MSN virus from "photobucket" link

Could you also check whether/which files are in the following folder:

C:\zia02540

 

It's not a folder, just a single file :hmm:

 

 

And MSN (Trillian) works as normal, yes :thumbup:

 

 

OK, and it has no file extension?

Do you get any more info about it if you right-click it and choose Properties?

ComboFix log:

 

 

ComboFix 08-01-11.1 - Server 2008-01-13 1:14:40.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.1278 [GMT 1:00]

Running from: C:\Documents and Settings\Server\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Server\Skrivebord\CFScript.txt C:\Documents and Settings\Server\Skrivebord\CFScript.txt

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))

.

 

2008-01-12 23:28 . 2008-01-12 23:28 <DIR> d-------- C:\Programfiler\Uniblue

2008-01-12 23:28 . 2008-01-12 23:28 <DIR> d-------- C:\Documents and Settings\Server\Programdata\Uniblue

2008-01-12 19:24 . 2008-01-12 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-01-12 18:13 . 2008-01-12 18:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-01-12 18:13 . 2008-01-12 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Kaspersky Lab

2008-01-12 18:12 . 2008-01-12 22:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2008-01-11 22:15 . 2008-01-11 22:15 250 --a------ C:\WINDOWS\gmer.ini

2008-01-11 22:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-11 21:59 . 2007-09-22 12:59 3,377 --a------ C:\WINDOWS\msnchk.exe

2008-01-11 20:57 . 2008-01-12 18:10 <DIR> d-------- C:\Documents and Settings\Server\.housecall6.6

2008-01-04 01:02 . 2008-01-04 01:02 <DIR> d-------- C:\Programfiler\RarZilla Free Unrar

2008-01-04 01:01 . 2008-01-04 01:01 1,154 --a------ C:\WINDOWS\mozver.dat

2008-01-02 19:57 . 2008-01-05 18:31 <DIR> d-------- C:\iam

2007-12-31 15:55 . 2007-12-31 15:55 <DIR> d-------- C:\Programfiler\uTorrent

2007-12-31 15:54 . 2008-01-05 10:52 <DIR> d-------- C:\Documents and Settings\Server\Programdata\uTorrent

2007-12-29 10:39 . 2007-12-29 10:39 0 --a------ C:\WINDOWS\nsreg.dat

2007-12-16 11:35 . 2007-12-25 19:41 <DIR> d-------- C:\Programfiler\dvd43

2007-12-16 11:35 . 2007-12-25 19:41 18,816 --a------ C:\WINDOWS\system32\drivers\dvd43llh.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-12 22:20 --------- d-----w C:\Documents and Settings\Server\Programdata\OpenOffice.org2

2008-01-08 18:03 --------- d-----w C:\Documents and Settings\All Users\Programdata\DVD Shrink

2008-01-04 19:36 --------- d-----w C:\Programfiler\PeerGuardian2

2008-01-03 14:46 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

2007-11-28 22:16 --------- d-----w C:\Documents and Settings\Server\Programdata\Apple Computer

2007-11-17 15:14 --------- d-----w C:\Programfiler\QuickTime

2007-11-17 15:14 --------- d-----w C:\Programfiler\Apple Software Update

2007-11-17 15:14 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple Computer

2007-11-17 15:14 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-10-30 21:51 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll

2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-25 09:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe

2007-10-20 05:01 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll

2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-11_22.07.24,04 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-12 17:13:02 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll

+ 2008-01-12 17:13:02 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll

+ 2008-01-12 17:13:02 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll

+ 2008-01-12 17:13:04 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll

+ 2007-10-25 09:26:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll

+ 2007-10-25 09:26:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll

+ 2008-01-12 17:13:05 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll

+ 2008-01-12 17:13:02 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll

+ 2007-10-25 09:26:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll

+ 2007-05-07 15:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll

+ 2007-05-07 15:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll

+ 2007-05-07 15:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll

+ 2007-10-25 09:26:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll

- 2008-01-11 21:01:05 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

+ 2008-01-13 00:14:23 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

- 2008-01-11 21:01:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

+ 2008-01-13 00:14:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

- 2008-01-11 21:01:06 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

+ 2008-01-13 00:14:23 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

- 2008-01-11 21:01:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

+ 2008-01-13 00:14:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

- 2008-01-11 21:01:06 3,072,000 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

+ 2008-01-13 00:14:23 3,072,000 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

- 2008-01-11 21:01:06 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

+ 2008-01-13 00:14:23 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

+ 2008-01-11 21:15:44 585,791 ----a-w C:\WINDOWS\gmer.dll

+ 2007-06-29 08:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe

+ 2008-01-11 21:15:44 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys

- 2007-06-21 18:57:20 132,656 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2008-01-12 22:06:27 133,448 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll

+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe

+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll

- 2007-03-15 16:19:28 1,476,992 ------w C:\WINDOWS\system32\LegitCheckControl.dll

+ 2007-10-11 13:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll

+ 2008-01-12 22:19:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_538.dat

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 02:31 68856]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"LaCie Backup"="C:\Programfiler\LaCie\Backup Software\\LaCieBackup.exe" [2006-07-06 09:30 2596864]

"PeerGuardian"="C:\Programfiler\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2006-04-07 09:45 53248 C:\WINDOWS\system32\VTTimer.exe]

"S3Trayp"="S3Trayp.exe" [2005-10-31 20:15 163840 C:\WINDOWS\system32\S3Trayp.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 08:34 16143872 C:\WINDOWS\RTHDCPL.exe]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"ApacheTomcatMonitor"="C:\Tomcat6.0\bin\tomcat6w.exe" [2007-02-13 14:03 98304]

"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-10-19 20:16 286720]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-03-02 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]

"dvd43"="C:\Programfiler\dvd43\dvd43_tray.exe" [2007-11-20 16:40 731136]

"UnlockerAssistant"="C:\Programfiler\Unlocker\UnlockerAssistant.exe" [2006-09-07 18:19 15872]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

 

C:\Documents and Settings\Server\Start-meny\Programmer\Oppstart\

OpenOffice.org 2.2.lnk - C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 15:54:56]

WinMySQLadmin.lnk - D:\mysql\bin\winmysqladmin.exe [2004-03-21 03:05:35]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - C:\Programfiler\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2007-05-01 20:14:50]

HP Digital Imaging Monitor.lnk - C:\Programfiler\Hp\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]

HP Image Zone Fast Start.lnk - C:\Programfiler\Hp\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24]

 

R2 Tomcat6;Apache Tomcat;C:\Tomcat6.0\bin\tomcat6.exe [2007-02-13 14:03]

R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-05-22 18:42]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 11:10]

S3 NPF;Netgroup Packet Filter;C:\WINDOWS\system32\drivers\npf.sys [2006-04-22 08:19]

 

*Newly Created Service* - PGFILTER

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BFDC1376-8D0D-6183-35DC-6125E678712A}]

C:\WINDOWS\system32:lsas.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 01:17:07

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]

-> C:\Programfiler\Unlocker\UnlockerHook.dll

.

Completion time: 2008-01-13 1:17:58

ComboFix-quarantined-files.txt 2008-01-13 00:17:54

ComboFix2.txt 2008-01-12 23:31:14

ComboFix3.txt 2008-01-11 21:07:43

.

2008-01-12 10:48:57 --- E O F ---

 

 

 

 

HijackThis log:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 01:18:31, on 13.01.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

C:\Programfiler\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\S3Trayp.exe

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\Tomcat6.0\bin\tomcat6w.exe

C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\rundll32.exe

C:\Programfiler\dvd43\dvd43_tray.exe

C:\Programfiler\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\Programfiler\LaCie\Backup Software\LaCieBackup.exe

C:\Programfiler\PeerGuardian2\pg2.exe

C:\Programfiler\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe

C:\Programfiler\Hp\Digital Imaging\bin\hpqtra08.exe

D:\mysql\bin\winmysqladmin.exe

C:\Programfiler\OpenOffice.org 2.2\program\soffice.exe

C:\MySQL5.0\bin\mysqld-nt.exe

C:\Programfiler\No-IP\DUC20.exe

C:\Programfiler\OpenOffice.org 2.2\program\soffice.BIN

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Tomcat6.0\bin\tomcat6.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqimzone.exe

C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\MSN Messenger\usnsvc.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programfiler\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [s3Trayp] S3Trayp.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Tomcat6.0\bin\tomcat6w.exe" //MS//Tomcat6

O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [dvd43] C:\Programfiler\dvd43\dvd43_tray.exe

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Programfiler\Unlocker\UnlockerAssistant.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [LaCie Backup] C:\Programfiler\LaCie\Backup Software\\LaCieBackup.exe /background

O4 - HKCU\..\Run: [PeerGuardian] C:\Programfiler\PeerGuardian2\pg2.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe

O4 - Startup: WinMySQLadmin.lnk = D:\mysql\bin\winmysqladmin.exe

O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\Hp\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Programfiler\Hp\Digital Imaging\bin\hpqthb08.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O15 - Trusted Zone: *.stumbleupon.com

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{376C75B3-D449-4383-9C49-D40ACD278A10}: NameServer = 192.168.0.1,10.0.0.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{376C75B3-D449-4383-9C49-D40ACD278A10}: NameServer = 192.168.0.1,10.0.0.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{376C75B3-D449-4383-9C49-D40ACD278A10}: NameServer = 192.168.0.1,10.0.0.1

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: MySQL - Unknown owner - C:\MySQL5.0\bin\mysqld-nt (file missing)

O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Programfiler\No-IP\DUC20.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Tomcat6.0\bin\tomcat6.exe

 

--

End of file - 8627 bytes

 

 

 

Download Avenger and unpack it.

 

Start the program, select "Input Script Manually" and click the magnifying glass.

In the window that opens, copy and paste what is in bold below:

Registry keys to delete:

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BFDC1376-8D0D-6183-35DC-6125E678712A}

Click the traffic light. Restart the PC.

After the restart a log file will appear telling you what happened. Post the log it produces.
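The ComboFix log above lists an Active Setup load point ({BFDC1376-8D0D-6183-35DC-6125E678712A}) whose command is `C:\WINDOWS\system32:lsas.exe`. The second colon means the executable lives in an NTFS alternate data stream attached to the system32 directory, which is why no folder listing shows it, while Active Setup still runs it at logon. The Avenger script deletes only the registry key. As an added example that is not from the thread or from the ComboFix/Avenger authors, the Python below does by machine the triage a helper does by eye on such a log: it parses the "Files Created" and "Reg Loading Points" sections and flags alternate-data-stream paths, Active Setup load points, and freshly created hidden+system files under the Windows directory. The SAMPLE_LOG is constructed to mirror the format of the logs posted here; the heuristics are triage hints to look closer, not verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the ComboFix log format posted in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.
2008-01-12 23:28 . 2008-01-12 23:28 <DIR> d-------- C:\Programfiler\Uniblue
2008-01-11 18:27 . 2008-01-11 18:27 36,864 -r-hs---- C:\Windows\ntmngr.exe
2008-01-11 22:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BFDC1376-8D0D-6183-35DC-6125E678712A}]
C:\WINDOWS\system32:lsas.exe
.
"""

# "created . modified size attrs path" rows; size is <DIR> or a comma-grouped number.
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) ([drahs-]{9}) (.+)$"
)
# A drive path whose last component contains a second ':' names an NTFS alternate
# data stream, e.g. C:\WINDOWS\system32:lsas.exe (stream "lsas.exe" on system32).
ADS_PATH = re.compile(r"^[A-Za-z]:\\(?:[^\\:]+\\)*[^\\:]+:[^\\:]+$")
# Registry value lines are either "name"="path" [date size] or a bare path.
QUOTED_VALUE = re.compile(r'^"[^"]*"="([^"]*)"')


@dataclass(frozen=True)
class FileEntry:
    created: str
    size: str
    attrs: str
    path: str


def parse_file_entries(text: str) -> list[FileEntry]:
    """Extract the 'Files Created' rows of a ComboFix log."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            entries.append(FileEntry(created=m.group(1), size=m.group(3),
                                     attrs=m.group(4), path=m.group(5)))
    return entries


def parse_reg_points(text: str) -> list[tuple[str, str]]:
    """Return (registry key, value line) pairs from the 'Reg Loading Points' section."""
    pairs, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            key = None  # a blank line or '.' separator ends the current key block
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is not None:
            pairs.append((key, line))
    return pairs


def value_path(value: str) -> str:
    """Strip the "name"= wrapper and the trailing [date size] note, leaving the path."""
    m = QUOTED_VALUE.match(value)
    return m.group(1) if m else value.split(" [")[0]


def is_ads_path(path: str) -> bool:
    return bool(ADS_PATH.match(path))


def triage(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for e in parse_file_entries(text):
        # ComboFix attribute string: 'h' = hidden, 's' = system. Both set on a new
        # file directly under the Windows directory is worth a closer look.
        if "h" in e.attrs and "s" in e.attrs and e.path.lower().startswith("c:\\windows\\"):
            findings.append(f"hidden+system file created {e.created}: {e.path}")
        if is_ads_path(e.path):
            findings.append(f"alternate data stream: {e.path}")
    for key, value in parse_reg_points(text):
        path = value_path(value)
        if "active setup\\installed components" in key.lower():
            guid = key.rsplit("\\", 1)[-1]
            findings.append(f"Active Setup load point {guid} -> {path}")
        if is_ads_path(path):
            findings.append(f"load point runs from an alternate data stream: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a saved ComboFix log by reading the file into `triage()`; on the constructed sample it flags the hidden+system `ntmngr.exe`, the Active Setup key, and the `system32:lsas.exe` stream, while the plain `ctfmon.exe` Run entry passes. Deleting the Active Setup key stops the logon trigger; the stream itself is a separate object that a directory listing will not reveal, so confirm it is gone with a tool that enumerates NTFS streams rather than by browsing the folder.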

Avenger log:

 

 

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\tjjqbomt

 

*******************

 

Script file located at: \??\C:\WINDOWS\qbxjopcb.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BFDC1376-8D0D-6183-35DC-6125E678712A} deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

 

 

 

The mssrvc key is no longer being added to the registry :)

 

 

Are there any other threats you notice?

Edited by krvi-bre
Could you also check whether/which files are in the following folder:

C:\zia02540

 

It's not a folder, just a single file :hmm:

 

 

And MSN (Trillian) works as normal, yes :thumbup:

 

 

OK, and it has no file extension?

Do you get any more info about it if you right-click it and choose Properties?

 

Type of file: File

Description: zia02540

Location: C:\

 

Size 1.13KB

Size on disk 4,00KB

 

Created: 12 January 2008, 03:19:22

Modified: 12 January 2008, 03:19:22

Accessed: 13 January 2008, 00:55:30
The mssrvc key is no longer being added to the registry :)

 

 

Are there any other threats you notice?

 

No, the rest looks fine.

 

You can tidy up a bit by, among other things, uninstalling the programs you have used and no longer need.

ComboFix can be uninstalled like this:

Click: Start->Run

Type: ComboFix /u

 

You should also reset the System Restore folder so that you don't get reinfected by a possible system restore.

Control Panel->System->System Restore.

Tick "Turn off System Restore .....",

restart the PC,

untick it again to re-enable the feature.

 

Surf safely.

OK, and it has no file extension?

Do you get any more info about it if you right-click it and choose Properties?

 

Type of file: File

Description: zia02540

Location: C:\

 

Size 1.13KB

Size on disk 4,00KB

 

Created: 12 January 2008, 03:19:22

Modified: 12 January 2008, 03:19:22

Accessed: 13 January 2008, 00:55:30

 

OK. I think we'll just leave it alone.

Is everything else working OK?
Many thanks, norbat! You have been very helpful; I hope more people know to appreciate gurus like you :)

 

Thanks for the feedback. Glad to be of help. Ran a bit into overtime tonight, but that's how it goes when these epidemics hit :)
norbat:

 

You wrote earlier in the thread that if you have XP you try the following.... etc. etc.

 

What if you have Vista?

 

Hm, I think that was about using Avenger. Apparently it isn't compatible with Vista (typical)

 

If you have Vista you can make a custom fix using ComboFix, or delete the files manually (if you can find them)

To make a custom fix, one needs to see a ComboFix log.

 

 

Okay! Here is my report:

 

 

 

ComboFix 08-01-13.1 - Peavey 2008-01-13 0:44:29.1 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1044.18.174 [GMT 1:00]

Running from: C:\Users\Peavet\AppData\Roaming\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))

.

 

2008-01-13 00:42 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Grisoft

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\Users\All Users\Grisoft

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\ProgramData\Grisoft

2008-01-12 00:44 . 2007-05-30 13:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys

2008-01-11 21:19 . 2008-01-11 21:18 286,720 --a------ C:\Windows\iun506.exe

2008-01-11 21:18 . 2008-01-11 21:19 <DIR> d-------- C:\Program Files\Risk 2

2008-01-11 19:12 . 2008-01-11 19:20 <DIR> d-------- C:\Users\All Users\Lavasoft

2008-01-11 19:12 . 2008-01-11 19:20 <DIR> d-------- C:\ProgramData\Lavasoft

2008-01-11 19:12 . 2008-01-11 19:12 <DIR> d-------- C:\Program Files\Lavasoft

2008-01-11 18:27 . 2008-01-11 18:27 36,864 -r-hs---- C:\Windows\ntmngr.exe

2008-01-10 18:35 . 2005-06-02 18:19 228,352 --a------ C:\Windows\System32\drivers\BTCamDrv.sys

2008-01-10 16:12 . 2008-01-10 16:17 <DIR> d-------- C:\Program Files\Wings Of Fury

2008-01-10 15:12 . 2008-01-10 15:12 <DIR> d--h----- C:\Windows\PIF

2008-01-10 10:37 . 2008-01-10 17:02 <DIR> d-a------ C:\Users\All Users\TEMP

2008-01-10 10:37 . 2008-01-10 17:02 <DIR> d-a------ C:\ProgramData\TEMP

2008-01-10 10:37 . 2007-09-20 12:04 114,688 --a------ C:\Windows\System32\btcamvideosource.dll

2008-01-10 10:37 . 2008-01-10 10:37 8,192 -ra-s---- C:\BOOTSECT.BAK

2008-01-10 10:17 . 2008-01-10 10:19 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Hamachi

2008-01-10 10:17 . 2008-01-10 10:17 25,280 --a------ C:\Windows\System32\drivers\hamachi.sys

2008-01-09 14:34 . 2008-01-09 14:34 <DIR> d-------- C:\Program Files\Timios

2008-01-09 12:37 . 2008-01-09 12:37 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys

2008-01-09 12:37 . 2008-01-09 12:37 216,760 --a------ C:\Windows\System32\drivers\netio.sys

2008-01-09 12:37 . 2008-01-09 12:37 167,424 --a------ C:\Windows\System32\tcpipcfg.dll

2008-01-09 12:37 . 2008-01-09 12:37 24,064 --a------ C:\Windows\System32\netcfg.exe

2008-01-09 12:37 . 2008-01-09 12:37 22,016 --a------ C:\Windows\System32\netiougc.exe

2008-01-09 12:35 . 2008-01-09 12:35 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll

2008-01-09 12:35 . 2008-01-09 12:35 1,686,016 --a------ C:\Windows\System32\gameux.dll

2008-01-09 12:35 . 2008-01-09 12:35 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys

2008-01-09 12:35 . 2008-01-09 12:35 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys

2008-01-09 12:35 . 2008-01-09 12:35 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys

2008-01-09 12:35 . 2008-01-09 12:35 109,624 --a------ C:\Windows\System32\drivers\ataport.sys

2008-01-09 12:35 . 2008-01-09 12:35 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys

2008-01-09 12:35 . 2008-01-09 12:35 21,560 --a------ C:\Windows\System32\drivers\atapi.sys

2008-01-09 12:35 . 2008-01-09 12:35 17,464 --a------ C:\Windows\System32\drivers\intelide.sys

2008-01-09 12:34 . 2008-01-09 12:34 11,776 --a------ C:\Windows\System32\sbunattend.exe

2008-01-06 23:56 . 2008-01-06 23:56 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\VoipDiscount

2008-01-06 23:54 . 2008-01-06 23:54 <DIR> d-------- C:\Program Files\VoipDiscount.com

2008-01-03 01:41 . 2008-01-03 03:36 <DIR> d-------- C:\Program Files\SignSIS-GUI

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\Users\All Users\Nokia

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\ProgramData\Nokia

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\Program Files\Common Files\Nokia

2007-12-29 19:04 . 2007-12-29 19:04 <DIR> d-------- C:\Program Files\Common Files\PCSuite

2007-12-19 01:07 . 2007-12-19 01:07 <DIR> d-------- C:\Program Files\DivX

2007-12-15 19:17 . 2007-12-15 19:18 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\NSeries

2007-12-15 18:53 . 2007-12-15 18:59 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Nokia

2007-12-15 18:53 . 2007-12-15 19:12 <DIR> d-------- C:\Users\All Users\PC Suite

2007-12-15 18:53 . 2007-12-15 19:12 <DIR> d-------- C:\ProgramData\PC Suite

2007-12-15 18:52 . 2007-12-15 18:52 <DIR> d-------- C:\Windows\Downloaded Installations

2007-12-15 18:50 . 2007-12-15 18:53 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\PC Suite

2007-12-15 18:49 . 2007-12-15 18:49 <DIR> d-------- C:\Program Files\PC Connectivity Solution

2007-12-15 18:45 . 2007-12-29 19:11 <DIR> d-------- C:\Program Files\Nokia

2007-12-15 18:45 . 2007-02-22 10:15 90,624 --a------ C:\Windows\System32\nmwcdcls.dll

2007-12-14 15:38 . 2007-12-14 16:15 <DIR> d-------- C:\Program Files\FreeRIP3

2007-12-14 15:38 . 2007-12-14 16:15 4,510 --a------ C:\Windows\cdplayer.ini

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Start-meny

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Skrivebord

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Programdata

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Maler

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Favoritter

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Dokumenter

2079-12-31 11:53 --------- d-sh--w C:\Program Files\Fellesfiler

2008-01-12 23:10 --------- d-----w C:\Users\Peavey\AppData\Roaming\uTorrent

2008-01-12 13:29 --------- d-----w C:\Program Files\Norman

2008-01-11 20:22 120,022 ----a-w C:\Users\Peavey\AppData\Roaming\nvModes.dat

2008-01-11 18:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-01-09 14:29 --------- d-----w C:\Program Files\Windows Sidebar

2008-01-09 14:29 --------- d-----w C:\Program Files\Windows Mail

2008-01-09 13:39 --------- d-----w C:\ProgramData\Microsoft Help

2008-01-09 11:35 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-01-09 11:35 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-01-09 11:35 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-01-09 11:35 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-01-03 23:22 --------- d-----w C:\Program Files\MediaMonkey

2007-12-27 23:50 --------- d-----w C:\Users\Peavey\AppData\Roaming\dvdcss

2007-12-12 11:57 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL

2007-12-12 11:57 223,232 ----a-w C:\Windows\System32\WMASF.DLL

2007-12-12 11:57 1,327,104 ----a-w C:\Windows\System32\quartz.dll

2007-12-12 11:56 824,832 ----a-w C:\Windows\System32\wininet.dll

2007-12-12 11:56 56,320 ----a-w C:\Windows\System32\iesetup.dll

2007-12-12 11:56 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2007-12-12 11:56 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2007-12-12 11:49 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys

2007-12-12 11:49 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys

2007-12-12 11:49 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys

2007-12-12 11:49 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys

2007-12-12 11:47 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe

2007-12-12 11:47 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe

2007-12-11 22:34 200,704 ----a-w C:\Windows\System32\ssldivx.dll

2007-12-11 22:34 1,044,480 ----a-w C:\Windows\System32\libdivx.dll

2007-12-10 10:28 --------- d-----w C:\Program Files\Picasa2

2007-12-10 10:25 --------- d-----w C:\Program Files\Google

2007-12-08 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-08 18:47 --------- d-----w C:\Program Files\Caplio Software

2007-12-05 11:41 --------- d-----w C:\Program Files\OpenTTD

2007-11-28 20:42 --------- d-----w C:\ProgramData\Ahead

2007-11-28 20:40 --------- d-----w C:\Program Files\Common Files\Ahead

2007-11-28 20:38 --------- d-----w C:\ProgramData\Nero

2007-11-28 16:40 --------- d-----w C:\Program Files\OO Software

2007-11-26 16:26 --------- d-----w C:\ProgramData\Office Genuine Advantage

2007-11-23 11:03 --------- d--h--w C:\Program Files\Zenographics

2007-11-23 11:03 --------- d-----w C:\Program Files\Hewlett-Packard

2007-11-21 10:08 --------- d-----w C:\Program Files\XNeat Windows Manager

2007-11-20 10:54 --------- d-----w C:\ProgramData\Spybot - Search & Destroy

2007-11-16 13:17 --------- d-----w C:\Program Files\Graph

2007-11-14 07:35 1,244,672 ----a-w C:\Windows\System32\mcmde.dll

2007-09-07 11:39 174 --sha-w C:\Program Files\desktop.ini

2007-09-18 16:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2007-09-18 16:16 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2007-09-18 16:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 12:34 1232896]

"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 12:58 495616]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:34 125440]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-09-07 12:33 1006264]

"Norman ZANDA"="C:\Program Files\Norman\Npm\bin\ZLH.exe" [2007-08-09 13:40 183352]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-15 23:32 86016]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-15 23:32 8433664]

"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-06-15 23:32 67584]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

"Creative SB Monitoring Utility"="sbavmon.dll" [2007-06-28 16:27 93696 C:\Windows\System32\SBAVMon.dll]

"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-09 03:27 119296 C:\Windows\System32\sbusbdll.dll]

"XNeat Windows Manager"="C:\Program Files\XNeat Windows Manager\XNeatWM.exe" [2007-11-14 22:51 188416]

"OODefragTray"="C:\Windows\system32\oodtray.exe" [2007-05-11 02:08 2512392]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"AllowLegacyWebView"= 1 (0x1)

"AllowUnhashedWebView"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative SB Monitoring Utility]

--a------ 2007-06-28 16:27 93696 C:\Windows\System32\SBAVMon.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN]

-r-hs---- 2008-01-11 18:27 36864 C:\Windows\ntmngr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]

--a------ 2007-10-01 11:29 3104768 C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-06-15 23:32 81920 C:\Windows\system32\NvMcTray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SbUsb AudCtrl]

--a------ 2004-07-09 03:27 119296 C:\Windows\System32\sbusbdll.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

C:\Windows\UpdReg.EXE

 

R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 09:55]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 08:30]

R3 BTCAMDRV;Mobiola Web Camera driver;C:\Windows\system32\DRIVERS\BTCamDrv.sys [2005-06-02 18:19]

R3 ksaud;Creative USB Audio Driver;C:\Windows\system32\drivers\ksaud.sys [2007-08-06 15:36]

R3 NETw3v32;Intel® PRO/trådløs 3945ABG-kortdriver for Windows Vista, 32-bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 08:30]

R3 NvcMFlt;NvcMFlt;C:\Windows\system32\DRIVERS\nvcv32mf.sys [2007-07-09 09:50]

R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2007-07-12 10:38]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 12:23]

S2 TimerStop;TimerStop;C:\Windows\system32\TimerStop.sys [2006-12-22 23:44]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8178c875-5d4d-11dc-986e-0016419ed03f}]

\shell\AutoRun\command - G:\setup.exe

\shell\readme\command - G:\SEW.EXE bin\ACADFeui\docs\readme_acade.htm

\shell\setupwizard\command - G:\setup.exe

 

*Newly Created Service* - PROCEXP90

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 00:49:08

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]

-> C:\Program Files\RocketDock\RocketDock.dll

-> C:\Program Files\XNeat Windows Manager\XNeatDrv.dll

-> C:\Program Files\XNeat Windows Manager\scripts\taskabarbuttons\tbsorter.dll

.

Completion time: 2008-01-13 0:51:03

.

2008-01-11 10:25:22 --- E O F ---

 

 

 

 

Can you look it over?

 

I have deleted a file called image.zip that I found while reading this thread.

Do you think there could be more?

 

This file has to go: C:\Windows\ntmngr.exe

 

You can do the following:

 

Open Notepad and paste in what is written in bold below, then save the file on the desktop as CFScript.txt.

Then drag the file onto the ComboFix icon. ComboFix will start again.

File::

C:\Windows\ntmngr.exe

 

Post the log together with an HJT log (Download HijackThis. Put it in its own folder on the desktop.

Start the program and choose "Do a system scan and save a logfile". Copy the log file and post it.)

 

 

Here is the ComboFix log:

 

 

ComboFix 08-01-13.1 - Peavey 2008-01-13 1:54:46.2 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1044.18.316 [GMT 1:00]

Running from: C:\Users\Peavey\Desktop\ComboFix.exe

Command switches used :: C:\Users\Peavey\Desktop\CFScript.txt

* Created a new restore point

 

FILE

C:\Windows\ntmngr.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Windows\ntmngr.exe

 

.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))

.

 

2008-01-13 00:42 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Grisoft

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\Users\All Users\Grisoft

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\ProgramData\Grisoft

2008-01-12 00:44 . 2007-05-30 13:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys

2008-01-11 21:19 . 2008-01-11 21:18 286,720 --a------ C:\Windows\iun506.exe

2008-01-11 21:18 . 2008-01-11 21:19 <DIR> d-------- C:\Program Files\Risk 2

2008-01-11 19:12 . 2008-01-11 19:20 <DIR> d-------- C:\Users\All Users\Lavasoft

2008-01-11 19:12 . 2008-01-11 19:20 <DIR> d-------- C:\ProgramData\Lavasoft

2008-01-11 19:12 . 2008-01-11 19:12 <DIR> d-------- C:\Program Files\Lavasoft

2008-01-10 18:35 . 2005-06-02 18:19 228,352 --a------ C:\Windows\System32\drivers\BTCamDrv.sys

2008-01-10 16:12 . 2008-01-10 16:17 <DIR> d-------- C:\Program Files\Wings Of Fury

2008-01-10 15:12 . 2008-01-10 15:12 <DIR> d--h----- C:\Windows\PIF

2008-01-10 10:37 . 2008-01-10 17:02 <DIR> d-a------ C:\Users\All Users\TEMP

2008-01-10 10:37 . 2008-01-10 17:02 <DIR> d-a------ C:\ProgramData\TEMP

2008-01-10 10:37 . 2007-09-20 12:04 114,688 --a------ C:\Windows\System32\btcamvideosource.dll

2008-01-10 10:37 . 2008-01-10 10:37 8,192 -ra-s---- C:\BOOTSECT.BAK

2008-01-10 10:17 . 2008-01-10 10:19 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Hamachi

2008-01-10 10:17 . 2008-01-10 10:17 25,280 --a------ C:\Windows\System32\drivers\hamachi.sys

2008-01-09 14:34 . 2008-01-09 14:34 <DIR> d-------- C:\Program Files\Timios

2008-01-09 12:37 . 2008-01-09 12:37 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys

2008-01-09 12:37 . 2008-01-09 12:37 216,760 --a------ C:\Windows\System32\drivers\netio.sys

2008-01-09 12:37 . 2008-01-09 12:37 167,424 --a------ C:\Windows\System32\tcpipcfg.dll

2008-01-09 12:37 . 2008-01-09 12:37 24,064 --a------ C:\Windows\System32\netcfg.exe

2008-01-09 12:37 . 2008-01-09 12:37 22,016 --a------ C:\Windows\System32\netiougc.exe

2008-01-09 12:35 . 2008-01-09 12:35 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll

2008-01-09 12:35 . 2008-01-09 12:35 1,686,016 --a------ C:\Windows\System32\gameux.dll

2008-01-09 12:35 . 2008-01-09 12:35 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys

2008-01-09 12:35 . 2008-01-09 12:35 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys

2008-01-09 12:35 . 2008-01-09 12:35 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys

2008-01-09 12:35 . 2008-01-09 12:35 109,624 --a------ C:\Windows\System32\drivers\ataport.sys

2008-01-09 12:35 . 2008-01-09 12:35 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys

2008-01-09 12:35 . 2008-01-09 12:35 21,560 --a------ C:\Windows\System32\drivers\atapi.sys

2008-01-09 12:35 . 2008-01-09 12:35 17,464 --a------ C:\Windows\System32\drivers\intelide.sys

2008-01-09 12:34 . 2008-01-09 12:34 11,776 --a------ C:\Windows\System32\sbunattend.exe

2008-01-06 23:56 . 2008-01-06 23:56 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\VoipDiscount

2008-01-06 23:54 . 2008-01-06 23:54 <DIR> d-------- C:\Program Files\VoipDiscount.com

2008-01-03 01:41 . 2008-01-03 03:36 <DIR> d-------- C:\Program Files\SignSIS-GUI

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\Users\All Users\Nokia

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\ProgramData\Nokia

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\Program Files\Common Files\Nokia

2007-12-29 19:04 . 2007-12-29 19:04 <DIR> d-------- C:\Program Files\Common Files\PCSuite

2007-12-19 01:07 . 2007-12-19 01:07 <DIR> d-------- C:\Program Files\DivX

2007-12-15 19:17 . 2007-12-15 19:18 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\NSeries

2007-12-15 18:53 . 2007-12-15 18:59 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Nokia

2007-12-15 18:53 . 2007-12-15 19:12 <DIR> d-------- C:\Users\All Users\PC Suite

2007-12-15 18:53 . 2007-12-15 19:12 <DIR> d-------- C:\ProgramData\PC Suite

2007-12-15 18:52 . 2007-12-15 18:52 <DIR> d-------- C:\Windows\Downloaded Installations

2007-12-15 18:50 . 2007-12-15 18:53 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\PC Suite

2007-12-15 18:49 . 2007-12-15 18:49 <DIR> d-------- C:\Program Files\PC Connectivity Solution

2007-12-15 18:45 . 2007-12-29 19:11 <DIR> d-------- C:\Program Files\Nokia

2007-12-15 18:45 . 2007-02-22 10:15 90,624 --a------ C:\Windows\System32\nmwcdcls.dll

2007-12-14 15:38 . 2007-12-14 16:15 <DIR> d-------- C:\Program Files\FreeRIP3

2007-12-14 15:38 . 2007-12-14 16:15 4,510 --a------ C:\Windows\cdplayer.ini

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Start-meny

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Skrivebord

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Programdata

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Maler

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Favoritter

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Dokumenter

2079-12-31 11:53 --------- d-sh--w C:\Program Files\Fellesfiler

2008-01-12 23:10 --------- d-----w C:\Users\Peavey\AppData\Roaming\uTorrent

2008-01-12 13:29 --------- d-----w C:\Program Files\Norman

2008-01-11 20:22 120,022 ----a-w C:\Users\Peavey\AppData\Roaming\nvModes.dat

2008-01-11 18:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-01-09 14:29 --------- d-----w C:\Program Files\Windows Sidebar

2008-01-09 14:29 --------- d-----w C:\Program Files\Windows Mail

2008-01-09 13:39 --------- d-----w C:\ProgramData\Microsoft Help

2008-01-09 11:35 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-01-09 11:35 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-01-09 11:35 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-01-09 11:35 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-01-03 23:22 --------- d-----w C:\Program Files\MediaMonkey

2007-12-27 23:50 --------- d-----w C:\Users\Peavey\AppData\Roaming\dvdcss

2007-12-12 11:57 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL

2007-12-12 11:57 223,232 ----a-w C:\Windows\System32\WMASF.DLL

2007-12-12 11:57 1,327,104 ----a-w C:\Windows\System32\quartz.dll

2007-12-12 11:56 824,832 ----a-w C:\Windows\System32\wininet.dll

2007-12-12 11:56 56,320 ----a-w C:\Windows\System32\iesetup.dll

2007-12-12 11:56 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2007-12-12 11:56 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2007-12-12 11:49 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys

2007-12-12 11:49 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys

2007-12-12 11:49 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys

2007-12-12 11:49 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys

2007-12-12 11:47 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe

2007-12-12 11:47 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe

2007-12-11 22:34 200,704 ----a-w C:\Windows\System32\ssldivx.dll

2007-12-11 22:34 1,044,480 ----a-w C:\Windows\System32\libdivx.dll

2007-12-10 10:28 --------- d-----w C:\Program Files\Picasa2

2007-12-10 10:25 --------- d-----w C:\Program Files\Google

2007-12-08 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-08 18:47 --------- d-----w C:\Program Files\Caplio Software

2007-12-05 11:41 --------- d-----w C:\Program Files\OpenTTD

2007-11-28 20:42 --------- d-----w C:\ProgramData\Ahead

2007-11-28 20:40 --------- d-----w C:\Program Files\Common Files\Ahead

2007-11-28 20:38 --------- d-----w C:\ProgramData\Nero

2007-11-28 16:40 --------- d-----w C:\Program Files\OO Software

2007-11-26 16:26 --------- d-----w C:\ProgramData\Office Genuine Advantage

2007-11-23 11:03 --------- d--h--w C:\Program Files\Zenographics

2007-11-23 11:03 --------- d-----w C:\Program Files\Hewlett-Packard

2007-11-21 10:08 --------- d-----w C:\Program Files\XNeat Windows Manager

2007-11-20 10:54 --------- d-----w C:\ProgramData\Spybot - Search & Destroy

2007-11-16 13:17 --------- d-----w C:\Program Files\Graph

2007-11-14 07:35 1,244,672 ----a-w C:\Windows\System32\mcmde.dll

2007-09-07 11:39 174 --sha-w C:\Program Files\desktop.ini

2007-09-18 16:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2007-09-18 16:16 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2007-09-18 16:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-13_ 0.49.57,20 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-01-12 23:43:48 1,339,392 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

+ 2008-01-13 00:53:58 1,339,392 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

- 2008-01-12 23:43:48 1,335,296 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT

+ 2008-01-13 00:53:58 1,335,296 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT

- 2008-01-12 23:43:49 3,448,832 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

+ 2008-01-13 00:53:59 3,448,832 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

- 2008-01-12 23:43:49 2,711,552 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

+ 2008-01-13 00:54:00 2,715,648 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

- 2008-01-12 13:30:51 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2008-01-13 00:50:26 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2008-01-12 13:30:51 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2008-01-13 00:50:26 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2008-01-12 13:30:51 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2008-01-13 00:50:26 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2008-01-12 23:44:17 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat

+ 2008-01-13 00:54:30 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat

+ 2008-01-13 00:54:30 262,144 ---ha-w C:\Windows\System32\config\systemprofile\ntuser.dat.LOG1

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 12:34 1232896]

"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 12:58 495616]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:34 125440]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-09-07 12:33 1006264]

"Norman ZANDA"="C:\Program Files\Norman\Npm\bin\ZLH.exe" [2007-08-09 13:40 183352]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-15 23:32 86016]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-15 23:32 8433664]

"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-06-15 23:32 67584]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

"Creative SB Monitoring Utility"="sbavmon.dll" [2007-06-28 16:27 93696 C:\Windows\System32\SBAVMon.dll]

"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-09 03:27 119296 C:\Windows\System32\sbusbdll.dll]

"XNeat Windows Manager"="C:\Program Files\XNeat Windows Manager\XNeatWM.exe" [2007-11-14 22:51 188416]

"OODefragTray"="C:\Windows\system32\oodtray.exe" [2007-05-11 02:08 2512392]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"AllowLegacyWebView"= 1 (0x1)

"AllowUnhashedWebView"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative SB Monitoring Utility]

--a------ 2007-06-28 16:27 93696 C:\Windows\System32\SBAVMon.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]

--a------ 2007-10-01 11:29 3104768 C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-06-15 23:32 81920 C:\Windows\system32\NvMcTray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SbUsb AudCtrl]

--a------ 2004-07-09 03:27 119296 C:\Windows\System32\sbusbdll.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

C:\Windows\UpdReg.EXE

 

R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 09:55]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 08:30]

R3 BTCAMDRV;Mobiola Web Camera driver;C:\Windows\system32\DRIVERS\BTCamDrv.sys [2005-06-02 18:19]

R3 ksaud;Creative USB Audio Driver;C:\Windows\system32\drivers\ksaud.sys [2007-08-06 15:36]

R3 NETw3v32;Intel® PRO/trådløs 3945ABG-kortdriver for Windows Vista, 32-bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 08:30]

R3 NvcMFlt;NvcMFlt;C:\Windows\system32\DRIVERS\nvcv32mf.sys [2007-07-09 09:50]

R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2007-07-12 10:38]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 12:23]

S2 TimerStop;TimerStop;C:\Windows\system32\TimerStop.sys [2006-12-22 23:44]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8178c875-5d4d-11dc-986e-0016419ed03f}]

\shell\AutoRun\command - G:\setup.exe

\shell\readme\command - G:\SEW.EXE bin\ACADFeui\docs\readme_acade.htm

\shell\setupwizard\command - G:\setup.exe

 

*Newly Created Service* - PROCEXP90

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 01:58:17

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-13 1:59:32

ComboFix-quarantined-files.txt 2008-01-13 00:59:27

ComboFix2.txt 2008-01-12 23:51:04

.

2008-01-11 10:25:22 --- E O F ---

 

 

 

 

 

HJT log:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 02:01:59, on 13.01.2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16575)

Boot mode: Normal

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Norman\Npm\Bin\eLogsvc.exe

C:\Program Files\Norman\Npm\Bin\Zanda.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\oodag.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Norman\Npm\bin\NJEEVES.EXE

C:\Program Files\Norman\Nvc\bin\nvcoas.exe

C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Norman\Npm\Bin\Zlh.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\XNeat Windows Manager\XNeatWM.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\RocketDock\RocketDock.exe

C:\Windows\ehome\ehtray.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Norman\Nvc\BIN\NIP.EXE

C:\Program Files\Norman\Nvc\bin\cclaw.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\Windows Mail\WinMail.exe

C:\Program Files\MathType\MathType.exe

C:\Program Files\Windows Mail\WinMail.exe

C:\Program Files\Windows Mail\WinMail.exe

C:\Windows\system32\conime.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\explorer.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Users\Peavey\Desktop\hijackthis\HijackThis.exe

C:\Windows\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor

O4 - HKLM\..\Run: [sbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor

O4 - HKLM\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\XNeatWM.exe /h

O4 - HKLM\..\Run: [OODefragTray] C:\Windows\system32\oodtray.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\eLogsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 7414 bytes

 

 

 

 

Do you think it is gone now?

Thanks a lot for the help :)


 

norbat:

 

Earlier in the thread you wrote that if you have XP you try the following.... etc. etc.

 

What if you have Vista?

 

Hm, I think that was regarding the use of Avenger. Apparently it isn't compatible with Vista (typical)

 

If you have Vista, you can make a custom fix using ComboFix, or delete the files manually (if you can find them).

If a custom fix is to be made, a log from ComboFix is needed first.

Okay! Here is my report:

ComboFix 08-01-13.1 - Peavey 2008-01-13 0:44:29.1 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1044.18.174 [GMT 1:00]

Running from: C:\Users\Peavet\AppData\Roaming\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))

.

 

2008-01-13 00:42 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Grisoft

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\Users\All Users\Grisoft

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\ProgramData\Grisoft

2008-01-12 00:44 . 2007-05-30 13:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys

2008-01-11 21:19 . 2008-01-11 21:18 286,720 --a------ C:\Windows\iun506.exe

2008-01-11 21:18 . 2008-01-11 21:19 <DIR> d-------- C:\Program Files\Risk 2

2008-01-11 19:12 . 2008-01-11 19:20 <DIR> d-------- C:\Users\All Users\Lavasoft

2008-01-11 19:12 . 2008-01-11 19:20 <DIR> d-------- C:\ProgramData\Lavasoft

2008-01-11 19:12 . 2008-01-11 19:12 <DIR> d-------- C:\Program Files\Lavasoft

2008-01-11 18:27 . 2008-01-11 18:27 36,864 -r-hs---- C:\Windows\ntmngr.exe

2008-01-10 18:35 . 2005-06-02 18:19 228,352 --a------ C:\Windows\System32\drivers\BTCamDrv.sys

2008-01-10 16:12 . 2008-01-10 16:17 <DIR> d-------- C:\Program Files\Wings Of Fury

2008-01-10 15:12 . 2008-01-10 15:12 <DIR> d--h----- C:\Windows\PIF

2008-01-10 10:37 . 2008-01-10 17:02 <DIR> d-a------ C:\Users\All Users\TEMP

2008-01-10 10:37 . 2008-01-10 17:02 <DIR> d-a------ C:\ProgramData\TEMP

2008-01-10 10:37 . 2007-09-20 12:04 114,688 --a------ C:\Windows\System32\btcamvideosource.dll

2008-01-10 10:37 . 2008-01-10 10:37 8,192 -ra-s---- C:\BOOTSECT.BAK

2008-01-10 10:17 . 2008-01-10 10:19 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Hamachi

2008-01-10 10:17 . 2008-01-10 10:17 25,280 --a------ C:\Windows\System32\drivers\hamachi.sys

2008-01-09 14:34 . 2008-01-09 14:34 <DIR> d-------- C:\Program Files\Timios

2008-01-09 12:37 . 2008-01-09 12:37 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys

2008-01-09 12:37 . 2008-01-09 12:37 216,760 --a------ C:\Windows\System32\drivers\netio.sys

2008-01-09 12:37 . 2008-01-09 12:37 167,424 --a------ C:\Windows\System32\tcpipcfg.dll

2008-01-09 12:37 . 2008-01-09 12:37 24,064 --a------ C:\Windows\System32\netcfg.exe

2008-01-09 12:37 . 2008-01-09 12:37 22,016 --a------ C:\Windows\System32\netiougc.exe

2008-01-09 12:35 . 2008-01-09 12:35 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll

2008-01-09 12:35 . 2008-01-09 12:35 1,686,016 --a------ C:\Windows\System32\gameux.dll

2008-01-09 12:35 . 2008-01-09 12:35 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys

2008-01-09 12:35 . 2008-01-09 12:35 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys

2008-01-09 12:35 . 2008-01-09 12:35 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys

2008-01-09 12:35 . 2008-01-09 12:35 109,624 --a------ C:\Windows\System32\drivers\ataport.sys

2008-01-09 12:35 . 2008-01-09 12:35 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys

2008-01-09 12:35 . 2008-01-09 12:35 21,560 --a------ C:\Windows\System32\drivers\atapi.sys

2008-01-09 12:35 . 2008-01-09 12:35 17,464 --a------ C:\Windows\System32\drivers\intelide.sys

2008-01-09 12:34 . 2008-01-09 12:34 11,776 --a------ C:\Windows\System32\sbunattend.exe

2008-01-06 23:56 . 2008-01-06 23:56 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\VoipDiscount

2008-01-06 23:54 . 2008-01-06 23:54 <DIR> d-------- C:\Program Files\VoipDiscount.com

2008-01-03 01:41 . 2008-01-03 03:36 <DIR> d-------- C:\Program Files\SignSIS-GUI

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\Users\All Users\Nokia

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\ProgramData\Nokia

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\Program Files\Common Files\Nokia

2007-12-29 19:04 . 2007-12-29 19:04 <DIR> d-------- C:\Program Files\Common Files\PCSuite

2007-12-19 01:07 . 2007-12-19 01:07 <DIR> d-------- C:\Program Files\DivX

2007-12-15 19:17 . 2007-12-15 19:18 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\NSeries

2007-12-15 18:53 . 2007-12-15 18:59 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Nokia

2007-12-15 18:53 . 2007-12-15 19:12 <DIR> d-------- C:\Users\All Users\PC Suite

2007-12-15 18:53 . 2007-12-15 19:12 <DIR> d-------- C:\ProgramData\PC Suite

2007-12-15 18:52 . 2007-12-15 18:52 <DIR> d-------- C:\Windows\Downloaded Installations

2007-12-15 18:50 . 2007-12-15 18:53 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\PC Suite

2007-12-15 18:49 . 2007-12-15 18:49 <DIR> d-------- C:\Program Files\PC Connectivity Solution

2007-12-15 18:45 . 2007-12-29 19:11 <DIR> d-------- C:\Program Files\Nokia

2007-12-15 18:45 . 2007-02-22 10:15 90,624 --a------ C:\Windows\System32\nmwcdcls.dll

2007-12-14 15:38 . 2007-12-14 16:15 <DIR> d-------- C:\Program Files\FreeRIP3

2007-12-14 15:38 . 2007-12-14 16:15 4,510 --a------ C:\Windows\cdplayer.ini

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Start-meny

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Skrivebord

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Programdata

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Maler

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Favoritter

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Dokumenter

2079-12-31 11:53 --------- d-sh--w C:\Program Files\Fellesfiler

2008-01-12 23:10 --------- d-----w C:\Users\Peavey\AppData\Roaming\uTorrent

2008-01-12 13:29 --------- d-----w C:\Program Files\Norman

2008-01-11 20:22 120,022 ----a-w C:\Users\Peavey\AppData\Roaming\nvModes.dat

2008-01-11 18:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-01-09 14:29 --------- d-----w C:\Program Files\Windows Sidebar

2008-01-09 14:29 --------- d-----w C:\Program Files\Windows Mail

2008-01-09 13:39 --------- d-----w C:\ProgramData\Microsoft Help

2008-01-09 11:35 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-01-09 11:35 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-01-09 11:35 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-01-09 11:35 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-01-03 23:22 --------- d-----w C:\Program Files\MediaMonkey

2007-12-27 23:50 --------- d-----w C:\Users\Peavey\AppData\Roaming\dvdcss

2007-12-12 11:57 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL

2007-12-12 11:57 223,232 ----a-w C:\Windows\System32\WMASF.DLL

2007-12-12 11:57 1,327,104 ----a-w C:\Windows\System32\quartz.dll

2007-12-12 11:56 824,832 ----a-w C:\Windows\System32\wininet.dll

2007-12-12 11:56 56,320 ----a-w C:\Windows\System32\iesetup.dll

2007-12-12 11:56 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2007-12-12 11:56 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2007-12-12 11:49 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys

2007-12-12 11:49 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys

2007-12-12 11:49 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys

2007-12-12 11:49 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys

2007-12-12 11:47 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe

2007-12-12 11:47 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe

2007-12-11 22:34 200,704 ----a-w C:\Windows\System32\ssldivx.dll

2007-12-11 22:34 1,044,480 ----a-w C:\Windows\System32\libdivx.dll

2007-12-10 10:28 --------- d-----w C:\Program Files\Picasa2

2007-12-10 10:25 --------- d-----w C:\Program Files\Google

2007-12-08 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-08 18:47 --------- d-----w C:\Program Files\Caplio Software

2007-12-05 11:41 --------- d-----w C:\Program Files\OpenTTD

2007-11-28 20:42 --------- d-----w C:\ProgramData\Ahead

2007-11-28 20:40 --------- d-----w C:\Program Files\Common Files\Ahead

2007-11-28 20:38 --------- d-----w C:\ProgramData\Nero

2007-11-28 16:40 --------- d-----w C:\Program Files\OO Software

2007-11-26 16:26 --------- d-----w C:\ProgramData\Office Genuine Advantage

2007-11-23 11:03 --------- d--h--w C:\Program Files\Zenographics

2007-11-23 11:03 --------- d-----w C:\Program Files\Hewlett-Packard

2007-11-21 10:08 --------- d-----w C:\Program Files\XNeat Windows Manager

2007-11-20 10:54 --------- d-----w C:\ProgramData\Spybot - Search & Destroy

2007-11-16 13:17 --------- d-----w C:\Program Files\Graph

2007-11-14 07:35 1,244,672 ----a-w C:\Windows\System32\mcmde.dll

2007-09-07 11:39 174 --sha-w C:\Program Files\desktop.ini

2007-09-18 16:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2007-09-18 16:16 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2007-09-18 16:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 12:34 1232896]

"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 12:58 495616]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:34 125440]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-09-07 12:33 1006264]

"Norman ZANDA"="C:\Program Files\Norman\Npm\bin\ZLH.exe" [2007-08-09 13:40 183352]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-15 23:32 86016]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-15 23:32 8433664]

"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-06-15 23:32 67584]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

"Creative SB Monitoring Utility"="sbavmon.dll" [2007-06-28 16:27 93696 C:\Windows\System32\SBAVMon.dll]

"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-09 03:27 119296 C:\Windows\System32\sbusbdll.dll]

"XNeat Windows Manager"="C:\Program Files\XNeat Windows Manager\XNeatWM.exe" [2007-11-14 22:51 188416]

"OODefragTray"="C:\Windows\system32\oodtray.exe" [2007-05-11 02:08 2512392]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"AllowLegacyWebView"= 1 (0x1)

"AllowUnhashedWebView"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative SB Monitoring Utility]

--a------ 2007-06-28 16:27 93696 C:\Windows\System32\SBAVMon.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN]

-r-hs---- 2008-01-11 18:27 36864 C:\Windows\ntmngr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]

--a------ 2007-10-01 11:29 3104768 C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-06-15 23:32 81920 C:\Windows\system32\NvMcTray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SbUsb AudCtrl]

--a------ 2004-07-09 03:27 119296 C:\Windows\System32\sbusbdll.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

C:\Windows\UpdReg.EXE

 

R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 09:55]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 08:30]

R3 BTCAMDRV;Mobiola Web Camera driver;C:\Windows\system32\DRIVERS\BTCamDrv.sys [2005-06-02 18:19]

R3 ksaud;Creative USB Audio Driver;C:\Windows\system32\drivers\ksaud.sys [2007-08-06 15:36]

R3 NETw3v32;Intel® PRO/trådløs 3945ABG-kortdriver for Windows Vista, 32-bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 08:30]

R3 NvcMFlt;NvcMFlt;C:\Windows\system32\DRIVERS\nvcv32mf.sys [2007-07-09 09:50]

R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2007-07-12 10:38]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 12:23]

S2 TimerStop;TimerStop;C:\Windows\system32\TimerStop.sys [2006-12-22 23:44]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8178c875-5d4d-11dc-986e-0016419ed03f}]

\shell\AutoRun\command - G:\setup.exe

\shell\readme\command - G:\SEW.EXE bin\ACADFeui\docs\readme_acade.htm

\shell\setupwizard\command - G:\setup.exe

 

*Newly Created Service* - PROCEXP90

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 00:49:08

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]

-> C:\Program Files\RocketDock\RocketDock.dll

-> C:\Program Files\XNeat Windows Manager\XNeatDrv.dll

-> C:\Program Files\XNeat Windows Manager\scripts\taskabarbuttons\tbsorter.dll

.

Completion time: 2008-01-13 0:51:03

.

2008-01-11 10:25:22 --- E O F ---

Can you look it over?

 

I have deleted a file called image.zip that I found by reading this thread.

Do you think there could be more?

 

This file must go: C:\Windows\ntmngr.exe

 

You can do the following:

 

Open Notepad, paste in what is shown in bold below, and save the file on the desktop as CFScript.txt.

Then drag the file onto the ComboFix icon. ComboFix will start again.

File::

C:\Windows\ntmngr.exe

 

Post the log together with an HJT log (download HijackThis and put it in its own folder on the desktop.

Start the program and choose "Do a system scan and save a logfile". Copy the log file and post it.)
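As an added example that is not part of the thread or of ComboFix: a small Python script that reads the "Files Created" and msconfig startupreg sections of a ComboFix log and applies the triage the helper did by eye, so the ntmngr.exe entry stands out from benign new files such as NirCmd.exe. The sample log lines are copied from the report above; the function names and the two-reason threshold are my own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the ComboFix report posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.
2008-01-13 00:42 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe
2008-01-12 00:44 . 2007-05-30 13:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-01-11 18:27 . 2008-01-11 18:27 36,864 -r-hs---- C:\Windows\ntmngr.exe
2008-01-10 10:37 . 2008-01-10 10:37 8,192 -ra-s---- C:\BOOTSECT.BAK
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 12:34 1232896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN]
-r-hs---- 2008-01-11 18:27 36864 C:\Windows\ntmngr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"""

# "Files Created" line: created . modified size attrs path (attrs are 9 flag chars)
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-A-Za-z]{9}) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# startupreg detail line: attrs date time size path
STARTUP_RE = re.compile(
    r"^(?P<attrs>[-A-Za-z]{9}) \d{4}-\d\d-\d\d \d\d:\d\d \d+ (?P<path>.+)$"
)


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def parse_created_files(text):
    """Return {path: attrs} for every plain file in the 'Files Created' section."""
    files = {}
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m and m.group("size") != "<DIR>":
            files[m.group("path")] = m.group("attrs")
    return files


def parse_startup_entries(text):
    """Return {lower-case path: registry key} for msconfig startupreg entries."""
    entries, current_key = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current_key = k.group("key")
            continue
        s = STARTUP_RE.match(line)
        if s and current_key and "startupreg" in current_key.lower():
            entries[s.group("path").lower()] = current_key
    return entries


def triage(text):
    """Flag new files that combine at least two of the traits ntmngr.exe shows."""
    created = parse_created_files(text)
    startup = parse_startup_entries(text)
    findings = []
    for path, attrs in created.items():
        reasons = []
        if "h" in attrs and "s" in attrs:
            reasons.append("hidden+system attributes on a plain file")
        parent = path.rsplit("\\", 1)[0].lower()
        if parent == "c:\\windows" and path.lower().endswith(".exe"):
            reasons.append("executable dropped directly in C:\\Windows")
        if path.lower() in startup:
            key_name = startup[path.lower()].rsplit("\\", 1)[1]
            reasons.append("launched by startup entry " + key_name)
        if len(reasons) >= 2:  # one trait alone is common for legitimate tools
            findings.append(Finding(path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.path)
        for r in f.reasons:
            print("  -", r)
```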

Here is the ComboFix log:

ComboFix 08-01-13.1 - Peavey 2008-01-13 1:54:46.2 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1044.18.316 [GMT 1:00]

Running from: C:\Users\Peavey\Desktop\ComboFix.exe

Command switches used :: C:\Users\Peavey\Desktop\CFScript.txt

* Created a new restore point

 

FILE

C:\Windows\ntmngr.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Windows\ntmngr.exe

 

.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))

.

 

2008-01-13 00:42 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Grisoft

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\Users\All Users\Grisoft

2008-01-12 00:44 . 2008-01-12 00:44 <DIR> d-------- C:\ProgramData\Grisoft

2008-01-12 00:44 . 2007-05-30 13:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys

2008-01-11 21:19 . 2008-01-11 21:18 286,720 --a------ C:\Windows\iun506.exe

2008-01-11 21:18 . 2008-01-11 21:19 <DIR> d-------- C:\Program Files\Risk 2

2008-01-11 19:12 . 2008-01-11 19:20 <DIR> d-------- C:\Users\All Users\Lavasoft

2008-01-11 19:12 . 2008-01-11 19:20 <DIR> d-------- C:\ProgramData\Lavasoft

2008-01-11 19:12 . 2008-01-11 19:12 <DIR> d-------- C:\Program Files\Lavasoft

2008-01-10 18:35 . 2005-06-02 18:19 228,352 --a------ C:\Windows\System32\drivers\BTCamDrv.sys

2008-01-10 16:12 . 2008-01-10 16:17 <DIR> d-------- C:\Program Files\Wings Of Fury

2008-01-10 15:12 . 2008-01-10 15:12 <DIR> d--h----- C:\Windows\PIF

2008-01-10 10:37 . 2008-01-10 17:02 <DIR> d-a------ C:\Users\All Users\TEMP

2008-01-10 10:37 . 2008-01-10 17:02 <DIR> d-a------ C:\ProgramData\TEMP

2008-01-10 10:37 . 2007-09-20 12:04 114,688 --a------ C:\Windows\System32\btcamvideosource.dll

2008-01-10 10:37 . 2008-01-10 10:37 8,192 -ra-s---- C:\BOOTSECT.BAK

2008-01-10 10:17 . 2008-01-10 10:19 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Hamachi

2008-01-10 10:17 . 2008-01-10 10:17 25,280 --a------ C:\Windows\System32\drivers\hamachi.sys

2008-01-09 14:34 . 2008-01-09 14:34 <DIR> d-------- C:\Program Files\Timios

2008-01-09 12:37 . 2008-01-09 12:37 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys

2008-01-09 12:37 . 2008-01-09 12:37 216,760 --a------ C:\Windows\System32\drivers\netio.sys

2008-01-09 12:37 . 2008-01-09 12:37 167,424 --a------ C:\Windows\System32\tcpipcfg.dll

2008-01-09 12:37 . 2008-01-09 12:37 24,064 --a------ C:\Windows\System32\netcfg.exe

2008-01-09 12:37 . 2008-01-09 12:37 22,016 --a------ C:\Windows\System32\netiougc.exe

2008-01-09 12:35 . 2008-01-09 12:35 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll

2008-01-09 12:35 . 2008-01-09 12:35 1,686,016 --a------ C:\Windows\System32\gameux.dll

2008-01-09 12:35 . 2008-01-09 12:35 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys

2008-01-09 12:35 . 2008-01-09 12:35 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys

2008-01-09 12:35 . 2008-01-09 12:35 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys

2008-01-09 12:35 . 2008-01-09 12:35 109,624 --a------ C:\Windows\System32\drivers\ataport.sys

2008-01-09 12:35 . 2008-01-09 12:35 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys

2008-01-09 12:35 . 2008-01-09 12:35 21,560 --a------ C:\Windows\System32\drivers\atapi.sys

2008-01-09 12:35 . 2008-01-09 12:35 17,464 --a------ C:\Windows\System32\drivers\intelide.sys

2008-01-09 12:34 . 2008-01-09 12:34 11,776 --a------ C:\Windows\System32\sbunattend.exe

2008-01-06 23:56 . 2008-01-06 23:56 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\VoipDiscount

2008-01-06 23:54 . 2008-01-06 23:54 <DIR> d-------- C:\Program Files\VoipDiscount.com

2008-01-03 01:41 . 2008-01-03 03:36 <DIR> d-------- C:\Program Files\SignSIS-GUI

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\Users\All Users\Nokia

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\ProgramData\Nokia

2007-12-29 19:11 . 2007-12-29 19:11 <DIR> d-------- C:\Program Files\Common Files\Nokia

2007-12-29 19:04 . 2007-12-29 19:04 <DIR> d-------- C:\Program Files\Common Files\PCSuite

2007-12-19 01:07 . 2007-12-19 01:07 <DIR> d-------- C:\Program Files\DivX

2007-12-15 19:17 . 2007-12-15 19:18 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\NSeries

2007-12-15 18:53 . 2007-12-15 18:59 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\Nokia

2007-12-15 18:53 . 2007-12-15 19:12 <DIR> d-------- C:\Users\All Users\PC Suite

2007-12-15 18:53 . 2007-12-15 19:12 <DIR> d-------- C:\ProgramData\PC Suite

2007-12-15 18:52 . 2007-12-15 18:52 <DIR> d-------- C:\Windows\Downloaded Installations

2007-12-15 18:50 . 2007-12-15 18:53 <DIR> d-------- C:\Users\Peavey\AppData\Roaming\PC Suite

2007-12-15 18:49 . 2007-12-15 18:49 <DIR> d-------- C:\Program Files\PC Connectivity Solution

2007-12-15 18:45 . 2007-12-29 19:11 <DIR> d-------- C:\Program Files\Nokia

2007-12-15 18:45 . 2007-02-22 10:15 90,624 --a------ C:\Windows\System32\nmwcdcls.dll

2007-12-14 15:38 . 2007-12-14 16:15 <DIR> d-------- C:\Program Files\FreeRIP3

2007-12-14 15:38 . 2007-12-14 16:15 4,510 --a------ C:\Windows\cdplayer.ini

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Start-meny

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Skrivebord

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Programdata

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Maler

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Favoritter

2079-12-31 11:53 --------- d-sh--w C:\ProgramData\Dokumenter

2079-12-31 11:53 --------- d-sh--w C:\Program Files\Fellesfiler

2008-01-12 23:10 --------- d-----w C:\Users\Peavey\AppData\Roaming\uTorrent

2008-01-12 13:29 --------- d-----w C:\Program Files\Norman

2008-01-11 20:22 120,022 ----a-w C:\Users\Peavey\AppData\Roaming\nvModes.dat

2008-01-11 18:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-01-09 14:29 --------- d-----w C:\Program Files\Windows Sidebar

2008-01-09 14:29 --------- d-----w C:\Program Files\Windows Mail

2008-01-09 13:39 --------- d-----w C:\ProgramData\Microsoft Help

2008-01-09 11:35 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-01-09 11:35 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-01-09 11:35 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-01-09 11:35 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-01-03 23:22 --------- d-----w C:\Program Files\MediaMonkey

2007-12-27 23:50 --------- d-----w C:\Users\Peavey\AppData\Roaming\dvdcss

2007-12-12 11:57 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL

2007-12-12 11:57 223,232 ----a-w C:\Windows\System32\WMASF.DLL

2007-12-12 11:57 1,327,104 ----a-w C:\Windows\System32\quartz.dll

2007-12-12 11:56 824,832 ----a-w C:\Windows\System32\wininet.dll

2007-12-12 11:56 56,320 ----a-w C:\Windows\System32\iesetup.dll

2007-12-12 11:56 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2007-12-12 11:56 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2007-12-12 11:49 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys

2007-12-12 11:49 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys

2007-12-12 11:49 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys

2007-12-12 11:49 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys

2007-12-12 11:47 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe

2007-12-12 11:47 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe

2007-12-11 22:34 200,704 ----a-w C:\Windows\System32\ssldivx.dll

2007-12-11 22:34 1,044,480 ----a-w C:\Windows\System32\libdivx.dll

2007-12-10 10:28 --------- d-----w C:\Program Files\Picasa2

2007-12-10 10:25 --------- d-----w C:\Program Files\Google

2007-12-08 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-08 18:47 --------- d-----w C:\Program Files\Caplio Software

2007-12-05 11:41 --------- d-----w C:\Program Files\OpenTTD

2007-11-28 20:42 --------- d-----w C:\ProgramData\Ahead

2007-11-28 20:40 --------- d-----w C:\Program Files\Common Files\Ahead

2007-11-28 20:38 --------- d-----w C:\ProgramData\Nero

2007-11-28 16:40 --------- d-----w C:\Program Files\OO Software

2007-11-26 16:26 --------- d-----w C:\ProgramData\Office Genuine Advantage

2007-11-23 11:03 --------- d--h--w C:\Program Files\Zenographics

2007-11-23 11:03 --------- d-----w C:\Program Files\Hewlett-Packard

2007-11-21 10:08 --------- d-----w C:\Program Files\XNeat Windows Manager

2007-11-20 10:54 --------- d-----w C:\ProgramData\Spybot - Search & Destroy

2007-11-16 13:17 --------- d-----w C:\Program Files\Graph

2007-11-14 07:35 1,244,672 ----a-w C:\Windows\System32\mcmde.dll

2007-09-07 11:39 174 --sha-w C:\Program Files\desktop.ini

2007-09-18 16:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2007-09-18 16:16 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2007-09-18 16:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-13_ 0.49.57,20 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-01-12 23:43:48 1,339,392 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

+ 2008-01-13 00:53:58 1,339,392 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

- 2008-01-12 23:43:48 1,335,296 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT

+ 2008-01-13 00:53:58 1,335,296 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT

- 2008-01-12 23:43:49 3,448,832 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

+ 2008-01-13 00:53:59 3,448,832 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

- 2008-01-12 23:43:49 2,711,552 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

+ 2008-01-13 00:54:00 2,715,648 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

- 2008-01-12 13:30:51 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2008-01-13 00:50:26 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2008-01-12 13:30:51 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2008-01-13 00:50:26 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2008-01-12 13:30:51 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2008-01-13 00:50:26 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2008-01-12 23:44:17 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat

+ 2008-01-13 00:54:30 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat

+ 2008-01-13 00:54:30 262,144 ---ha-w C:\Windows\System32\config\systemprofile\ntuser.dat.LOG1

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 12:34 1232896]

"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 12:58 495616]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:34 125440]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-09-07 12:33 1006264]

"Norman ZANDA"="C:\Program Files\Norman\Npm\bin\ZLH.exe" [2007-08-09 13:40 183352]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-15 23:32 86016]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-15 23:32 8433664]

"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-06-15 23:32 67584]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

"Creative SB Monitoring Utility"="sbavmon.dll" [2007-06-28 16:27 93696 C:\Windows\System32\SBAVMon.dll]

"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-09 03:27 119296 C:\Windows\System32\sbusbdll.dll]

"XNeat Windows Manager"="C:\Program Files\XNeat Windows Manager\XNeatWM.exe" [2007-11-14 22:51 188416]

"OODefragTray"="C:\Windows\system32\oodtray.exe" [2007-05-11 02:08 2512392]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"AllowLegacyWebView"= 1 (0x1)

"AllowUnhashedWebView"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative SB Monitoring Utility]

--a------ 2007-06-28 16:27 93696 C:\Windows\System32\SBAVMon.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]

--a------ 2007-10-01 11:29 3104768 C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-06-15 23:32 81920 C:\Windows\system32\NvMcTray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SbUsb AudCtrl]

--a------ 2004-07-09 03:27 119296 C:\Windows\System32\sbusbdll.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

C:\Windows\UpdReg.EXE

 

R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 09:55]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 08:30]

R3 BTCAMDRV;Mobiola Web Camera driver;C:\Windows\system32\DRIVERS\BTCamDrv.sys [2005-06-02 18:19]

R3 ksaud;Creative USB Audio Driver;C:\Windows\system32\drivers\ksaud.sys [2007-08-06 15:36]

R3 NETw3v32;Intel® PRO/trådløs 3945ABG-kortdriver for Windows Vista, 32-bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 08:30]

R3 NvcMFlt;NvcMFlt;C:\Windows\system32\DRIVERS\nvcv32mf.sys [2007-07-09 09:50]

R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2007-07-12 10:38]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 12:23]

S2 TimerStop;TimerStop;C:\Windows\system32\TimerStop.sys [2006-12-22 23:44]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8178c875-5d4d-11dc-986e-0016419ed03f}]

\shell\AutoRun\command - G:\setup.exe

\shell\readme\command - G:\SEW.EXE bin\ACADFeui\docs\readme_acade.htm

\shell\setupwizard\command - G:\setup.exe

 

*Newly Created Service* - PROCEXP90

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 01:58:17

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-13 1:59:32

ComboFix-quarantined-files.txt 2008-01-13 00:59:27

ComboFix2.txt 2008-01-12 23:51:04

.

2008-01-11 10:25:22 --- E O F ---

HJT log:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 02:01:59, on 13.01.2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16575)

Boot mode: Normal

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Norman\Npm\Bin\eLogsvc.exe

C:\Program Files\Norman\Npm\Bin\Zanda.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\oodag.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Norman\Npm\bin\NJEEVES.EXE

C:\Program Files\Norman\Nvc\bin\nvcoas.exe

C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Norman\Npm\Bin\Zlh.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\XNeat Windows Manager\XNeatWM.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\RocketDock\RocketDock.exe

C:\Windows\ehome\ehtray.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Norman\Nvc\BIN\NIP.EXE

C:\Program Files\Norman\Nvc\bin\cclaw.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\Windows Mail\WinMail.exe

C:\Program Files\MathType\MathType.exe

C:\Program Files\Windows Mail\WinMail.exe

C:\Program Files\Windows Mail\WinMail.exe

C:\Windows\system32\conime.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\explorer.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Users\Peavey\Desktop\hijackthis\HijackThis.exe

C:\Windows\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor

O4 - HKLM\..\Run: [sbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor

O4 - HKLM\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\XNeatWM.exe /h

O4 - HKLM\..\Run: [OODefragTray] C:\Windows\system32\oodtray.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\eLogsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 7414 bytes

 

 

 

 

Do you think it's gone now?

Thanks a lot for the help :)

 

 

 

This looks fine. :thumbup:

 

Clean up a bit:

Uninstall ComboFix:

Type: ComboFix /u in the Run/search box.

 

Download CCleaner. Start the program. Go to 'Options'->'Advanced'. Uncheck the box in front of: "Only delete temporary files......." Click 'Cleaner' and then 'Run CCleaner'.

 

Reset the System Restore folder so that you do not get re-infected by a later system restore.

Control Panel->System->System Restore (possibly a different path in Vista)

Check the box in front of "Turn off System Restore .....",

restart the PC,

uncheck it again to re-enable the function.

 

Surf safely.

Edited by norbat
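The HijackThis log above was reviewed by eye, which is how these threads work. The script below is an added example for this thread (it is not part of HijackThis, ComboFix or any tool the thread mentions) showing how a reviewer's first pass can be automated: it parses the O1/O2/O4/O16/O23 line formats seen in the posted log and flags hosts-file overrides, orphaned BHO registrations, Run entries that start from user-writable locations, Run entries whose file name imitates a core Windows process outside System32, downloaded ActiveX controls, and services with no owner information. The sample log is constructed: most lines are copied from the log above, and the two extra O4 lines point at C:\WINDOWS\lssas.exe and C:\445930.exe, the paths the Avenger script later in the thread tried to delete (the Run key names `lssas` and `Updater` are invented). The list of risky directories, the set of system process names and the one-edit lookalike rule are this example's own heuristics.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread; not part of HijackThis, ComboFix or any
tool mentioned above.  The directory patterns, the system-name list and
the one-edit lookalike rule are this example's own assumptions.
"""
import ntpath
import re

# Processes that always start from System32; a file with this name (or one
# edit away from it) anywhere else is a classic masquerade (assumption).
SYSTEM_NAMES = ("lsass.exe", "csrss.exe", "svchost.exe", "smss.exe",
                "winlogon.exe", "services.exe")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations from which legitimate Run entries rarely start (assumption).
RISKY_DIR_PATTERNS = (r"\\temp\\", r"\\appdata\\", r"\\downloads\\",
                      r"\\recycle", r"^[a-z]:\\[^\\]+\.exe$")
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

# Constructed sample in the format of the HJT log posted above.  The
# lssas.exe and 445930.exe paths are the ones the Avenger script later in
# the thread tried to delete; the key names [lssas] and [Updater] are invented.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 update.example-av.test
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [lssas] C:\WINDOWS\lssas.exe
O4 - HKCU\..\Run: [Updater] C:\445930.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
"""


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus one-step
    transposition of adjacent characters, so 'lssas' is 1 from 'lsass'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def executable_of(command):
    """Return the program path from a Run-key command line (quoted or not),
    expanding %ProgramFiles% and dropping any trailing switches."""
    command = command.replace("%ProgramFiles%", r"C:\Program Files").strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def lookalike_system_binary(path):
    """Name of the core process this file imitates, or None.  Exact matches
    inside System32 are the real thing and are not reported."""
    low = path.lower()
    if low.startswith(SYSTEM_DIRS):
        return None
    name = ntpath.basename(low)
    for known in SYSTEM_NAMES:
        if osa_distance(name, known) <= 1:
            return known
    return None


def triage(log_text):
    """Return (severity, line_type, reason, line) for every line worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O1":
            parts = body.split()  # ["Hosts:", ip, hostname]
            if len(parts) == 3 and parts[2].lower() != "localhost":
                findings.append(("high", kind, "hosts-file override for " + parts[2], line))
        elif kind == "O2" and body.endswith("- (no file)"):
            findings.append(("review", kind, "orphaned BHO registration, target missing", line))
        elif kind == "O4":
            cmd = body.split("] ", 1)[1] if "] " in body else body
            exe = executable_of(cmd)
            known = lookalike_system_binary(exe)
            if known:
                findings.append(("high", kind, f"{ntpath.basename(exe)} imitates {known} outside System32", line))
            elif any(re.search(p, exe.lower()) for p in RISKY_DIR_PATTERNS):
                findings.append(("review", kind, "autostart from a user-writable location", line))
        elif kind == "O16":
            findings.append(("review", kind, "ActiveX control installed from the web", line))
        elif kind == "O23" and " - Unknown owner - " in body:
            findings.append(("review", kind, "service binary carries no company information", line))
    return findings


if __name__ == "__main__":
    for sev, kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {kind}: {reason}\n         {line}")
```

Running it on the sample prints six findings; only the hosts override and the lssas.exe entry are rated high, the rest are things to confirm by hand, as the thread does with the "Unknown owner" Norman service that turned out to be harmless.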
Hi.

Could someone please take a look at this log and see whether I have gotten rid of the d... thing.

Thanks in advance :)

 

It looks fine :thumbup:

 

You should reset the System Restore folder so that you do not get re-infected by a later system restore.

Control Panel->System->System Restore.

Check the box in front of "Turn off System Restore .....",

restart the PC,

uncheck it again to re-enable the function.


 

Thank you so much :) You have been a great help :)


Would it work to just run PC Recovery (Compaq PC)?

And if it works, can I do that from the hard disk partition where the recovery file is, or do I have to use the recovery CDs (a bit of a hassle, since there are 15 of them)?

 

I have everything I need on an external hard disk, so it's not a big deal if I lose all the files (I don't think the virus has gotten onto the external hard disk?)

 

Otherwise I have Norton Antivirus. Will it take care of this virus if I update it to the latest version online?

Edited by flesvik

It MAY be a solution to run a System Restore (Accessories->System Tools->System Restore) to a date before the problem started. When it comes to malware, though, I would not rely on that alone, but would also produce a log with e.g. ComboFix, which can tell whether there are still files on the PC related to this.

 

It is possible that the latest virus definitions from the AV vendors can remove this, but since I cannot give you a clearer answer on that, I would not rely on that either.


Hi Norbat. Could you take a look at this?

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\jlmrtwfv

 

*******************

 

Script file located at: \??\C:\rnaqbgpr.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

 

 

File C:\WINDOWS\lssas.exe not found!

Deletion of file C:\WINDOWS\lssas.exe failed!

 

Could not process line:

C:\WINDOWS\lssas.exe

Status: 0xc0000034

 

 

 

File C:\WINDOWS\ntmngr.exe not found!

Deletion of file C:\WINDOWS\ntmngr.exe failed!

 

Could not process line:

C:\WINDOWS\ntmngr.exe

Status: 0xc0000034

 

 

 

File C:\445930.exe not found!

Deletion of file C:\445930.exe failed!

 

Could not process line:

C:\445930.exe

Status: 0xc0000034

 

 

 

File C:\WINDOWS\images.zip not found!

Deletion of file C:\WINDOWS\images.zip failed!

 

Could not process line:

C:\WINDOWS\images.zip

Status: 0xc0000034

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.
