Freke88, posted May 21, 2008 (edited)
The machine has just gotten worse and worse over time. I use CCleaner frequently and defragment once a week. To be on the safe side, I'm attaching a HiJackThis log:
norbat, posted May 21, 2008
The log shows no malware. If you have scanned with AVG 8 and nothing was found, I would think the slowness is due to other things. You can let HJT fix the following two lines:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B9740DBF-EE2F-D07F-8461-1198EB2FE0C7} - (no file)
Freke88 (author), posted May 21, 2008
AVG found no "threats", but it found some "warnings": lots of stuff from HKLM\SOFTWARE\microsoft\internet explorer\activex and lots of values, up toward thousands.
norbat, posted May 21, 2008
I assume AVG creates a log of this. Could you post it?
Freke88 (author), posted May 22, 2008 (edited)
> I assume AVG creates a log of this. Could you post it?
I can't paste in or upload the scan log; it's too big. Diskusjon.no just stops responding. Here is a screenshot that shows only a bit of the log; it just goes on and on, toward about 30 - 40000 keys.
norbat, posted May 22, 2008
Yes, with a CWS infection it's no wonder the PC can feel slow. I assume AVG has removed the entries? Feel free to run through the long version in the following post: https://www.diskusjon.no/index.php?showtopic=691246
In your case you can just run Combofix and SAS. Post the logs here in your own thread.
Freke88 (author), posted May 22, 2008
SAS:
Combofix:
HiJackThis:
norbat, posted May 22, 2008
The logs look fine. I'd say AVG cleaned up the mess. Is the PC running OK?
Freke88 (author), posted May 22, 2008
It's behaving more normally now, yes, but still very slow (98 model).
norbat, posted May 22, 2008
What are the PC's specifications? (processor, amount of memory)