
[Solved] Infected with VirusHeat



I've managed to get this damned thing onto my machine. I'm currently running Avast as protection. Avast detected the rascal, but it survived. How do I get rid of it? I've also tried CCleaner without success.

 

Rune

Edited by runejors
Download HijackThis and put it in its own folder on the desktop.

Start HJT and choose "Do a system scan and save a logfile".

Copy the log file and paste it into your post.

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:34:18, on 29.02.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

C:\Programfiler\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Programfiler\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\GEARSec.exe

C:\Programfiler\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Programfiler\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\RUNDLL32.EXE

D:\Programfiler\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

c:\Programfiler\Microsoft IntelliPoint\dpupdchk.exe

C:\WINDOWS\System32\alg.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\MSN Messenger\msnmsgr.exe

C:\Programfiler\MSN Messenger\usnsvc.exe

C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\DOCUME~1\Rune\LOKALE~1\Temp\Midlertidig mappe 1 for HiJackThis.zip\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [intelliPoint] "c:\Programfiler\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Programfiler\Adobe\Photoshop Elements 4.0\apdproxy.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\Programfiler\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176964600078

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{673511D8-33EB-45A8-AC0C-AE3FDEBA7F03}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{8027DA87-9213-402F-94F3-6C0A1120EA03}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{D477BA97-32B1-4783-AA90-838DDDDA1C8E}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{DA11D93E-A3AD-4E86-B804-9C647815194C}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: corduroyed - {699fabf8-1087-491f-b57c-80a68929d82b} - C:\WINDOWS\system32\heuvth.dll

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - F:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe (file missing)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Microsoft System Management - Unknown owner - C:\WINDOWS\system32\system.exe (file missing)

O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Programfiler\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 11168 bytes


Download SmitfraudFix and put it on the desktop.

Boot, press F8 repeatedly and choose Safe Mode.

Run SmitfraudFix, choose option 2.

Post the log C:\rapport.txt

 

In normal mode:

 

Download ComboFix and put it on the desktop.

Do not click on the window while the program is running.

Post the log C:\combofix.txt

 

Restart and post a new HijackThis log.

Edited by SNIPPSAT

 

New log, it looks like the problem is solved :new_woot:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:33:07, on 01.03.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

C:\Programfiler\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Programfiler\Bonjour\mDNSResponder.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Programfiler\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\RUNDLL32.EXE

c:\Programfiler\Microsoft IntelliPoint\dpupdchk.exe

D:\Programfiler\iTunes\iTunesHelper.exe

C:\Programfiler\Windows Live\Family Safety\fssui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\System32\GEARSec.exe

C:\Programfiler\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\DOCUME~1\Rune\LOKALE~1\Temp\Midlertidig mappe 1 for HiJackThis.zip\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Programfiler\Windows Live\Family Safety\fssbho.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [intelliPoint] "c:\Programfiler\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Programfiler\Adobe\Photoshop Elements 4.0\apdproxy.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\Programfiler\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [fssui] "C:\Programfiler\Windows Live\Family Safety\fssui.exe" -autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176964600078

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{673511D8-33EB-45A8-AC0C-AE3FDEBA7F03}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{8027DA87-9213-402F-94F3-6C0A1120EA03}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{D477BA97-32B1-4783-AA90-838DDDDA1C8E}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{DA11D93E-A3AD-4E86-B804-9C647815194C}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - F:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe (file missing)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Microsoft System Management - Unknown owner - C:\WINDOWS\system32\system.exe (file missing)

O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Programfiler\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 10949 bytes


Yes, this looks good.

 

You could include what SmitfraudFix found.

 

If you ran ComboFix I'd like to see the log.

It also needs to be uninstalled.

 

Is this an address you know?

208.67.220.220

Address: 50 Freemont St.

Address: 16 Floor

Edited by SNIPPSAT
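The triage the helper does by eye in this thread (spotting the O23 service whose binary is missing, asking about the O17 NameServer addresses) can be scripted. The Python below is an added example, not code from the thread, from HijackThis or from any of the tools mentioned: it parses the R*/O* entry lines of a HijackThis log, flags the entry types a malware-removal helper looks at first, and diffs a "before" and "after" log so that what SmitfraudFix removed between the two scans is visible. The two log excerpts are constructed from lines quoted in this thread; the flagging rules are my own heuristics, not HijackThis's.

```python
"""Triage and diff HijackThis logs (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed excerpts of the two logs posted above (29.02.2008 and 01.03.2008);
# only the lines relevant to the triage are included.
BEFORE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: corduroyed - {699fabf8-1087-491f-b57c-80a68929d82b} - C:\WINDOWS\system32\heuvth.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - F:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: Microsoft System Management - Unknown owner - C:\WINDOWS\system32\system.exe (file missing)
"""

AFTER_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Programfiler\Windows Live\Family Safety\fssbho.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - F:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: Microsoft System Management - Unknown owner - C:\WINDOWS\system32\system.exe (file missing)
"""


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O17", "O23"
    body: str     # everything after "O17 - "


# HijackThis entry lines start with "R<n> - " or "O<n> - "; header and
# process-list lines do not match and are skipped.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")


def parse_hjt(text: str) -> list:
    """Return the R*/O* entries of a HijackThis log as Entry objects."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries) -> list:
    """Return (entry, reason) pairs for entries worth reviewing first.

    These are heuristics I chose for this example; they produce a review list,
    not a verdict (the O23 rule also catches benign orphaned services).
    """
    findings = []
    for e in entries:
        if e.section == "O2" and ("(no file)" in e.body or "(no name)" in e.body):
            findings.append((e, "BHO without a name or backing file: orphaned or hiding its identity"))
        elif e.section == "O17":
            m = NAMESERVER_RE.search(e.body)
            if m:
                findings.append((e, f"DNS resolvers set to {m.group(1)}: confirm you configured these yourself"))
        elif e.section == "O22":
            findings.append((e, "SharedTaskScheduler DLL loaded by Explorer at logon: verify the file and its name"))
        elif e.section == "O23" and "Unknown owner" in e.body and "(file missing)" in e.body:
            findings.append((e, "service with no vendor and a missing binary: stale entry, remove the service"))
    return findings


def diff_logs(before: str, after: str):
    """Return (removed, added) as sorted lists of (section, body) tuples."""
    b = {(e.section, e.body) for e in parse_hjt(before)}
    a = {(e.section, e.body) for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for entry, reason in triage(parse_hjt(BEFORE_LOG)):
        print(f"[{entry.section}] {reason}\n    {entry.body}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("\nRemoved between scans:", *[f"\n  {s} - {body}" for s, body in removed])
    print("Added between scans:", *[f"\n  {s} - {body}" for s, body in added])
```

Run as a script it prints the review list for the first log (five entries: the nameless BHO, the O17 resolvers, the O22 entry and both "file missing" services) and then the diff, which shows that the O22 SharedTaskScheduler DLL and the nameless BHO are what disappeared between the two scans, while the O17 entries and the "Microsoft System Management" service survived, which is exactly what the helper follows up on. Because the O23 rule also flags the orphaned Adobe service, treat every finding as something to verify, not as proof of infection.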

 

I don't know this address :thumbdown:

 

Completely unknown.

I didn't keep those logs, should I run them again???

 

Rune


No, you don't need to run them again.

 

From Start -> Run:

sc stop "Microsoft System Management"

sc delete "Microsoft System Management"

 

Start HijackThis, find these lines, check them, then press "Fix checked".

 

O23 - Service: Microsoft System Management - Unknown owner - C:\WINDOWS\system32\system.exe (file missing)

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{673511D8-33EB-45A8-AC0C-AE3FDEBA7F03}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{8027DA87-9213-402F-94F3-6C0A1120EA03}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{D477BA97-32B1-4783-AA90-838DDDDA1C8E}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CS2\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CS3\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

 

Could you run ComboFix once more and post the log.

 

Restart and post a new HijackThis log.

Edited by SNIPPSAT

 

ComboFix

 

ComboFix 08-03-01 - Rune 2008-03-02 12:13:40.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.602 [GMT 1:00]

Running from: C:\Documents and Settings\Rune\Skrivebord\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))

.

 

2008-03-02 10:13 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2008-03-02 10:13 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll

2008-03-02 10:13 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

2008-03-01 22:10 . 2008-03-01 22:10 <DIR> d-------- C:\Programfiler\Microsoft CAPICOM 2.1.0.2

2008-02-29 21:23 . 2008-02-29 21:23 2,352 --a------ C:\WINDOWS\system32\tmp.reg

2008-02-29 21:21 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2008-02-29 21:21 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2008-02-29 21:21 . 2008-02-28 11:37 86,016 --a------ C:\WINDOWS\system32\VACFix.exe

2008-02-29 21:21 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe

2008-02-29 21:21 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2008-02-29 21:21 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-02-29 21:21 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-02-29 21:13 . 2008-02-29 21:11 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-02-29 21:11 . 2008-02-29 21:13 <DIR> d-------- C:\Documents and Settings\Rune\.housecall6.6

2008-02-29 20:55 . 2008-03-01 21:37 <DIR> d-------- C:\Programfiler\Windows Live

2008-02-29 20:55 . 2008-02-29 21:00 <DIR> d--hsc--- C:\Programfiler\Fellesfiler\WindowsLiveInstaller

2008-02-29 20:55 . 2008-02-29 20:55 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\WLInstaller

2008-02-29 20:18 . 2008-02-29 20:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-02-29 20:18 . 2008-02-29 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Kaspersky Lab

2008-02-27 21:48 . 2008-03-02 12:03 <DIR> dr-h----- C:\Documents and Settings\Rune\Siste

2008-02-27 21:42 . 2008-02-27 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Yahoo! Companion

2008-02-27 21:34 . 2008-02-27 21:34 <DIR> d-------- C:\Programfiler\Yahoo!

2008-02-27 21:34 . 2008-02-27 21:39 <DIR> d-------- C:\Programfiler\CCleaner

2008-02-10 16:33 . 2008-02-10 16:33 <DIR> d-------- C:\Programfiler\R-Studio

2008-02-10 16:14 . 2008-02-10 16:14 <DIR> d-------- C:\Programfiler\Convar

2008-02-10 16:14 . 2003-07-18 13:58 516,784 -ra------ C:\WINDOWS\system32\XceedCry.dll

2008-02-10 16:14 . 2002-02-28 09:46 217,088 --a------ C:\WINDOWS\system32\DartSock.dll

2008-02-10 16:14 . 2002-02-21 10:12 118,784 --a------ C:\WINDOWS\system32\DartWeb.dll

2008-02-10 16:14 . 1998-06-18 00:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL

2008-02-10 16:14 . 1998-06-13 22:53 44,544 --a------ C:\WINDOWS\system32\Gif89.dll

2008-02-10 16:14 . 2002-04-12 13:19 28,672 --a------ C:\WINDOWS\system32\DartWeb.oca

2008-02-09 16:10 . 2008-02-09 16:10 <DIR> d-------- C:\Programfiler\iPod

2008-02-09 16:09 . 2008-02-09 16:09 <DIR> d-------- C:\Programfiler\Bonjour

2008-02-09 16:08 . 2008-02-09 16:08 <DIR> d-------- C:\Programfiler\Fellesfiler\Apple

2008-02-09 16:03 . 2008-03-02 12:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-02-09 16:03 . 2008-02-09 16:03 1,409 --a------ C:\WINDOWS\QTFont.for

2008-02-09 12:54 . 2008-02-09 12:53 691,545 --a------ C:\WINDOWS\unins000.exe

2008-02-09 12:54 . 2008-02-09 12:54 3,443 --a------ C:\WINDOWS\unins000.dat

2008-02-05 18:12 . 2008-02-05 18:12 <DIR> d-------- C:\Documents and Settings\Rune\Programdata\vlc

2008-02-03 10:20 . 2008-02-03 10:20 <DIR> d-------- C:\Programfiler\Canon

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-27 20:49 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-02-11 19:26 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-02-09 17:27 --------- d-----w C:\Documents and Settings\Rune\Programdata\LimeWire

2008-02-09 15:10 --------- d-----w C:\Documents and Settings\Rune\Programdata\Apple Computer

2008-02-09 15:10 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple Computer

2008-02-09 15:09 --------- d-----w C:\Programfiler\QuickTime

2008-02-09 11:54 --------- d-----w C:\Programfiler\Spybot - Search & Destroy

2008-02-03 15:17 --------- d-----w C:\Documents and Settings\All Users\Programdata\DVD Shrink

2008-02-03 10:37 --------- d-----w C:\Documents and Settings\Rune\Programdata\Canon

2008-01-26 11:44 --------- d-----w C:\Programfiler\SUPERAntiSpyware

2008-01-22 21:43 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE

2008-01-22 21:43 249,856 ------w C:\WINDOWS\Setup1.exe

2008-01-13 11:52 --------- d-----w C:\Documents and Settings\All Users\Programdata\espionServerData

2008-01-13 11:46 20,640 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys

2008-01-13 11:46 109,568 ------w C:\WINDOWS\system32\pxinsi64.exe

2008-01-13 11:46 108,544 ------w C:\WINDOWS\system32\pxcpyi64.exe

2008-01-13 11:36 --------- d-----w C:\Programfiler\Fellesfiler\Adobe

2008-01-04 19:14 --------- d-----w C:\Programfiler\SoIP-player

2008-01-03 19:30 --------- d-----w C:\Documents and Settings\All Users\Programdata\Office Genuine Advantage

2007-12-11 17:31 22,328 ----a-w C:\Documents and Settings\Rune\Programdata\PnkBstrK.sys

2007-12-07 02:17 824,832 ----a-w C:\WINDOWS\system32\wininet.dll

2007-12-05 01:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE

2007-12-04 18:42 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll

2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

2007-03-30 19:21 1 ----a-w C:\Documents and Settings\Rune\SI.bin

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

"IntelliPoint"="c:\Programfiler\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]

"Adobe Photo Downloader"="F:\Programfiler\Adobe\Photoshop Elements 4.0\apdproxy.exe" [ ]

"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2008-01-31 23:13 385024]

"iTunesHelper"="D:\Programfiler\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-06-27 18:03 152872 C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]

--a------ 2006-05-22 13:26 694272 C:\Programfiler\dvd43\dvd43_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]

--a------ 2007-01-17 17:01 496640 C:\Programfiler\MSI\Live Update 3\LMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 14:57 153136 C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]

--a------ 2004-07-29 03:41 1122304 C:\Programfiler\Symantec\Norton Ghost\Agent\GhostTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]

--a------ 2007-01-22 16:22 81920 C:\Programfiler\NVIDIA Corporation\nTune\nTuneCmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCLEPCI]

f:\PROGRA~1\Pinnacle\PPE\PPE.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

C:\WINDOWS\system32\PSDrvCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

f:\Programfiler\PowerISO\PWRISOVM.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-01-31 23:13 385024 C:\Programfiler\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2005-01-12 02:01 32768 C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

--a------ 2006-11-14 16:21 16270848 C:\WINDOWS\RTHDCPL.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-09-25 00:11 132496 C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]

C:\Programfiler\Macrogaming\SweetIM\SweetIM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Fellesfiler\\Ahead\\Nero Web\\SetupX.exe"=

"C:\\Programfiler\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=

"D:\\Programfiler\\iTunes\\iTunes.exe"=

"D:\\Programfiler\\LimeWire\\LimeWire.exe"=

"D:\\Programfiler\\BitLord2\\BitLord.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

 

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-07-29 02:33]

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [2006-07-05 13:46]

R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-07-29 03:13]

R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;"C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 17:08]

R2 X4HSX32;X4HSX32;C:\Programfiler\SoIP-player\X4HSX32.Sys [2006-12-13 09:34]

R3 mssmbios;BIOS-driver for Microsoft System Management;C:\WINDOWS\system32\DRIVERS\mssmbios.sys [2004-08-04 13:00]

S4 Microsoft System Management;Microsoft System Management;C:\WINDOWS\system32\system.exe []

 

.

Contents of the 'Scheduled Tasks' folder

"2007-12-24 13:00:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-02 12:15:09

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-03-02 12:15:29

ComboFix-quarantined-files.txt 2008-03-02 11:15:27

ComboFix2.txt 2008-03-01 20:30:57

.

2008-03-01 21:10:28 --- E O F ---

 

 

 

No, you don't need to run it again.

 

From Start -> Run:

sc stop "Microsoft System Management"

sc delete "Microsoft System Management"

 

Start HijackThis, find these lines, check them, then click Fix checked.

 

O23 - Service: Microsoft System Management - Unknown owner - C:\WINDOWS\system32\system.exe (file missing)

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{673511D8-33EB-45A8-AC0C-AE3FDEBA7F03}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{8027DA87-9213-402F-94F3-6C0A1120EA03}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{D477BA97-32B1-4783-AA90-838DDDDA1C8E}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CS2\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CS3\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

 

Could you run ComboFix once more and post the log.

 

Restart and then a new HijackThis log.
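As an added example (not code from this thread), a small Python triage helper that applies the checks the reply above does by hand: it parses HijackThis O23 and O17 lines, flags a service with an unknown owner whose binary claims to live in the Windows directory, emits the `sc stop`/`sc delete` commands with the service name quoted, and lists NameServer overrides for review. The sample log lines are constructed from the kind of entries quoted in this thread.

```python
"""Triage helper for HijackThis O17/O23 lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample built from the kind of entries quoted in this thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{02BDD9BA-3735-4466-A66B-BAB8C6C384FD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Microsoft System Management - Unknown owner - C:\WINDOWS\system32\system.exe (file missing)
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - F:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
"""

# Directories a genuine Windows component would live in; a service with no
# known owner that points here is masquerading as part of the OS.
WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")
FILE_MISSING = "(file missing)"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>[\d.,]+)\s*$")
# "Display Name (service name)" -- HijackThis omits the parenthesised part
# when the service name equals the display name.
DISPLAY_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<name>[^()]+)\))?$")


@dataclass
class Service:
    display: str
    name: str          # the key name that `sc` expects
    owner: str
    path: str
    file_missing: bool

    def reasons(self) -> List[str]:
        found = []
        if self.owner.lower() == "unknown owner":
            found.append("unknown owner")
        if self.file_missing:
            found.append("file missing")
        if self.path.lower().startswith(WINDOWS_DIRS):
            found.append("binary in Windows directory")
        return found

    def suspicious(self) -> bool:
        r = self.reasons()
        return "unknown owner" in r and "binary in Windows directory" in r


def parse_o23(line: str) -> Optional[Service]:
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    body = line[len(prefix):].strip()
    file_missing = body.endswith(FILE_MISSING)
    if file_missing:
        body = body[: -len(FILE_MISSING)].rstrip()
    # Split only twice: the binary path may itself contain " - ".
    parts = body.split(" - ", 2)
    if len(parts) != 3:
        return None
    head, owner, path = parts
    m = DISPLAY_RE.match(head)
    display = m.group("display")
    return Service(display, m.group("name") or display, owner, path, file_missing)


def parse_o17(line: str) -> Optional[Tuple[str, List[str]]]:
    m = O17_RE.match(line)
    if not m:
        return None
    return m.group("key"), m.group("servers").split(",")


def triage(log_text: str) -> Dict[str, list]:
    """Return the sc commands for services to remove, uninstall leftovers to
    note, and NameServer overrides to review against the intended resolvers."""
    out: Dict[str, list] = {"remove": [], "leftovers": [], "dns_overrides": []}
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is not None:
            if svc.suspicious():
                # Quote the name: unquoted, `sc` would read "Microsoft System
                # Management" as three separate arguments.
                out["remove"].append(f'sc stop "{svc.name}"')
                out["remove"].append(f'sc delete "{svc.name}"')
            elif svc.file_missing:
                out["leftovers"].append(svc.name)  # uninstall residue, not malware
            continue
        dns = parse_o17(line)
        if dns is not None:
            out["dns_overrides"].append(dns)
    return out


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for cmd in report["remove"]:
        print(cmd)
    for key, servers in report["dns_overrides"]:
        print(f"review {key}: {', '.join(servers)}")
    print("leftover services:", report["leftovers"])
```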

 


HijackThis log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:17:53, on 02.03.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

C:\Programfiler\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Programfiler\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\RUNDLL32.EXE

D:\Programfiler\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

c:\Programfiler\Microsoft IntelliPoint\dpupdchk.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Programfiler\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\GEARSec.exe

C:\Programfiler\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

C:\DOCUME~1\Rune\LOKALE~1\Temp\Midlertidig mappe 1 for HiJackThis.zip\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [intelliPoint] "c:\Programfiler\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Programfiler\Adobe\Photoshop Elements 4.0\apdproxy.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\Programfiler\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176964600078

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{DA11D93E-A3AD-4E86-B804-9C647815194C}: NameServer = 208.67.220.220,208.67.222.222

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - F:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe (file missing)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Programfiler\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 9598 bytes


Use the Norton Removal Tool to remove leftovers from Norton.

 

Start hjt, choose "Do a system scan only", tick the following lines and click Fix checked:

O17 - HKLM\System\CCS\Services\Tcpip\..\{DA11D93E-A3AD-4E86-B804-9C647815194C}: NameServer = 208.67.220.220,208.67.222.222

O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

 

Otherwise, how is the PC running?

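The two kinds of lines the helper singles out above (an O17 NameServer entry and O23 services) are exactly what a triage script can pre-screen in a HijackThis log. The following is an added example, not code from the thread or from HijackThis: it parses constructed O17/O23 lines modelled on the log above, flags resolvers that are not in an allowlist the machine's owner supplies (the allowlist here is an assumption), and flags services whose binary is missing or whose vendor is unknown.

```python
import re

# Constructed sample in HijackThis O17/O23 format, modelled on the log in this thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA11D93E-A3AD-4E86-B804-9C647815194C}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - F:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
"""

# O17: per-interface DNS servers written under Tcpip\Parameters\Interfaces\{GUID}.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)")
# O23: "Service: <display name> - <vendor> - <image path> [(file missing)]".
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def check_nameservers(log, expected):
    """Return (registry key, [unexpected resolvers]) for each O17 line that
    points at a DNS server outside the owner's expected set. A resolver the
    owner did not configure is the classic sign of a DNS hijack."""
    findings = []
    for line in log.splitlines():
        m = O17_RE.match(line)
        if not m:
            continue
        unexpected = [s for s in m["servers"].split(",") if s not in expected]
        if unexpected:
            findings.append((m["key"], unexpected))
    return findings


def check_services(log):
    """Return (service name, [reasons]) for O23 services worth a second look:
    the image file no longer exists (orphaned install, or a cleaned binary
    whose service entry remains) or HijackThis could not attribute a vendor."""
    findings = []
    for line in log.splitlines():
        m = O23_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["missing"]:
            reasons.append("file missing")
        if m["vendor"] == "Unknown owner":
            reasons.append("unknown owner")
        if reasons:
            findings.append((m["name"], reasons))
    return findings
```

Run it with the resolvers you actually configured (router or ISP addresses) as `expected`; an empty result for `check_nameservers` means the O17 line matches your own settings and does not need fixing.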

 

Seems to work fine now. Maybe a few too many processes running. I'm not knowledgeable enough to turn those off.

 

Otherwise I have this configuration. I guess I can say the problem is solved.

------------------

System Information

------------------

Time of this report: 11/6/2007, 18:06:58

Machine name: SPILL

Operating System: Windows XP Home Edition (5.1, Build 2600) Service Pack 2 (2600.xpsp_sp2_gdr.070227-2254)

Language: Norwegian (Bokmål) (Regional Setting: Norwegian (Bokmål))

System Manufacturer: MSI

System Model: MS-7250

BIOS: Default System BIOS

Processor: AMD Athlon 64 X2 Dual Core Processor 3800+, MMX, 3DNow (2 CPUs), ~2.0GHz

Memory: 1024MB RAM

Page File: 269MB used, 2192MB available

Windows Dir: C:\WINDOWS

DirectX Version: DirectX 9.0c (4.09.0000.0904)

DX Setup Parameters: Not found

DxDiag Version: 5.03.2600.2180 32bit Unicode

 

---------------

Display Devices

---------------

Card name: NVIDIA GeForce 8800 GTS

Manufacturer: NVIDIA

Chip type: GeForce 8800 GTS

DAC type: Integrated RAMDAC

Device Key: Enum\PCI\VEN_10DE&DEV_0193&SUBSYS_042110DE&REV_A2

Display Memory: 640.0 MB

Current Mode: 1024 x 768 (32 bit) (60Hz)

Monitor: Plug and Play-skjerm

Monitor Max Res: 1600,1200

Driver Name: nv4_disp.dll

Driver Version: 6.14.0011.6904 (English)

DDI Version: 9 (or higher)

Driver Attributes: Final Retail

Driver Date/Size: 10/28/2007 16:52:00, 5768320 bytes


Then you can uninstall combofix:

 

Start -> Run

Type: combofix /u

This uninstalls the program and clears the System Restore storage, so you don't risk restoring the machine to a point in time when you had the virus.

 

When this is done, write "[LØST]" (solved) at the start of your topic title (edit the first post with full edit).
