
Help analysing a ComboFix log



I've had a fair amount of viruses and junk on my machine. I've tried to get rid of most of it and was wondering whether someone here would look at/analyse my ComboFix log and, if need be, tell me what I should do. Thanks in advance. :)

ComboFix 08-05-27.4 - 2008-05-28 11:31:45.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.47.1044.18.87 [GMT 2:00]

Running from: C:\Documents and settings\\Skrivebord\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))

.

 

2008-05-28 09:27 . 2008-05-28 09:27 <DIR> dr-h----- C:\Documents and settings\\Siste

2008-05-28 09:27 . 2008-05-28 09:27 <DIR> dr-h----- C:\Documents and settings\\Siste

2008-05-27 21:06 . 2008-05-27 22:05 <DIR> d--hs---- C:\RECYCLER(2)

2008-05-25 14:21 . 2008-05-25 14:21 <DIR> d-------- C:\Documents and settings\All Users\Programdata\SUPERAntiSpyware.com

2008-05-25 14:20 . 2008-05-25 14:20 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-05-25 14:20 . 2008-05-25 14:20 <DIR> d-------- C:\Documents and settings\\Programdata\SUPERAntiSpyware.com

2008-05-14 11:41 . 2008-05-27 22:06 <DIR> d-------- C:\Programfiler\AskSBar

2008-05-14 11:39 . 2008-05-14 11:39 164 --a------ C:\install.dat

2008-05-11 11:52 . 2008-05-11 11:52 <DIR> d-------- C:\Programfiler\Lavasoft

2008-05-11 11:51 . 2008-05-11 11:55 <DIR> d-------- C:\Documents and settings\All Users\Programdata\Lavasoft

2008-05-11 11:49 . 2008-05-25 14:19 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-05-11 10:14 . 2008-05-11 11:22 <DIR> d-a------ C:\Documents and settings\All Users\Programdata\TEMP

2008-05-06 10:43 . 2008-05-06 10:43 <DIR> d-------- C:\Documents and settings\\Programdata\Kazaa Lite

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-27 20:06 --------- d-----w C:\Documents and settings\\Programdata\Uniblue

2008-04-17 17:29 --------- d-----w C:\Programfiler\Yahoo!

2008-04-17 17:06 --------- d-----w C:\Programfiler\CCleaner

2008-04-17 16:13 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS

2008-04-15 12:16 --------- d-----w C:\Programfiler\Opera

2008-04-14 15:54 --------- d-----w C:\Programfiler\HP

2008-04-14 15:26 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-04-14 15:25 --------- d-----w C:\Programfiler\ArcSoft

2008-04-14 15:02 --------- d-----w C:\Programfiler\Fellesfiler\sndp202

2008-04-11 15:07 --------- d-----w C:\Programfiler\Winamp

2008-04-11 15:06 --------- d-----w C:\Documents and settings\\Programdata\elitefoto-bildearkiv

2008-04-11 15:01 --------- d-----w C:\Programfiler\Bud Redhead

2008-04-04 12:33 --------- d-----w C:\Documents and settings\\Programdata\ArcSoft

2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-01 13:05 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2007-03-03 08:53 2,148 -c--a-w C:\Documents and settings\\minf.dat

2007-03-03 08:53 2,148 -c--a-w C:\Documents and settings\\minf.dat

2006-12-06 21:27 104 -csh--r C:\WINDOWS\system32\0848DEF344.sys

2006-11-05 22:06 88 -csh--r C:\WINDOWS\system32\44F3DE4808.sys

2006-12-06 21:28 6,686 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Programfiler\AskSBar\bar\1.bin\ASKSBAR.DLL [ ]

 

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Programfiler\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HTpatch"="C:\WINDOWS\htpatch.exe" [ ]

"XTNDConnect PC - ErPhn2"="C:\PROGRA~1\FELLES~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe" [2003-02-13 09:41 53248]

"msnappau"="C:\Programfiler\MSN Apps\Updater\01.02.0002.1001\no\msnappau.exe" [ ]

"CARPService"="carpserv.exe" [2001-12-23 13:02 4608 C:\WINDOWS\system32\carpserv.exe]

"REGSHAVE"="C:\Programfiler\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\startupfolder\C:^Documents and settings^All Users^Start-meny^Programmer^Oppstart^Hurtigstart for Adobe Reader.lnk]

path=C:\Documents and settings\All Users\Start-meny\Programmer\Oppstart\Hurtigstart for Adobe Reader.lnk

backup=C:\WINDOWS\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LemmingsRevolutionSetup.exe]

C:\DOWNLO~1\LEMMIN~1.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

--a------ 2001-07-09 12:50 155648 C:\WINDOWS\System32\\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2003-01-20 11:48 47104 C:\WINDOWS\SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-07-30 10:47 68856 C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2004-12-20 20:41 33792 C:\Programfiler\Winamp\winampa.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ose"=3 (0x3)

"gusvc"=3 (0x3)

"bgsvcgen"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Programfiler\\WinMX\\WinMX.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\Programfiler\\Internet Explorer\\iexplore.exe"=

 

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E4066320-E4AE-11CF-B1B0-00AA00BBAD66}]

rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\fpxpress.inf,PerUserRemove

.

Contents of the 'Scheduled Tasks' folder

"2008-05-28 04:00:00 C:\WINDOWS\Tasks\{BE4CD9EF-748A-4956-912E-497444D7CB90}_FIRMANAV-EPCCU5_.job"

- C:\WINDOWS\system32\mobsync.exeS /Schedule=

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-28 11:35:04

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HTpatch = C:\WINDOWS\htpatch.exe?ows\CurrentVersion\Run???\?????)[????`?+[??+[`?+[??????????????)[??)[??+[??+[$?????)[??????????????)[??????????)[???w????(????3?w???w?????3?w ??w??)[:???????d???r?)[1?)[??+[d?????)[?-)[????z??w8h)[\2)[?1)[htinst.INI?[?u)[????d????????G?

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-05-28 11:39:47

ComboFix-quarantined-files.txt 2008-05-28 09:39:43

 

Pre-Run: 11,815,424,000 bytes free

Post-Run: 11,800,014,848 bytes free

 

125 --- E O F --- 2008-05-20 14:33:43

Edited by Maila
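For reading the "Reg Loading Points" section of a ComboFix log like the one above, here is a small Python parser. It is an added example for this thread, not part of ComboFix or of any post. It assumes the layout ComboFix used in this log: a `[registry key]` header followed by `"name"="target" [details]` lines, where the bracketed details carry the timestamp and size of a target ComboFix found on disk and are empty when it did not find the file. The sample text is copied from the log above. The two triage rules (empty details, and a bare file name such as `carpserv.exe` that Windows resolves through the search path rather than from a fixed location) are the example's own ordering heuristics, not a verdict on any entry.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Sample copied from the "Reg Loading Points" section of the ComboFix log
# above.  After each target ComboFix prints "[date time size]" for a file it
# found on disk; an empty "[ ]" means it did not find the file.
COMBOFIX_RUN_SECTION = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Programfiler\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [ ]
"XTNDConnect PC - ErPhn2"="C:\PROGRA~1\FELLES~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe" [2003-02-13 09:41 53248]
"msnappau"="C:\Programfiler\MSN Apps\Updater\01.02.0002.1001\no\msnappau.exe" [ ]
"CARPService"="carpserv.exe" [2001-12-23 13:02 4608 C:\WINDOWS\system32\carpserv.exe]
"REGSHAVE"="C:\Programfiler\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
'''

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')


class AutostartEntry(NamedTuple):
    key: str      # registry key the value lives under
    name: str     # value name
    target: str   # command/path stored in the value
    meta: str     # ComboFix's file details; '' when the file was not found


def parse_run_entries(text: str) -> List[AutostartEntry]:
    """Walk the section: a [key] header, then "name"="target" [details] lines."""
    entries: List[AutostartEntry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            entries.append(AutostartEntry(current_key, m.group('name'),
                                          m.group('target'), m.group('meta').strip()))
    return entries


def triage(entries: List[AutostartEntry]) -> Dict[str, List[str]]:
    """Return {value name: [reasons]} for entries worth looking at first.

    These are ordering heuristics only (rules made up for this example),
    not a verdict that an entry is malicious.
    """
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if not e.meta:
            reasons.append('no file details: target not found on disk '
                           '(orphaned entry, or a file the tool could not see)')
        if '\\' not in e.target:
            reasons.append('bare file name: resolved through the search path, '
                           'not from a fixed location')
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == '__main__':
    for name, reasons in triage(parse_run_entries(COMBOFIX_RUN_SECTION)).items():
        print(name)
        for r in reasons:
            print('   -', r)
```

Run against the sample, the script lists HTpatch and msnappau (no file details) and CARPService (bare file name); the remaining entries have a full path and a found file and are left alone. Feed it the same section from another ComboFix log and it gives the same first-look ordering.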
This looks reasonably fine.

 

Download HijackThis. Put it in its own folder on the desktop.

Start the program and choose "Do a system scan and save a logfile". Copy the log file and post it.

 

Thanks for the reply. Here is the log file. One more thing I'm wondering about: I have a rather slow machine and have therefore disabled the ctfmon files (I think). What is the difference between ctfmon and CTFMON, lower-case and upper-case letters?

Probably a stupid question, but I see that CTFMON is running on the machine.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:32:25, on 30.05.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

C:\Programfiler\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\carpserv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Documents and settings\Marit Mæland\Skrivebord\HiJackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programfiler\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar1.02.0002.1001\no\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar1.02.0002.1001\no\msntb.dll

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [REGSHAVE] "C:\Programfiler\REGSHAVE\REGSHAVE.EXE" /AUTORUN

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.197.24.43/activex/AxisCamControl.cab

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

 

--

End of file - 6040 bytes

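On the upper/lower-case question: Windows file names are case-insensitive, so `C:\WINDOWS\System32\CTFMON.EXE` and `c:\windows\system32\ctfmon.exe` name the same file, and anything that groups or compares autostart entries has to fold case before comparing. The Python script below is an added example for this thread, not part of HijackThis or of any post. It parses the `Onn - ...` lines of a HijackThis log, groups the O4 Run entries by case-folded executable, and lists O16 DPF (ActiveX download) entries whose host is a raw IP address instead of a DNS name, a triage heuristic that flags an entry for review, not for removal. The sample is built from lines in the log above; the `.DEFAULT` ctfmon line has been lowercased on purpose to exercise the normalisation.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, List, NamedTuple
from urllib.parse import urlparse

# Constructed from lines in the HijackThis log above.  The .DEFAULT ctfmon
# line is lowercased deliberately to show that the grouping folds case.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (User 'Default user')
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.197.24.43/activex/AxisCamControl.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
"""

# "O4 - <detail>", "R1 - <detail>", ...
ENTRY_RE = re.compile(r'^(?P<code>[RFO]\d+)\s+-\s+(?P<detail>.+)$')
# O4 detail: "<hive>: [<value name>] <command> (User '<account>')"; the user suffix is optional.
O4_RE = re.compile(r"^(?P<hive>\S+):\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+?)(?:\s+\(User .*\))?$")


class HjtEntry(NamedTuple):
    code: str     # e.g. 'O4', 'O16'
    detail: str   # everything after "Onn - "


def parse_hjt(text: str) -> List[HjtEntry]:
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group('code'), m.group('detail')))
    return entries


def executable_of(cmd: str) -> str:
    """Pull the program out of a Run command: a quoted path, else up to the first .exe."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)(.+?\.exe)(?:\s|$)', cmd)
    return m.group(1) if m else cmd.split()[0]


def normalize_path(path: str) -> str:
    """Windows paths are case-insensitive, so compare them case-folded."""
    return path.replace('/', '\\').lower()


def autostart_by_binary(entries: List[HjtEntry]) -> Dict[str, List[str]]:
    """Group O4 entries by the (case-folded) program they launch -> list of hives."""
    by_bin: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.code != 'O4':
            continue
        m = O4_RE.match(e.detail)
        if m:
            by_bin[normalize_path(executable_of(m.group('cmd')))].append(m.group('hive'))
    return dict(by_bin)


def dpf_from_raw_ip(entries: List[HjtEntry]) -> List[str]:
    """O16 (ActiveX download) URLs whose host is a bare IP literal, for review."""
    hits: List[str] = []
    for e in entries:
        if e.code != 'O16':
            continue
        url = e.detail.rsplit(' - ', 1)[-1].strip()
        host = urlparse(url).hostname
        if host is None:
            continue
        try:
            ip_address(host)
        except ValueError:
            continue   # a DNS name, not an IP literal
        hits.append(url)
    return hits


if __name__ == '__main__':
    parsed = parse_hjt(HJT_SAMPLE)
    for binary, hives in autostart_by_binary(parsed).items():
        print(f'{binary}: {len(hives)} entries ({", ".join(hives)})')
    for url in dpf_from_raw_ip(parsed):
        print('O16 download from raw IP, review:', url)
```

With the sample, all four ctfmon entries collapse into one binary regardless of how the log spells the path, which is the practical answer to the question in the post: the spelling does not create a second file. The one O16 entry reported is the camera control fetched from 217.197.24.43; a raw IP is a reason to look, not a reason to delete.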

The log looks clean.

 

I don't know the difference between upper- and lower-case letters, but as long as it's exactly the same name and location, I think it's safe. Not sure how wise it is to disable them, though. Someone else can surely answer that :)
