Har fått et virus, firefox.exe

[Insomniatic]

Jeg har fått et virus, på prosesser er det en prosess som heter firefox.exe, i tillegg til den jeg bruker, og selvom jeg avbryter begge prosessene så kommer den ene tilbake HELE tiden, tok en full systemscan med AVG Anti-SpyWare, fikk fjerna mye men den er der FORTSATT! Hvordan skal jeg få den vekk?

[norbat]

Hent Combofix, og legg det på skrivebordet

 

Kjør combofix.exe, og følg veiledningen.

Du må ikke klikke på vinduet mens programmet kjører.

 

Post loggfilen fra combofix (c:\combofix.txt)

[Insomniatic]

PC-en frøs totalt når den reboota. Hva skal jeg gjøre nå? btw, er det plutselig blitt en iexplorer.exe som aldri vil dø...

[norbat]

Fikk du kjørt combofix og finnes det en logg (c:\combofix.txt)?

 

Hvis det er problemer, prøv å kjør combofix på nytt.

[geir__hk]

Start opp i sikkerhetsmodus.

 

Installer windows fra scratch.

 

Ta backup/snapshot/diskimage

[Insomniatic]

Kan jeg ikke bare poste en HJT logg?

[norbat]

Skal ikke nekte deg det

[Insomniatic]

Klikk for å se/fjerne innholdet nedenfor

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:35, on 2008-05-23

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Programfiler\Fellesfiler\GtFlashSwitch\GtFlashSwitch.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.diskusjon.no/index.php?autocom=my_forum

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programfiler\Winamp Toolbar\winamptb.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {61E294DD-80BC-4A35-9AB5-CF8022F82359} - C:\WINDOWS\system32\pmnli.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: (no name) - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programfiler\Winamp Toolbar\winamptb.dll

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Programfiler\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Programfiler\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Programfiler\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O4 - Global Startup: coresysd.exe

O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Sothink SWF Catcher - C:\Programfiler\Fellesfiler\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programfiler\Fellesfiler\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programfiler\Fellesfiler\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20B845BF-450F-4C1E-AF60-3CC380CDE328} (get_atlcom Class) -

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installd...leanerstart.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab

O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by125fd.bay125.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABA6710-96B4-4197-AEDC-8741AE2F3712}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{63FBE47F-C984-4DFC-8EEA-59DD2FB2F045}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{9CC1C19F-BF39-4BFE-ACB4-50205B825569}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\..\{1ABA6710-96B4-4197-AEDC-8741AE2F3712}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\..\{1ABA6710-96B4-4197-AEDC-8741AE2F3712}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O20 - Winlogon Notify: pmnli - C:\WINDOWS\system32\pmnli.dll (file missing)

O20 - Winlogon Notify: winghf - winghf.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Programfiler\dopewars-1.5.12\dopewars.exe

O23 - Service: GtFlashSwitch - OptionNV - C:\Programfiler\Fellesfiler\GtFlashSwitch\GtFlashSwitch.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programfiler\HPQ\Shared\hpqwmi.exe

O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

O24 - Desktop Component 1: (no name) - https://www.diskusjon.no/index.php?autocom=my_forum

 

--

End of file - 7591 bytes

Her er loggen

[norbat]

Start hjt, velg "Do a system scan only", sett merke framfor følgende linjer og klikk Fix checked:

O2 - BHO: (no name) - {61E294DD-80BC-4A35-9AB5-CF8022F82359} - C:\WINDOWS\system32\pmnli.dll (file missing)

O3 - Toolbar: (no name) - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)

O16 - DPF: {20B845BF-450F-4C1E-AF60-3CC380CDE328} (get_atlcom Class) -

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installd...leanerstart.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab

O20 - Winlogon Notify: pmnli - C:\WINDOWS\system32\pmnli.dll (file missing)

O20 - Winlogon Notify: winghf - winghf.dll (file missing)

 

Last ned gratisversjonen til SAS. Installer og oppdater. Kjør en full scan og la SAS fjerne det den finner.

 

Last ned ny Combofix og kjør programmet. Post combofix-loggen.

