CID once again, norbat og snippsat er veldig velkommne ;)

Sertito · 7. mars 2008

Hey kjører vista (uheldigvis :thumbdown: ) og har problemer med CID, jeg sjekka etter linker for detta og lasta deretter ned SAS og hijakthis. SAS løste ikke problemet i det hle tatt og Hijackthis kjønte jeg ikke noe av. Takker for den hjelpen jeg måtte få

norbat · 7. mars 2008

Post gjerne hjt-loggen her.

r2d290 · 7. mars 2008

Håper jeg får låv å svare, selvom det bare er norbat og snippsat som er velkommen? :/

du skriver at du ikke skjønner noe av hijack this. se på http://www.trendsecure.com/portal/en-US/to.../hijackthis/qsg

Det øverste bildet skal komme opp når du starter hijackthis.exe. Du trykker da på det øverste alternativet (do a systemscan and save logfile).

deretter skal du vel trykke på analyze, og da kommer den lista (vist på det nest øverste bildet) samtidig som det kommer opp en notisbok med akurat de samme linjene. De linjene som kommer opp i dette vinduet, kopierer du, og limer inn her i denne tråden.

Sertito · 7. mars 2008

hmm den loggen var temmelig kort :S hvet ikke om det blei riktig

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:44:11, on 07.03.2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16609)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\PixArt\Pac207\Monitor.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\system32\conime.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Users\Alexander\Desktop\hijackthis\HijackThis\HijackThis.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--

End of file - 1798 bytes

r2d290 · 7. mars 2008

hmm. ja, den var litt merkelig kort. Det er hvertfall ikke noe galt i det lille som er der. Har du prøvd å kjøre på nytt, og se om resultatet blir det samme?

Sertito · 7. mars 2008

hmm. ja, den var litt merkelig kort. Det er hvertfall ikke noe galt i det lille som er der. Har du prøvd å kjøre på nytt, og se om resultatet blir det samme?

[/quoteHHvis jeg prøver å kjøre på nytt kommer det bare denne meldingen : HijackThis is already running :S

r2d290 · 7. mars 2008

Hvis du går helt ut av programmet, tar ctrl+alt+delete, og deretter prosesser, så kan du se om den fortsatt kjører.

Avslutt eventuell prosess som har med hijack this å gjøre.

Deretter avslutter du ALT av vinduer, msn+++ som du kjører, og så prøver du å kjøre hijack this på nytt.

Sertito · 7. mars 2008

Dette var litt større

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:42:59, on 07.03.2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16609)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\PixArt\Pac207\Monitor.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\system32\conime.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Users\Alexander\Desktop\hijackthis\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer levert av Komplett

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)

O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files\ATI\CatalystRegistration\dolce.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\DAEMON Tools SearchBar\Search.exe"

O4 - HKLM\..\Run: [WhenUSearchWHSE] "C:\Program Files\DAEMON Tools SearchBar\whse.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

O4 - HKCU\..\Run: [blue dumb] "C:\ProgramData\Cdrom City City.te9s6"

O4 - HKCU\..\Run: [CAMP SHIM EXIT HECK] "C:\ProgramData\Grim itch win.v90e2"

O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')

O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O13 - Gopher Prefix:

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://luvar.himolde.no/activex/AxisCamControl.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--

End of file - 9085 bytes

norbat · 7. mars 2008

Hent Combofix, og legg det på skrivebordet

Kjør combofix.exe, og følg veiledningen.

Du må ikke klikke på vinduet mens programmet kjører.

Post loggfilen fra combofix (c:\combofix.txt), så tar vi malwaren derfra.

Se også om du får avinstaller DAEMON Tools SearchBar

Sertito · 8. mars 2008

Daemon toolbar klarte jeg dessverre ikke fjerne

Combfix log:

ComboFix 08-03-07.4 - Alexander 2008-03-08 1:52:44.1 - NTFSx86

Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1044.18.1053 [GMT 1:00]

Running from: C:\Drivers\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))

.

