NaughtyLittleDoggie, posted 16 April 2008 (edited)

Hi, here are the antivirus logs that were asked for, except SAS, because it did not produce any log... hope it goes well and hope I get help... I think a lot was removed by those two programs too! Here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:43, on 16.04.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Norman\Npm\Bin\Zlh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Norman\Nvc\bin\cclaw.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [idleCash] "C:\ProgramData\ReadmeBinBin.je9hftw"
O4 - HKCU\..\Run: [CAMP SHIM EXIT HECK] "C:\ProgramData\Tool Noun Base.sywmm"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O13 - Gopher Prefix: 
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

--
End of file - 7733 bytes

ComboFix 08-04-15.4 - Diggi Diggi RägSkänk 2008-04-16 11:55:43.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1044.18.1248 [GMT 2:00]
Running from: C:\Users\Diggi Diggi RägSkänk\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\Downloaded Program Files\setup.inf
D:\Autorun.inf
D:\RECYCLER\autorun.inf
D:\RECYCLER\desktop.ini
D:\RECYCLER\Folder.htt
D:\RECYCLER\info.exe
D:\RECYCLER\protect.ed
D:\RECYCLER\warning.bmp
.
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 09:58 2,883,584 --sha-w C:\Users\Diggi Diggi RägSkänk\ntuser.dat
2008-04-16 09:58 2,883,584 --sha-w C:\Users\Diggi Diggi RägSkänk\ntuser.dat
2008-04-16 09:49 --------- d-----w C:\Program Files\Norman
2008-04-16 09:22 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\SUPERAntiSpyware.com
2008-04-16 09:22 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-04-16 09:22 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-16 09:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-16 09:13 --------- d-----w C:\Program Files\CCleaner
2008-04-16 08:35 --------- d-----w C:\Program Files\Enigma Software Group
2008-04-16 08:35 --------- d-----w C:\Program Files\3wPlayer
2008-04-16 08:06 --------- d-----w C:\ProgramData\That Face Camp Shim
2008-04-16 08:06 --------- d-----w C:\ProgramData\One Tons Tool
2008-04-15 15:27 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Adobe
2008-04-10 01:42 --------- d-----w C:\Program Files\BitLord2
2008-04-10 01:32 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 21:42 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\dvdcss
2008-04-06 20:16 --------- d-s---w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft
2008-04-06 20:16 --------- d-----w C:\ProgramData\avg7
2008-04-06 18:19 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\AVG7
2008-04-06 18:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-06 18:18 --------- d-----w C:\Program Files\IK Multimedia
2008-04-05 17:21 --------- d-----w C:\ProgramData\Apple Computer
2008-04-05 17:21 --------- d-----w C:\Program Files\iTunes
2008-04-05 17:21 --------- d-----w C:\Program Files\iPod
2008-04-05 17:20 --------- d-----w C:\Program Files\QuickTime
2008-04-01 20:55 --------- d-----w C:\Program Files\Windows Live
2008-04-01 20:54 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-01 20:51 --------- d-----w C:\ProgramData\WLInstaller
2008-03-24 15:36 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Apple Computer
2008-03-23 21:16 --------- d-----w C:\Program Files\Safari
2008-03-23 21:06 --------- d-----w C:\Program Files\Bonjour
2008-03-23 21:04 --------- d-----w C:\Program Files\Apple Software Update
2008-03-23 21:03 --------- d-----w C:\ProgramData\Apple
2008-03-23 21:03 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-20 00:19 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Real
2008-03-13 11:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-05 19:08 --------- d-----w C:\ProgramData\Adobe Systems
2008-03-02 20:07 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Mozilla
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-02-14 00:15 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-14 00:11 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-14 00:11 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-14 00:11 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-14 00:11 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-14 00:11 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-14 00:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 00:10 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 00:10 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 00:10 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-14 00:10 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 00:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 00:10 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-14 00:08 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-01-29 10:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
2007-08-29 22:39 174 --sha-w C:\Program Files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 04:01 1232896]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 17:09 171464]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"IdleCash"="C:\ProgramData\ReadmeBinBin.je9hftw" [2008-04-16 10:05 290832]
"CAMP SHIM EXIT HECK"="C:\ProgramData\Tool Noun Base.sywmm" [2008-04-16 10:06 213008]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-16 08:20 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 17:10 4468736 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-26 16:17 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-04-26 16:17 8429568]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-26 16:17 81920]
"Norman ZANDA"="C:\Program Files\Norman\Npm\bin\ZLH.exe" [2007-08-09 15:40 183352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-29 02:12 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{2B1FA8B6-FC0A-4E58-BC95-CCFA87FF8536}C:\\program files\\bitlord2\\bitlord.exe"= UDP:C:\program files\bitlord2\bitlord.exe:
"UDP Query User{2AFD3489-FB64-4009-865E-469FE0C83A43}C:\\program files\\bitlord2\\bitlord.exe"= TCP:C:\program files\bitlord2\bitlord.exe:
"TCP Query User{91A031F7-9235-4AA0-8069-37E4B1EE402C}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CA411E30-A23D-4CDE-A00A-7FD507DBDE4A}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{643B92B6-31AB-418A-9CEA-13C6826A88A7}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{87CD0CE5-BF97-4348-973F-A5FE5D575AC8}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord
"{5F78BF4E-7277-4511-9FFA-A2A55C16AA55}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{5E808AC1-582B-463F-83D1-5D02D21CCD2E}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{72829EDB-8FBC-4885-BE98-82A4D602EC10}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{CC852D83-A025-4BC0-891F-3236FB2FCB31}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D101A785-DD42-481E-8992-90C6810E1714}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 11:55]
R3 NvcMFlt;NvcMFlt;C:\Windows\system32\DRIVERS\nvcv32mf.sys [2008-02-11 15:56]
R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2007-12-12 12:45]
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 14:23]
S3 nvcfsr;nvcfsr;C:\Program Files\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 16:25]
S3 nvcoafl4;nvcoafl4;C:\Program Files\Norman\Nvc\bin\nvcoafl4.sys [2007-01-09 16:25]
S3 nvcoaft4;nvcoaft4;C:\Program Files\Norman\Nvc\bin\nvcoaft4.sys [2007-01-09 16:25]
S3 nvcoarc4;nvcoarc4;C:\Program Files\Norman\Nvc\bin\nvcoarc4.sys [2007-01-09 16:25]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 11:58:38
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Users\Diggi Diggi RägSkänk\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B8F0_24ED_F024_B412\$db_clean$ 0 bytes
C:\Users\Diggi Diggi RägSkänk\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B8F0_24ED_F024_B412\fsr008DF.log 131072 bytes

scan completed successfully
hidden files: 65

**************************************************************************
.
Completion time: 2008-04-16 11:59:42
ComboFix-quarantined-files.txt 2008-04-16 09:59:37
Finner ikke meldingstekst for melding nummer 0x2379 i meldingsfilen for Application.
Finner ikke meldingstekst for melding nummer 0x2379 i meldingsfilen for Application.
.
2008-04-10 01:04:14 --- E O F ---

Edited 16 April 2008 by NaughtyLittleDoggie
norbat, posted 16 April 2008

Open Notepad, copy and paste what is in bold below. Save the file on the desktop as CFScript.txt. Drag the file onto the ComboFix icon. ComboFix will start again.

Folder::
C:\ProgramData\That Face Camp Shim

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IdleCash"=-
"CAMP SHIM EXIT HECK"=-

Post a new HJT log and tell me how the PC is running.
NaughtyLittleDoggie (thread author), posted 16 April 2008

Still some strange behaviour... Here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:05, on 16.04.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Norman\Npm\Bin\Zlh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Norman\Nvc\BIN\NIP.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Norman\Nvc\bin\cclaw.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [idleCash] "C:\ProgramData\ReadmeBinBin.je9hftw"
O4 - HKCU\..\Run: [CAMP SHIM EXIT HECK] "C:\ProgramData\Tool Noun Base.sywmm"
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O13 - Gopher Prefix: 
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

--
End of file - 7653 bytes
norbat, posted 16 April 2008

Start HJT, choose "Do a system scan only", put a tick in front of the following lines and click Fix checked:

O4 - HKCU\..\Run: [idleCash] "C:\ProgramData\ReadmeBinBin.je9hftw"
O4 - HKCU\..\Run: [CAMP SHIM EXIT HECK] "C:\ProgramData\Tool Noun Base.sywmm"

Your log looks fine after this. In what way is the PC strange?
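The two lines norbat picks out share the traits a helper looks for by eye in an O4 entry: the target lives in a user-writable data folder rather than under Program Files or Windows, sits directly in the root of C:\ProgramData, and carries a nonsense extension instead of .exe. The script below is an added example, not code from the thread or from HijackThis, that parses O4 Run lines in the HijackThis format and applies exactly those heuristics; the sample log is constructed from lines quoted in this thread, and the heuristic list, the two-reasons threshold and the function names are my own assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# A HijackThis O4 Run line, e.g.
#   O4 - HKCU\..\Run: [idleCash] "C:\ProgramData\ReadmeBinBin.je9hftw"
#   O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)

# Extensions an autorun target is expected to carry (assumed list).
EXPECTED_EXT = {".exe", ".com", ".scr", ".bat", ".cmd"}
# Folder names (lower-case, backslash-delimited) that any user can write to (assumed list).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class AutorunEntry:
    hive: str       # HKLM, HKCU or HKUS\<SID>
    name: str       # value name inside the Run key
    command: str    # full command as HijackThis printed it
    target: str     # the executable the command launches, quotes stripped


def _extract_target(cmd: str) -> str:
    """First token of the command: a quoted path, or an unquoted path up to '.exe'."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_o4(line: str):
    """Parse one HijackThis line; returns None for anything that is not an O4 Run entry."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    return AutorunEntry(m.group("hive"), m.group("name"), cmd, _extract_target(cmd))


def assess(entry: AutorunEntry) -> list:
    """Return the reasons an entry looks suspicious (empty list = nothing odd)."""
    target = entry.target.lower()
    reasons = []
    ext = ntpath.splitext(target)[1]          # ntpath handles backslashes on any OS
    if ext not in EXPECTED_EXT:
        reasons.append(f"unusual extension {ext!r} for an autorun target")
    if any(folder in target for folder in USER_WRITABLE):
        reasons.append("runs from a user-writable data folder")
    if re.match(r"^c:\\programdata\\[^\\]+$", target):
        reasons.append("file dropped straight into the root of C:\\ProgramData")
    return reasons


def triage(log_text: str) -> list:
    """Parse every O4 Run line in a HijackThis log and keep the entries with 2+ reasons."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if len(reasons) >= 2:
            findings.append((line.strip(), entry, reasons))
    return findings


def fix_list(log_text: str) -> list:
    """Exactly the log lines to tick in HijackThis before pressing 'Fix checked'."""
    return [line for line, _, _ in triage(log_text)]


# Constructed sample: a handful of O4 lines in the format of the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [idleCash] "C:\ProgramData\ReadmeBinBin.je9hftw"
O4 - HKCU\..\Run: [CAMP SHIM EXIT HECK] "C:\ProgramData\Tool Noun Base.sywmm"
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

if __name__ == "__main__":
    for line, entry, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   -", reason)
```

A flagged line is a candidate for review, not a verdict: a single reason (for instance a legitimate updater that runs from AppData) is deliberately not enough to flag, and an entry that passes all three checks can still be unwanted, which is why the helper in this thread reads the whole log rather than just the O4 section.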
NaughtyLittleDoggie (thread author), posted 16 April 2008

Start HJT, choose "Do a system scan only", put a tick in front of the following lines and click Fix checked:
O4 - HKCU\..\Run: [idleCash] "C:\ProgramData\ReadmeBinBin.je9hftw"
O4 - HKCU\..\Run: [CAMP SHIM EXIT HECK] "C:\ProgramData\Tool Noun Base.sywmm"
Your log looks fine after this. In what way is the PC strange?

Thanks! No, pop-ups often appear, on this forum too. The Task Manager always locks up, that is, I can never get it up any more. It just sits down in the bottom right corner, in that list of programs, and if you try to click on it the green CPU colour starts going rapidly up and down... some text on pages turns into links by itself... etc.
norbat, posted 16 April 2008

The pop-ups were caused by a lop.com infection. It should be removed now, so if you still get pop-ups, let me know.

SAS saves its log in the following place: Preferences -> Statistics/Logs. It would be interesting to see what it found.

Have you run CCleaner? If not, you can do that. In addition you can also run a registry clean with the same program (Registry -> Scan for Issues). You will be asked whether you want to make a backup before deleting anything. Say yes to that. Run the registry clean several times until it finds no more issues. Restart the PC and see how it behaves.
NaughtyLittleDoggie (thread author), posted 16 April 2008

Did what you said... In the SAS logs, every time I run a virus scan the same twelve are there and they don't go away...

---

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/16/2008 at 08:53 PM

Application Version : 4.0.1154

Core Rules Database Version : 3439
Trace Rules Database Version: 1431

Scan type : Complete Scan
Total Scan Time : 00:20:04

Memory items scanned : 623
Memory threats detected : 0
Registry items scanned : 5121
Registry threats detected : 10
File items scanned : 19319
File threats detected : 7

Adware.Tracking Cookie
C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskänk@tradedoubler[2].txt
C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskä[email protected][1].txt
C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskänk@statcounter[1].txt
C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskänk@imrworldwide[1].txt
C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskä[email protected][1].txt
C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskänk@atdmt[2].txt
C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft\Windows\Cookies\diggi_diggi_rägskä[email protected][2].txt

Unclassified.Oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Capabilities

---
norbat, posted 16 April 2008

Which 12 files are we talking about?
NaughtyLittleDoggie (thread author), posted 16 April 2008

The ones listed above...
norbat, posted 16 April 2008

Those tracking cookies we can ignore. The registry entries should have been removed when SAS finds them. Could you run SAS once more, and check that there is a tick in front of what SAS finds. Restart the PC and run SAS again. If they still show up, we'll take them manually.
NaughtyLittleDoggie (Author) Posted 17 April 2008
We'll probably have to... did as you said... and there just came more...
NaughtyLittleDoggie (Author) Posted 17 April 2008
Bump!
norbat Posted 17 April 2008
Hi there,
You're probably starting to get a bit tired of scanning, but I'll ask you to do the following anyway: Download M_A-M and install the program. Run a scan and see whether this program tags the registry entries that SAS finds. If so, delete them and restart the PC. Report back.
NaughtyLittleDoggie (Author) Posted 18 April 2008
Hi,
No, I'm not getting tired, you just have to do it if you want the computer healthy... Did as you said, the new program didn't find as many errors as SAS... The errors it found I deleted, and then restarted the computer... When I turned it on again I ran the new program once more, and then it found nothing... Then I ran SAS and it found something like 16 errors... Do those errors matter, or do I need to do something else?
norbat Posted 18 April 2008
And the files M_A-M found were only cookies?
NaughtyLittleDoggie (Author) Posted 18 April 2008
M_A-M found the following:
Trojan.Downloader
Trojan.Adware
Malware.Trace
Malware.Trace
Those were the ones, pretty bad, isn't it?
norbat Posted 18 April 2008 (edited)
Well, not necessarily. When MAM finished removing what it had found, a log was probably opened in Notepad. Could you find it again and post it here? I'd also like you to run combofix once more and post the log. Among other things you have 3wPlayer (at least the folder). This is considered an unfortunate thing to have on the PC.
Edited 18 April 2008 by norbat
NaughtyLittleDoggie (Author) Posted 18 April 2008 (edited)
Yes, I know, I really made a fool of myself downloading that program... Which MAM log? I assume you mean the first one, because the second time I ran MAM it found nothing... anyway, here is the first log:

Malwarebytes' Anti-Malware 1.11
Database version: 642

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 134370
Time elapsed: 53 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\3wPlayer (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

Edited 18 April 2008 by NaughtyLittleDoggie
norbat Posted 18 April 2008 (edited)
That happens. Most likely it's just the folder that was left behind. Before we possibly remove these registry entries that SAS finds, I've sent a request to them (SAS) asking what they are and why SAS doesn't remove them. There may be some restrictions in the registry that prevent you from deleting them via SAS. They could also be false positives. My money is on the first, but we'll wait a bit before we do anything about them.
Edit: I see MAM removed the 3wPlayer folder, so that should be out of the way. The registry entry HKEY_CURRENT_USER\Software\WakeNet is some leftover junk from 3wPlayer. So we'll hold off a bit on what SAS registers. The PC otherwise looks fine (judging from the logs you've posted), so you don't need to worry much about whether there's anything nasty on it.
Edited 18 April 2008 by norbat
NaughtyLittleDoggie (Author) Posted 18 April 2008
Ok, I understand, I'm not very good at these things, so it's very nice to get a bit of help... Here is the combofix log:

ComboFix 08-04-15.4 - Diggi Diggi RägSkänk 2008-04-18 18:06:30.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1044.18.1525 [GMT 2:00]
Running from: C:\Users\Diggi Diggi RägSkänk\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 16:09 2,883,584 --sha-w C:\Users\Diggi Diggi RägSkänk\ntuser.dat
2008-04-18 16:09 2,883,584 --sha-w C:\Users\Diggi Diggi RägSkänk\ntuser.dat
2008-04-18 13:45 --------- d-----w C:\Program Files\Norman
2008-04-17 21:30 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Malwarebytes
2008-04-17 21:30 --------- d-----w C:\ProgramData\Malwarebytes
2008-04-17 21:30 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-17 21:29 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Download Manager
2008-04-16 09:22 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\SUPERAntiSpyware.com
2008-04-16 09:22 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-04-16 09:22 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-16 09:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-16 09:13 --------- d-----w C:\Program Files\CCleaner
2008-04-16 08:35 --------- d-----w C:\Program Files\Enigma Software Group
2008-04-16 08:06 --------- d-----w C:\ProgramData\That Face Camp Shim
2008-04-16 08:06 --------- d-----w C:\ProgramData\One Tons Tool
2008-04-15 15:27 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Adobe
2008-04-10 01:42 --------- d-----w C:\Program Files\BitLord2
2008-04-10 01:32 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 21:42 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\dvdcss
2008-04-06 20:16 --------- d-s---w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Microsoft
2008-04-06 20:16 --------- d-----w C:\ProgramData\avg7
2008-04-06 18:19 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\AVG7
2008-04-06 18:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-06 18:18 --------- d-----w C:\Program Files\IK Multimedia
2008-04-05 17:21 --------- d-----w C:\ProgramData\Apple Computer
2008-04-05 17:21 --------- d-----w C:\Program Files\iTunes
2008-04-05 17:21 --------- d-----w C:\Program Files\iPod
2008-04-05 17:20 --------- d-----w C:\Program Files\QuickTime
2008-04-01 20:55 --------- d-----w C:\Program Files\Windows Live
2008-04-01 20:54 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-01 20:51 --------- d-----w C:\ProgramData\WLInstaller
2008-03-24 15:36 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Apple Computer
2008-03-23 21:16 --------- d-----w C:\Program Files\Safari
2008-03-23 21:06 --------- d-----w C:\Program Files\Bonjour
2008-03-23 21:04 --------- d-----w C:\Program Files\Apple Software Update
2008-03-23 21:03 --------- d-----w C:\ProgramData\Apple
2008-03-23 21:03 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-20 00:19 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Real
2008-03-13 11:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-05 19:08 --------- d-----w C:\ProgramData\Adobe Systems
2008-03-02 20:07 --------- d-----w C:\Users\Diggi Diggi RägSkänk\AppData\Roaming\Mozilla
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-02-14 00:15 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-14 00:11 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-14 00:11 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-14 00:11 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-14 00:11 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-14 00:11 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-14 00:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 00:10 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 00:10 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 00:10 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-14 00:10 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 00:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 00:10 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-14 00:08 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-01-29 10:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
2007-08-29 22:39 174 --sha-w C:\Program Files\desktop.ini
.
((((((((((((((((((((((((((((( snapshot@2008-04-16_11.59.11,81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 09:49:39 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-18 16:01:34 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-04-16 09:49:46 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-18 13:45:37 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-16 09:49:46 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-04-18 13:45:37 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-16 09:51:23 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-04-18 16:01:40 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-04-16 09:51:20 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-04-18 13:47:13 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-04-16 09:52:54 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-04-18 16:06:54 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-04-16 09:51:14 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-04-18 13:47:02 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-04-18 13:47:02 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-16 09:54:53 103,726 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-18 13:52:05 103,726 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-16 09:54:53 79,202 ----a-w C:\Windows\System32\perfc014.dat
+ 2008-04-18 13:52:05 79,202 ----a-w C:\Windows\System32\perfc014.dat
- 2008-04-16 09:54:53 609,944 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-18 13:52:05 609,944 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-16 09:54:53 476,620 ----a-w C:\Windows\System32\perfh014.dat
+ 2008-04-18 13:52:05 476,620 ----a-w C:\Windows\System32\perfh014.dat
- 2008-04-16 09:51:38 6,096 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2031152331-2556321075-1077571338-1000_UserData.bin
+ 2008-04-16 12:38:38 6,096 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2031152331-2556321075-1077571338-1000_UserData.bin
- 2008-04-16 09:51:38 63,414 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-16 23:59:30 64,062 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-16 08:22:42 37,332 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-17 22:41:35 37,848 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-04-08 08:17:40 279,266 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2008-04-18 16:01:39 285,034 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 04:01 1232896]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"IdleCash"="C:\ProgramData\ReadmeBinBin.oz4jea" [2008-04-16 15:21 221200]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-16 08:20 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 17:10 4468736 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-26 16:17 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-04-26 16:17 8429568]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-26 16:17 81920]
"Norman ZANDA"="C:\Program Files\Norman\Npm\bin\ZLH.exe" [2007-08-09 15:40 183352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-29 02:12 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{2B1FA8B6-FC0A-4E58-BC95-CCFA87FF8536}C:\\program files\\bitlord2\\bitlord.exe"= UDP:C:\program files\bitlord2\bitlord.exe:
"UDP Query User{2AFD3489-FB64-4009-865E-469FE0C83A43}C:\\program files\\bitlord2\\bitlord.exe"= TCP:C:\program files\bitlord2\bitlord.exe:
"TCP Query User{91A031F7-9235-4AA0-8069-37E4B1EE402C}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CA411E30-A23D-4CDE-A00A-7FD507DBDE4A}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{643B92B6-31AB-418A-9CEA-13C6826A88A7}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{87CD0CE5-BF97-4348-973F-A5FE5D575AC8}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord
"{5F78BF4E-7277-4511-9FFA-A2A55C16AA55}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{5E808AC1-582B-463F-83D1-5D02D21CCD2E}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{72829EDB-8FBC-4885-BE98-82A4D602EC10}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{CC852D83-A025-4BC0-891F-3236FB2FCB31}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D101A785-DD42-481E-8992-90C6810E1714}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 11:55]
R3 NvcMFlt;NvcMFlt;C:\Windows\system32\DRIVERS\nvcv32mf.sys [2008-02-11 15:56]
R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2007-12-12 12:45]
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 14:23]
S3 nvcfsr;nvcfsr;C:\Program Files\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 16:25]
S3 nvcoafl4;nvcoafl4;C:\Program Files\Norman\Nvc\bin\nvcoafl4.sys [2007-01-09 16:25]
S3 nvcoaft4;nvcoaft4;C:\Program Files\Norman\Nvc\bin\nvcoaft4.sys [2007-01-09 16:25]
S3 nvcoarc4;nvcoarc4;C:\Program Files\Norman\Nvc\bin\nvcoarc4.sys [2007-01-09 16:25]
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 18:09:12
Windows 6.0.6000 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\Users\Diggi Diggi RägSkänk\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B8F0_24ED_F024_B412\$db_clean$ 0 bytes

scan completed successfully
hidden files: 64
**************************************************************************
.
Completion time: 2008-04-18 18:10:18
ComboFix-quarantined-files.txt 2008-04-18 16:10:12
ComboFix2.txt 2008-04-16 09:59:43
Finner ikke meldingstekst for melding nummer 0x2379 i meldingsfilen for Application.
Finner ikke meldingstekst for melding nummer 0x2379 i meldingsfilen for Application.
.
2008-04-17 23:17:29 --- E O F ---