[Insomniatic]

ComboFix 08-05-21.3 - Micke 2008-05-23 16:59:08.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.130 [GMT 2:00]

Running from: C:\Program Files\Mappe\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\Documents and Settings\Micke.MICKES\Programdata\ASEMBL~1

C:\Documents and Settings\Micke.MICKES\Programdata\ASEMBL~1\??mbols\

C:\Documents and Settings\Micke.MICKES\Programdata\ECURIT~1

C:\Documents and Settings\Micke.MICKES\Programdata\FNTS~1

C:\explorer.exe

C:\Programfiler\download plugin

C:\Programfiler\download plugin\DlPlugin-Moz\buddy.dat

C:\Programfiler\download plugin\DlPlugin-Moz\vendor.txt

C:\Programfiler\Google\googletoolbar1.dll

C:\Programfiler\IEToolbar

C:\Programfiler\IEToolbar\basis.xml

C:\Programfiler\IEToolbar\icons.bmp

C:\Programfiler\IEToolbar\inst.bat

C:\Programfiler\IEToolbar\metacrawl.ws.crc

C:\Programfiler\IEToolbar\metacrawl.ws.inf

C:\Programfiler\IEToolbar\metacrawlit.bmp

C:\Programfiler\IEToolbar\version.txt

C:\Programfiler\ipwins

C:\Programfiler\ipwins\count.dat

C:\Programfiler\ipwins\data.dat

C:\Programfiler\ipwins\date.dat

C:\Programfiler\ipwins\s3do.dat

C:\Programfiler\ipwins\settingsDate.dat

C:\Programfiler\ipwins\Uninst.exe

C:\Programfiler\windows

C:\Programfiler\winupdates

C:\Programfiler\winupdates\a.zip

C:\WINDOWS\Downloaded Program Files\setup.inf

C:\WINDOWS\SNMPAPI.DLL

C:\WINDOWS\sysk32.dll

C:\WINDOWS\system32\drivers\npf.sys

C:\WINDOWS\system32\guard.tmp

C:\WINDOWS\system32\ilnmp.bak1

C:\WINDOWS\system32\ilnmp.bak2

C:\WINDOWS\system32\ilnmp.ini

C:\WINDOWS\system32\ilnmp.ini2

C:\WINDOWS\system32\ilnmp.tmp

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\mdm.exe

C:\WINDOWS\system32\packet.dll

C:\WINDOWS\system32\pthreadVC.dll

C:\WINDOWS\system32\setup.exe.tmp

C:\WINDOWS\system32\sinvfct.dll

C:\WINDOWS\system32\WanPacket.dll

C:\WINDOWS\system32\wpcap.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_CMDSERVICE

-------\Legacy_NETWORK_MONITOR

-------\Service_NPF

 

 

((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))

.

 

2008-05-23 15:56 . 2008-05-23 15:56 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-05-23 15:56 . 2008-05-23 15:56 <DIR> d-------- C:\Documents and Settings\Micke.MICKES\Programdata\SUPERAntiSpyware.com

2008-05-23 15:56 . 2008-05-23 15:56 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Programdata\SUPERAntiSpyware.com

2008-05-22 17:56 . 2008-05-23 16:58 19,772 --a------ C:\WINDOWS\system32\nav32update

2008-05-22 17:54 . 2006-07-16 16:32 8,192 --a------ C:\WINDOWS\system32\nav32update.exe

2008-05-22 09:59 . 2008-05-23 16:57 <DIR> dr-h----- C:\Documents and Settings\Micke.MICKES\Siste

2008-05-20 19:11 . 2008-03-21 19:11 32 -ra------ C:\Documents and Settings\All Users\hash.dat

2008-05-18 23:29 . 2008-05-18 23:29 <DIR> d-------- C:\Programfiler\Dopewars

2008-05-16 23:13 . 2008-05-23 16:58 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Programdata\TEMP

2008-05-16 15:47 . 2008-05-16 15:47 <DIR> d-------- C:\Programfiler\dopewars-1.5.12

2008-05-16 15:47 . 2008-05-16 15:47 20,992 --a------ C:\WINDOWS\bw-uninstall.exe

2008-05-11 14:06 . 2002-02-18 10:23 172,304 --a------ C:\WINDOWS\system32\jview.exe

