NorvegianDad, posted 21 January 2008

ComboFix 08-01-20.1 - Nils Fredrik Bøe 2008-01-21 23:50:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.1389 [GMT 1:00]
Running from: C:\Documents and Settings\Nils Fredrik Bøe\Skrivebord\anti-virus\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\wvuusts.dll
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.
2008-01-21 23:49 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-21 20:56 . <DIR> C:\Documents and Settings\Nils Fredrik Bøe\Siste
2008-01-11 00:12 . 2008-01-21 00:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-11 00:12 . 2008-01-11 00:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 13:46 . 2008-01-06 13:59 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-01-03 12:26 . 2008-01-03 12:26 <DIR> d-------- C:\Programfiler\QuickTime
2008-01-03 12:26 . 2008-01-03 12:26 <DIR> d-------- C:\Programfiler\Apple Software Update
2008-01-03 12:26 . 2008-01-03 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Apple Computer
2008-01-03 12:26 . 2008-01-03 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Apple
2007-12-21 16:40 . 2007-12-21 16:40 <DIR> d-------- C:\Programfiler\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 20:41 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-21 20:41 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\Skype
2008-01-21 20:41 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\Skype
2008-01-21 20:41 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\Skype
2008-01-21 16:07 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP
2008-01-21 13:12 4,276 ----a-w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\wklnhst.dat
2008-01-21 13:12 4,276 ----a-w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\wklnhst.dat
2008-01-21 13:12 4,276 ----a-w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\wklnhst.dat
2008-01-15 21:10 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-01-12 20:40 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\dvdcss
2008-01-12 20:40 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\dvdcss
2008-01-12 20:40 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\dvdcss
2008-01-04 14:03 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\InstallShield Installation Information
2008-01-04 14:03 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\InstallShield Installation Information
2008-01-04 14:03 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\InstallShield Installation Information
2008-01-04 13:59 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\My Games
2008-01-04 13:59 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\My Games
2008-01-04 13:59 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\My Games
2007-12-18 23:15 --------- d-----w C:\Programfiler\MagicDisc
2007-12-18 23:14 --------- d-----w C:\Programfiler\MagicISO
2007-12-17 15:40 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\Microsoft
2007-12-17 15:40 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\Microsoft
2007-12-17 15:40 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\Microsoft
2007-12-15 11:55 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\Image Zone Express
2007-12-15 11:55 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\Image Zone Express
2007-12-15 11:55 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\Image Zone Express
2007-12-15 11:47 --------- d-----w C:\Programfiler\Microsoft Digital Image 2006
2007-12-11 17:04 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\LimeWire
2007-12-11 17:04 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\LimeWire
2007-12-11 17:04 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\LimeWire
2007-12-06 18:55 --------- d-----w C:\Programfiler\Sony Ericsson
2007-12-06 18:04 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-06 18:04 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2007-12-05 16:50 20,520 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys
2007-12-05 16:50 13,352 ----a-w C:\WINDOWS\system32\drivers\ggflt.sys
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-01 13:11 --------- d-----w C:\Programfiler\BitComet
2007-11-30 19:08 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\Sports Interactive
2007-11-30 19:08 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\Sports Interactive
2007-11-30 19:08 --------- d-----w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\Sports Interactive
2007-11-30 10:31 --------- d-----w C:\Programfiler\Windows Live Toolbar
2007-11-25 16:05 --------- d-----w C:\Programfiler\Audacity
2007-11-06 17:27 22,328 ----a-w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\PnkBstrK.sys
2007-11-06 17:27 22,328 ----a-w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\PnkBstrK.sys
2007-11-06 17:27 22,328 ----a-w C:\Documents and Settings\Nils Fredrik Bøe\Programdata\PnkBstrK.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"WMPNSCFG"="C:\Programfiler\Windows Media Player\WMPNSCFG.exe" [2006-11-15 08:46 204288]
"Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2006-08-21 15:37 20053032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"IntelliPoint"="C:\Programfiler\Microsoft IntelliPoint\point32.exe" [2005-06-10 10:21 217088]
"Sunkist2k"="C:\Programfiler\Multimedia Card Reader\shwicon2k.exe" [2004-08-06 15:01 135168]
"Gainward"="C:\WINDOWS\TBPanel.exe" [2007-03-23 09:32 2173744]
"CTDVDDET"="C:\Programfiler\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-17 23:00 45056]
"AudioDrvEmulator"="C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 16:25 49152]
"VolPanel"="C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 09:34 122880]
"CTHelper"="CTHELPER.EXE" [2005-08-07 23:10 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 23:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 23:00 90112]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 23:11 132496]
"amd_dc_opt"="C:\Programfiler\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 14:49 77824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]
"Spyware Doctor"="" []

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^CoreCenter.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\CoreCenter.lnk
backup=C:\WINDOWS\pss\CoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Hurtigstart for Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Hurtigstart for Adobe Reader.lnk
backup=C:\WINDOWS\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nils Fredrik Bøe^Start-meny^Programmer^Oppstart^MagicDisc.lnk]
path=C:\Documents and Settings\Nils Fredrik Bøe\Start-meny\Programmer\Oppstart\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 16:23 102400 C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]
C:\Programfiler\D-Link\AirPlus XtremeG\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-22 13:06 167368 C:\Programfiler\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 21:12 49152 C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Programfiler\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 10:54 5674352 C:\Programfiler\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystem]
--------- 2005-06-16 16:25 49152 C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 14:46 1460560 C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 14:45 313472 C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"Irmon"=2 (0x2)

R0 viaagp;VIA AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-04 00:07]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-07 22:54]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2005-07-26 12:32]
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-07-26 12:35]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2007-12-05 17:50]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 RushTopDevice;RushTopDevice;C:\Programfiler\MSI\Core Center\RushTop.sys [2006-03-22 14:42]
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 12:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 16:41:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Programfiler\Apple Software Update\SoftwareUpdate.exe
"2008-01-21 22:28:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Programfiler\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-21 19:00:00 C:\WINDOWS\Tasks\HPpromotions journeysoftware.job" - C:\Programfiler\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 23:55:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-21 23:58:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 22:58:50
.
2008-01-09 15:23:17 --- E O F ---
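Added here as an editor's example, not part of the thread: a small Python parser for the two line formats ComboFix uses in the "Reg Loading Points" section above (Run-key values with bracketed file metadata, and R*/S* driver lines), which flags entries that have no target or no on-disk metadata. The sample lines are copied from the log above; `Entry`, `parse_loading_points` and `needs_review` are names chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the ComboFix log above, in the formats
# ComboFix uses for Run-key values and for driver/service entries.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"Spyware Doctor"="" []
R0 viaagp;VIA AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-04 00:07]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
"""

SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)" \[(?P<meta>.*)\]$')
DRV_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<meta>.*)\]$')

@dataclass
class Entry:
    kind: str             # "run" or "driver"
    section: str          # registry key the entry was listed under ("" for drivers)
    name: str
    path: str             # target as written in the log (may be a bare file name)
    timestamp: str        # "YYYY-MM-DD HH:MM" from the bracketed metadata, "" if absent
    size: Optional[int]   # file size from the metadata, None if absent
    resolved: str         # full path ComboFix resolved for bare names, else ""

def parse_meta(meta: str):
    """Split '[date time size resolved-path]' contents; any part may be missing."""
    parts = meta.split()
    if len(parts) < 2:
        return "", None, ""
    size = int(parts[2]) if len(parts) >= 3 and parts[2].isdigit() else None
    return " ".join(parts[:2]), size, " ".join(parts[3:])

def parse_loading_points(text: str):
    entries, section = [], ""
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m["key"]
        elif m := RUN_RE.match(line):
            entries.append(Entry("run", section, m["name"], m["path"], *parse_meta(m["meta"])))
        elif m := DRV_RE.match(line):
            entries.append(Entry("driver", "", m["name"], m["path"], *parse_meta(m["meta"])))
    return entries

def needs_review(entries):
    # An autostart entry with no target, or a file ComboFix found no metadata
    # for, is the first thing to check: an orphaned entry or a missing/hidden file.
    return [e.name for e in entries if not e.path or not e.timestamp]
```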
NorvegianDad (thread author), posted 21 January 2008

Awesome! Thanks for your guidance!
norbat, posted 21 January 2008

You should reset the restore folder so that you don't get infected by a possible System Restore later. Control Panel -> System -> System Restore. Put a check in front of "Turn off System Restore .....", restart the PC, then clear the check again to re-enable the feature.
NorvegianDad (thread author), posted 22 January 2008

I actually found two trojans again after yesterday's "clean-up", so I'll hold off on that until I'm completely rid of it. I don't have many minutes in front of the computer today, so I'll keep looking tomorrow. But is it safe to do a System Restore to a point before the infection? Or could it get even more buried and hidden then? I know exactly when I got it.
norbat, posted 22 January 2008

Could you say where you found those trojans? (They may be in the restore folder; that is the one that gets 'emptied' when you 'reset' it as mentioned above.) (No, you should not run a System Restore. You should reset the restore folder.)
r2d290, posted 22 January 2008

Can I just ask about something slightly off-topic? That System Restore: is it something you can do instead of reformatting? Is it as effective as reformatting? There was one time I did this (I think)... set the computer back 2 weeks, and then no .exe files worked... did I do something wrong?
norbat, posted 22 January 2008

System Restore is a simple and fine solution in many cases where the PC starts behaving a bit strangely after, for example, installing/uninstalling something or other. It's a good idea to try a System Restore to a date when you know things worked fine before possibly throwing yourself into a reinstall. No exe files working after such a System Restore does not normally happen. What caused it in your case, I don't know. You probably didn't do anything wrong.
NorvegianDad (thread author), posted 22 January 2008

Quoting norbat: "Could you say where you found those trojans? (They may be in the restore folder; that is the one that gets 'emptied' when you 'reset' it as mentioned above.) (No, you should not run a System Restore. You should reset the restore folder.)"

I found them at c:\systemvolumeinformation\restore\A001524.dll (I don't remember the numbers exactly, but something along those lines). OK then, I'll reset it now.
norbat, posted 22 January 2008

Yes, because those files are precisely in the restore folder. That's why it's wise to 'reset' it. Then you avoid getting infected by a possible System Restore later.