvv] C:\WINDOWS\SYSTEM32\SPOOLSVV.EXE

 

Trojan.BraveSentry

HKU\S-1-5-21-2294372181-2308636165-2577751238-1008\Software\Brave-Sentry

C:\Documents and Settings\eritep.HOLMEN047\Start-meny\Programmer\Brave-Sentry\BraveSentry.lnk

C:\Documents and Settings\eritep.HOLMEN047\Start-meny\Programmer\Brave-Sentry\Uninstall.lnk

C:\Documents and Settings\eritep.HOLMEN047\Start-meny\Programmer\Brave-Sentry

 

Trojan.DNSChanger-Codec

HKCR\MovieCommander

HKCR\MovieCommander\CLSID

HKU\S-1-5-21-2294372181-2308636165-2577751238-1008\Software\MovieCommander

 

Rootkit.RunTime2

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys

 

Adware.Tracking Cookie

C:\Documents and Settings\bjofre\Cookies\bjofre@2o7[2].txt

C:\Documents and Settings\bjofre\Cookies\bjofre@belnk[1].txt

C:\Documents and Settings\bjofre\Cookies\bjofre@casalemedia[2].txt

C:\Documents and Settings\bjofre\Cookies\[email protected][2].txt

C:\Documents and Settings\bjofre\Cookies\[email protected][1].txt

C:\Documents and Settings\eritep\Cookies\[email protected][1].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\[email protected][2].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\eritep@adtech[2].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\eritep@advertising[2].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\eritep@atdmt[2].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\[email protected][1].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\eritep@doubleclick[1].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\[email protected][2].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\[email protected][2].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\eritep@mediaplex[1].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\[email protected][1].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\eritep@overture[1].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\eritep@postclicktracking[1].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\[email protected][1].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\eritep@serving-sys[1].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\[email protected][1].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\[email protected][2].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\[email protected][1].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\[email protected][2].txt

C:\Documents and Settings\eritep.HOLMEN\Cookies\eritep@tradedoubler[2].txt

C:\Documents and Settings\eritep.HOLMEN\Lokale innstillinger\Temp\Cookies\eritep@advertising[2].txt

C:\Documents and Settings\eritep.HOLMEN\Lokale innstillinger\Temp\Cookies\eritep@doubleclick[1].txt

C:\Documents and Settings\eritep.HOLMEN\Lokale innstillinger\Temp\Cookies\[email protected][2].txt

C:\Documents and Settings\eritep.HOLMEN\Lokale innstillinger\Temp\Cookies\[email protected][1].txt

C:\Documents and Settings\eritep.HOLMEN\Lokale innstillinger\Temp\Cookies\[email protected][1].txt

C:\Documents and Settings\eritep.HOLMEN\Lokale innstillinger\Temp\Cookies\eritep@tradedoubler[2].txt

 

Rootkit.SpoolDR-Config

C:\WINDOWS\NOSKRNL.CONFIG

 

Trojan.Downloader-Gen/NewMaxx

C:\WINDOWS\SYSTEM32\NEWMAXXSV234.EXE

 

Trojan.VXGame-Gen

C:\WINDOWS\SYSTEM32\VEDXG4AM1ET2.EXE

C:\WINDOWS\SYSTEM32\VEDXGA1ME4T1.EXE

 

 

 

Combofix log

 

 

 

ComboFix 08-01-04.1 - eritep 2008-01-07 11:04:28.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.54 [GMT 1:00]

Running from: C:\Documents and Settings\eritep.HOLMEN047\Skrivebord\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\eritep.HOLMEN\Programdata\install.dat

C:\WINDOWS\system32\9_exception.nls

C:\WINDOWS\system32\dllh8jkd1q8.exe

C:\WINDOWS\system32\drivers\sysdrv.exe

C:\WINDOWS\system32\kr_done1

C:\WINDOWS\system32\vx.tll

C:\WINDOWS\system32\winlogon.scr

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

.

-------\LEGACY_DRIVER

-------\LEGACY_NDISWON

-------\LEGACY_RUNTIME

-------\LEGACY_RUNTIME2

-------\LEGACY_ZZZDRV_LICH

-------\LEGACY_ZZZSVC_LICH

-------\Driver

-------\NdisWon

-------\ZZZdrv_lich

-------\ZZZsvc_lich

 

 

((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))

.

 

2008-01-07 11:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-07 09:28 . 2008-01-07 11:00 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-01-07 09:28 . 2008-01-07 09:28 <DIR> d-------- C:\Documents and Settings\eritep.HOLMEN047\Programdata\SUPERAntiSpyware.com

2008-01-07 09:28 . 2008-01-07 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-01-07 09:26 . 2008-01-07 11:00 <DIR> dr-h----- C:\Documents and Settings\eritep.HOLMEN047\Siste

2008-01-07 09:26 . 2008-01-07 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Yahoo! Companion

2008-01-07 09:24 . 2008-01-07 09:24 <DIR> d-------- C:\Programfiler\Yahoo!

2008-01-07 09:24 . 2008-01-07 09:24 <DIR> d-------- C:\Programfiler\CCleaner

2008-01-04 13:14 . 2008-01-04 13:14 <DIR> d-------- C:\Documents and Settings\NetworkService\Start-meny

2008-01-02 16:28 . 2008-01-02 16:28 <DIR> d-------- C:\Programfiler\Trend Micro

2008-01-02 16:28 . 2008-01-07 11:24 <DIR> d-------- C:\Programfiler\PestPatrol

2008-01-02 16:28 . 2008-01-02 16:28 1,737 --a------ C:\WINDOWS\SetupPestPatrolCorporate.mif

2008-01-02 10:02 . 2008-01-02 10:02 29 --a------ C:\WINDOWS\system32\rfeepioo.tmp

2007-12-14 22:20 . 2007-10-21 10:41 1,918 --a------ C:\X-Micro WLAN 11g USB Utility.lnk

2007-12-14 22:20 . 2007-08-12 11:31 1,874 --a------ C:\HP Digital Imaging Monitor.lnk

2007-12-14 22:20 . 2007-11-03 11:35 1,748 --a------ C:\AirLink 6554 Utility.lnk

2007-12-14 22:17 . 2007-12-14 22:19 <DIR> d-------- C:\Documents and Settings\eritep.HOLMEN047\Programdata\Business Logic

2007-12-14 14:31 . 2003-10-30 09:48 159,744 --a------ C:\WINDOWS\system32\igfxres.dll

2007-12-11 18:17 . 2004-08-04 13:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime

2007-12-11 18:16 . 2004-08-04 13:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll

2007-12-11 18:15 . 2004-08-04 13:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll

2007-12-11 18:14 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll

2007-12-11 18:12 . 2007-12-11 18:12 749 -rah----- C:\WINDOWS\WindowsShell.Manifest

2007-12-11 18:12 . 2007-12-11 18:12 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest

2007-12-11 18:12 . 2007-12-11 18:12 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest

2007-12-11 18:12 . 2007-12-11 18:12 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest

2007-12-11 18:12 . 2007-12-11 18:12 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest

2007-12-11 18:12 . 2007-12-11 18:12 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest

2007-12-11 18:08 . 2004-08-04 01:03 152,576 --a------ C:\WINDOWS\system32\irftp.exe

2007-12-11 18:08 . 2004-08-03 23:00 87,424 --a------ C:\WINDOWS\system32\drivers\irda.sys

2007-12-11 18:08 . 2004-08-04 01:03 27,136 --a------ C:\WINDOWS\system32\irmon.dll

2007-12-11 18:08 . 2004-08-04 01:03 8,192 --a------ C:\WINDOWS\system32\wshirda.dll

2007-12-11 18:02 . 2001-08-17 21:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-07 08:27 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-01-02 15:55 --------- d-----w C:\Programfiler\Google

2008-01-02 10:32 --------- d-----w C:\Programfiler\Windows Live Toolbar

2007-12-16 10:45 --------- d-----w C:\Programfiler\HPQ

2007-12-14 13:32 12,960 ----a-w C:\WINDOWS\system32\taskmon.sys

2007-12-05 14:24 --------- d-----w C:\Programfiler\Lavasoft

2007-12-05 14:24 --------- d-----w C:\Documents and Settings\All Users\Programdata\Lavasoft

2007-11-27 20:51 --------- d-----w C:\Programfiler\Intel

2007-11-27 20:50 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2007-11-27 20:49 1,781 --sha-r C:\WINDOWS\system32\drivers\HP_compaq nx9020 (PG705ES#ABN)_YN_0U_QCNF4490VJW_E373977091_45JL_I3084_SQuanta_V41.0B_BF.15_T041109_WXP2_L4

4_M223_J30_7Intel_8Celeron M_91.4_#041111_N10EC8139_()_XMOBILE_CN10_RHewlett-Packard_2Rev 1_G80863582.MRK

2007-11-27 20:14 --------- d-----w C:\Programfiler\CONEXANT

2007-11-27 18:18 --------- d-----w C:\Documents and Settings\eritep.HOLMEN047\Programdata\Image Zone Express

2007-11-26 10:48 --------- d-----w C:\Programfiler\OpenOffice.org1.1.3

2007-10-17 09:58 737,280 ----a-w C:\WINDOWS\iun6002.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"ati"="C:\Documents and Settings\eritep.HOLMEN047\scvhost.exe" [ ]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-30 09:46 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-30 09:33 118784]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

"UpdateManager"="C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-25 01:04 122939]

"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 18:15 98304]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 18:15 536576]

"HPHUPD05"="c:\Programfiler\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 20:03 49152]

"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-05-22 19:58 483328]

"eabconfg.cpl"="C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 08:33 286720]

"Norman ZANDA"="C:\NORMAN\Npm\bin\ZLH.exe" [2007-08-09 14:40 183352]

"PestPatrol Control Center"="C:\Programfiler\PestPatrol\PPControl.exe" [2004-11-15 11:49 98304]

"PPMemCheck"="C:\Programfiler\PestPatrol\PPMemCheck.exe" [2003-04-19 07:53 148480]

"CookiePatrol"="C:\Programfiler\PestPatrol\CookiePatrol.exe" [2005-01-10 09:35 73728]

 

C:\Documents and Settings\Holmen\Start-meny\Programmer\Oppstart\

OpenOffice.org 1.1.3.lnk - C:\Programfiler\OpenOffice.org1.1.3\program\quickstart.exe [2004-09-15 00:10:00]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

AirLink 6554 Utility.lnk - C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\ZDWlan.exe [2007-11-03 11:35:20]

HP Digital Imaging Monitor.lnk - C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22]

X-Micro WLAN 11g USB Utility.lnk - C:\Programfiler\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe [2007-10-21 10:41:16]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 0 (0x0)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

R2 Ndiskio;Ndiskio;C:\NORMAN\Nse\bin\NDISKIO.SYS [2007-01-02 09:55]

R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2007-07-09 10:50]

S3 nvcfsr;nvcfsr;C:\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 14:25]

S3 nvcoafl51;nvcoafl51;C:\Norman\Nvc\bin\nvcoafl51.sys [2007-01-09 14:25]

S3 nvcoaft51;nvcoaft51;C:\Norman\Nvc\bin\nvcoaft51.sys [2007-01-09 14:25]

S3 nvcoarc51;nvcoarc51;C:\Norman\Nvc\bin\nvcoarc51.sys [2007-01-09 14:25]

S3 taskmon.sys;taskmon.sys;C:\WINDOWS\system32\taskmon.sys [2007-12-14 14:32]

S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-10-28 11:38]

 

.

Contents of the 'Scheduled Tasks' folder

"2008-01-07 10:04:01 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job"

- C:\Programfiler\Windows Live Toolbar\MSNTBUP.EXE

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-07 11:25:19

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ati = C:\Documents and Settings\eritep.HOLMEN047\scvhost.exe???????????5????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
?????????????????????????????????????????????????????

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-07 11:34:28 - machine was rebooted

ComboFix-quarantined-files.txt 2008-01-07 10:33:47

 

 

 

 

HTJ log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:48:34, on 07.01.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\NORMAN\Npm\bin\ELOGSVC.EXE

C:\NORMAN\Npm\Bin\Zanda.exe

C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Lavasoft\Ad-Aware 2007\AAWTray.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\srvany.exe

C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\ZyDummyZD11B-BG.exe

C:\NORMAN\Npm\bin\NJEEVES.EXE

C:\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Norman\Nvc\bin\nvcoas.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\hphmon05.exe

C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe

C:\NORMAN\Npm\bin\ZLH.EXE

C:\Programfiler\PestPatrol\PPControl.exe

C:\Programfiler\PestPatrol\PPMemCheck.exe

C:\Programfiler\PestPatrol\CookiePatrol.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\NORMAN\Nvc\bin\cclaw.exe

C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\ZDWlan.exe

C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\Programfiler\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe

C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe

C:\Programfiler\internet explorer\iexplore.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Programfiler\Trend Micro\HijackThis\run.exe.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [updateManager] "C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Programfiler\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programfiler\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Programfiler\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\Programfiler\PestPatrol\CookiePatrol.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [ati] C:\Documents and Settings\eritep.HOLMEN047\scvhost.exe
O4 - Global Startup: AirLink 6554 Utility.lnk = C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\ZDWlan.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: X-Micro WLAN 11g USB Utility.lnk = C:\Programfiler\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?ca183a8ec1474af7b74fb35e32021add
O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?ca183a8ec1474af7b74fb35e32021add
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no
O17 - HKLM\Software\..\Telephony: DomainName = lan.holmen.vgs.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.62
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\NORMAN\Npm\bin\ELOGSVC.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programfiler\HPQ\SHARED\HPQWMI.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Norman NJeeves - Unknown owner - C:\NORMAN\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\NORMAN\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: OPHB DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHBLDCS.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Security Service (SIRM) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: ZyDAS1211BBG - Unknown owner - C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\srvany.exe

--
End of file - 7865 bytes

********************************* ROOTCHK-(28-12-07)-LOG, by ejvindh
07.01.2008 11:51:18,38

Driver asc3550p (visible) is present. Run SDFIX by AndyManchesta or COMBOFIX by sUBs.
Driver taskmon.sys (visible) is present. Run SDFIX by AndyManchesta.

********************************* ROOTCHK-LOG-end

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 11:51:21
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
hidden processes: 0
hidden services: 0
hidden files: 0


Start HJT, choose "Do a system scan only", tick the following lines and click Fix checked:

O4 - HKCU\..\RunOnce: [ati] C:\Documents and Settings\eritep.HOLMEN047\scvhost.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.62
O23 - Service: Security Service (SIRM) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)

Download SDFix to the desktop.

Double-click SDFix.exe and it will extract itself to a folder at C:\SDFix

Restart the PC in safe mode (tap F8 during startup, choose safe mode)

Open the SDFix folder and double-click 'RunThis.bat' to start the program
Choose Y to start the cleaning
The PC will restart, and SDFix will continue.

Post a new HJT log + the log from SDFix (it will be in Report.txt in the SDFix folder).

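The three lines picked out above can be found mechanically: a system-binary name (or a one-edit lookalike such as scvhost.exe) launched from outside the Windows system folders, and a NameServer value that is not one of the site's own resolvers. The script below is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log, and EXPECTED_RESOLVERS is an assumption to fill in with the site's real DNS servers.

```python
"""Triage HijackThis (HJT) log lines the way a log helper does by hand.
Added example, not HijackThis code; the sample lines are from the thread,
the resolver set is a constructed assumption."""
import re

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
EXPECTED_RESOLVERS = {"10.0.0.1"}  # ASSUMPTION: put the site's real DNS servers here

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\RunOnce: [ati] C:\Documents and Settings\eritep.HOLMEN047\scvhost.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.62
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Security Service (SIRM) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
"""

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as one edit."""
    d = [[i if j == 0 else j if i == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition (scvhost/svchost)
    return d[-1][-1]

def suspicious_binary(path):
    """Reason string for a system name outside the system dirs or a one-edit lookalike, else None."""
    folder, _, name = path.lower().rpartition("\\")
    if name in SYSTEM_BINARIES:
        return None if folder in SYSTEM_DIRS else "system binary name outside the system dirs"
    if any(osa_distance(name, s) == 1 for s in SYSTEM_BINARIES):
        return "lookalike of a system binary name"
    return None

def triage(log_text):
    """Return (line, reason) pairs for the log lines a helper should look at."""
    findings = []
    for line in log_text.splitlines():
        reason = None
        if line.startswith(("O4 ", "O23 ")):
            m = re.search(r"([A-Za-z]:\\.*?\.exe)", line, re.I)  # first drive-letter path
            reason = suspicious_binary(m.group(1)) if m else None
        elif line.startswith("O17 ") and "NameServer" in line:
            rogue = [ip for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", line) if ip not in EXPECTED_RESOLVERS]
            reason = f"unexpected resolver(s): {' '.join(rogue)}" if rogue else None
        if reason:
            findings.append((line, reason))
    return findings
```

Running `triage(SAMPLE_LOG)` returns exactly the three entries the helper listed; the Norman NipSvc line, although its file is also missing, is not flagged because its binary name imitates nothing.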

Thanks for the help! Here are the logs:

 

HJT

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:11:03, on 08.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\Npm\bin\ELOGSVC.EXE
C:\NORMAN\Npm\Bin\Zanda.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\srvany.exe
C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\ZyDummyZD11B-BG.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe
C:\NORMAN\Npm\bin\ZLH.EXE
C:\Programfiler\PestPatrol\PPControl.exe
C:\Programfiler\PestPatrol\PPMemCheck.exe
C:\Programfiler\PestPatrol\CookiePatrol.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\NORMAN\Nvc\bin\cclaw.exe
C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\ZDWlan.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Programfiler\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programfiler\Trend Micro\HijackThis\run.exe.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [updateManager] "C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Programfiler\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programfiler\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Programfiler\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\Programfiler\PestPatrol\CookiePatrol.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AirLink 6554 Utility.lnk = C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\ZDWlan.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: X-Micro WLAN 11g USB Utility.lnk = C:\Programfiler\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no
O17 - HKLM\Software\..\Telephony: DomainName = lan.holmen.vgs.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lan.holmen.vgs.no
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\NORMAN\Npm\bin\ELOGSVC.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programfiler\HPQ\SHARED\HPQWMI.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Norman NJeeves - Unknown owner - C:\NORMAN\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\NORMAN\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: OPHB DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHBLDCS.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Security Service (SIRM) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: ZyDAS1211BBG - Unknown owner - C:\Programfiler\Jensen Scandinavia\AirLink_6554_Utility\srvany.exe

--
End of file - 6283 bytes

SDFix

SDFix: Version 1.124

Run by eritep on 08.01.2008 at 13:40

Microsoft Windows XP [Versjon 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
taskmon.sys

Path:
\??\C:\WINDOWS\system32\taskmon.sys

taskmon.sys - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...

Service asc3550p - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\RFEEPIOO.TMP - Deleted
C:\WINDOWS\system32\ .bat - Deleted
C:\WINDOWS\system32\CID - Deleted
C:\WINDOWS\system32\lich.dat - Deleted
C:\WINDOWS\system32\SvcNm - Deleted
C:\WINDOWS\system32\taskmon.sys - Deleted
C:\WINDOWS\system32\upds.log - Deleted
C:\WINDOWS\system32\url1 - Deleted
C:\WINDOWS\system32\url2 - Deleted
C:\WINDOWS\system32\url3 - Deleted

Folder C:\WINDOWS\system32\svcd - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 14:29:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 31 Jan 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!


OK, it seems to be in order now. The machine runs fine. It is slow, but I think that comes from the 256 MB of memory.. there was a "get free viagra" thing that popped up, and it has disappeared. I'll let you know if anything more shows up.

Thanks a lot for the help!


Good,

You should reset the restore folder so that you do not get infected by a possible System Restore.
Control Panel->System->System Restore.
Tick "Turn off System Restore .....",
restart the PC,
remove the tick again to re-enable the feature.

Surf safely.