2008-03-07 14:41 . 2008-03-07 14:41 <DIR> d-------- C:\Program Files\RivaTuner v2.07

2008-03-07 12:32 . 2008-03-07 12:32 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com

2008-03-07 12:32 . 2008-03-07 12:32 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com

2008-03-07 12:31 . 2008-03-07 12:31 <DIR> d-------- C:\Users\Alexander\AppData\Roaming\SUPERAntiSpyware.com

2008-03-07 12:31 . 2008-03-07 12:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-03-04 19:17 . 2008-03-04 20:41 <DIR> d-------- C:\Users\Alexander\AppData\Roaming\Mount&Blade

2008-03-04 19:15 . 2008-03-04 19:16 <DIR> d-------- C:\Program Files\Mount&Blade

2008-02-28 21:56 . 2008-03-02 16:06 <DIR> d-------- C:\Users\Liv\AppData\Roaming\skypePM

2008-02-28 21:56 . 2008-03-07 22:30 <DIR> d-------- C:\Users\Alexander\AppData\Roaming\skypePM

2008-02-28 21:56 . 2008-02-28 21:56 32 --a------ C:\Users\All Users\ezsid.dat

2008-02-28 21:56 . 2008-02-28 21:56 32 --a------ C:\ProgramData\ezsid.dat

2008-02-28 21:55 . 2008-02-28 21:55 <DIR> d-------- C:\Program Files\Skype

2008-02-28 21:55 . 2008-02-28 21:55 <DIR> d-------- C:\Program Files\Common Files\Skype

2008-02-26 20:35 . 2008-02-26 20:35 <DIR> d-------- C:\Windows\PixArt

2008-02-24 15:43 . 2008-03-03 22:09 <DIR> d-------- C:\Users\Alexander\AppData\Roaming\IMVU

2008-02-24 15:43 . 2008-02-24 15:45 <DIR> d-------- C:\Program Files\IMVU

2008-02-19 17:48 . 2008-02-19 17:48 <DIR> d-------- C:\Users\Alexander\AppData\Roaming\Petroglyph

2008-02-19 17:43 . 2008-02-19 17:43 <DIR> d-------- C:\Program Files\LucasArts

2008-02-19 00:16 . 2008-02-19 00:16 <DIR> d-------- C:\Program Files\NAMCO BANDAI Games

2008-02-17 00:34 . 2008-02-17 00:34 484 --a------ C:\Windows\eReg.dat

2008-02-17 00:24 . 2008-02-17 00:29 <DIR> d-------- C:\Program Files\ANNO 1503

2008-02-16 05:46 . 2008-02-16 05:46 <DIR> d-------- C:\Users\Alexander\AppData\Roaming\Bioshock

2008-02-15 19:42 . 2008-02-15 19:42 <DIR> d-------- C:\Users\All Users\Media Center Programs

2008-02-15 19:42 . 2008-02-15 19:42 <DIR> d-------- C:\ProgramData\Media Center Programs

2008-02-15 19:42 . 2008-01-10 06:50 1,244,672 --a------ C:\Windows\System32\mcmde.dll

2008-02-15 19:36 . 2008-02-15 19:36 108,144 --a------ C:\Windows\System32\CmdLineExt.dll

2008-02-15 19:26 . 2008-02-15 19:26 <DIR> d-------- C:\Users\Alexander\AppData\Roaming\InstallShield

2008-02-15 19:26 . 2008-02-15 19:26 <DIR> d-------- C:\Program Files\2K Games

2008-02-15 17:22 . 2008-02-15 17:22 <DIR> d-------- C:\Program Files\D-Link

2008-02-14 11:30 . 2008-02-14 12:13 <DIR> d-------- C:\Nyno31

2008-02-14 11:30 . 2008-02-14 11:30 168 --a------ C:\Windows\nyno31.ini

2008-02-14 00:02 . 2008-02-14 00:02 194,560 --a------ C:\Windows\System32\WebClnt.dll

2008-02-14 00:02 . 2008-02-14 00:02 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys

2008-02-13 23:58 . 2008-02-13 23:58 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe

2008-02-13 23:57 . 2008-02-13 23:58 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll

2008-02-13 23:57 . 2008-02-13 23:57 1,686,528 --a------ C:\Windows\System32\gameux.dll

2008-02-13 23:55 . 2008-02-13 23:55 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl

2008-02-13 23:55 . 2008-02-13 23:55 56,320 --a------ C:\Windows\System32\iesetup.dll

2008-02-13 23:55 . 2008-02-13 23:55 26,624 --a------ C:\Windows\System32\ieUnatt.exe

2008-02-12 14:49 . 2008-02-15 17:53 <DIR> d-------- C:\Program Files\GStudio7

2008-02-12 14:48 . 2008-02-12 14:48 17,408 --a------ C:\psapi.dll

2008-02-11 14:54 . 2008-02-11 14:54 19 --a------ C:\Users\Alexander\cmd.bat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-08 00:36 --------- d-----w C:\ProgramData\DAEMON Tools Pro

2008-03-08 00:22 --------- d-----w C:\Program Files\Steam

2008-03-07 23:32 --------- d-----w C:\Users\Alexander\AppData\Roaming\uTorrent

2008-03-07 22:10 --------- d-----w C:\Users\Alexander\AppData\Roaming\Skype

2008-03-07 17:36 --------- d-----w C:\Program Files\Warcraft III

2008-03-07 11:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-03-02 15:47 --------- d-----w C:\Users\Liv\AppData\Roaming\Skype

2008-02-25 15:17 --------- d-----w C:\ProgramData\Thunk free

2008-02-25 15:17 --------- d-----w C:\ProgramData\That Face Camp Shim

2008-02-21 09:52 --------- d-----w C:\Program Files\Bethesda Softworks

2008-02-19 16:43 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-02-16 23:22 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-02-16 03:57 --------- d-----w C:\Program Files\Common Files\Steam

2008-02-15 17:52 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys

2008-02-15 17:51 107,832 ----a-w C:\Windows\System32\PnkBstrB.exe

2008-02-13 22:58 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys

2008-02-13 22:56 824,832 ----a-w C:\Windows\System32\wininet.dll

2008-02-13 22:56 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-02-07 19:25 --------- d-----w C:\Program Files\GameSpy Arcade

2008-02-07 19:11 --------- d-----w C:\Program Files\The Creative Assembly

2008-02-06 19:58 --------- d-----w C:\Program Files\Veoh Networks

2008-02-06 19:30 --------- d-----w C:\Program Files\DivX

2008-02-06 17:03 --------- d-----w C:\Program Files\Common Files\Adobe

2008-02-06 16:36 --------- d-----w C:\Users\Alexander\AppData\Roaming\AdobeUM

2008-01-09 11:18 524,288 ----a-w C:\Windows\System32\DivXsm.exe

2008-01-09 11:18 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll

2008-01-09 11:18 200,704 ----a-w C:\Windows\System32\ssldivx.dll

2008-01-09 11:18 129,784 ------w C:\Windows\System32\pxafs.dll

2008-01-09 11:18 1,044,480 ----a-w C:\Windows\System32\libdivx.dll

2008-01-09 11:16 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll

2008-01-09 11:16 823,296 ----a-w C:\Windows\System32\divx_xx07.dll

2008-01-09 11:16 81,920 ----a-w C:\Windows\System32\dpl100.dll

2008-01-09 11:16 802,816 ----a-w C:\Windows\System32\divx_xx11.dll

2008-01-09 11:16 682,496 ----a-w C:\Windows\System32\DivX.dll

2008-01-09 11:16 196,608 ----a-w C:\Windows\System32\dtu100.dll

2007-12-18 08:43 36,864 ----a-w C:\Windows\System32\cdd.dll

2007-12-11 19:44 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll

2007-12-11 19:44 57,344 ----a-w C:\Windows\System32\dpv11.dll

2007-12-11 19:44 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll

2007-12-11 19:44 344,064 ----a-w C:\Windows\System32\dpus11.dll

2007-12-11 19:44 294,912 ----a-w C:\Windows\System32\dpu11.dll

2007-12-11 19:44 294,912 ----a-w C:\Windows\System32\dpu10.dll

2007-12-11 19:44 156,992 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe

2007-12-11 19:43 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll

2007-12-10 21:11 11,776 ----a-w C:\Windows\System32\sbunattend.exe

2007-11-26 21:43 89,779 ----a-w C:\Program Files\Lindsay%20Lohan%20from%20portland%20mercury1[1].jpg