2008-05-11 14:06 . 2002-02-18 10:23 171,792 --a------ C:\WINDOWS\system32\wjview.exe

2008-05-11 14:06 . 2002-02-18 10:23 49,424 --a------ C:\WINDOWS\system32\clspack.exe

2008-05-11 13:40 . 2008-05-11 20:53 <DIR> d-------- C:\rscache

2008-05-10 15:11 . 2008-05-18 21:13 <DIR> d-------- C:\Programfiler\SwiftKit

2008-05-10 15:11 . 2008-05-10 15:11 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Programdata\SwiftKit

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-23 13:55 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-05-23 06:32 --------- d--h--w C:\Programfiler\XSoftware

2008-05-22 21:22 --------- d-----w C:\Documents and Settings\Micke.MICKES\Programdata\wsInspector

2008-05-22 18:37 --------- d-----w C:\Programfiler\Google

2008-05-22 18:28 --------- d-----w C:\Programfiler\Cheat Engine

2008-05-22 17:41 --------- d-----w C:\Programfiler\Corel

2008-05-20 14:13 9,394 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2008-05-11 12:06 155,995 ----a-w C:\WINDOWS\java\Packages\YV7RN9FL.ZIP

2008-04-26 19:56 --------- d-----w C:\Documents and Settings\Micke.MICKES\Programdata\Azureus

2008-04-26 19:34 --------- d-----w C:\Documents and Settings\Micke.MICKES\Programdata\LimeWire

2008-04-26 19:26 --------- d-----w C:\Programfiler\Azureus

2008-04-23 06:13 --------- d-----w C:\Documents and Settings\Micke.MICKES\Programdata\mIRC

2008-04-23 06:09 --------- d-----w C:\Programfiler\mIRC

2008-04-18 16:33 --------- d-----w C:\Programfiler\Spybot - Search & Destroy

2008-04-18 16:30 691,545 ----a-w C:\WINDOWS\unins000.exe

2008-04-15 17:39 --------- d-----w C:\Documents and Settings\Micke.MICKES\Programdata\tor

2008-04-06 13:22 --------- d-----w C:\Programfiler\Java

2008-04-06 13:15 --------- d-----w C:\Programfiler\Sun

2008-04-03 20:23 --------- d-----w C:\Programfiler\AV Music Morpher Gold

2008-03-29 15:04 --------- d-----w C:\Programfiler\MSN Messenger

2008-03-29 15:04 --------- d-----w C:\Programfiler\MessengerDiscovery

2008-03-28 21:15 --------- d-----w C:\Programfiler\Messenger Plus! Live

2008-02-01 13:50 4 ----a-w C:\Programfiler\KeyLog.txt

2008-01-31 13:05 167 ----a-w C:\Documents and Settings\All Users.WINDOWS\Programdata\saopts.dat

2007-08-28 19:51 152 ----a-w C:\Programfiler\HALLO.txt

2006-06-12 14:48 217,088 ----a-w C:\Programfiler\GLF71.tmp.exe

2006-04-18 12:55 834 ----a-w C:\Documents and Settings\Micke\Programdata\wklnhst.dat

2005-05-13 16:12 217,073 --sha-r C:\WINDOWS\meta4.exe

2005-10-24 10:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe

2005-10-13 20:27 422,400 --sha-r C:\WINDOWS\x2.64.exe

2006-06-18 19:27 80 --sh--r C:\WINDOWS\system32\744BE5167C.dll

2008-01-17 15:28 104 --sh--r C:\WINDOWS\system32\744BE5167C.sys

2008-02-03 18:30 168 --sh--r C:\WINDOWS\system32\7C16E54B74.sys

2005-10-07 18:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll

2005-07-14 11:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll

2005-06-26 14:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll

2005-06-21 21:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll

2006-07-17 09:26 65,210 --sha-w C:\WINDOWS\system32\fhgniw.dat

2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll

2006-04-27 09:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll

2006-06-15 21:03 8,384 --sha-w C:\WINDOWS\system32\srsc.dat

2005-02-28 12:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe

2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll

.

