m4nia Posted 30 May 2008 (edited)
MSN virus etc.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 09:38, on 2008-05-30 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programfiler\Fellesfiler\InterVideo\RegMgr\iviRegMgr.exe C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Programfiler\Eset\nod32krn.exe C:\Programfiler\Hewlett-Packard\Shared\hpqWmiEx.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe C:\Programfiler\Analog Devices\Core\smax4pnp.exe C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe C:\Programfiler\Eset\nod32kui.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\WINDOWS\service.exe C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\WINDOWS\explorer.exe C:\Programfiler\Mozilla Firefox\firefox.exe C:\Programfiler\Java\jre1.6.0_01\bin\jucheck.exe C:\Documents and Settings\kjanor2\Skrivebord\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skoleportalen.no R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skoleportalen.no R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skoleportalen.no R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page
= http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ISAFarm:8080/array.dll?Get.Routing.Script R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.134.121.190:8080 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger F1 - win.ini: load=C:\WINDOWS\MiXedVeX.bat F1 - win.ini: run=C:\WINDOWS\MiXedVeX.bat O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programfiler\TechSmith\SnagIt 8\SnagItBHO.dll O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {11A33645-7958-4747-9CE6-B85609DF623A} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {5430195E-0259-45C1-BB34-3BE3886E43EA} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {b32cfb69-fa5e-49f0-9027-726fd8542eed} - (no file) O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll O2 - BHO: (no name) - {CBD4C273-5F03-49D8-86E9-510CA8E9996A} - (no file) O2 - BHO: (no name) - {D1E45498-D865-4E91-A579-D0AAD8D3B5A4} - (no file) O2 - BHO: (no name) - {D637D630-A90E-4790-A867-DA62A4A58471} - C:\WINDOWS\system32\rqRLdCVN.dll (file missing) O2 - BHO: {1c7116a6-3448-7b09-c174-aa1a008e9d8d} - {d8d9e800-a1aa-471c-90b7-84436a6117c1} - C:\WINDOWS\system32\kbymmhbq.dll O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programfiler\TechSmith\SnagIt 8\SnagItIEAddin.dll 
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [soundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe O4 - HKLM\..\Run: [Windows svchost] service.exe O4 - HKCU\..\Run: [startCCC] C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - S-1-5-18 Startup: CCC.lnk = ? (User 'SYSTEM') O4 - .DEFAULT Startup: CCC.lnk = ? (User 'Default user') O4 - .DEFAULT User Startup: CCC.lnk = ? (User 'Default user') O4 - Startup: CCC.lnk = ? 
O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1182858104968 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182934295515 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hfk.vgs.no O17 - HKLM\Software\..\Telephony: DomainName = hfk.vgs.no O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hfk.vgs.no O20 - Winlogon Notify: cbXQIaWN - 
C:\WINDOWS\SYSTEM32\cbXQIaWN.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programfiler\Hewlett-Packard\Shared\hpqWmiEx.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: IviRegMgr - InterVideo - C:\Programfiler\Fellesfiler\InterVideo\RegMgr\iviRegMgr.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe O23 - Service: stllssvr - Unknown owner - C:\Programfiler\Fellesfiler\SureThing Shared\stllssvr.exe (file missing) -- End of file - 8533 bytes Malwarebytes' Anti-Malware 1.12 Database version: 799 Scan type: Full Scan (C:\|) Objects scanned: 33919 Time elapsed: 11 minute(s), 36 second(s) Memory Processes Infected: 0 Memory Modules Infected: 3 Registry Keys Infected: 6 Registry Values Infected: 1 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 9 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\byXQGvsq.dll (Trojan.Vundo) -> Unloaded module successfully. C:\WINDOWS\system32\gdxkgcjh.dll (Trojan.Vundo) -> Unloaded module successfully. C:\WINDOWS\system32\qoMgefca.dll (Trojan.Vundo) -> Unloaded module successfully. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85124600-750f-4124-a69c-f303a3331f8f} (Trojan.Vundo) -> Quarantined and deleted successfully. 