2007-10-19 12:31 174 --sha-w C:\Program Files\desktop.ini

2007-11-25 17:15 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2007-11-25 17:15 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2007-11-25 17:15 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2007-12-10 22:11 1232896]

"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 13:34 2159104 C:\Windows\System32\oobefldr.dll]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"Steam"="C:\Program Files\Steam\Steam.exe" [2007-12-26 23:43 1266936]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 14:30 249856]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-01-30 12:55 3497984]

"blue dumb"="C:\ProgramData\Cdrom City City.te9s6" [2008-02-25 16:16 69648]

"CAMP SHIM EXIT HECK"="C:\ProgramData\Grim itch win.v90e2" [2008-02-25 16:17 86032]

"HitwarePKLite"="C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe" [ ]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-19 14:07 1006264]

"RtHDVCpl"="RtHDVCpl.exe" [2007-09-19 13:50 4702208 C:\Windows\RtHDVCpl.exe]

"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112]

"CatalystRegistration"="C:\Program Files\ATI\CatalystRegistration\dolce.exe" [2007-07-27 11:04 274432]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06 79224]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 286720]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 08:16 528384]

"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-12-26 14:44 779776]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"Monitor"="C:\Windows\PixArt\PAC207\Monitor.exe" [2006-11-03 11:01 319488]

C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

IMVU.lnk - C:\Program Files\IMVU\IMVUClient.exe [2008-01-30 20:14:00 49408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"LogonHoursAction"= 2 (0x2)

"DontDisplayLogonHoursWarnings"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{7DA715CB-3F9F-4330-A518-6C9E61734C21}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

"{00E0EE1B-95BE-4EAA-814E-F158857E00AC}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)|Edge=TRUE|

"TCP Query User{59136A40-2702-40D7-BC79-E14C7EB41ABD}C:\program files\utorrent\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent

"UDP Query User{A7EED320-5BF2-4FC9-9175-4238D078FDC3}C:\program files\utorrent\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent

"TCP Query User{4BD91CF7-C1CF-4AEE-A9AA-C6092A486BA1}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III

"UDP Query User{753E788D-C5E5-4692-836D-5B795F4FB774}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III

"TCP Query User{3109E5DE-E4A3-4F6D-8889-FC6BE1B3D608}C:\program files\steam\steamapps\sertito\counter-strike source\hl2.exe"= UDP:C:\program files\steam\steamapps\sertito\counter-strike source\hl2.exe:hl2|Desc=hl2

"UDP Query User{3AC3687B-D10D-42AF-B526-0B50A0F15C8E}C:\program files\steam\steamapps\sertito\counter-strike source\hl2.exe"= TCP:C:\program files\steam\steamapps\sertito\counter-strike source\hl2.exe:hl2|Desc=hl2

"TCP Query User{FA6F6A44-BA68-4EE1-984F-6A047FDCE11A}C:\program files\morpheus\morpheus.exe"= UDP:C:\program files\morpheus\morpheus.exe:Morpheus|Desc=Morpheus

"UDP Query User{7B7FBE84-3BCE-4113-9589-BAE7FAF5FE12}C:\program files\morpheus\morpheus.exe"= TCP:C:\program files\morpheus\morpheus.exe:Morpheus|Desc=Morpheus

"TCP Query User{9868A294-9AD7-4604-85CC-6BF439B47811}C:\program files\steam\steamapps\sertito\day of defeat source\hl2.exe"= UDP:C:\program files\steam\steamapps\sertito\day of defeat source\hl2.exe:hl2|Desc=hl2

