MSN virus from "photobucket" link


Start HJT, choose "Do a system scan only", tick the following lines and click Fix checked:

R3 - URLSearchHook: (no name) - {13B31289-804F-ACBD-3353-8F6A67DC8AC9} - C:\WINDOWS\system32\irxfqs.dll (file missing)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162

O22 - SharedTaskScheduler: AutoDisc Ware - {e04408db-4812-4478-8d4d-e46edcffd3b6} - (no file)

Could you also check whether there are any files (and which) in the following folder:

C:\zia02540

You can delete the file:

C:\WINDOWS\system32\drivers\vcannlmg.sys.vir

Uninstall ComboFix:

Click: Start->Run

Type: ComboFix /u

ComboFix will start up and then uninstall itself.

You should update Java: http://java.com/en/download/index.jsp

Is MSN running normally?

Empty the System Restore folder:

Reset the restore folder so that you don't get infected again by a possible system restore.

Control Panel->System->System Restore. Tick "Turn off System Restore .....",

restart the PC, then untick it again to re-enable the feature.

If you're running XP, you can try the following:

Get Avenger and unpack it.

Start the program, select "Input Script Manually" and click the magnifying glass.

In the window that appears, copy and paste what is in bold below:

Files to delete:

C:\WINDOWS\lssas.exe

C:\WINDOWS\ntmngr.exe

C:\445930.exe

C:\WINDOWS\images.zip

Click the traffic light. Restart the PC.

After the restart, a log file will appear telling you what happened. Post the log.

Some of the files may not exist.

Then get ComboFix and put it on the desktop.

Run combofix.exe and follow the instructions.

You must not click on the window while the program is running.

Post the log file from ComboFix (usually c:\combofix.txt).

 

Thanks a lot, "norbat"

This recipe helped me :thumbup:

If you feel like it, you can post a ComboFix log (in a separate thread, which you create by clicking New topic) :)


The filth got onto one of the PCs in my house as well; I don't feel entirely confident that everything is gone yet.

I didn't run in safe mode. Part of what I did was to run BitDefender's online scan to remove most of the files mentioned, then I used a program called Unlocker to be able to delete ntmngr.exe. I also removed lssas.exe, lsas.exe and others (kept lsass.exe, of course).

Messenger on that PC isn't sending out the virus any more, but the last scary thing that keeps happening is that a registry key is constantly being added in CurrentVersion/Run/mssrvc = c:windows/system32:lsas.exe

Spybot Search & Destroy has a Resident function that warns that an attempt is being made to add this key.

The file lsas.exe is often referred to as a virus, but I can't find it on the PC. So what is it that keeps insisting on adding the key to the registry?

No virus scanners find any more shady stuff on the PC, so it's only lsas.exe that worries me (no, that is not a typo).

Any ideas at all about what can be done to stop this key from being added, permanently, or whether this could be due to other undetected trojans?


damn, I hate people who make viruses!!!

you always have to ask what the link you get on MSN leads to, unless it says youtube.com or other well-known sites.

very long addresses are usually viruses.

to the one who couldn't get Windows to start... take the hard drive out and put it in another machine, rescue your pictures etc. and format the disk. Alternatively you can use a Linux live CD.

Edited by morgan_kane
norbat:

You wrote earlier in the thread that if you have XP, try the following.... etc. etc.

What if you have Vista?

Hm, I think that was about using Avenger. It's apparently not compatible with Vista (typical)

If you have Vista, you can make a custom fix using ComboFix, or delete the files manually (if you can find them)

If a custom fix is to be made, I need to see a log from ComboFix.


Hi, norbat! I managed to install this virus. I have run ComboFix, with the following log:

ComboFix 08-01-13.1 - Stian 2008-01-13 0:09:22.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.273 [GMT 1:00]

Running from: C:\Documents and Settings\Stian\Skrivebord\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\images.zip

 

.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))

.

 

2008-01-13 00:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-12 23:06 . 2008-01-12 23:06 <DIR> d-------- C:\Programfiler\Lavasoft

2008-01-12 23:06 . 2008-01-12 23:06 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-01-12 23:06 . 2008-01-12 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft

2008-01-12 23:01 . 2008-01-12 23:00 45,568 -r-hs---- C:\WINDOWS\lssas.exe

2008-01-04 00:16 . 2008-01-04 03:30 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2008-01-04 00:15 . 2008-01-04 00:15 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll

2008-01-04 00:15 . 2008-01-04 00:15 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll

2008-01-04 00:15 . 2008-01-04 00:15 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll

2008-01-04 00:10 . 2008-01-04 00:16 29,607 --a------ C:\WINDOWS\DIIUnin.dat

2008-01-04 00:09 . 2008-01-04 00:09 94,208 --a------ C:\WINDOWS\DIIUnin.exe

2008-01-04 00:09 . 2008-01-04 00:09 2,829 --a------ C:\WINDOWS\DIIUnin.pif

2008-01-04 00:06 . 2008-01-12 02:13 <DIR> d-------- C:\Programfiler\Diablo II

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-12 22:15 --------- d-----w C:\Documents and Settings\All Users\Programdata\Avg7

2008-01-12 22:14 --------- d-----w C:\Documents and Settings\Stian\Programdata\AVG7

2008-01-06 17:24 --------- d-----w C:\Documents and Settings\Stian\Programdata\Hamachi

2008-01-05 18:03 --------- d-----w C:\Documents and Settings\Stian\Programdata\uTorrent

2008-01-05 05:54 --------- d-----w C:\Documents and Settings\Stian\Programdata\LimeWire

2007-12-12 02:47 --------- d-----w C:\Documents and Settings\Stian\Programdata\dvdcss

2007-12-02 22:59 --------- d-----w C:\Programfiler\DivX

2007-12-02 22:55 --------- d-----w C:\Programfiler\Xvid

2007-11-27 23:14 --------- d-----w C:\Programfiler\LimeWire

2007-11-27 00:26 --------- d-----w C:\Programfiler\PowerStrip

2007-11-20 03:15 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys

2007-11-20 03:14 --------- d-----w C:\Programfiler\Hamachi

2007-11-19 19:11 --------- d-----w C:\Programfiler\DOSBox-0.72

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"DAEMON Tools"="C:\Programfiler\DAEMON Tools\daemon.exe" [2007-09-18 15:16 171464]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-15 10:42 4112384]

"nwiz"="nwiz.exe" [2004-07-15 10:42 843776 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-07-15 10:42 81920]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 14:28 577536 C:\WINDOWS\soundman.exe]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 11:39 579072]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

"PowerStrip"="c:\programfiler\powerstrip\pstrip.exe" [2007-07-14 10:35 730360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:03 15360]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 16:12 219136]

 

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 19:22]

R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2007-07-15 02:37]

S3 Ndisusb;GeneLink Network Driver;C:\WINDOWS\system32\DRIVERS\genelan.sys []

 

*Newly Created Service* - PROCEXP90

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 00:12:43

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-13 0:13:16

ComboFix-quarantined-files.txt 2008-01-12 23:13:02

.

2008-01-09 02:00:39 --- E O F ---

 

 

Is everything in order now? :)


Not quite. The following file has to go: C:\WINDOWS\lssas.exe

Delete it via Explorer or do the following:

Open Notepad, copy in what is in bold below, and save the file on the desktop as CFScript.txt.

Then drag the file onto the ComboFix icon. ComboFix will start again.

File::

C:\WINDOWS\lssas.exe

Post the log.


Let's see.. Log:

ComboFix 08-01-13.1 - Stian 2008-01-13 0:34:18.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.268 [GMT 1:00]

Running from: C:\Documents and Settings\Stian\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Stian\Skrivebord\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE

C:\WINDOWS\lssas.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\lssas.exe

 

.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))

.

 

2008-01-13 00:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-12 23:06 . 2008-01-12 23:06 <DIR> d-------- C:\Programfiler\Lavasoft

2008-01-12 23:06 . 2008-01-12 23:06 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-01-12 23:06 . 2008-01-12 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft

2008-01-04 00:16 . 2008-01-04 03:30 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2008-01-04 00:15 . 2008-01-04 00:15 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll

2008-01-04 00:15 . 2008-01-04 00:15 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll

2008-01-04 00:15 . 2008-01-04 00:15 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll

2008-01-04 00:10 . 2008-01-04 00:16 29,607 --a------ C:\WINDOWS\DIIUnin.dat

2008-01-04 00:09 . 2008-01-04 00:09 94,208 --a------ C:\WINDOWS\DIIUnin.exe

2008-01-04 00:09 . 2008-01-04 00:09 2,829 --a------ C:\WINDOWS\DIIUnin.pif

2008-01-04 00:06 . 2008-01-12 02:13 <DIR> d-------- C:\Programfiler\Diablo II

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-12 22:15 --------- d-----w C:\Documents and Settings\All Users\Programdata\Avg7

2008-01-12 22:14 --------- d-----w C:\Documents and Settings\Stian\Programdata\AVG7

2008-01-06 17:24 --------- d-----w C:\Documents and Settings\Stian\Programdata\Hamachi

2008-01-05 18:03 --------- d-----w C:\Documents and Settings\Stian\Programdata\uTorrent

2008-01-05 05:54 --------- d-----w C:\Documents and Settings\Stian\Programdata\LimeWire

2007-12-12 02:47 --------- d-----w C:\Documents and Settings\Stian\Programdata\dvdcss

2007-12-02 22:59 --------- d-----w C:\Programfiler\DivX

2007-12-02 22:55 --------- d-----w C:\Programfiler\Xvid

2007-11-27 23:14 --------- d-----w C:\Programfiler\LimeWire

2007-11-27 00:26 --------- d-----w C:\Programfiler\PowerStrip

2007-11-20 03:15 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys

2007-11-20 03:14 --------- d-----w C:\Programfiler\Hamachi

2007-11-19 19:11 --------- d-----w C:\Programfiler\DOSBox-0.72

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-13_ 0.12.47,82 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-01-12 23:09:02 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

+ 2008-01-12 23:34:07 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

- 2008-01-12 23:09:02 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

+ 2008-01-12 23:34:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

- 2008-01-12 23:09:02 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

+ 2008-01-12 23:34:07 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

- 2008-01-12 23:09:02 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

+ 2008-01-12 23:34:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

- 2008-01-12 23:09:03 3,964,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

+ 2008-01-12 23:34:07 3,964,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

- 2008-01-12 23:09:03 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

+ 2008-01-12 23:34:07 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"DAEMON Tools"="C:\Programfiler\DAEMON Tools\daemon.exe" [2007-09-18 15:16 171464]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-15 10:42 4112384]

"nwiz"="nwiz.exe" [2004-07-15 10:42 843776 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-07-15 10:42 81920]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 14:28 577536 C:\WINDOWS\soundman.exe]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 11:39 579072]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

"PowerStrip"="c:\programfiler\powerstrip\pstrip.exe" [2007-07-14 10:35 730360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:03 15360]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 16:12 219136]

 

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 19:22]

R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2007-07-15 02:37]

S3 Ndisusb;GeneLink Network Driver;C:\WINDOWS\system32\DRIVERS\genelan.sys []

 

*Newly Created Service* - PROCEXP90

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 00:35:53

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-13 0:36:25

ComboFix-quarantined-files.txt 2008-01-12 23:36:11

ComboFix2.txt 2008-01-12 23:13:17

.

2008-01-09 02:00:39 --- E O F ---

 

 

 

Looks like the lssas.exe file was deleted. Am I done, and can I safely open MSN now? :)


I can't see anything more in the log, so you can start MSN again :)

You can uninstall ComboFix:

Click: Start->Run

Type: ComboFix /u

Feel free to post an HJT log to finish:

Download HijackThis. Put it in its own folder on the desktop.

Start the program, choose "Do a system scan and save a logfile". Copy the log file and post it.


OK, I now have the result from ComboFix...

ComboFix 08-01-11.1 - Server 2008-01-13 0:22:28.2 - NTFSx86

Running from: C:\Documents and Settings\Server\Skrivebord\ComboFix.exe

.

ADS - system32: deleted 19456 bytes in 1 streams.

 

((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))

.

 

2008-01-12 23:28 . 2008-01-12 23:28 <DIR> d-------- C:\Programfiler\Uniblue

2008-01-12 23:28 . 2008-01-12 23:28 <DIR> d-------- C:\Documents and Settings\Server\Programdata\Uniblue

2008-01-12 19:24 . 2008-01-12 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-01-12 18:13 . 2008-01-12 18:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-01-12 18:13 . 2008-01-12 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Kaspersky Lab

2008-01-12 18:12 . 2008-01-12 22:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2008-01-11 22:15 . 2008-01-11 22:15 250 --a------ C:\WINDOWS\gmer.ini

2008-01-11 22:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-11 21:59 . 2007-09-22 12:59 3,377 --a------ C:\WINDOWS\msnchk.exe

2008-01-11 20:57 . 2008-01-12 18:10 <DIR> d-------- C:\Documents and Settings\Server\.housecall6.6

2008-01-04 01:02 . 2008-01-04 01:02 <DIR> d-------- C:\Programfiler\RarZilla Free Unrar

2008-01-04 01:01 . 2008-01-04 01:01 1,154 --a------ C:\WINDOWS\mozver.dat

2008-01-02 19:57 . 2008-01-05 18:31 <DIR> d-------- C:\iam

2007-12-31 15:55 . 2007-12-31 15:55 <DIR> d-------- C:\Programfiler\uTorrent

2007-12-31 15:54 . 2008-01-05 10:52 <DIR> d-------- C:\Documents and Settings\Server\Programdata\uTorrent

2007-12-29 10:39 . 2007-12-29 10:39 0 --a------ C:\WINDOWS\nsreg.dat

2007-12-16 11:35 . 2007-12-25 19:41 <DIR> d-------- C:\Programfiler\dvd43

2007-12-16 11:35 . 2007-12-25 19:41 18,816 --a------ C:\WINDOWS\system32\drivers\dvd43llh.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-12 22:20 --------- d-----w C:\Documents and Settings\Server\Programdata\OpenOffice.org2

2008-01-08 18:03 --------- d-----w C:\Documents and Settings\All Users\Programdata\DVD Shrink

2008-01-04 19:36 --------- d-----w C:\Programfiler\PeerGuardian2

2008-01-03 14:46 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

2007-11-28 22:16 --------- d-----w C:\Documents and Settings\Server\Programdata\Apple Computer

2007-11-17 15:14 --------- d-----w C:\Programfiler\QuickTime

2007-11-17 15:14 --------- d-----w C:\Programfiler\Apple Software Update

2007-11-17 15:14 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple Computer

2007-11-17 15:14 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-10-30 21:51 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll

2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-25 09:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe

2007-10-20 05:01 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll

2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-11_22.07.24,04 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-12 17:13:02 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll

+ 2008-01-12 17:13:02 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll

+ 2008-01-12 17:13:02 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll

+ 2008-01-12 17:13:04 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll

+ 2007-10-25 09:26:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll

+ 2007-10-25 09:26:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll

+ 2008-01-12 17:13:05 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll

+ 2008-01-12 17:13:02 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll

+ 2007-10-25 09:26:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll

+ 2007-05-07 15:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll

+ 2007-05-07 15:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll

+ 2007-05-07 15:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll

+ 2007-10-25 09:26:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll

+ 2008-01-11 21:15:44 585,791 ----a-w C:\WINDOWS\gmer.dll

+ 2007-06-29 08:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe

+ 2008-01-11 21:15:44 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys

- 2007-06-21 18:57:20 132,656 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2008-01-12 22:06:27 133,448 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll

+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe

+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll

- 2007-03-15 16:19:28 1,476,992 ------w C:\WINDOWS\system32\LegitCheckControl.dll

+ 2007-10-11 13:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll

+ 2008-01-12 22:19:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_538.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 02:31 68856]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"LaCie Backup"="C:\Programfiler\LaCie\Backup Software\\LaCieBackup.exe" [2006-07-06 09:30 2596864]

"PeerGuardian"="C:\Programfiler\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

"mssrvc"="C:\WINDOWS\system32:lsas.exe" [ ]

"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2006-04-07 09:45 53248 C:\WINDOWS\system32\VTTimer.exe]

"S3Trayp"="S3Trayp.exe" [2005-10-31 20:15 163840 C:\WINDOWS\system32\S3Trayp.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 08:34 16143872 C:\WINDOWS\RTHDCPL.exe]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"ApacheTomcatMonitor"="C:\Tomcat6.0\bin\tomcat6w.exe" [2007-02-13 14:03 98304]

"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-10-19 20:16 286720]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-03-02 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]

"dvd43"="C:\Programfiler\dvd43\dvd43_tray.exe" [2007-11-20 16:40 731136]

"UnlockerAssistant"="C:\Programfiler\Unlocker\UnlockerAssistant.exe" [2006-09-07 18:19 15872]

"mssrvc"="C:\WINDOWS\system32:notepad.exe" [ ]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

 

C:\Documents and Settings\Server\Start-meny\Programmer\Oppstart\

OpenOffice.org 2.2.lnk - C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 15:54:56]

WinMySQLadmin.lnk - D:\mysql\bin\winmysqladmin.exe [2004-03-21 03:05:35]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - C:\Programfiler\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2007-05-01 20:14:50]

HP Digital Imaging Monitor.lnk - C:\Programfiler\Hp\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]

HP Image Zone Fast Start.lnk - C:\Programfiler\Hp\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24]

 

R2 Tomcat6;Apache Tomcat;C:\Tomcat6.0\bin\tomcat6.exe [2007-02-13 14:03]

R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-05-22 18:42]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 11:10]

S3 NPF;Netgroup Packet Filter;C:\WINDOWS\system32\drivers\npf.sys [2006-04-22 08:19]

 

*Newly Created Service* - PGFILTER

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BFDC1376-8D0D-6183-35DC-6125E678712A}]

C:\WINDOWS\system32:lsas.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 00:29:36

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

mssrvc = C:\WINDOWS\system32:lsas.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]

-> C:\Programfiler\Unlocker\UnlockerHook.dll

.

Completion time: 2008-01-13 0:31:14

ComboFix-quarantined-files.txt 2008-01-12 23:30:33

ComboFix2.txt 2008-01-11 21:07:43

.

2008-01-12 10:48:57 --- E O F ---

 

 

 


Okay, thanks a lot for the help! :) Here is the HJT log, by the way:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:46:20, on 13.01.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\programfiler\powerstrip\pstrip.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\Programfiler\DAEMON Tools\daemon.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [PowerStrip] c:\programfiler\powerstrip\pstrip.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1191013386670

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

--

End of file - 4477 bytes

 

 


Did this turn out well? Looks like it from here.

 

 

((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))

.

 

2008-01-12 23:50 . 2008-01-12 23:50 <DIR> d-------- C:\fsaua.data

2008-01-12 19:29 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-12 19:23 . 2008-01-12 19:23 126,976 --a------ C:\zip.exe

2008-01-12 19:23 . 2008-01-12 19:23 60,416 --a------ C:\WINDOWS\system32\drivers\lblvahwq.sys

2008-01-12 19:23 . 2008-01-12 19:23 1,080 --a------ C:\afyivpvt.bat

2008-01-12 08:37 . 2008-01-12 08:37 <DIR> d-------- C:\Documents and Settings\LocalService\Programdata\AVG7

2008-01-12 08:37 . 2008-01-12 19:14 <DIR> d-------- C:\Documents and Settings\Arild Rønning\Programdata\AVG7

2008-01-12 08:37 . 2008-01-12 08:37 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Grisoft

2008-01-12 08:37 . 2008-01-12 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\avg7

2008-01-04 22:00 . 2008-01-04 22:00 <DIR> d--h----- C:\WINDOWS\msdownld.tmp

2008-01-03 20:22 . 2008-01-03 20:25 <DIR> d-------- C:\Programfiler\SpeedFan

2008-01-03 20:22 . 2008-01-03 20:22 45 --a------ C:\WINDOWS\system32\initdebug.nfo

2008-01-02 14:26 . 2008-01-02 14:26 83 --a------ C:\WINDOWS\wwp.INI

2007-12-25 02:08 . 2007-12-25 02:08 <DIR> d-------- C:\Programfiler\XviD

2007-12-25 02:08 . 2005-12-30 20:10 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll

2007-12-25 02:08 . 2005-12-30 20:18 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll

2007-12-25 02:08 . 2005-12-30 20:16 77,824 --a------ C:\WINDOWS\system32\xvid.ax

2007-12-22 11:26 . 2008-01-12 08:31 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP

2007-12-22 11:06 . 2007-12-22 11:06 <DIR> d-------- C:\Documents and Settings\Arild Rønning\Programdata\Simply Super Software

2007-12-22 11:06 . 2007-12-22 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Simply Super Software

2007-12-22 11:06 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll

2007-12-22 11:06 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll

2007-12-17 08:16 . 2007-12-17 08:16 <DIR> d-------- C:\Documents and Settings\Arild Rønning\Programdata\vlc

2007-12-17 08:15 . 2007-12-17 08:15 <DIR> d-------- C:\Programfiler\VideoLAN

2007-12-17 08:09 . 2007-12-17 08:09 <DIR> d-------- C:\Programfiler\defaultlogomode

2007-12-17 07:32 . 2007-12-17 08:10 <DIR> d-------- C:\Documents and Settings\Arild Rønning\Programdata\defaultlogomode

2007-12-17 07:32 . 2007-12-17 08:09 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Software rule flag owns

2007-12-13 15:52 . 2007-12-13 15:53 <DIR> d--hsc--- C:\Programfiler\Fellesfiler\WindowsLiveInstaller

2007-12-13 15:52 . 2007-12-13 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\WLInstaller

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-12 23:06 --------- d-----w C:\Documents and Settings\Arild Rønning\Programdata\uTorrent

2008-01-04 06:44 --------- d-----w C:\Documents and Settings\Arild Rønning\Programdata\dvdcss

2007-12-31 15:51 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2007-12-20 23:58 --------- d-----w C:\Programfiler\Windows Live Safety Center

2007-12-13 14:52 --------- d-----w C:\Programfiler\Windows Live

2007-11-30 17:47 --------- d-----w C:\Documents and Settings\All Users\Programdata\ATI

2007-11-30 15:54 --------- d-----w C:\Programfiler\Windows Live Toolbar

2007-11-30 15:54 --------- d-----w C:\Programfiler\Windows Live Favorites

2007-11-28 00:25 --------- d-----w C:\Documents and Settings\Arild Rønning\Programdata\Earthsim

2007-11-28 00:14 --------- d-----w C:\Programfiler\ATI Technologies

2007-11-28 00:05 --------- d-----w C:\Programfiler\Windows Desktop Search

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-11-02 04:57 9,314,304 ----a-w C:\WINDOWS\system32\atioglx2.dll

2007-11-02 04:24 176,128 ----a-w C:\WINDOWS\system32\atiok3x2.dll

2007-11-02 04:10 364,544 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll

2007-11-02 04:09 268,288 ----a-w C:\WINDOWS\system32\ati2dvag.dll

2007-11-02 04:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe

2007-11-02 04:01 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll

2007-11-02 04:01 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll

2007-11-02 04:00 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll

2007-11-02 04:00 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll

2007-11-02 03:59 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe

2007-11-02 03:58 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL

2007-11-02 03:50 3,133,728 ----a-w C:\WINDOWS\system32\ati3duag.dll

2007-11-02 03:39 1,602,176 ----a-w C:\WINDOWS\system32\ativvaxx.dll

2007-11-02 03:35 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll

2007-11-02 03:26 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll

2007-11-02 03:24 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll

2007-11-02 03:22 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll

2007-11-02 03:16 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll

2007-11-01 20:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe

2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-24 00:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll

2007-10-24 00:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll

2007-10-24 00:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll

2007-10-24 00:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll

2007-10-18 10:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-12_19.31.32,17 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-12-11 14:20:52 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll

+ 2007-12-11 14:20:52 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll

+ 2007-12-11 14:22:14 397,312 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll

+ 2007-12-11 14:20:52 159,744 ----a-w C:\WINDOWS\Downloaded Program Files\fsld32.dll

+ 2007-12-11 14:20:24 580,200 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe

+ 2007-12-11 14:20:24 580,200 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncheradmin.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03 152872]

"uTorrent"="C:\Programfiler\uTorrent\uTorrent.exe" [2007-09-17 07:14 219952]

"AWMON"="E:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 11:12 517632]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nod32kui"="C:\Programfiler\Eset\nod32kui.exe" [2007-08-09 00:00 950664]

"LiveMonitor"="C:\Programfiler\MSI\Live Update 3\LMonitor.exe" [ ]

"SoundMan"="SOUNDMAN.EXE" [2006-11-17 04:42 577536 C:\WINDOWS\soundman.exe]

"Adobe Reader Speed Launcher"="E:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]

"NWEReboot"="" []

"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]

"Sony Ericsson PC Suite"="C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 09:14 528384]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]

"MediaFace Integration"="E:\Programfiler\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 16:46 53248]

"StartCCC"="C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:03 15360]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 08:37 219136]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-11-21 14:50 233472]

 

R1 nltdi;nltdi;C:\WINDOWS\system32\drivers\nltdi.sys [2007-04-23 17:08]

R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-11-11 18:52]

S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 14:54]

S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 14:54]

S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 14:54]

S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys [2007-04-23 14:54]

S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 14:54]

S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2005-10-10 10:50]

 

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

"2007-12-22 10:00:01 C:\WINDOWS\Tasks\A01FEBF39198656F.job"

- c:\docume~1\arildr~1\progra~1\defaul~1\RoadTestAim.exe

"2007-12-22 09:48:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"

- C:\Programfiler\Windows Live Toolbar\MSNTBUP.EXE

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 00:07:01

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-13 0:07:36

ComboFix2.txt 2008-01-12 18:31:49

.

2008-01-08 21:20:59 --- E O F ---

 

 

norbat:

 

You wrote earlier in the thread that if you have XP you should try the following.... etc. etc.

 

What if you have Vista?

 

Hm, I think that was about the use of Avenger. Apparently it isn't compatible with Vista (typical).

 

If you have Vista, you can make a custom fix using ComboFix, or delete the files manually (if you can find them).

If a custom fix is to be made, one needs to see a log from ComboFix.

 

 

Okay! Here is my report:

 

 

 

ComboFix 08-01-13.1 - Peavey 2008-01-13 0:44:29.1 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1044.18.174 [GMT 1:00]

Running from: C:\Users\Peavet\AppData\Roaming\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))

.

 

2008-01-13 00:42 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Grisoft

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\Users\All Users\Grisoft

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\ProgramData\Grisoft

2008-01-12 00:44 . 2007-05-30 13:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys

2008-01-11 21:19 . 2008-01-11 21:18 286,720 --a------ C:\Windows\iun506.exe

2008-01-11 21:18 . 2008-01-11 21:19 <DIR> d-------- C:\Program Files\Risk 2

2008-01-11 19:12 . 2008-01-11 19:20 <DIR> d-------- C:\Users\All Users\Lavasoft

2008-01-11 19:12 . 2008-01-11 19:20 <DIR> d-------- C:\ProgramData\Lavasoft

2008-01-11 19:12 . 2008-01-11 19:12 <DIR> d-------- C:\Program Files\Lavasoft

2008-01-11 18:27 . 2008-01-11 18:27 36,864 -r-hs---- C:\Windows\ntmngr.exe

2008-01-10 18:35 . 2005-06-02 18:19 228,352 --a------ C:\Windows\System32\drivers\BTCamDrv.sys

2008-01-10 16:12 . 2008-01-10 16:17 <DIR> d-------- C:\Program Files\Wings Of Fury

2008-01-10 15:12 . 2008-01-10 15:12 <DIR> d--h----- C:\Windows\PIF

2008-01-10 10:37 . 2008-01-10 17:02 <DIR> d-a------ C:\Users\All Users\TEMP

2008-01-10 10:37 . 2008-01-10 17:02 <DIR> d-a------ C:\ProgramData\TEMP

2008-01-10 10:37 . 2007-09-20 12:04 114,688 --a------ C:\Windows\System32\btcamvideosource.dll

2008-01-10 10:37 . 2008-01-10 10:37 8,192 -ra-s---- C:\BOOTSECT.BAK

2008-01-10 10:17 . 2008-01-10 10:19 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Hamachi

2008-01-10 10:17 . 2008-01-10 10:17 25,280 --a------ C:\Windows\System32\drivers\hamachi.sys

2008-01-09 14:34 . 2008-01-09 14:34 <DIR> d-------- C:\Program Files\Timios

2008-01-09 12:37 . 2008-01-09 12:37 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys

2008-01-09 12:37 . 2008-01-09 12:37 216,760 --a------ C:\Windows\System32\drivers\netio.sys

2008-01-09 12:37 . 2008-01-09 12:37 167,424 --a------ C:\Windows\System32\tcpipcfg.dll

2008-01-09 12:37 . 2008-01-09 12:37 24,064 --a------ C:\Windows\System32\netcfg.exe

2008-01-09 12:37 . 2008-01-09 12:37 22,016 --a------ C:\Windows\System32\netiougc.exe

2008-01-09 12:35 . 2008-01-09 12:35 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll

2008-01-09 12:35 . 2008-01-09 12:35 1,686,016 --a------ C:\Windows\System32\gameux.dll

2008-01-09 12:35 . 2008-01-09 12:35 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys

2008-01-09 12:35 . 2008-01-09 12:35 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys

2008-01-09 12:35 . 2008-01-09 12:35 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys

2008-01-09 12:35 . 2008-01-09 12:35 109,624 --a------ C:\Windows\System32\drivers\ataport.sys

2008-01-09 12:35 . 2008-01-09 12:35 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys

2008-01-09 12:35 . 2008-01-09 12:35 21,560 --a------ C:\Windows\System32\drivers\atapi.sys

2008-01-09 12:35 . 2008-01-09 12:35 17,464 --a------ C:\Windows\System32\drivers\intelide.sys

2008-01-09 12:34 . 2008-01-09 12:34 11,776 --a------ C:\Windows\System32\sbunattend.exe

2008-01-06 23:56 . 2008-01-06 23:56 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\VoipDiscount

2008-01-06 23:54 . 2008-01-06 23:54 <DIR> d-------- C:\Program Files\VoipDiscount.com

2008-01-03 01:41 . 2008-01-03 03:36 <DIR> d-------- C:\Program Files\SignSIS-GUI

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\Users\All Users\Nokia

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\ProgramData\Nokia

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\Program Files\Common Files\Nokia

2007-12-29 19:04 . 2007-12-29 19:04 <DIR> d-------- C:\Program Files\Common Files\PCSuite

2007-12-19 01:07 . 2007-12-19 01:07 <DIR> d-------- C:\Program Files\DivX

2007-12-15 19:17 . 2007-12-15 19:18 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\NSeries

2007-12-15 18:53 . 2007-12-15 18:59 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Nokia

2007-12-15 18:53 . 2007-12-15 19:12 <DIR> d-------- C:\Users\All Users\PC Suite

2007-12-15 18:53 . 2007-12-15 19:12 <DIR> d-------- C:\ProgramData\PC Suite

2007-12-15 18:52 . 2007-12-15 18:52 <DIR> d-------- C:\Windows\Downloaded Installations

2007-12-15 18:50 . 2007-12-15 18:53 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\PC Suite

2007-12-15 18:49 . 2007-12-15 18:49 <DIR> d-------- C:\Program Files\PC Connectivity Solution

2007-12-15 18:45 . 2007-12-29 19:11 <DIR> d-------- C:\Program Files\Nokia

2007-12-15 18:45 . 2007-02-22 10:15 90,624 --a------ C:\Windows\System32\nmwcdcls.dll

2007-12-14 15:38 . 2007-12-14 16:15 <DIR> d-------- C:\Program Files\FreeRIP3

2007-12-14 15:38 . 2007-12-14 16:15 4,510 --a------ C:\Windows\cdplayer.ini

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Start-meny

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Skrivebord

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Programdata

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Maler

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Favoritter

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Dokumenter

2079-12-31 11:53 --------- d-sh--w C:\Program Files\Fellesfiler

2008-01-12 23:10 --------- d-----w C:\Users\Peavey\AppData\Roaming\uTorrent

2008-01-12 13:29 --------- d-----w C:\Program Files\Norman

2008-01-11 20:22 120,022 ----a-w C:\Users\Peavey\AppData\Roaming\nvModes.dat

2008-01-11 18:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-01-09 14:29 --------- d-----w C:\Program Files\Windows Sidebar

2008-01-09 14:29 --------- d-----w C:\Program Files\Windows Mail

2008-01-09 13:39 --------- d-----w C:\ProgramData\Microsoft Help

2008-01-09 11:35 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-01-09 11:35 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-01-09 11:35 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-01-09 11:35 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-01-03 23:22 --------- d-----w C:\Program Files\MediaMonkey

2007-12-27 23:50 --------- d-----w C:\Users\Peavey\AppData\Roaming\dvdcss

2007-12-12 11:57 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL

2007-12-12 11:57 223,232 ----a-w C:\Windows\System32\WMASF.DLL

2007-12-12 11:57 1,327,104 ----a-w C:\Windows\System32\quartz.dll

2007-12-12 11:56 824,832 ----a-w C:\Windows\System32\wininet.dll

2007-12-12 11:56 56,320 ----a-w C:\Windows\System32\iesetup.dll

2007-12-12 11:56 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2007-12-12 11:56 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2007-12-12 11:49 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys

2007-12-12 11:49 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys

2007-12-12 11:49 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys

2007-12-12 11:49 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys

2007-12-12 11:47 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe

2007-12-12 11:47 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe

2007-12-11 22:34 200,704 ----a-w C:\Windows\System32\ssldivx.dll

2007-12-11 22:34 1,044,480 ----a-w C:\Windows\System32\libdivx.dll

2007-12-10 10:28 --------- d-----w C:\Program Files\Picasa2

2007-12-10 10:25 --------- d-----w C:\Program Files\Google

2007-12-08 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-08 18:47 --------- d-----w C:\Program Files\Caplio Software

2007-12-05 11:41 --------- d-----w C:\Program Files\OpenTTD

2007-11-28 20:42 --------- d-----w C:\ProgramData\Ahead

2007-11-28 20:40 --------- d-----w C:\Program Files\Common Files\Ahead

2007-11-28 20:38 --------- d-----w C:\ProgramData\Nero

2007-11-28 16:40 --------- d-----w C:\Program Files\OO Software

2007-11-26 16:26 --------- d-----w C:\ProgramData\Office Genuine Advantage

2007-11-23 11:03 --------- d--h--w C:\Program Files\Zenographics

2007-11-23 11:03 --------- d-----w C:\Program Files\Hewlett-Packard

2007-11-21 10:08 --------- d-----w C:\Program Files\XNeat Windows Manager

2007-11-20 10:54 --------- d-----w C:\ProgramData\Spybot - Search & Destroy

2007-11-16 13:17 --------- d-----w C:\Program Files\Graph

2007-11-14 07:35 1,244,672 ----a-w C:\Windows\System32\mcmde.dll

2007-09-07 11:39 174 --sha-w C:\Program Files\desktop.ini

2007-09-18 16:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2007-09-18 16:16 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2007-09-18 16:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 12:34 1232896]

"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 12:58 495616]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:34 125440]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-09-07 12:33 1006264]

"Norman ZANDA"="C:\Program Files\Norman\Npm\bin\ZLH.exe" [2007-08-09 13:40 183352]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-15 23:32 86016]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-15 23:32 8433664]

"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-06-15 23:32 67584]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

"Creative SB Monitoring Utility"="sbavmon.dll" [2007-06-28 16:27 93696 C:\Windows\System32\SBAVMon.dll]

"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-09 03:27 119296 C:\Windows\System32\sbusbdll.dll]

"XNeat Windows Manager"="C:\Program Files\XNeat Windows Manager\XNeatWM.exe" [2007-11-14 22:51 188416]

"OODefragTray"="C:\Windows\system32\oodtray.exe" [2007-05-11 02:08 2512392]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"AllowLegacyWebView"= 1 (0x1)

"AllowUnhashedWebView"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative SB Monitoring Utility]

--a------ 2007-06-28 16:27 93696 C:\Windows\System32\SBAVMon.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN]

-r-hs---- 2008-01-11 18:27 36864 C:\Windows\ntmngr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]

--a------ 2007-10-01 11:29 3104768 C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-06-15 23:32 81920 C:\Windows\system32\NvMcTray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SbUsb AudCtrl]

--a------ 2004-07-09 03:27 119296 C:\Windows\System32\sbusbdll.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

C:\Windows\UpdReg.EXE

 

R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 09:55]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 08:30]

R3 BTCAMDRV;Mobiola Web Camera driver;C:\Windows\system32\DRIVERS\BTCamDrv.sys [2005-06-02 18:19]

R3 ksaud;Creative USB Audio Driver;C:\Windows\system32\drivers\ksaud.sys [2007-08-06 15:36]

R3 NETw3v32;Intel® PRO/trådløs 3945ABG-kortdriver for Windows Vista, 32-bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 08:30]

R3 NvcMFlt;NvcMFlt;C:\Windows\system32\DRIVERS\nvcv32mf.sys [2007-07-09 09:50]

R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2007-07-12 10:38]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 12:23]

S2 TimerStop;TimerStop;C:\Windows\system32\TimerStop.sys [2006-12-22 23:44]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8178c875-5d4d-11dc-986e-0016419ed03f}]

\shell\AutoRun\command - G:\setup.exe

\shell\readme\command - G:\SEW.EXE bin\ACADFeui\docs\readme_acade.htm

\shell\setupwizard\command - G:\setup.exe

 

*Newly Created Service* - PROCEXP90

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 00:49:08

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]

-> C:\Program Files\RocketDock\RocketDock.dll

-> C:\Program Files\XNeat Windows Manager\XNeatDrv.dll

-> C:\Program Files\XNeat Windows Manager\scripts\taskabarbuttons\tbsorter.dll

.

Completion time: 2008-01-13 0:51:03

.

2008-01-11 10:25:22 --- E O F ---

 

 

 

 

Can you look it over?

 

I have deleted a file called image.zip that I found while reading this thread.

Do you think there could be more?

Ok, I now have the result from Combofix...

 

 

 

ComboFix 08-01-11.1 - Server 2008-01-13 0:22:28.2 - NTFSx86

Running from: C:\Documents and Settings\Server\Skrivebord\ComboFix.exe

.

ADS - system32: deleted 19456 bytes in 1 streams.

 

((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))

.

 

2008-01-12 23:28 . 2008-01-12 23:28 <DIR> d-------- C:\Programfiler\Uniblue

2008-01-12 23:28 . 2008-01-12 23:28 <DIR> d-------- C:\Documents and Settings\Server\Programdata\Uniblue

2008-01-12 19:24 . 2008-01-12 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-01-12 18:13 . 2008-01-12 18:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-01-12 18:13 . 2008-01-12 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Kaspersky Lab

2008-01-12 18:12 . 2008-01-12 22:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2008-01-11 22:15 . 2008-01-11 22:15 250 --a------ C:\WINDOWS\gmer.ini

2008-01-11 22:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-11 21:59 . 2007-09-22 12:59 3,377 --a------ C:\WINDOWS\msnchk.exe

2008-01-11 20:57 . 2008-01-12 18:10 <DIR> d-------- C:\Documents and Settings\Server\.housecall6.6

2008-01-04 01:02 . 2008-01-04 01:02 <DIR> d-------- C:\Programfiler\RarZilla Free Unrar

2008-01-04 01:01 . 2008-01-04 01:01 1,154 --a------ C:\WINDOWS\mozver.dat

2008-01-02 19:57 . 2008-01-05 18:31 <DIR> d-------- C:\iam

2007-12-31 15:55 . 2007-12-31 15:55 <DIR> d-------- C:\Programfiler\uTorrent

2007-12-31 15:54 . 2008-01-05 10:52 <DIR> d-------- C:\Documents and Settings\Server\Programdata\uTorrent

2007-12-29 10:39 . 2007-12-29 10:39 0 --a------ C:\WINDOWS\nsreg.dat

2007-12-16 11:35 . 2007-12-25 19:41 <DIR> d-------- C:\Programfiler\dvd43

2007-12-16 11:35 . 2007-12-25 19:41 18,816 --a------ C:\WINDOWS\system32\drivers\dvd43llh.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-12 22:20 --------- d-----w C:\Documents and Settings\Server\Programdata\OpenOffice.org2

2008-01-08 18:03 --------- d-----w C:\Documents and Settings\All Users\Programdata\DVD Shrink

2008-01-04 19:36 --------- d-----w C:\Programfiler\PeerGuardian2

2008-01-03 14:46 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

2007-11-28 22:16 --------- d-----w C:\Documents and Settings\Server\Programdata\Apple Computer

2007-11-17 15:14 --------- d-----w C:\Programfiler\QuickTime

2007-11-17 15:14 --------- d-----w C:\Programfiler\Apple Software Update

2007-11-17 15:14 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple Computer

2007-11-17 15:14 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-10-30 21:51 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll

2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-25 09:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe

2007-10-20 05:01 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll

2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-11_22.07.24,04 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-12 17:13:02 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll

+ 2008-01-12 17:13:02 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll

+ 2008-01-12 17:13:02 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll

+ 2008-01-12 17:13:04 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll

+ 2007-10-25 09:26:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll

+ 2007-10-25 09:26:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll

+ 2008-01-12 17:13:05 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll

+ 2008-01-12 17:13:02 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll

+ 2007-10-25 09:26:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll

+ 2007-05-07 15:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll

+ 2007-05-07 15:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll

+ 2007-05-07 15:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll

+ 2007-10-25 09:26:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll

+ 2008-01-11 21:15:44 585,791 ----a-w C:\WINDOWS\gmer.dll

+ 2007-06-29 08:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe

+ 2008-01-11 21:15:44 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys

- 2007-06-21 18:57:20 132,656 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2008-01-12 22:06:27 133,448 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll

+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe

+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll

- 2007-03-15 16:19:28 1,476,992 ------w C:\WINDOWS\system32\LegitCheckControl.dll

+ 2007-10-11 13:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll

+ 2008-01-12 22:19:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_538.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 02:31 68856]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"LaCie Backup"="C:\Programfiler\LaCie\Backup Software\\LaCieBackup.exe" [2006-07-06 09:30 2596864]

"PeerGuardian"="C:\Programfiler\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

"mssrvc"="C:\WINDOWS\system32:lsas.exe" [ ]

"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2006-04-07 09:45 53248 C:\WINDOWS\system32\VTTimer.exe]

"S3Trayp"="S3Trayp.exe" [2005-10-31 20:15 163840 C:\WINDOWS\system32\S3Trayp.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 08:34 16143872 C:\WINDOWS\RTHDCPL.exe]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"ApacheTomcatMonitor"="C:\Tomcat6.0\bin\tomcat6w.exe" [2007-02-13 14:03 98304]

"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-10-19 20:16 286720]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-03-02 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]

"dvd43"="C:\Programfiler\dvd43\dvd43_tray.exe" [2007-11-20 16:40 731136]

"UnlockerAssistant"="C:\Programfiler\Unlocker\UnlockerAssistant.exe" [2006-09-07 18:19 15872]

"mssrvc"="C:\WINDOWS\system32:notepad.exe" [ ]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

 

C:\Documents and Settings\Server\Start-meny\Programmer\Oppstart\

OpenOffice.org 2.2.lnk - C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 15:54:56]

WinMySQLadmin.lnk - D:\mysql\bin\winmysqladmin.exe [2004-03-21 03:05:35]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - C:\Programfiler\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2007-05-01 20:14:50]

HP Digital Imaging Monitor.lnk - C:\Programfiler\Hp\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]

HP Image Zone Fast Start.lnk - C:\Programfiler\Hp\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24]

 

R2 Tomcat6;Apache Tomcat;C:\Tomcat6.0\bin\tomcat6.exe [2007-02-13 14:03]

R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-05-22 18:42]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 11:10]

S3 NPF;Netgroup Packet Filter;C:\WINDOWS\system32\drivers\npf.sys [2006-04-22 08:19]

 

*Newly Created Service* - PGFILTER

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BFDC1376-8D0D-6183-35DC-6125E678712A}]

C:\WINDOWS\system32:lsas.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 00:29:36

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

mssrvc = C:\WINDOWS\system32:lsas.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]

-> C:\Programfiler\Unlocker\UnlockerHook.dll

.

Completion time: 2008-01-13 0:31:14

ComboFix-quarantined-files.txt 2008-01-12 23:30:33

ComboFix2.txt 2008-01-11 21:07:43

.

2008-01-12 10:48:57 --- E O F ---

 

 

 

Open Notepad and paste in the text shown in bold below, then save the file on the desktop as CFScript.txt.

Then drag the file onto the Combofix icon. Combofix will start again.

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"mssrvc"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"mssrvc"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BFDC1376-8D0D-6183-35DC-6125E678712A}]

 

Post the log together with an hjt log (Download HijackThis. Put it in its own folder on the desktop.

Start the program and choose "Do a system scan and save a logfile". Copy the log file and post it.)

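As an added illustration (not part of the original thread, and not code from any of the posters): the two `mssrvc` values removed by the CFScript above point at `C:\WINDOWS\system32:lsas.exe` and `C:\WINDOWS\system32:notepad.exe`. The colon after `system32` means the target is an NTFS alternate data stream attached to the folder rather than a normal file, which is why it is invisible in Explorer and why ComboFix shows no file details (`[ ]`) for it; the name is also chosen to resemble the real `lsass.exe`. The Python script below parses the "Reg Loading Points" section of a ComboFix log, flags entries on those three signals (ADS target, missing file details, look-alike system name) and generates the matching CFScript `Registry::` block. The sample lines are taken from the log posted above; the heuristics, the list of system binaries and the function names are my own assumptions.

```python
"""Flag suspicious autostart values in the 'Reg Loading Points' part of a ComboFix
log and emit the CFScript 'Registry::' block that would remove them."""
import re
from dataclasses import dataclass, field

# Sample lines taken from the ComboFix log posted in this thread (HKCU/HKLM Run keys).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"mssrvc"="C:\WINDOWS\system32:lsas.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"mssrvc"="C:\WINDOWS\system32:notepad.exe" [ ]
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# Drive letter, then a path whose last component carries a second colon: C:\dir\sub:stream
ADS_RE = re.compile(r'^[A-Za-z]:\\[^:]*:[^\\:]+$')
# Well-known Windows binaries that malware likes to imitate (my own list, an assumption).
SYSTEM_BINARIES = ("lsass.exe", "svchost.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "explorer.exe", "ctfmon.exe")


@dataclass
class RunEntry:
    key: str
    name: str
    target: str
    meta: str
    reasons: list = field(default_factory=list)


def parse_run_entries(text):
    """Return every "name"="target" [meta] value found under a [HKEY_...] header."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append(RunEntry(current_key, m.group("name"),
                                    m.group("target"), m.group("meta").strip()))
    return entries


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter look-alikes such as lsas vs lsass."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(entry):
    """Attach human-readable reasons to an entry; an empty list means nothing stood out."""
    reasons = []
    if ADS_RE.match(entry.target):
        reasons.append("target is an NTFS alternate data stream (folder:stream); "
                       "legitimate autostarts do not live there")
    if entry.meta == "":
        reasons.append("ComboFix found no file details ([ ]): target missing or hidden")
    # Base name: strip the directory part, then the stream part if present.
    base = entry.target.rsplit("\\", 1)[-1].rsplit(":", 1)[-1].lower()
    for legit in SYSTEM_BINARIES:
        if base != legit and edit_distance(base, legit) <= 1:
            reasons.append(f"name '{base}' mimics system binary '{legit}'")
    entry.reasons = reasons
    return reasons


def find_suspicious(text):
    return [e for e in parse_run_entries(text) if assess(e)]


def cfscript_for(entries):
    """Emit the CFScript block in the format used above ("name"=- deletes a value)."""
    lines = ["Registry::"]
    for key in dict.fromkeys(e.key for e in entries):  # keep order, drop duplicates
        lines.append(f"[{key}]")
        lines.extend(f'"{e.name}"=-' for e in entries if e.key == key)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for e in flagged:
        print(f"{e.key}\\{e.name} -> {e.target}")
        for r in e.reasons:
            print("   -", r)
    print(cfscript_for(flagged))
```

The script only reads a log and prints a proposed CFScript; it touches neither the registry nor the disk, so it is safe to run against any saved ComboFix.txt before deciding what to remove.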
Okay, thanks a lot for the help! :) By the way, here is the HJT log:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:46:20, on 13.01.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\programfiler\powerstrip\pstrip.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\Programfiler\DAEMON Tools\daemon.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [PowerStrip] c:\programfiler\powerstrip\pstrip.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1191013386670

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

--

End of file - 4477 bytes

 

 

The log looks fine.

 

You should reset the restore folder so that you do not get reinfected by a possible System Restore.

Control Panel -> System -> System Restore.

Tick the box in front of "Slå av Systemgjenopprettingen ....." (Turn off System Restore),

restart the PC,

then clear the tick again to re-enable the function.

Did this work out? It looks that way from here.

 

 

((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))

.

 

2008-01-12 23:50 . 2008-01-12 23:50 <DIR> d-------- C:\fsaua.data

2008-01-12 19:29 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-12 19:23 . 2008-01-12 19:23 126,976 --a------ C:\zip.exe

2008-01-12 19:23 . 2008-01-12 19:23 60,416 --a------ C:\WINDOWS\system32\drivers\lblvahwq.sys

2008-01-12 19:23 . 2008-01-12 19:23 1,080 --a------ C:\afyivpvt.bat

2008-01-12 08:37 . 2008-01-12 08:37 <DIR> d-------- C:\Documents and Settings\LocalService\Programdata\AVG7

2008-01-12 08:37 . 2008-01-12 19:14 <DIR> d-------- C:\Documents and Settings\Arild Rønning\Programdata\AVG7

2008-01-12 08:37 . 2008-01-12 08:37 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Grisoft

2008-01-12 08:37 . 2008-01-12 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\avg7

2008-01-04 22:00 . 2008-01-04 22:00 <DIR> d--h----- C:\WINDOWS\msdownld.tmp

2008-01-03 20:22 . 2008-01-03 20:25 <DIR> d-------- C:\Programfiler\SpeedFan

2008-01-03 20:22 . 2008-01-03 20:22 45 --a------ C:\WINDOWS\system32\initdebug.nfo

2008-01-02 14:26 . 2008-01-02 14:26 83 --a------ C:\WINDOWS\wwp.INI

2007-12-25 02:08 . 2007-12-25 02:08 <DIR> d-------- C:\Programfiler\XviD

2007-12-25 02:08 . 2005-12-30 20:10 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll

2007-12-25 02:08 . 2005-12-30 20:18 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll

2007-12-25 02:08 . 2005-12-30 20:16 77,824 --a------ C:\WINDOWS\system32\xvid.ax

2007-12-22 11:26 . 2008-01-12 08:31 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP

2007-12-22 11:06 . 2007-12-22 11:06 <DIR> d-------- C:\Documents and Settings\Arild Rønning\Programdata\Simply Super Software

2007-12-22 11:06 . 2007-12-22 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Simply Super Software

2007-12-22 11:06 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll

2007-12-22 11:06 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll

2007-12-17 08:16 . 2007-12-17 08:16 <DIR> d-------- C:\Documents and Settings\Arild Rønning\Programdata\vlc

2007-12-17 08:15 . 2007-12-17 08:15 <DIR> d-------- C:\Programfiler\VideoLAN

2007-12-17 08:09 . 2007-12-17 08:09 <DIR> d-------- C:\Programfiler\defaultlogomode

2007-12-17 07:32 . 2007-12-17 08:10 <DIR> d-------- C:\Documents and Settings\Arild Rønning\Programdata\defaultlogomode

2007-12-17 07:32 . 2007-12-17 08:09 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Software rule flag owns

2007-12-13 15:52 . 2007-12-13 15:53 <DIR> d--hsc--- C:\Programfiler\Fellesfiler\WindowsLiveInstaller

2007-12-13 15:52 . 2007-12-13 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\WLInstaller

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-12 23:06 --------- d-----w C:\Documents and Settings\Arild Rønning\Programdata\uTorrent

2008-01-04 06:44 --------- d-----w C:\Documents and Settings\Arild Rønning\Programdata\dvdcss

2007-12-31 15:51 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2007-12-20 23:58 --------- d-----w C:\Programfiler\Windows Live Safety Center

2007-12-13 14:52 --------- d-----w C:\Programfiler\Windows Live

2007-11-30 17:47 --------- d-----w C:\Documents and Settings\All Users\Programdata\ATI

2007-11-30 15:54 --------- d-----w C:\Programfiler\Windows Live Toolbar

2007-11-30 15:54 --------- d-----w C:\Programfiler\Windows Live Favorites

2007-11-28 00:25 --------- d-----w C:\Documents and Settings\Arild Rønning\Programdata\Earthsim

2007-11-28 00:14 --------- d-----w C:\Programfiler\ATI Technologies

2007-11-28 00:05 --------- d-----w C:\Programfiler\Windows Desktop Search

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-11-02 04:57 9,314,304 ----a-w C:\WINDOWS\system32\atioglx2.dll

2007-11-02 04:24 176,128 ----a-w C:\WINDOWS\system32\atiok3x2.dll

2007-11-02 04:10 364,544 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll

2007-11-02 04:09 268,288 ----a-w C:\WINDOWS\system32\ati2dvag.dll

2007-11-02 04:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe

2007-11-02 04:01 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll

2007-11-02 04:01 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll

2007-11-02 04:00 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll

2007-11-02 04:00 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll

2007-11-02 03:59 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe

2007-11-02 03:58 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL

2007-11-02 03:50 3,133,728 ----a-w C:\WINDOWS\system32\ati3duag.dll

2007-11-02 03:39 1,602,176 ----a-w C:\WINDOWS\system32\ativvaxx.dll

2007-11-02 03:35 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll

2007-11-02 03:26 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll

2007-11-02 03:24 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll

2007-11-02 03:22 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll

2007-11-02 03:16 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll

2007-11-01 20:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe

2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-24 00:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll

2007-10-24 00:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll

2007-10-24 00:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll

2007-10-24 00:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll

2007-10-18 10:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-12_19.31.32,17 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-12-11 14:20:52 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll

+ 2007-12-11 14:20:52 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll

+ 2007-12-11 14:22:14 397,312 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll

+ 2007-12-11 14:20:52 159,744 ----a-w C:\WINDOWS\Downloaded Program Files\fsld32.dll

+ 2007-12-11 14:20:24 580,200 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe

+ 2007-12-11 14:20:24 580,200 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncheradmin.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03 152872]

"uTorrent"="C:\Programfiler\uTorrent\uTorrent.exe" [2007-09-17 07:14 219952]

"AWMON"="E:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 11:12 517632]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nod32kui"="C:\Programfiler\Eset\nod32kui.exe" [2007-08-09 00:00 950664]

"LiveMonitor"="C:\Programfiler\MSI\Live Update 3\LMonitor.exe" [ ]

"SoundMan"="SOUNDMAN.EXE" [2006-11-17 04:42 577536 C:\WINDOWS\soundman.exe]

"Adobe Reader Speed Launcher"="E:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]

"NWEReboot"="" []

"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]

"Sony Ericsson PC Suite"="C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 09:14 528384]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]

"MediaFace Integration"="E:\Programfiler\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 16:46 53248]

"StartCCC"="C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:03 15360]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 08:37 219136]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-11-21 14:50 233472]

 

R1 nltdi;nltdi;C:\WINDOWS\system32\drivers\nltdi.sys [2007-04-23 17:08]

R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-11-11 18:52]

S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 14:54]

S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 14:54]

S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 14:54]

S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys [2007-04-23 14:54]

S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 14:54]

S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2005-10-10 10:50]

 

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

"2007-12-22 10:00:01 C:\WINDOWS\Tasks\A01FEBF39198656F.job"

- c:\docume~1\arildr~1\progra~1\defaul~1\RoadTestAim.exe

"2007-12-22 09:48:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"

- C:\Programfiler\Windows Live Toolbar\MSNTBUP.EXE

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 00:07:01

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-13 0:07:36

ComboFix2.txt 2008-01-12 18:31:49

.

2008-01-08 21:20:59 --- E O F ---

 

 

You have a Lop infection lying around, so it would be good if you posted this combofix log in a separate thread that you create (click the New Topic button), and then I'll give you a recipe :)

norbat:

 

You wrote earlier in the thread that if you have XP you try the following.... etc. etc.

 

What if you have Vista?

 

Hm, I think that was about using Avenger. It is apparently not compatible with Vista (typical).

 

If you have Vista you can make a custom fix using combofix, or delete the files manually (if you can find them).

To make a custom fix, one needs to see a log from combofix.

 

 

Okay! Here is my report:

 

 

 

ComboFix 08-01-13.1 - Peavey 2008-01-13 0:44:29.1 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1044.18.174 [GMT 1:00]

Running from: C:\Users\Peavet\AppData\Roaming\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))

.

 

2008-01-13 00:42 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Grisoft

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\Users\All Users\Grisoft

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\ProgramData\Grisoft

2008-01-12 00:44 . 2007-05-30 13:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys

2008-01-11 21:19 . 2008-01-11 21:18 286,720 --a------ C:\Windows\iun506.exe

2008-01-11 21:18 . 2008-01-11 21:19 <DIR> d-------- C:\Program Files\Risk 2

2008-01-11 19:12 . 2008-01-11 19:20 <DIR> d-------- C:\Users\All Users\Lavasoft

2008-01-11 19:12 . 2008-01-11 19:20 <DIR> d-------- C:\ProgramData\Lavasoft

2008-01-11 19:12 . 2008-01-11 19:12 <DIR> d-------- C:\Program Files\Lavasoft

2008-01-11 18:27 . 2008-01-11 18:27 36,864 -r-hs---- C:\Windows\ntmngr.exe

2008-01-10 18:35 . 2005-06-02 18:19 228,352 --a------ C:\Windows\System32\drivers\BTCamDrv.sys

2008-01-10 16:12 . 2008-01-10 16:17 <DIR> d-------- C:\Program Files\Wings Of Fury

2008-01-10 15:12 . 2008-01-10 15:12 <DIR> d--h----- C:\Windows\PIF

2008-01-10 10:37 . 2008-01-10 17:02 <DIR> d-a------ C:\Users\All Users\TEMP

2008-01-10 10:37 . 2008-01-10 17:02 <DIR> d-a------ C:\ProgramData\TEMP

2008-01-10 10:37 . 2007-09-20 12:04 114,688 --a------ C:\Windows\System32\btcamvideosource.dll

2008-01-10 10:37 . 2008-01-10 10:37 8,192 -ra-s---- C:\BOOTSECT.BAK

2008-01-10 10:17 . 2008-01-10 10:19 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Hamachi

2008-01-10 10:17 . 2008-01-10 10:17 25,280 --a------ C:\Windows\System32\drivers\hamachi.sys

2008-01-09 14:34 . 2008-01-09 14:34 <DIR> d-------- C:\Program Files\Timios

2008-01-09 12:37 . 2008-01-09 12:37 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys

2008-01-09 12:37 . 2008-01-09 12:37 216,760 --a------ C:\Windows\System32\drivers\netio.sys

2008-01-09 12:37 . 2008-01-09 12:37 167,424 --a------ C:\Windows\System32\tcpipcfg.dll

2008-01-09 12:37 . 2008-01-09 12:37 24,064 --a------ C:\Windows\System32\netcfg.exe

2008-01-09 12:37 . 2008-01-09 12:37 22,016 --a------ C:\Windows\System32\netiougc.exe

2008-01-09 12:35 . 2008-01-09 12:35 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll

2008-01-09 12:35 . 2008-01-09 12:35 1,686,016 --a------ C:\Windows\System32\gameux.dll

2008-01-09 12:35 . 2008-01-09 12:35 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys

2008-01-09 12:35 . 2008-01-09 12:35 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys

2008-01-09 12:35 . 2008-01-09 12:35 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys

2008-01-09 12:35 . 2008-01-09 12:35 109,624 --a------ C:\Windows\System32\drivers\ataport.sys

2008-01-09 12:35 . 2008-01-09 12:35 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys

2008-01-09 12:35 . 2008-01-09 12:35 21,560 --a------ C:\Windows\System32\drivers\atapi.sys

2008-01-09 12:35 . 2008-01-09 12:35 17,464 --a------ C:\Windows\System32\drivers\intelide.sys

2008-01-09 12:34 . 2008-01-09 12:34 11,776 --a------ C:\Windows\System32\sbunattend.exe

2008-01-06 23:56 . 2008-01-06 23:56 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\VoipDiscount

2008-01-06 23:54 . 2008-01-06 23:54 <DIR> d-------- C:\Program Files\VoipDiscount.com

2008-01-03 01:41 . 2008-01-03 03:36 <DIR> d-------- C:\Program Files\SignSIS-GUI

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\Users\All Users\Nokia

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\ProgramData\Nokia

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\Program Files\Common Files\Nokia

2007-12-29 19:04 . 2007-12-29 19:04 <DIR> d-------- C:\Program Files\Common Files\PCSuite

2007-12-19 01:07 . 2007-12-19 01:07 <DIR> d-------- C:\Program Files\DivX

2007-12-15 19:17 . 2007-12-15 19:18 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\NSeries

2007-12-15 18:53 . 2007-12-15 18:59 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Nokia

2007-12-15 18:53 . 2007-12-15 19:12 <DIR> d-------- C:\Users\All Users\PC Suite

2007-12-15 18:53 . 2007-12-15 19:12 <DIR> d-------- C:\ProgramData\PC Suite

2007-12-15 18:52 . 2007-12-15 18:52 <DIR> d-------- C:\Windows\Downloaded Installations

2007-12-15 18:50 . 2007-12-15 18:53 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\PC Suite

2007-12-15 18:49 . 2007-12-15 18:49 <DIR> d-------- C:\Program Files\PC Connectivity Solution

2007-12-15 18:45 . 2007-12-29 19:11 <DIR> d-------- C:\Program Files\Nokia

2007-12-15 18:45 . 2007-02-22 10:15 90,624 --a------ C:\Windows\System32\nmwcdcls.dll

2007-12-14 15:38 . 2007-12-14 16:15 <DIR> d-------- C:\Program Files\FreeRIP3

2007-12-14 15:38 . 2007-12-14 16:15 4,510 --a------ C:\Windows\cdplayer.ini

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Start-meny

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Skrivebord

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Programdata

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Maler

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Favoritter

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Dokumenter

2079-12-31 11:53 --------- d-sh--w C:\Program Files\Fellesfiler

2008-01-12 23:10 --------- d-----w C:\Users\Peavey\AppData\Roaming\uTorrent

2008-01-12 13:29 --------- d-----w C:\Program Files\Norman

2008-01-11 20:22 120,022 ----a-w C:\Users\Peavey\AppData\Roaming\nvModes.dat

2008-01-11 18:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-01-09 14:29 --------- d-----w C:\Program Files\Windows Sidebar

2008-01-09 14:29 --------- d-----w C:\Program Files\Windows Mail

2008-01-09 13:39 --------- d-----w C:\ProgramData\Microsoft Help

2008-01-09 11:35 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-01-09 11:35 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-01-09 11:35 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-01-09 11:35 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-01-03 23:22 --------- d-----w C:\Program Files\MediaMonkey

2007-12-27 23:50 --------- d-----w C:\Users\Peavey\AppData\Roaming\dvdcss

2007-12-12 11:57 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL

2007-12-12 11:57 223,232 ----a-w C:\Windows\System32\WMASF.DLL

2007-12-12 11:57 1,327,104 ----a-w C:\Windows\System32\quartz.dll

2007-12-12 11:56 824,832 ----a-w C:\Windows\System32\wininet.dll

2007-12-12 11:56 56,320 ----a-w C:\Windows\System32\iesetup.dll

2007-12-12 11:56 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2007-12-12 11:56 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2007-12-12 11:49 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys

2007-12-12 11:49 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys

2007-12-12 11:49 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys

2007-12-12 11:49 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys

2007-12-12 11:47 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe

2007-12-12 11:47 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe

2007-12-11 22:34 200,704 ----a-w C:\Windows\System32\ssldivx.dll

2007-12-11 22:34 1,044,480 ----a-w C:\Windows\System32\libdivx.dll

2007-12-10 10:28 --------- d-----w C:\Program Files\Picasa2

2007-12-10 10:25 --------- d-----w C:\Program Files\Google

2007-12-08 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-08 18:47 --------- d-----w C:\Program Files\Caplio Software

2007-12-05 11:41 --------- d-----w C:\Program Files\OpenTTD

2007-11-28 20:42 --------- d-----w C:\ProgramData\Ahead

2007-11-28 20:40 --------- d-----w C:\Program Files\Common Files\Ahead

2007-11-28 20:38 --------- d-----w C:\ProgramData\Nero

2007-11-28 16:40 --------- d-----w C:\Program Files\OO Software

2007-11-26 16:26 --------- d-----w C:\ProgramData\Office Genuine Advantage

2007-11-23 11:03 --------- d--h--w C:\Program Files\Zenographics

2007-11-23 11:03 --------- d-----w C:\Program Files\Hewlett-Packard

2007-11-21 10:08 --------- d-----w C:\Program Files\XNeat Windows Manager

2007-11-20 10:54 --------- d-----w C:\ProgramData\Spybot - Search & Destroy

2007-11-16 13:17 --------- d-----w C:\Program Files\Graph

2007-11-14 07:35 1,244,672 ----a-w C:\Windows\System32\mcmde.dll

2007-09-07 11:39 174 --sha-w C:\Program Files\desktop.ini

2007-09-18 16:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2007-09-18 16:16 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2007-09-18 16:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 12:34 1232896]

"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 12:58 495616]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:34 125440]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-09-07 12:33 1006264]

"Norman ZANDA"="C:\Program Files\Norman\Npm\bin\ZLH.exe" [2007-08-09 13:40 183352]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-15 23:32 86016]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-15 23:32 8433664]

"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-06-15 23:32 67584]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

"Creative SB Monitoring Utility"="sbavmon.dll" [2007-06-28 16:27 93696 C:\Windows\System32\SBAVMon.dll]

"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-09 03:27 119296 C:\Windows\System32\sbusbdll.dll]

"XNeat Windows Manager"="C:\Program Files\XNeat Windows Manager\XNeatWM.exe" [2007-11-14 22:51 188416]

"OODefragTray"="C:\Windows\system32\oodtray.exe" [2007-05-11 02:08 2512392]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"AllowLegacyWebView"= 1 (0x1)

"AllowUnhashedWebView"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative SB Monitoring Utility]

--a------ 2007-06-28 16:27 93696 C:\Windows\System32\SBAVMon.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN]

-r-hs---- 2008-01-11 18:27 36864 C:\Windows\ntmngr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]

--a------ 2007-10-01 11:29 3104768 C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-06-15 23:32 81920 C:\Windows\system32\NvMcTray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SbUsb AudCtrl]

--a------ 2004-07-09 03:27 119296 C:\Windows\System32\sbusbdll.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

C:\Windows\UpdReg.EXE

 

R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 09:55]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 08:30]

R3 BTCAMDRV;Mobiola Web Camera driver;C:\Windows\system32\DRIVERS\BTCamDrv.sys [2005-06-02 18:19]

R3 ksaud;Creative USB Audio Driver;C:\Windows\system32\drivers\ksaud.sys [2007-08-06 15:36]

R3 NETw3v32;Intel® PRO/trådløs 3945ABG-kortdriver for Windows Vista, 32-bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 08:30]

R3 NvcMFlt;NvcMFlt;C:\Windows\system32\DRIVERS\nvcv32mf.sys [2007-07-09 09:50]

R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2007-07-12 10:38]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 12:23]

S2 TimerStop;TimerStop;C:\Windows\system32\TimerStop.sys [2006-12-22 23:44]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8178c875-5d4d-11dc-986e-0016419ed03f}]

\shell\AutoRun\command - G:\setup.exe

\shell\readme\command - G:\SEW.EXE bin\ACADFeui\docs\readme_acade.htm

\shell\setupwizard\command - G:\setup.exe

 

*Newly Created Service* - PROCEXP90

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 00:49:08

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]

-> C:\Program Files\RocketDock\RocketDock.dll

-> C:\Program Files\XNeat Windows Manager\XNeatDrv.dll

-> C:\Program Files\XNeat Windows Manager\scripts\taskabarbuttons\tbsorter.dll

.

Completion time: 2008-01-13 0:51:03

.

2008-01-11 10:25:22 --- E O F ---

 

 

 

 

Can you look it over?

 

I have deleted a file called image.zip that I found while reading this thread.

Do you think there may be more?

 

This file has to go: C:\Windows\ntmngr.exe

 

You can do the following:

 

Open Notepad and paste in what is in bold below, then save the file on the desktop as CFScript.txt.

Then drag the file onto the ComboFix icon. ComboFix will start again.

File::

C:\Windows\ntmngr.exe

 

Post the log together with an HJT log (download HijackThis and put it in its own folder on the desktop.

Start the program, choose "Do a system scan and save a logfile". Copy the log file and post it.)


ComboFix log:

 

 

ComboFix 08-01-11.1 - Server 2008-01-13 1:14:40.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.1278 [GMT 1:00]

Running from: C:\Documents and Settings\Server\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Server\Skrivebord\CFScript.txt C:\Documents and Settings\Server\Skrivebord\CFScript.txt

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))

.

 

2008-01-12 23:28 . 2008-01-12 23:28 <DIR> d-------- C:\Programfiler\Uniblue

2008-01-12 23:28 . 2008-01-12 23:28 <DIR> d-------- C:\Documents and Settings\Server\Programdata\Uniblue

2008-01-12 19:24 . 2008-01-12 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-01-12 18:13 . 2008-01-12 18:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-01-12 18:13 . 2008-01-12 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Kaspersky Lab

2008-01-12 18:12 . 2008-01-12 22:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2008-01-11 22:15 . 2008-01-11 22:15 250 --a------ C:\WINDOWS\gmer.ini

2008-01-11 22:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-11 21:59 . 2007-09-22 12:59 3,377 --a------ C:\WINDOWS\msnchk.exe

2008-01-11 20:57 . 2008-01-12 18:10 <DIR> d-------- C:\Documents and Settings\Server\.housecall6.6

2008-01-04 01:02 . 2008-01-04 01:02 <DIR> d-------- C:\Programfiler\RarZilla Free Unrar

2008-01-04 01:01 . 2008-01-04 01:01 1,154 --a------ C:\WINDOWS\mozver.dat

2008-01-02 19:57 . 2008-01-05 18:31 <DIR> d-------- C:\iam

2007-12-31 15:55 . 2007-12-31 15:55 <DIR> d-------- C:\Programfiler\uTorrent

2007-12-31 15:54 . 2008-01-05 10:52 <DIR> d-------- C:\Documents and Settings\Server\Programdata\uTorrent

2007-12-29 10:39 . 2007-12-29 10:39 0 --a------ C:\WINDOWS\nsreg.dat

2007-12-16 11:35 . 2007-12-25 19:41 <DIR> d-------- C:\Programfiler\dvd43

2007-12-16 11:35 . 2007-12-25 19:41 18,816 --a------ C:\WINDOWS\system32\drivers\dvd43llh.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-12 22:20 --------- d-----w C:\Documents and Settings\Server\Programdata\OpenOffice.org2

2008-01-08 18:03 --------- d-----w C:\Documents and Settings\All Users\Programdata\DVD Shrink

2008-01-04 19:36 --------- d-----w C:\Programfiler\PeerGuardian2

2008-01-03 14:46 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

2007-11-28 22:16 --------- d-----w C:\Documents and Settings\Server\Programdata\Apple Computer

2007-11-17 15:14 --------- d-----w C:\Programfiler\QuickTime

2007-11-17 15:14 --------- d-----w C:\Programfiler\Apple Software Update

2007-11-17 15:14 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple Computer

2007-11-17 15:14 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-10-30 21:51 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll

2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-25 09:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe

2007-10-20 05:01 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll

2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-11_22.07.24,04 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-12 17:13:02 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll

+ 2008-01-12 17:13:02 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll

+ 2008-01-12 17:13:02 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll

+ 2008-01-12 17:13:04 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll

+ 2007-10-25 09:26:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll

+ 2007-10-25 09:26:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll

+ 2008-01-12 17:13:05 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll

+ 2008-01-12 17:13:02 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll

+ 2007-10-25 09:26:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll

+ 2007-05-07 15:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll

+ 2007-05-07 15:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll

+ 2007-05-07 15:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll

+ 2007-10-25 09:26:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll

- 2008-01-11 21:01:05 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

+ 2008-01-13 00:14:23 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

- 2008-01-11 21:01:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

+ 2008-01-13 00:14:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

- 2008-01-11 21:01:06 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

+ 2008-01-13 00:14:23 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

- 2008-01-11 21:01:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

+ 2008-01-13 00:14:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

- 2008-01-11 21:01:06 3,072,000 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

+ 2008-01-13 00:14:23 3,072,000 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

- 2008-01-11 21:01:06 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

+ 2008-01-13 00:14:23 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

+ 2008-01-11 21:15:44 585,791 ----a-w C:\WINDOWS\gmer.dll

+ 2007-06-29 08:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe

+ 2008-01-11 21:15:44 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys

- 2007-06-21 18:57:20 132,656 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2008-01-12 22:06:27 133,448 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll

+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe

+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll

- 2007-03-15 16:19:28 1,476,992 ------w C:\WINDOWS\system32\LegitCheckControl.dll

+ 2007-10-11 13:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll

+ 2008-01-12 22:19:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_538.dat

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 02:31 68856]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"LaCie Backup"="C:\Programfiler\LaCie\Backup Software\\LaCieBackup.exe" [2006-07-06 09:30 2596864]

"PeerGuardian"="C:\Programfiler\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2006-04-07 09:45 53248 C:\WINDOWS\system32\VTTimer.exe]

"S3Trayp"="S3Trayp.exe" [2005-10-31 20:15 163840 C:\WINDOWS\system32\S3Trayp.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 08:34 16143872 C:\WINDOWS\RTHDCPL.exe]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"ApacheTomcatMonitor"="C:\Tomcat6.0\bin\tomcat6w.exe" [2007-02-13 14:03 98304]

"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-10-19 20:16 286720]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-03-02 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]

"dvd43"="C:\Programfiler\dvd43\dvd43_tray.exe" [2007-11-20 16:40 731136]

"UnlockerAssistant"="C:\Programfiler\Unlocker\UnlockerAssistant.exe" [2006-09-07 18:19 15872]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

 

C:\Documents and Settings\Server\Start-meny\Programmer\Oppstart\

OpenOffice.org 2.2.lnk - C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 15:54:56]

WinMySQLadmin.lnk - D:\mysql\bin\winmysqladmin.exe [2004-03-21 03:05:35]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - C:\Programfiler\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2007-05-01 20:14:50]

HP Digital Imaging Monitor.lnk - C:\Programfiler\Hp\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]

HP Image Zone Fast Start.lnk - C:\Programfiler\Hp\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24]

 

R2 Tomcat6;Apache Tomcat;C:\Tomcat6.0\bin\tomcat6.exe [2007-02-13 14:03]

R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-05-22 18:42]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 11:10]

S3 NPF;Netgroup Packet Filter;C:\WINDOWS\system32\drivers\npf.sys [2006-04-22 08:19]

 

*Newly Created Service* - PGFILTER

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BFDC1376-8D0D-6183-35DC-6125E678712A}]

C:\WINDOWS\system32:lsas.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 01:17:07

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]

-> C:\Programfiler\Unlocker\UnlockerHook.dll

.

Completion time: 2008-01-13 1:17:58

ComboFix-quarantined-files.txt 2008-01-13 00:17:54

ComboFix2.txt 2008-01-12 23:31:14

ComboFix3.txt 2008-01-11 21:07:43

.

2008-01-12 10:48:57 --- E O F ---

 

 

 

 

HijackThis log:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 01:18:31, on 13.01.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

C:\Programfiler\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\S3Trayp.exe

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\Tomcat6.0\bin\tomcat6w.exe

C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\rundll32.exe

C:\Programfiler\dvd43\dvd43_tray.exe

C:\Programfiler\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\Programfiler\LaCie\Backup Software\LaCieBackup.exe

C:\Programfiler\PeerGuardian2\pg2.exe

C:\Programfiler\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe

C:\Programfiler\Hp\Digital Imaging\bin\hpqtra08.exe

D:\mysql\bin\winmysqladmin.exe

C:\Programfiler\OpenOffice.org 2.2\program\soffice.exe

C:\MySQL5.0\bin\mysqld-nt.exe

C:\Programfiler\No-IP\DUC20.exe

C:\Programfiler\OpenOffice.org 2.2\program\soffice.BIN

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Tomcat6.0\bin\tomcat6.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqimzone.exe

C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\MSN Messenger\usnsvc.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programfiler\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [s3Trayp] S3Trayp.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Tomcat6.0\bin\tomcat6w.exe" //MS//Tomcat6

O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [dvd43] C:\Programfiler\dvd43\dvd43_tray.exe

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Programfiler\Unlocker\UnlockerAssistant.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [LaCie Backup] C:\Programfiler\LaCie\Backup Software\\LaCieBackup.exe /background

O4 - HKCU\..\Run: [PeerGuardian] C:\Programfiler\PeerGuardian2\pg2.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe

O4 - Startup: WinMySQLadmin.lnk = D:\mysql\bin\winmysqladmin.exe

O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\Hp\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Programfiler\Hp\Digital Imaging\bin\hpqthb08.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O15 - Trusted Zone: *.stumbleupon.com

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{376C75B3-D449-4383-9C49-D40ACD278A10}: NameServer = 192.168.0.1,10.0.0.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{376C75B3-D449-4383-9C49-D40ACD278A10}: NameServer = 192.168.0.1,10.0.0.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{376C75B3-D449-4383-9C49-D40ACD278A10}: NameServer = 192.168.0.1,10.0.0.1

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: MySQL - Unknown owner - C:\MySQL5.0\bin\mysqld-nt (file missing)

O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Programfiler\No-IP\DUC20.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Tomcat6.0\bin\tomcat6.exe

 

--

End of file - 8627 bytes

 

 

 

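The two indicators the helper acted on in the logs above are worth calling out, because they are the kind of thing a log reader should be able to spot mechanically: the msconfig startupreg entry for C:\Windows\ntmngr.exe carries the attribute string `-r-hs----` (read-only, hidden, system) on an executable sitting directly in the Windows directory, and the Active Setup component in the second ComboFix log launches `C:\WINDOWS\system32:lsas.exe`, which is not a file in system32 but an NTFS alternate data stream attached to the system32 directory itself, named to resemble the legitimate lsass.exe. The Python below is an added example, not code from the thread, from ComboFix or from HijackThis: it applies those heuristics, plus the "(file missing)"/"(no file)" orphan markers HijackThis prints, to the log formats posted here. The sample lines are constructed after the thread's logs, and the rules are this example's own assumptions rather than anything the tools implement.

```python
"""Flag suspicious autostart entries in ComboFix / HijackThis style log text.

Added example for this thread; it is not code from ComboFix, HijackThis or the
thread's posters. The heuristics are assumptions drawn from the indicators the
helper acted on, not rules from any of those tools:
  * a hidden/system executable started from the Windows root directory
  * an executable launched from an NTFS alternate data stream (a second ':'
    after the drive letter, e.g. C:\\WINDOWS\\system32:lsas.exe)
  * autostart entries whose target no longer exists ("(file missing)"/"(no file)")
"""
import re

# Constructed sample, modelled on the log lines posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN]
-r-hs---- 2008-01-11 18:27 36864 C:\Windows\ntmngr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BFDC1376-8D0D-6183-35DC-6125E678712A}]
C:\WINDOWS\system32:lsas.exe
C:\Windows\UpdReg.EXE
R3 - URLSearchHook: (no name) - {13B31289-804F-ACBD-3353-8F6A67DC8AC9} - C:\WINDOWS\system32\irxfqs.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O22 - SharedTaskScheduler: AutoDisc Ware - {e04408db-4812-4478-8d4d-e46edcffd3b6} - (no file)
"""

# ComboFix "msconfig\startupreg" lines: attribute flags, date, time, size, path.
ATTR_LINE = re.compile(
    r"^(?P<attrs>[-a-z]{9})\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+(?P<path>[A-Za-z]:\\.+)$"
)
# A line that is nothing but a Windows path (ComboFix prints these under Active Setup entries).
BARE_PATH = re.compile(r"^[A-Za-z]:\\\S+$")


def is_ads_path(path: str) -> bool:
    """True when the path names an NTFS alternate data stream (drive:\\dir:stream)."""
    return ":" in path[2:]


def is_windows_root(path: str) -> bool:
    """True for a file sitting directly in the Windows directory, not in a subfolder."""
    return re.match(r"^[A-Za-z]:\\windows\\[^\\]+$", path, re.IGNORECASE) is not None


def scan(log_text: str) -> list:
    """Return (reason, line) pairs for every line that trips one of the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # HijackThis marks targets it cannot find; such entries are leftovers worth removing.
        if "(file missing)" in line or line.endswith("(no file)"):
            findings.append(("orphaned autostart entry", line))
            continue
        m = ATTR_LINE.match(line)
        if m:
            path = m.group("path")
        elif BARE_PATH.match(line):
            path = line
        else:
            continue
        if is_ads_path(path):
            findings.append(("executable in NTFS alternate data stream", line))
        # 'h' and 's' in the attribute string are the hidden and system flags.
        if m and ("h" in m.group("attrs") or "s" in m.group("attrs")) and is_windows_root(path):
            findings.append(("hidden/system executable in Windows root", line))
    return findings


if __name__ == "__main__":
    for reason, line in scan(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Run against the sample it reports ntmngr.exe, the system32:lsas.exe stream and the two orphaned entries, and stays quiet on NeroCheck.exe, ashDisp.exe and UpdReg.EXE. The ADS check is deliberately crude (any colon past the drive letter) because that is exactly what the legitimate tools' output makes visible; confirming the stream on the machine itself would need `dir /r` or a stream-aware tool, which the heuristic does not replace.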