<pre>
----a-w		   360,448 2004-10-02 11:21:08  C:\Program Files\Mappe\Cheatpack\Auto Miners\Sythe's Powerminer .exe
</pre>

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]

2007-10-04 22:06 1135968 --a------ C:\Programfiler\Winamp Toolbar\winamptb.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Programfiler\Winamp Toolbar\winamptb.dll" [2007-10-04 22:06 1135968]

 

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Programfiler\Winamp Toolbar\winamptb.dll [2007-10-04 22:06 1135968]

 

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ALUAlert"="C:\Programfiler\Symantec\LiveUpdate\ALUNotify.exe" [ ]

"msnmsgr"="C:\Programfiler\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]

 

C:\Documents and Settings\All Users.WINDOWS\Start-meny\Programmer\Oppstart\

coresysd.exe [2006-06-25 01:36:14 195461]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=61.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.yv12"= yv12vfw.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\BitTorrent\\bittorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Mappe\\err41beta\\client.exe"=

"C:\\Programfiler\\MessengerDiscovery\\MessengerDiscovery Live.exe"=

"C:\\WINDOWS\\system32\\java.exe"=

"C:\\Programfiler\\Azureus\\Azureus.exe"=

"C:\\Program Files\\Mappe\\err31\\client.exe"=

"C:\\Programfiler\\Winamp Remote\\bin\\Orb.exe"=

"C:\\Programfiler\\Winamp Remote\\bin\\OrbTray.exe"=

"C:\\Programfiler\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

 

R2 GtFlashSwitch;GtFlashSwitch;C:\Programfiler\Fellesfiler\GtFlashSwitch\GtFlashSwitch.exe [2007-02-09 14:48]

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 17:18]

S3 C;C NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\C.sys []

S3 CSNPD51;CSNPD51 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\CSNPD51.sys []

S3 dopewars-server;dopewars server;C:\Programfiler\dopewars-1.5.12\dopewars.exe [2008-05-16 15:47]

S3 dsreader;MaxDrive Driver (dsreader.sys);C:\WINDOWS\system32\Drivers\dsreader.sys [2001-01-03 00:53]

S3 dump_wmimmc;dump_wmimmc;C:\WINDOWS\system32\drivers\dump_wmimmc.sys []

S3 GTFFBUS;GT FF BUS;C:\WINDOWS\system32\DRIVERS\gtffbus.sys [2007-01-15 16:48]

S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;C:\WINDOWS\system32\DRIVERS\Gtm51Irp.sys [2007-01-15 16:48]

S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-01-15 16:48]

S3 GTUQBUS;GT UQ BUS;C:\WINDOWS\system32\DRIVERS\gtuqbus.sys [2007-01-15 16:48]

S3 PAC7311;VGA SoC PC-Camer@;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2005-09-16 13:34]

S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv []

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0E5F932B-6766-4624-0006-000602040807}]

C:\WINDOWS\system32\nav32update.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{30ADB197-4D38-660D-0707-080508000804}]

C:\WINDOWS\system32\virusdelete.exe

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-23 17:06:02

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PsSdk30]

"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"

.

Completion time: 2008-05-23 17:14:47

ComboFix-quarantined-files.txt 2008-05-23 15:14:36

 

Pre-Run: 18,026,496,000 byte ledig

Post-Run: 18,024,304,640 byte ledig

 

221 --- E O F --- 2008-01-31 13:46:21

[norbat]

Hvis sponsorprogrammet til Messenger Plus! Live er installert, avinstallerer du det via legg til/fjern programmer.

 

Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript

Dra deretter fila over Combofix-iconet. Combofix vil starte igjen.

File::

C:\WINDOWS\system32\nav32update.exe

 

Folder::

C:\WINDOWS\system32\nav32update

 

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0E5F932B-6766-4624-0006-000602040807}]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{30ADB197-4D38-660D-0707-080508000804}]

 

RenV::

----a-w 360,448 2004-10-02 11:21:08 C:\Program Files\Mappe\Cheatpack\Auto Miners\Sythe's Powerminer .exe

 

Post loggen den lager + ny hjt-logg.