"UDP Query User{2668330C-488C-4366-802A-CA2D4E9D77F4}C:\program files\steam\steamapps\sertito\day of defeat source\hl2.exe"= TCP:C:\program files\steam\steamapps\sertito\day of defeat source\hl2.exe:hl2|Desc=hl2

"{1AE073DE-016B-4D8A-AEC5-148AFE5A11D7}"= UDP:C:\Program Files\Electronic Arts\Kampen om Midgard II\game.dat:Kampen om Midgard™ II

"{60CCD238-5D38-47BD-9572-0D453D960CCE}"= TCP:C:\Program Files\Electronic Arts\Kampen om Midgard II\game.dat:Kampen om Midgard™ II

"TCP Query User{4E84900E-8AED-4A85-89E2-D267E2FE3F8C}C:\program files\electronic arts\kampen om midgard ii\patchget.dat"= UDP:C:\program files\electronic arts\kampen om midgard ii\patchget.dat:patchgrabber|Desc=patchgrabber

"UDP Query User{D89D85D1-70C1-4016-B743-F9EC877D0051}C:\program files\electronic arts\kampen om midgard ii\patchget.dat"= TCP:C:\program files\electronic arts\kampen om midgard ii\patchget.dat:patchgrabber|Desc=patchgrabber

"{A5423C69-2BE7-4445-8BA1-79EC81D5A3E6}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main

"{273F47E7-9CB3-4A4A-B678-37BF60745CB4}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main

"{02ABF4F9-3C5B-4895-ACB3-C83F43C7C324}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD

"{5EBE60E4-FFB6-4498-9D18-E38F4E68E01D}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD

"{A0A0FC2E-6768-43FA-9332-80B802D3E557}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater

"{89317A15-180A-44D3-84E0-0ABAC3CCF7F5}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater

"{D611690B-8193-46A5-9379-A70B989953AC}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server

"{6F670580-5F2F-464D-AE92-4A0EEE87BC5D}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server

"TCP Query User{D13992EC-EFBB-4795-8C33-A1307D589FF2}C:\flatout2\flatout2.exe"= UDP:C:\flatout2\flatout2.exe:FlatOut2|Desc=FlatOut2

"UDP Query User{024BE48A-664D-42E4-9CE1-37BC081961BC}C:\flatout2\flatout2.exe"= TCP:C:\flatout2\flatout2.exe:FlatOut2|Desc=FlatOut2

"{B3960BF5-632A-4DC2-A928-8D8235BDE2A5}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{F5C0923D-6C65-4586-8F99-7F8C7259F4BD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{DD75CAFB-6604-4993-9DEF-FC8A7102AA70}"= UDP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2

"{1A980736-D0CF-4F10-BDF6-578BF8AD54CA}"= TCP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2

"{60A95C91-B818-4F4B-9DE7-5A259057B474}"= UDP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2

"{8659FDC7-6398-4312-86CB-ACB57F8422E2}"= TCP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2

"TCP Query User{DD53D900-6073-4DDB-8163-15C8D63DE14A}C:\program files\ea games\battlefield 2\bf2.exe"= UDP:C:\program files\ea games\battlefield 2\bf2.exe:BF2|Desc=BF2

"UDP Query User{1B707F38-B865-466B-8214-0149C6FAE395}C:\program files\ea games\battlefield 2\bf2.exe"= TCP:C:\program files\ea games\battlefield 2\bf2.exe:BF2|Desc=BF2

"TCP Query User{DDDF69C1-8898-466F-A63E-288EC6DDE50C}C:\ijji\english\u_sf\soldierfront.exe"= Disabled:UDP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront|Desc=soldierfront

"UDP Query User{FDACC840-3455-4B93-8964-ED1373ACFF21}C:\ijji\english\u_sf\soldierfront.exe"= Disabled:TCP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront|Desc=soldierfront

"TCP Query User{1A89DE1E-AF76-4F00-A4B4-F441EE9BBFF0}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer

"UDP Query User{13425C5E-9FED-4F71-A50B-67685446F3A2}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer

"TCP Query User{E1D3093E-E527-4FFC-8FAE-79172FBD3219}C:\program files\utorrent\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent

"UDP Query User{76AF023D-12C5-4909-BF13-6614FA34000A}C:\program files\utorrent\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent

"TCP Query User{0FB282DF-2A66-4C18-B9D3-BEB4660CF10B}C:\program files\the creative assembly\rome - total war\rometw.exe"= UDP:C:\program files\the creative assembly\rome - total war\rometw.exe:Rome: Total War|Desc=Rome: Total War

"UDP Query User{4E5F8B54-6401-41B1-B392-0CF9EB091016}C:\program files\the creative assembly\rome - total war\rometw.exe"= TCP:C:\program files\the creative assembly\rome - total war\rometw.exe:Rome: Total War|Desc=Rome: Total War

"TCP Query User{E28BB261-5A07-483D-9F89-43E85DABD646}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III

"UDP Query User{9C742B8F-4497-4428-81D0-26CBB9F54A12}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III

"TCP Query User{43296CBD-CA66-444A-B236-165A76A632F1}C:\program files\namco bandai games\warhammer mark of chaos\warhammer.exe"= UDP:C:\program files\namco bandai games\warhammer mark of chaos\warhammer.exe:Warhammer®: Mark of Chaos™|Desc=Warhammer®: Mark of Chaos™

"UDP Query User{29AB6810-FD40-4985-8449-F4B1CFD0626C}C:\program files\namco bandai games\warhammer mark of chaos\warhammer.exe"= TCP:C:\program files\namco bandai games\warhammer mark of chaos\warhammer.exe:Warhammer®: Mark of Chaos™|Desc=Warhammer®: Mark of Chaos™

"{71AE937E-4112-4314-9C92-DC053EC4615E}"= UDP:C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:Star Wars: Empire at War

"{0D1B0EB4-5082-4A75-A6EB-C260F833710F}"= TCP:C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:Star Wars: Empire at War

"TCP Query User{FD69CB9A-5073-47BD-ABC9-8D0D90C3E266}C:\program files\steam\steamapps\manowar1993\counter-strike source\hl2.exe"= UDP:C:\program files\steam\steamapps\manowar1993\counter-strike source\hl2.exe:hl2|Desc=hl2

"UDP Query User{C89D1978-A46A-4AD0-AA5B-A57DAA9F1A42}C:\program files\steam\steamapps\manowar1993\counter-strike source\hl2.exe"= TCP:C:\program files\steam\steamapps\manowar1993\counter-strike source\hl2.exe:hl2|Desc=hl2

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 16:22]

R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2007-09-06 11:02]

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []

R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 04:29]

R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-29 04:13]

R3 PAC207;SoC PC-Camera;C:\Windows\system32\DRIVERS\PFC027.SYS [2006-12-05 11:34]

R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-01-15 21:28]

R3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-02-16 02:26]

S4 nvsmu;nvsmu;C:\Windows\system32\drivers\nvsmu.sys [2006-11-14 03:04]

S4 UGURU;UGURU;C:\Windows\system32\drivers\uguru.sys [2006-10-02 03:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{000f308a-7789-11dc-b097-0019db6c2716}]

\shell\AutoRun\command - I:\FarCryAutoCD.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-08 01:55:45

Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-03-08 1:56:48

.

2008-03-07 10:28:09 --- E O F ---

norbat · 8. mars 2008

Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript.txt.

Dra deretter fila over Combofix-iconet. Combofix vil starte igjen.

File::

C:\ProgramData\Cdrom City City.te9s6

C:\ProgramData\Grim itch win.v90e2

Folder::

C:\Program Files\DAEMON Tools SearchBar

C:\ProgramData\That Face Camp Shim

C:\ProgramData\Thunk free

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"blue dumb"=-

"CAMP SHIM EXIT HECK"=-

Post Combofix-loggen + ny hjt-logg.

Sjekk også HOSTS-fila og se om det ligger noen oppføringer der knyttet til #CiD

(..system32\drivers\etc\hosts)

Sertito · 8. mars 2008

HEy, hosts fila var rein

Combofix: