
The antivirus logs that were asked for!



Hi, here are the antivirus logs that were asked for, except SAS, because it didn't create any log... hope it's fine and hope I get help... I think a lot was removed by those two programs too! :)

 

 

Here

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:01:43, on 16.04.2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16643)

Boot mode: Normal

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE

C:\Program Files\Norman\Npm\Bin\Zanda.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Program Files\Norman\Npm\bin\NJEEVES.EXE

C:\Program Files\Norman\Nvc\bin\nvcoas.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Norman\Npm\Bin\Zlh.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Norman\Nvc\BIN\NIP.EXE

C:\Program Files\Norman\Nvc\bin\cclaw.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\conime.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\System32\rundll32.exe

C:\Windows\Explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Windows\system32\wbem\wmiprvse.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [idleCash] "C:\ProgramData\ReadmeBinBin.je9hftw"

O4 - HKCU\..\Run: [CAMP SHIM EXIT HECK] "C:\ProgramData\Tool Noun Base.sywmm"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O13 - Gopher Prefix:

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

 

--

End of file - 7733 bytes

 

ComboFix 08-04-15.4 - Diggi Diggi RägSkänk 2008-04-16 11:55:43.1 - NTFSx86

Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1044.18.1248 [GMT 2:00]

Running from: C:\Users\Diggi Diggi RägSkänk\Desktop\ComboFix.exe

* Created a new restore point

* Resident AV is active

 

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Windows\Downloaded Program Files\setup.inf

D:\Autorun.inf

D:\RECYCLER\autorun.inf

D:\RECYCLER\desktop.ini

D:\RECYCLER\Folder.htt

D:\RECYCLER\info.exe

D:\RECYCLER\protect.ed

D:\RECYCLER\warning.bmp

 

.

((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))

.

 

No new files created in this timespan

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-16 09:58 2,883,584 --sha-w C:\Users\Diggi Diggi RägSkänk\ntuser.dat

2008-04-16 09:58 2,883,584 --sha-w C:\Users\Diggi Diggi RägSkänk\ntuser.dat

2008-04-16 09:49 --------- d-----w C:\Program Files\Norman

2008-04-16 09:22 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\SUPERAntiSpyware.com

2008-04-16 09:22 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com

2008-04-16 09:22 --------- d-----w C:\Program Files\SUPERAntiSpyware

2008-04-16 09:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-04-16 09:13 --------- d-----w C:\Program Files\CCleaner

2008-04-16 08:35 --------- d-----w C:\Program Files\Enigma Software Group

2008-04-16 08:35 --------- d-----w C:\Program Files\3wPlayer

2008-04-16 08:06 --------- d-----w C:\ProgramData\That Face Camp Shim

2008-04-16 08:06 --------- d-----w C:\ProgramData\One Tons Tool

2008-04-15 15:27 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Adobe

2008-04-10 01:42 --------- d-----w C:\Program Files\BitLord2

2008-04-10 01:32 --------- d-----w C:\Program Files\Windows Mail

2008-04-09 21:42 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\dvdcss

2008-04-06 20:16 --------- d-s---w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft

2008-04-06 20:16 --------- d-----w C:\ProgramData\avg7

2008-04-06 18:19 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\AVG7

2008-04-06 18:18 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-06 18:18 --------- d-----w C:\Program Files\IK Multimedia

2008-04-05 17:21 --------- d-----w C:\ProgramData\Apple Computer

2008-04-05 17:21 --------- d-----w C:\Program Files\iTunes

2008-04-05 17:21 --------- d-----w C:\Program Files\iPod

2008-04-05 17:20 --------- d-----w C:\Program Files\QuickTime

2008-04-01 20:55 --------- d-----w C:\Program Files\Windows Live

2008-04-01 20:54 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller

2008-04-01 20:51 --------- d-----w C:\ProgramData\WLInstaller

2008-03-24 15:36 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Apple Computer

2008-03-23 21:16 --------- d-----w C:\Program Files\Safari

2008-03-23 21:06 --------- d-----w C:\Program Files\Bonjour

2008-03-23 21:04 --------- d-----w C:\Program Files\Apple Software Update

2008-03-23 21:03 --------- d-----w C:\ProgramData\Apple

2008-03-23 21:03 --------- d-----w C:\Program Files\Common Files\Apple

2008-03-20 00:19 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Real

2008-03-13 11:14 --------- d-----w C:\Program Files\Common Files\Adobe

2008-03-05 19:08 --------- d-----w C:\ProgramData\Adobe Systems

2008-03-02 20:07 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Mozilla

2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll

2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll

2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll

2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe

2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe

2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll

2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll

2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys

2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll

2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll

2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll

2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll

2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe

2008-02-14 00:15 194,560 ----a-w C:\Windows\System32\WebClnt.dll

2008-02-14 00:11 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe

2008-02-14 00:11 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe

2008-02-14 00:11 24,064 ----a-w C:\Windows\System32\netcfg.exe

2008-02-14 00:11 22,016 ----a-w C:\Windows\System32\netiougc.exe

2008-02-14 00:11 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll

2008-02-14 00:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-02-14 00:10 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-02-14 00:10 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll

2008-02-14 00:10 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll

2008-02-14 00:10 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-02-14 00:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-02-14 00:10 1,686,528 ----a-w C:\Windows\System32\gameux.dll

2008-02-14 00:08 1,244,672 ----a-w C:\Windows\System32\mcmde.dll

2008-01-29 10:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll

2007-08-29 22:39 174 --sha-w C:\Program Files\desktop.ini

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 04:01 1232896]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 17:09 171464]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

"IdleCash"="C:\ProgramData\ReadmeBinBin.je9hftw" [2008-04-16 10:05 290832]

"CAMP SHIM EXIT HECK"="C:\ProgramData\Tool Noun Base.sywmm" [2008-04-16 10:06 213008]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-16 08:20 1006264]

"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 17:10 4468736 C:\Windows\RtHDVCpl.exe]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-26 16:17 86016]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-04-26 16:17 8429568]

"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-26 16:17 81920]

"Norman ZANDA"="C:\Program Files\Norman\Npm\bin\ZLH.exe" [2007-08-09 15:40 183352]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-29 02:12 185896]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"TCP Query User{2B1FA8B6-FC0A-4E58-BC95-CCFA87FF8536}C:\\program files\\bitlord2\\bitlord.exe"= UDP:C:\program files\bitlord2\bitlord.exe:

"UDP Query User{2AFD3489-FB64-4009-865E-469FE0C83A43}C:\\program files\\bitlord2\\bitlord.exe"= TCP:C:\program files\bitlord2\bitlord.exe:

"TCP Query User{91A031F7-9235-4AA0-8069-37E4B1EE402C}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"UDP Query User{CA411E30-A23D-4CDE-A00A-7FD507DBDE4A}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"TCP Query User{643B92B6-31AB-418A-9CEA-13C6826A88A7}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord

"UDP Query User{87CD0CE5-BF97-4348-973F-A5FE5D575AC8}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord

"{5F78BF4E-7277-4511-9FFA-A2A55C16AA55}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

"{5E808AC1-582B-463F-83D1-5D02D21CCD2E}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

"{72829EDB-8FBC-4885-BE98-82A4D602EC10}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{CC852D83-A025-4BC0-891F-3236FB2FCB31}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{D101A785-DD42-481E-8992-90C6810E1714}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

 

R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 11:55]

R3 NvcMFlt;NvcMFlt;C:\Windows\system32\DRIVERS\nvcv32mf.sys [2008-02-11 15:56]

R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2007-12-12 12:45]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 14:23]

S3 nvcfsr;nvcfsr;C:\Program Files\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 16:25]

S3 nvcoafl4;nvcoafl4;C:\Program Files\Norman\Nvc\bin\nvcoafl4.sys [2007-01-09 16:25]

S3 nvcoaft4;nvcoaft4;C:\Program Files\Norman\Nvc\bin\nvcoaft4.sys [2007-01-09 16:25]

S3 nvcoarc4;nvcoarc4;C:\Program Files\Norman\Nvc\bin\nvcoarc4.sys [2007-01-09 16:25]

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-16 11:58:38

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

C:\Users\Diggi Diggi RägSkänk\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B8F0_24ED_F024_B412\$db_clean$ 0 bytes

C:\Users\Diggi Diggi RägSkänk\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B8F0_24ED_F024_B412\fsr008DF.log 131072 bytes

 

scan completed successfully

hidden files: 65

 

**************************************************************************

.

Completion time: 2008-04-16 11:59:42

ComboFix-quarantined-files.txt 2008-04-16 09:59:37

 

Finner ikke meldingstekst for melding nummer 0x2379 i meldingsfilen for Application.

Finner ikke meldingstekst for melding nummer 0x2379 i meldingsfilen for Application.

.

2008-04-10 01:04:14 --- E O F ---

Edited by NaughtyLittleDoggie

Open Notepad, copy and paste what is in bold below. Save the file on the desktop as

CFScript.txt

Drag the file onto the ComboFix icon. ComboFix will start again.

Folder::

C:\ProgramData\That Face Camp Shim

 

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IdleCash"=-

"CAMP SHIM EXIT HECK"=-

 

Post a new HJT log and tell us how the PC is running.

still a bit of strange behaviour... :)

 

 

Here:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:44:05, on 16.04.2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16643)

Boot mode: Normal

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE

C:\Program Files\Norman\Npm\Bin\Zanda.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Norman\Npm\bin\NJEEVES.EXE

C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Program Files\Norman\Nvc\bin\nvcoas.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Norman\Npm\Bin\Zlh.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Windows\ehome\ehtray.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Norman\Nvc\BIN\NIP.EXE

C:\Windows\System32\rundll32.exe

C:\Program Files\Norman\Nvc\bin\cclaw.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Windows\system32\wbem\wmiprvse.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [idleCash] "C:\ProgramData\ReadmeBinBin.je9hftw"

O4 - HKCU\..\Run: [CAMP SHIM EXIT HECK] "C:\ProgramData\Tool Noun Base.sywmm"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O13 - Gopher Prefix:

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

 

--

End of file - 7653 bytes

Start HJT, choose "Do a system scan only", put a check mark in front of the following lines and click Fix checked:

O4 - HKCU\..\Run: [idleCash] "C:\ProgramData\ReadmeBinBin.je9hftw"

O4 - HKCU\..\Run: [CAMP SHIM EXIT HECK] "C:\ProgramData\Tool Noun Base.sywmm"

 

Your log looks fine after this. In what way is the PC strange?
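Added example, not from this thread or from HijackThis: a small Python triage of the O4 (Run-key) lines of a HijackThis log that applies the same judgement the helper made by hand above, flagging autostart targets that live in a user-writable data directory, have no recognised executable extension, or are given as a bare file name. The heuristics, function names and the sample lines (copied from the log posted in this thread) are this example's own construction.

```python
"""Triage the O4 (Run-key) lines of a HijackThis log.

Added example; the heuristics below are this example's own, not HijackThis logic.
"""
import ntpath
import re

# Constructed sample input: a subset of the O4 lines from the HijackThis log above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [idleCash] "C:\ProgramData\ReadmeBinBin.je9hftw"
O4 - HKCU\..\Run: [CAMP SHIM EXIT HECK] "C:\ProgramData\Tool Noun Base.sywmm"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
"""

# Hive, value name, command line and (for HKUS entries) the user HijackThis resolved.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)

EXEC_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".cpl", ".bat", ".cmd"}
USER_WRITABLE_MARKERS = ("\\programdata\\", "\\appdata\\", "\\users\\", "\\temp\\")


def target_path(cmd):
    """Return the file the Run value actually launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                          # "C:\path with spaces\x.exe" args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    head, _, rest = cmd.partition(" ")
    if head.lower() in ("rundll32.exe", "rundll32"):  # rundll32 host: the DLL is the real target
        return rest.split(",", 1)[0].strip()
    return re.split(r" [-/]", cmd, maxsplit=1)[0]    # drop " -switch" / " /switch"


def parse_o4(line):
    """Parse one O4 Run line; returns None for lines of another shape (e.g. Global Startup)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = target_path(entry["cmd"])
    return entry


def suspicious_reasons(path):
    """Heuristic reasons an autostart target deserves a closer look (empty list = nothing odd)."""
    reasons = []
    lowered = path.lower()
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("target lives in a user-writable data directory")
    if ntpath.splitext(lowered)[1] not in EXEC_EXTENSIONS:
        reasons.append("target has no recognised executable extension")
    if not ntpath.dirname(path):
        reasons.append("bare file name, resolved through the search path at logon")
    return reasons


def triage(log_text):
    """Return the parsed O4 entries that have at least one suspicious reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry["path"])
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        print(f"[{e['name']}] {e['path']}")
        for r in e["reasons"]:
            print("    -", r)
```

Run against the sample, the two lop.com entries the helper points at are flagged on two grounds each, while the bare RtHDVCpl.exe entry is flagged only as something to locate on disk, which the running-process list above already does.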

Start HJT, choose "Do a system scan only", put a check mark in front of the following lines and click Fix checked:

O4 - HKCU\..\Run: [idleCash] "C:\ProgramData\ReadmeBinBin.je9hftw"

O4 - HKCU\..\Run: [CAMP SHIM EXIT HECK] "C:\ProgramData\Tool Noun Base.sywmm"

 

Your log looks fine after this. In what way is the PC strange?

 

Thanks! :)

No, pop-ups come up often, on this forum too. Task Manager always locks up, that is, I can never get it open any more. It just sits down in the right corner, in that list of programs, and if you try to click on it the green CPU colour starts going up and down fast... some text on pages turns into links by itself... etc.

The pop-ups were due to a lop.com infection. It should be removed now, so if you still get pop-ups, let us know :)

 

SAS saves its log in the following place: Preferences->statistics/logs. It would be interesting to see what it found.

 

Have you run CCleaner? If not, you can do that. In addition you can also run a registry clean with the same program (Registry->Scan for issues). You will be asked whether you want to make a backup before deleting anything. Say yes to that. Run the registry clean several times until it finds no more issues.

 

Restart the PC and see how it behaves.

Did what you said... In the SAS logs, every time I run a virus scan it's the same twelve that are there and won't go away...

 

---

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 04/16/2008 at 08:53 PM

 

Application Version : 4.0.1154

 

Core Rules Database Version : 3439

Trace Rules Database Version: 1431

 

Scan type : Complete Scan

Total Scan Time : 00:20:04

 

Memory items scanned : 623

Memory threats detected : 0

Registry items scanned : 5121

Registry threats detected : 10

File items scanned : 19319

File threats detected : 7

 

Adware.Tracking Cookie

C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskänk@tradedoubler[2].txt

C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskä[email protected][1].txt

C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskänk@statcounter[1].txt

C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskänk@imrworldwide[1].txt

C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskä[email protected][1].txt

C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskänk@atdmt[2].txt

C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskä[email protected][2].txt

 

Unclassified.Oreans32

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Service

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Legacy

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#ConfigFlags

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Class

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#ClassGUID

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#DeviceDesc

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Capabilities

 

---

These tracking cookies we can ignore.

The registry entries should have been removed when SAS finds them.

Could you run SAS once more, and check that there is a check mark in front of what SAS finds. Restart the PC and run SAS again. If they still show up, we'll take them manually.

Lenke til kommentar

Hi,

You are probably getting a bit tired of scanning, but I'll still ask you to do the following:

Download M_A-M and install the program. Run a scan and see whether this program tags the registry entries that SAS finds. If so, delete them and restart the PC.

Report back.

Hi, No, I'm not getting tired of it, you just have to do it if you want the computer healthy... :)

Did as you said, the new program didn't find as many problems as SAS... The problems it found I deleted, and then restarted the computer... When I turned it on again I ran the new program once more, and then it found nothing... Then I ran SAS and it found about 16 problems... Do those problems matter, or do I need to do something else?

Well, not necessarily :)

When MAM finished removing what it had found, a log was probably opened in Notepad. Could you find it again and post it here?

I'd also like you to run combofix once more and post the log. Among other things you have 3wPlayer (at least the folder). This is considered unfortunate to have on the PC.

Edited by norbat

Yes, I know, I made a real fool of myself downloading that program...

Which MAM log? I assume you mean the first one, because the second time I ran MAM it found nothing... anyway, here is the first log:

 

Malwarebytes' Anti-Malware 1.11

Database version: 642

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 134370

Time elapsed: 53 minute(s), 33 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CURRENT_USER\Software\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

C:\Program Files\3wPlayer (Trojan.Downloader) -> Quarantined and deleted successfully.

 

Files Infected:

(No malicious items detected)

Edited by NaughtyLittleDoggie

That happens :)

Most likely it's just the folder that is left behind.

Before we possibly remove these registry entries that SAS finds, I've sent a request to them (SAS) about what they are and why SAS doesn't remove them. There may be some restrictions in the registry that prevent you from deleting them via SAS. They could also be false positives. I'm betting on the first, but we'll wait a bit before we do anything with them.

Edit:

I see MAM removed the 3wPlayer folder, so that should be out of the picture.

The registry entry HKEY_CURRENT_USER\Software\WakeNet is some leftover from 3wPlayer.

So we'll wait a bit with what SAS registers. Otherwise the PC looks fine (judging from the logs you've posted), so you don't need to worry much about whether there is anything nasty on it :)

Edited by norbat

Ok, I see. I'm not very good with this stuff, so it's very nice to get some help...

Here is the combofix log:

 

ComboFix 08-04-15.4 - Diggi Diggi RägSkänk 2008-04-18 18:06:30.2 - NTFSx86

Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1044.18.1525 [GMT 2:00]

Running from: C:\Users\Diggi Diggi RägSkänk\Desktop\ComboFix.exe

* Resident AV is active

 

.

 

((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))

.

 

No new files created in this timespan

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-18 16:09 2,883,584 --sha-w C:\Users\Diggi Diggi RägSkänk\ntuser.dat

2008-04-18 16:09 2,883,584 --sha-w C:\Users\Diggi Diggi RägSkänk\ntuser.dat

2008-04-18 13:45 --------- d-----w C:\Program Files\Norman

2008-04-17 21:30 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Malwarebytes

2008-04-17 21:30 --------- d-----w C:\ProgramData\Malwarebytes

2008-04-17 21:30 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware

2008-04-17 21:29 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Download Manager

2008-04-16 09:22 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\SUPERAntiSpyware.com

2008-04-16 09:22 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com

2008-04-16 09:22 --------- d-----w C:\Program Files\SUPERAntiSpyware

2008-04-16 09:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-04-16 09:13 --------- d-----w C:\Program Files\CCleaner

2008-04-16 08:35 --------- d-----w C:\Program Files\Enigma Software Group

2008-04-16 08:06 --------- d-----w C:\ProgramData\That Face Camp Shim

2008-04-16 08:06 --------- d-----w C:\ProgramData\One Tons Tool

2008-04-15 15:27 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Adobe

2008-04-10 01:42 --------- d-----w C:\Program Files\BitLord2

2008-04-10 01:32 --------- d-----w C:\Program Files\Windows Mail

2008-04-09 21:42 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\dvdcss

2008-04-06 20:16 --------- d-s---w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft

2008-04-06 20:16 --------- d-----w C:\ProgramData\avg7

2008-04-06 18:19 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\AVG7

2008-04-06 18:18 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-06 18:18 --------- d-----w C:\Program Files\IK Multimedia

2008-04-05 17:21 --------- d-----w C:\ProgramData\Apple Computer

2008-04-05 17:21 --------- d-----w C:\Program Files\iTunes

2008-04-05 17:21 --------- d-----w C:\Program Files\iPod

2008-04-05 17:20 --------- d-----w C:\Program Files\QuickTime

2008-04-01 20:55 --------- d-----w C:\Program Files\Windows Live

2008-04-01 20:54 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller

2008-04-01 20:51 --------- d-----w C:\ProgramData\WLInstaller

2008-03-24 15:36 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Apple Computer

2008-03-23 21:16 --------- d-----w C:\Program Files\Safari

2008-03-23 21:06 --------- d-----w C:\Program Files\Bonjour

2008-03-23 21:04 --------- d-----w C:\Program Files\Apple Software Update

2008-03-23 21:03 --------- d-----w C:\ProgramData\Apple

2008-03-23 21:03 --------- d-----w C:\Program Files\Common Files\Apple

2008-03-20 00:19 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Real

2008-03-13 11:14 --------- d-----w C:\Program Files\Common Files\Adobe

2008-03-05 19:08 --------- d-----w C:\ProgramData\Adobe Systems

2008-03-02 20:07 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Mozilla

2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll

2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll

2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll

2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe

2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe

2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll

2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll

2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys

2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll

2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll

2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll

2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll

2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe

2008-02-14 00:15 194,560 ----a-w C:\Windows\System32\WebClnt.dll

2008-02-14 00:11 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe

2008-02-14 00:11 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe

2008-02-14 00:11 24,064 ----a-w C:\Windows\System32\netcfg.exe

2008-02-14 00:11 22,016 ----a-w C:\Windows\System32\netiougc.exe

2008-02-14 00:11 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll

2008-02-14 00:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-02-14 00:10 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-02-14 00:10 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll

2008-02-14 00:10 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll

2008-02-14 00:10 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-02-14 00:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-02-14 00:10 1,686,528 ----a-w C:\Windows\System32\gameux.dll

2008-02-14 00:08 1,244,672 ----a-w C:\Windows\System32\mcmde.dll

2008-01-29 10:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll

2007-08-29 22:39 174 --sha-w C:\Program Files\desktop.ini

.

 

((((((((((((((((((((((((((((( snapshot@2008-04-16_11.59.11,81 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-16 09:49:39 67,584 --s-a-w C:\Windows\bootstat.dat

+ 2008-04-18 16:01:34 67,584 --s-a-w C:\Windows\bootstat.dat

- 2008-04-16 09:49:46 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2008-04-18 13:45:37 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2008-04-16 09:49:46 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2008-04-18 13:45:37 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2008-04-16 09:51:23 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat

+ 2008-04-18 16:01:40 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat

- 2008-04-16 09:51:20 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat

+ 2008-04-18 13:47:13 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat

- 2008-04-16 09:52:54 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat

+ 2008-04-18 16:06:54 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat

- 2008-04-16 09:51:14 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat

+ 2008-04-18 13:47:02 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat

+ 2008-04-18 13:47:02 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1

- 2008-04-16 09:54:53 103,726 ----a-w C:\Windows\System32\perfc009.dat

+ 2008-04-18 13:52:05 103,726 ----a-w C:\Windows\System32\perfc009.dat

- 2008-04-16 09:54:53 79,202 ----a-w C:\Windows\System32\perfc014.dat

+ 2008-04-18 13:52:05 79,202 ----a-w C:\Windows\System32\perfc014.dat

- 2008-04-16 09:54:53 609,944 ----a-w C:\Windows\System32\perfh009.dat

+ 2008-04-18 13:52:05 609,944 ----a-w C:\Windows\System32\perfh009.dat

- 2008-04-16 09:54:53 476,620 ----a-w C:\Windows\System32\perfh014.dat

+ 2008-04-18 13:52:05 476,620 ----a-w C:\Windows\System32\perfh014.dat

- 2008-04-16 09:51:38 6,096 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2031152331-2556321075-1077571338-1000_UserData.bin

+ 2008-04-16 12:38:38 6,096 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2031152331-2556321075-1077571338-1000_UserData.bin

- 2008-04-16 09:51:38 63,414 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin

+ 2008-04-16 23:59:30 64,062 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin

- 2008-04-16 08:22:42 37,332 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2008-04-17 22:41:35 37,848 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin

- 2008-04-08 08:17:40 279,266 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin

+ 2008-04-18 16:01:39 285,034 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 04:01 1232896]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

"IdleCash"="C:\ProgramData\ReadmeBinBin.oz4jea" [2008-04-16 15:21 221200]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-16 08:20 1006264]

"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 17:10 4468736 C:\Windows\RtHDVCpl.exe]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-26 16:17 86016]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-04-26 16:17 8429568]

"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-26 16:17 81920]

"Norman ZANDA"="C:\Program Files\Norman\Npm\bin\ZLH.exe" [2007-08-09 15:40 183352]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-29 02:12 185896]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"TCP Query User{2B1FA8B6-FC0A-4E58-BC95-CCFA87FF8536}C:\\program files\\bitlord2\\bitlord.exe"= UDP:C:\program files\bitlord2\bitlord.exe:

"UDP Query User{2AFD3489-FB64-4009-865E-469FE0C83A43}C:\\program files\\bitlord2\\bitlord.exe"= TCP:C:\program files\bitlord2\bitlord.exe:

"TCP Query User{91A031F7-9235-4AA0-8069-37E4B1EE402C}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"UDP Query User{CA411E30-A23D-4CDE-A00A-7FD507DBDE4A}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"TCP Query User{643B92B6-31AB-418A-9CEA-13C6826A88A7}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord

"UDP Query User{87CD0CE5-BF97-4348-973F-A5FE5D575AC8}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord

"{5F78BF4E-7277-4511-9FFA-A2A55C16AA55}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

"{5E808AC1-582B-463F-83D1-5D02D21CCD2E}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

"{72829EDB-8FBC-4885-BE98-82A4D602EC10}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{CC852D83-A025-4BC0-891F-3236FB2FCB31}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{D101A785-DD42-481E-8992-90C6810E1714}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

 

R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 11:55]

R3 NvcMFlt;NvcMFlt;C:\Windows\system32\DRIVERS\nvcv32mf.sys [2008-02-11 15:56]

R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2007-12-12 12:45]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 14:23]

S3 nvcfsr;nvcfsr;C:\Program Files\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 16:25]

S3 nvcoafl4;nvcoafl4;C:\Program Files\Norman\Nvc\bin\nvcoafl4.sys [2007-01-09 16:25]

S3 nvcoaft4;nvcoaft4;C:\Program Files\Norman\Nvc\bin\nvcoaft4.sys [2007-01-09 16:25]

S3 nvcoarc4;nvcoarc4;C:\Program Files\Norman\Nvc\bin\nvcoarc4.sys [2007-01-09 16:25]

 

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-18 18:09:12

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

C:\Users\Diggi Diggi RägSkänk\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B8F0_24ED_F024_B412\$db_clean$ 0 bytes

 

scan completed successfully

hidden files: 64

 

**************************************************************************

.

Completion time: 2008-04-18 18:10:18

ComboFix-quarantined-files.txt 2008-04-18 16:10:12

ComboFix2.txt 2008-04-16 09:59:43

 

Finner ikke meldingstekst for melding nummer 0x2379 i meldingsfilen for Application.

Finner ikke meldingstekst for melding nummer 0x2379 i meldingsfilen for Application.

.

2008-04-17 23:17:29 --- E O F ---