HKEY_CLASSES_ROOT\CLSID\{85124600-750f-4124-a69c-f303a3331f8f} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qomgefca (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Delete on reboot. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxqgvsq -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\byXQGvsq.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\qsvGQXyb.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\qsvGQXyb.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\gdxkgcjh.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\hjcgkxdg.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\jxcuklim.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\milkucxj.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\qoMgefca.dll (Trojan.Vundo) -> Delete on reboot. C:\Downloads\WinRAR.v3.70.Incl.Keymaker.And.Patch-CORE\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
Edited 2 June 2008 by m4nia
snippsat Posted 30 May 2008 (edited)
You have quite a bit of junk. If you do the following, I will help you. Download ComboFix and put it on the desktop. Do not click on the window while the program is running. Post the log C:\combofix.txt
Edited 31 May 2008 by fredrik
snippsat Posted 30 May 2008 (edited)
ComboFix is the most powerful program for scanning and manual removal of viruses and spyware. It is used only by people who have spent a lot of time in this field, or who have been trained in the use of ComboFix.
Edited 31 May 2008 by fredrik
Fredrik Posted 31 May 2008
The thread has had a number of spam posts removed and is, with some hesitation, allowed to live on. It seems that some users find it hilarious to have fun together at school, just as moderators find it hilarious to get a list of the IP addresses users have used. I expect a higher level of seriousness from the users concerned from now on. The thread is allowed to live on, for the purpose of cleaning up a possibly virus-infected machine, and nothing else.
m4nia Posted 1 June 2008 (Author)
The viruses I have spam out viruses on MSN, make browsing slower in Firefox/IExplorer, cause pop-ups in Firefox/IExplorer, and create a bunch of files under C:\Windows and C:\, e.g. C:\sexy.com.exe etc. The times I have closed explorer.exe and browsed with Firefox, it has worked better...
ComboFix
ComboFix 08-06-01.6 - kjanor2 2008-06-02 1:28:40.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.438 [GMT 2:00] Running from: C:\Documents and Settings\kjanor2\Skrivebord\ComboFix.exe * Created a new restore point * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\bot.exe C:\WINDOWS\BMe3e742b6.xml C:\WINDOWS\pskt.ini C:\WINDOWS\service.exe C:\WINDOWS\system32\byXRiiIC.dll C:\WINDOWS\system32\CIiiRXyb.ini C:\WINDOWS\system32\CIiiRXyb.ini2 C:\WINDOWS\system32\dkgmnkjm.ini C:\WINDOWS\system32\gfqhgehm.ini C:\WINDOWS\system32\gjddloxr.dll C:\WINDOWS\system32\gludqhdy.dll C:\WINDOWS\system32\hqqtcnhj.dll C:\WINDOWS\system32\khfCstst.dll C:\WINDOWS\system32\lauhxkvs.ini C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\NVCdLRqr.ini C:\WINDOWS\system32\NVCdLRqr.ini2 C:\WINDOWS\system32\qfllgeqp.dll C:\WINDOWS\system32\ssqNHyxY.dll C:\WINDOWS\system32\svkxhual.dll C:\WINDOWS\system32\urqOHyvT.dll C:\WINDOWS\system32\vtUnkkKB.dll C:\WINDOWS\system32\wtjcsvsi.dll . ((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 ))))))))))))))))))))))))))))))) . 2008-06-02 00:37 . 2008-06-02 01:24 93,184 --------- C:\WINDOWS\is154890.exe 2008-05-31 10:46 . 2008-05-31 10:46 <DIR> d-------- C:\Programfiler\Fellesfiler\Funk Software 2008-05-31 10:45 . 2004-08-25 11:11 450,619 -r------- C:\WINDOWS\system32\wbocx.ocx 2008-05-31 10:45 . 2004-08-25 11:11 50,688 -r------- C:\WINDOWS\system32\wbhelp2.dll 2008-05-31 10:45 .
2004-08-25 11:11 28,160 -r------- C:\WINDOWS\system32\anim.dll 2008-05-31 09:53 . 2008-05-31 09:53 <DIR> d-------- C:\Programfiler\Option 2008-05-31 09:51 . 2008-05-31 09:51 <DIR> d-------- C:\Programfiler\Telenor 2008-05-30 12:12 . 2008-05-30 12:12 <DIR> d-------- C:\Programfiler\Lavasoft 2008-05-30 12:12 . 2008-05-30 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft 2008-05-30 00:54 . 2008-05-30 00:54 132,608 --a------ C:\WINDOWS\system32\kbymmhbq.dll 2008-05-30 00:54 . 2008-05-30 00:54 126,976 --a------ C:\WINDOWS\system32\sitnhswo.dll 2008-05-30 00:24 . 2008-05-30 00:24 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware 2008-05-30 00:24 . 2008-05-30 00:24 <DIR> d-------- C:\Documents and Settings\kjanor2\Programdata\Malwarebytes 2008-05-30 00:24 . 2008-05-30 00:24 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes 2008-05-30 00:24 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-05-30 00:24 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-05-30 00:23 . 2007-01-18 14:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys 2008-05-30 00:07 . 2008-05-30 00:07 268 --ah----- C:\sqmdata11.sqm 2008-05-30 00:07 . 2008-05-30 00:07 244 --ah----- C:\sqmnoopt11.sqm 2008-05-29 13:52 . 2008-05-29 13:52 244 --ah----- C:\sqmnoopt10.sqm 2008-05-29 13:52 . 2008-05-29 13:52 232 --ah----- C:\sqmdata10.sqm 2008-05-29 00:45 . 2008-05-29 00:45 268 --ah----- C:\sqmdata09.sqm 2008-05-29 00:45 . 2008-05-29 00:45 244 --ah----- C:\sqmnoopt09.sqm 2008-05-28 19:30 . 2008-05-28 19:30 244 --ah----- C:\sqmnoopt08.sqm 2008-05-28 19:30 . 2008-05-28 19:30 232 --ah----- C:\sqmdata08.sqm 2008-05-28 19:09 . 2008-05-28 19:09 244 --ah----- C:\sqmnoopt07.sqm 2008-05-28 19:09 . 2008-05-28 19:09 232 --ah----- C:\sqmdata07.sqm 2008-05-28 18:12 . 2008-05-28 18:12 244 --ah----- C:\sqmnoopt06.sqm 2008-05-28 18:12 . 
2008-05-28 18:12 232 --ah----- C:\sqmdata06.sqm 2008-05-28 17:51 . 2008-05-28 17:51 244 --ah----- C:\sqmnoopt05.sqm 2008-05-28 17:51 . 2008-05-28 17:51 232 --ah----- C:\sqmdata05.sqm 2008-05-28 17:45 . 2008-05-28 17:45 244 --ah----- C:\sqmnoopt04.sqm 2008-05-28 17:45 . 2008-05-28 17:45 232 --ah----- C:\sqmdata04.sqm 2008-05-28 17:15 . 2008-05-28 17:15 268 --ah----- C:\sqmdata03.sqm 2008-05-28 17:15 . 2008-05-28 17:15 244 --ah----- C:\sqmnoopt03.sqm 2008-05-27 19:46 . 2008-05-27 19:46 <DIR> d-------- C:\Programfiler\Spybot - Search & Destroy 2008-05-27 19:46 . 2008-05-27 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy 2008-05-27 19:34 . 2008-06-02 01:25 <DIR> dr-h----- C:\Documents and Settings\kjanor2\Siste 2008-05-27 19:01 . 2008-05-27 19:01 <DIR> d-------- C:\Programfiler\Windows Live Toolbar 2008-05-27 08:43 . 2008-05-27 08:43 56,832 -r-hs---- C:\WINDOWS\winudspm.exe 2008-05-26 10:22 . 2008-05-26 10:22 <DIR> d-------- C:\Programfiler\SystemRequirementsLab 2008-05-21 12:40 . 2008-05-21 12:44 <DIR> d-------- C:\Programfiler\Hunting Unlimited 2008 2008-05-20 10:55 . 2008-05-20 10:58 <DIR> d-------- C:\WINDOWS\Lhsp 2008-05-20 09:23 . 2008-05-28 21:04 <DIR> d-------- C:\Programfiler\ESET 2008-05-20 09:23 . 2008-05-20 09:23 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2008-05-20 09:23 . 2008-05-20 09:23 298,104 --a------ C:\WINDOWS\system32\imon.dll 2008-05-20 09:23 . 2008-05-20 09:23 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe 2008-05-05 11:12 . 2008-05-05 11:12 52 --a------ C:\WINDOWS\system32\tbm.set 2008-05-05 11:09 . 2008-05-05 11:09 <DIR> d-------- C:\Programfiler\Askarya 2008-05-05 11:09 . 2008-05-05 11:11 70 --a------ C:\WINDOWS\TaskbarManager.INI 2008-05-05 11:09 . 2008-05-05 11:09 9 --a------ C:\WINDOWS\system32\tbmlic 2008-05-05 09:07 . 
2008-05-05 09:07 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-31 22:35 --------- d-----w C:\Programfiler\Steam 2008-05-31 07:52 --------- d-----w C:\Programfiler\Fellesfiler\InstallShield 2008-05-31 07:51 --------- d--h--w C:\Programfiler\InstallShield Installation Information 2008-05-30 10:10 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard 2008-05-27 16:58 --------- d-----w C:\Programfiler\Windows Live 2008-05-27 07:00 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller 2008-05-22 06:40 --------- d-----w C:\Programfiler\Clue 2008-05-20 11:16 --------- d-----w C:\Documents and Settings\kjanor2\Programdata\dvdcss 2008-05-19 10:03 --------- d-----w C:\Programfiler\mIRC 2008-05-15 00:34 --------- d-----w C:\Documents and Settings\kjanor2\Programdata\uTorrent 2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys 2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys 2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys 2008-04-21 21:19 --------- d-----w C:\Programfiler\Quick Batch File Compiler 2008-04-21 10:59 --------- d-----w C:\Programfiler\CCleaner 2008-04-21 10:49 --------- d-----w C:\Documents and Settings\kjanor2\Programdata\U3 2008-04-21 09:17 --------- d-----w C:\Programfiler\NoIQ Poker 2008-04-15 17:54 --------- d-----w C:\Programfiler\TechSmith 2008-04-15 17:54 --------- d-----w C:\Documents and Settings\All Users\Programdata\TechSmith 2008-04-15 17:42 --------- d-----w C:\Programfiler\Cheat Engine 2008-04-15 16:04 --------- d-----w C:\Documents and Settings\kjanor2\Programdata\mIRC 2008-04-15 09:40 --------- d-----w C:\Programfiler\Fellesfiler\Adobe 2008-04-14 17:22 --------- d-----w C:\Documents and Settings\kjanor2\Programdata\Ventrilo 2008-04-14 17:20 --------- d-----w C:\Programfiler\Ventrilo 2008-04-14 08:02 --------- d-----w 
C:\Programfiler\Fellesfiler\Roxio Shared 2008-04-14 08:02 --------- d-----w C:\Documents and Settings\All Users\Programdata\Roxio 2008-04-14 07:56 --------- d-----w C:\Programfiler\Roxio 2008-04-14 07:37 --------- d-----w C:\Programfiler\Symantec 2008-04-14 07:37 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared 2008-04-14 07:37 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec 2008-04-11 10:37 --------- d-----w C:\Programfiler\Google 2008-04-07 21:12 --------- d-----w C:\Programfiler\mplayer 2008-04-07 21:12 --------- d-----w C:\Documents and Settings\kjanor2\Programdata\Media Player Classic 2007-06-29 08:04 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Programdata\Microsoft\Feeds Cache\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D637D630-A90E-4790-A867-DA62A4A58471}] C:\WINDOWS\system32\rqRLdCVN.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 20:36 827392] "SoundMAXPnP"="C:\Programfiler\Analog Devices\Core\smax4pnp.exe" [2007-01-05 23:36 872448] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608] "nod32kui"="C:\Programfiler\Eset\nod32kui.exe" [2008-05-20 09:23 949376] "Windows UDP Control"="winudspm.exe" [2008-05-27 08:43 56832 C:\WINDOWS\winudspm.exe] "Windows svchost"="service.exe" [] "Connect Update Agent"="C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe" [2005-02-08 09:34 462848] 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360] "DWQueuedReporting"="C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264] C:\Documents and Settings\Default User\Start-meny\Programmer\Oppstart\ CCC.lnk - C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 09:57:36 49152] C:\Documents and Settings\Administrator\Start-meny\Programmer\Oppstart\ CCC.lnk - C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 09:57:36 49152] C:\Documents and Settings\kjanor2\Start-meny\Programmer\Oppstart\ CCC.lnk - C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 09:57:36 49152] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{487C9905-26A8-42C8-8033-C58AD3D2AEC3}"= C:\WINDOWS\system32\khfCstst.dll [ ] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-489248529-1699838375-1845911597-285817\Scripts\Logon\0\0] "Script"=logon_elever.bat [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccelerometerSysTrayApplet] --a------ 2007-01-24 14:28 124928 C:\WINDOWS\system32\AccelerometerSt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 22:16 39792 C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMe3e742b6] --a------ 2008-05-30 00:54 126976 C:\WINDOWS\system32\sitnhswo.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] --a------ 2004-08-22 18:05 81920 C:\Programfiler\D-Tools\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2007-10-18 11:34 5724184 C:\Programfiler\Windows Live\Messenger\MsnMsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\QlbCtrl] --a------ 2007-01-20 08:41 159744 C:\Programfiler\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] -rahs---- 2008-01-28 11:43 2097488 C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Taskbar Manager] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender] C:\Programfiler\Windows Defender\MSASCui.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows svchost] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Programfiler\\utorrent\\utorrent.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2007-01-24 02:13] R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-11-18 10:01] S3 G3GRSC;G3G R Smart Card;C:\WINDOWS\system32\DRIVERS\g3grsc.sys [2004-09-27 16:53] S3 G3GRUMDM;G3G R USB Modem;C:\WINDOWS\system32\DRIVERS\g3grumdm.sys [2004-09-25 14:29] S3 G3GRUSER;G3G R USB Serial;C:\WINDOWS\system32\DRIVERS\g3gruser.sys [2004-09-25 14:29] S3 HP24X;HP PC Card Smart Card Reader;C:\WINDOWS\system32\DRIVERS\HP24X.sys [2006-10-19 01:23] S3 W8100PCI;Marvell Libertas 802.11b/g Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\mrv8k51.sys [2004-08-13 11:28] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] \Shell\AutoRun\command - F:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e548f782-23dd-11dc-ab50-001a734a4008}] 
\Shell\AutoRun\command - E:\WD_Windows_Tools\setup.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static] msiexec /fums {C7099049-4779-1634-2C83-372EE984396F} /qb . Contents of the 'Scheduled Tasks' folder "2008-06-01 23:14:03 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job" - C:\Programfiler\Windows Live Toolbar\MSNTBUP.EXE . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-02 01:37:04 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... C:\WINDOWS\explorer.exe [432] 0x82405020 scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\TEMP\NSFD.tmp scan completed successfully hidden files: 1 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\ati2evxx.exe C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\scardsvr.exe C:\Programfiler\Fellesfiler\InterVideo\RegMgr\iviRegMgr.exe C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Programfiler\ESET\nod32krn.exe C:\Programfiler\Hewlett-Packard\Shared\hpqWmiEx.exe C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\WINDOWS\system32\wbem\wmiadap.exe . ************************************************************************** . Completion time: 2008-06-02 1:42:12 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-01 23:42:04 Pre-Run: 5,459,202,048 byte ledig Post-Run: 5,381,042,176 byte ledig 234 --- E O F --- 2008-02-28 07:31:53
snippsat Posted 2 June 2008
Copy the bold text below the image -> open Notepad and paste it in. Save it on the desktop as CFScript.txt. Do as shown in the image and ComboFix will start. Post the log c:\combofix.txt

File::
C:\WINDOWS\is154890.exe
C:\WINDOWS\system32\kbymmhbq.dll
C:\WINDOWS\system32\sitnhswo.dll
C:\sqmdata11.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt10.sqm
C:\sqmdata09.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt08.sqm
C:\sqmdata08.sqm
C:\sqmnoopt07.sqm
C:\sqmdata07.sqm
C:\sqmnoopt06.sqm
C:\sqmdata06.sqm
C:\sqmnoopt05.sqm
C:\sqmdata05.sqm
C:\sqmnoopt04.sqm
C:\sqmdata04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\WINDOWS\winudspm.exe
C:\WINDOWS\TEMP\NSFD.tmp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D637D630-A90E-4790-A867-DA62A4A58471}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{487C9905-26A8-42C8-8033-C58AD3D2AEC3}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMe3e742b6]

---
Download and run CCleaner. 'Options' -> 'Advanced'. Remove the check mark in front of: "only delete temporary files that are older than 48 hours". Run the registry cleaner and answer yes to repairing.
---
Download, update and run a full scan with SAS free. Post the log from SAS (preferences->statistics/logs)
---
Restart, and then a new HijackThis log.
m4nia Posted 2 June 2008 (Author)
ComboFix log (before SAS scan)
ComboFix 08-06-01.6 - kjanor2 2008-06-02 11:19:57.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.483 [GMT 2:00] Running from: C:\Documents and Settings\kjanor2\Skrivebord\ComboFix.exe Command switches used :: C:\Documents and Settings\kjanor2\Skrivebord\CFScript.txt * Created a new restore point * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\sqmdata03.sqm C:\sqmdata04.sqm C:\sqmdata05.sqm C:\sqmdata06.sqm C:\sqmdata07.sqm C:\sqmdata08.sqm C:\sqmdata09.sqm C:\sqmdata11.sqm C:\sqmnoopt03.sqm C:\sqmnoopt04.sqm C:\sqmnoopt05.sqm C:\sqmnoopt06.sqm C:\sqmnoopt07.sqm C:\sqmnoopt08.sqm C:\sqmnoopt09.sqm C:\sqmnoopt10.sqm C:\sqmnoopt11.sqm C:\WINDOWS\is154890.exe C:\WINDOWS\system32\kbymmhbq.dll C:\WINDOWS\system32\sitnhswo.dll C:\WINDOWS\TEMP\NSFD.tmp C:\WINDOWS\winudspm.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\sqmdata03.sqm C:\sqmdata04.sqm C:\sqmdata05.sqm C:\sqmdata06.sqm C:\sqmdata07.sqm C:\sqmdata08.sqm C:\sqmdata09.sqm C:\sqmdata11.sqm C:\sqmnoopt03.sqm C:\sqmnoopt04.sqm C:\sqmnoopt05.sqm C:\sqmnoopt06.sqm C:\sqmnoopt07.sqm C:\sqmnoopt08.sqm C:\sqmnoopt09.sqm C:\sqmnoopt10.sqm C:\sqmnoopt11.sqm C:\WINDOWS\is154890.exe C:\WINDOWS\system32\kbymmhbq.dll C:\WINDOWS\system32\sitnhswo.dll C:\WINDOWS\winudspm.exe . ((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 ))))))))))))))))))))))))))))))) . 2008-05-31 10:46 . 2008-05-31 10:46 <DIR> d-------- C:\Programfiler\Fellesfiler\Funk Software 2008-05-31 10:45 . 2004-08-25 11:11 450,619 -r------- C:\WINDOWS\system32\wbocx.ocx 2008-05-31 10:45 . 2004-08-25 11:11 50,688 -r------- C:\WINDOWS\system32\wbhelp2.dll 2008-05-31 10:45 . 2004-08-25 11:11 28,160 -r------- C:\WINDOWS\system32\anim.dll 2008-05-31 09:53 .
2008-05-31 09:53 <DIR> d-------- C:\Programfiler\Option 2008-05-31 09:51 . 2008-05-31 09:51 <DIR> d-------- C:\Programfiler\Telenor 2008-05-30 12:12 . 2008-05-30 12:12 <DIR> d-------- C:\Programfiler\Lavasoft 2008-05-30 12:12 . 2008-05-30 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft 2008-05-30 00:24 . 2008-05-30 00:24 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware 2008-05-30 00:24 . 2008-05-30 00:24 <DIR> d-------- C:\Documents and Settings\kjanor2\Programdata\Malwarebytes 2008-05-30 00:24 . 2008-05-30 00:24 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes 2008-05-30 00:24 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-05-30 00:24 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-05-30 00:23 . 2007-01-18 14:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys 2008-05-29 13:52 . 2008-05-29 13:52 232 --ah----- C:\sqmdata10.sqm 2008-05-27 19:46 . 2008-05-27 19:46 <DIR> d-------- C:\Programfiler\Spybot - Search & Destroy 2008-05-27 19:46 . 2008-05-27 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy 2008-05-27 19:34 . 2008-06-02 11:18 <DIR> dr-h----- C:\Documents and Settings\kjanor2\Siste 2008-05-27 19:01 . 2008-05-27 19:01 <DIR> d-------- C:\Programfiler\Windows Live Toolbar 2008-05-26 10:22 . 2008-05-26 10:22 <DIR> d-------- C:\Programfiler\SystemRequirementsLab 2008-05-21 12:40 . 2008-05-21 12:44 <DIR> d-------- C:\Programfiler\Hunting Unlimited 2008 2008-05-20 10:55 . 2008-05-20 10:58 <DIR> d-------- C:\WINDOWS\Lhsp 2008-05-20 09:23 . 2008-05-28 21:04 <DIR> d-------- C:\Programfiler\ESET 2008-05-20 09:23 . 2008-05-20 09:23 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2008-05-20 09:23 . 2008-05-20 09:23 298,104 --a------ C:\WINDOWS\system32\imon.dll 2008-05-20 09:23 . 2008-05-20 09:23 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2008-05-16 11:58 . 
2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe 2008-05-05 11:12 . 2008-05-05 11:12 52 --a------ C:\WINDOWS\system32\tbm.set 2008-05-05 11:09 . 2008-05-05 11:09 <DIR> d-------- C:\Programfiler\Askarya 2008-05-05 11:09 . 2008-05-05 11:11 70 --a------ C:\WINDOWS\TaskbarManager.INI 2008-05-05 11:09 . 2008-05-05 11:09 9 --a------ C:\WINDOWS\system32\tbmlic 2008-05-05 09:07 . 2008-05-05 09:07 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-31 22:35 --------- d-----w C:\Programfiler\Steam 2008-05-31 07:52 --------- d-----w C:\Programfiler\Fellesfiler\InstallShield 2008-05-31 07:51 --------- d--h--w C:\Programfiler\InstallShield Installation Information 2008-05-30 10:10 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard 2008-05-27 16:58 --------- d-----w C:\Programfiler\Windows Live 2008-05-27 07:00 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller 2008-05-22 06:40 --------- d-----w C:\Programfiler\Clue 2008-05-20 11:16 --------- d-----w C:\Documents and Settings\kjanor2\Programdata\dvdcss 2008-05-19 10:03 --------- d-----w C:\Programfiler\mIRC 2008-05-15 00:34 --------- d-----w C:\Documents and Settings\kjanor2\Programdata\uTorrent 2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys 2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys 2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys 2008-04-21 21:19 --------- d-----w C:\Programfiler\Quick Batch File Compiler 2008-04-21 10:59 --------- d-----w C:\Programfiler\CCleaner 2008-04-21 10:49 --------- d-----w C:\Documents and Settings\kjanor2\Programdata\U3 2008-04-21 09:17 --------- d-----w C:\Programfiler\NoIQ Poker 2008-04-15 17:54 --------- d-----w C:\Programfiler\TechSmith 2008-04-15 17:54 --------- d-----w C:\Documents and Settings\All Users\Programdata\TechSmith 2008-04-15 
17:42 --------- d-----w C:\Programfiler\Cheat Engine 2008-04-15 16:04 --------- d-----w C:\Documents and Settings\kjanor2\Programdata\mIRC 2008-04-15 09:40 --------- d-----w C:\Programfiler\Fellesfiler\Adobe 2008-04-14 17:22 --------- d-----w C:\Documents and Settings\kjanor2\Programdata\Ventrilo 2008-04-14 17:20 --------- d-----w C:\Programfiler\Ventrilo 2008-04-14 08:02 --------- d-----w C:\Programfiler\Fellesfiler\Roxio Shared 2008-04-14 08:02 --------- d-----w C:\Documents and Settings\All Users\Programdata\Roxio 2008-04-14 07:56 --------- d-----w C:\Programfiler\Roxio 2008-04-14 07:37 --------- d-----w C:\Programfiler\Symantec 2008-04-14 07:37 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared 2008-04-14 07:37 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec 2008-04-11 10:37 --------- d-----w C:\Programfiler\Google 2008-04-07 21:12 --------- d-----w C:\Programfiler\mplayer 2008-04-07 21:12 --------- d-----w C:\Documents and Settings\kjanor2\Programdata\Media Player Classic 2007-06-29 08:04 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Programdata\Microsoft\Feeds Cache\index.dat . ((((((((((((((((((((((((((((( snapshot@2008-06-02_ 1.41.18.85 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-01 23:14:09 71,244 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-06-01 23:42:05 71,244 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-06-01 23:14:09 79,884 ----a-w C:\WINDOWS\system32\perfc014.dat + 2008-06-01 23:42:05 79,884 ----a-w C:\WINDOWS\system32\perfc014.dat - 2008-06-01 23:14:09 439,158 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-06-01 23:42:05 439,158 ----a-w C:\WINDOWS\system32\perfh009.dat - 2008-06-01 23:14:09 442,028 ----a-w C:\WINDOWS\system32\perfh014.dat + 2008-06-01 23:42:05 442,028 ----a-w C:\WINDOWS\system32\perfh014.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 20:36 827392] "SoundMAXPnP"="C:\Programfiler\Analog Devices\Core\smax4pnp.exe" [2007-01-05 23:36 872448] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608] "nod32kui"="C:\Programfiler\Eset\nod32kui.exe" [2008-05-20 09:23 949376] "Windows UDP Control"="winudspm.exe" [] "Windows svchost"="service.exe" [] "Connect Update Agent"="C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe" [2005-02-08 09:34 462848] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360] "DWQueuedReporting"="C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264] C:\Documents and Settings\Default User\Start-meny\Programmer\Oppstart\ CCC.lnk - C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 09:57:36 49152] C:\Documents and Settings\Administrator\Start-meny\Programmer\Oppstart\ CCC.lnk - C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 09:57:36 49152] C:\Documents and Settings\kjanor2\Start-meny\Programmer\Oppstart\ CCC.lnk - C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 09:57:36 49152] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-489248529-1699838375-1845911597-285817\Scripts\Logon\0\0] "Script"=logon_elever.bat [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccelerometerSysTrayApplet] --a------ 2007-01-24 14:28 124928 C:\WINDOWS\system32\AccelerometerSt.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 22:16 39792 C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] --a------ 2004-08-22 18:05 81920 C:\Programfiler\D-Tools\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2007-10-18 11:34 5724184 C:\Programfiler\Windows Live\Messenger\MsnMsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl] --a------ 2007-01-20 08:41 159744 C:\Programfiler\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] -rahs---- 2008-01-28 11:43 2097488 C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Taskbar Manager] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender] C:\Programfiler\Windows Defender\MSASCui.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows svchost] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Programfiler\\utorrent\\utorrent.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2007-01-24 02:13] R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-11-18 10:01] S3 G3GRSC;G3G R Smart Card;C:\WINDOWS\system32\DRIVERS\g3grsc.sys [2004-09-27 16:53] S3 G3GRUMDM;G3G R USB Modem;C:\WINDOWS\system32\DRIVERS\g3grumdm.sys [2004-09-25 14:29] S3 
G3GRUSER;G3G R USB Serial;C:\WINDOWS\system32\DRIVERS\g3gruser.sys [2004-09-25 14:29] S3 HP24X;HP PC Card Smart Card Reader;C:\WINDOWS\system32\DRIVERS\HP24X.sys [2006-10-19 01:23] S3 W8100PCI;Marvell Libertas 802.11b/g Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\mrv8k51.sys [2004-08-13 11:28] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] \Shell\AutoRun\command - F:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e548f782-23dd-11dc-ab50-001a734a4008}] \Shell\AutoRun\command - E:\WD_Windows_Tools\setup.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static] msiexec /fums {C7099049-4779-1634-2C83-372EE984396F} /qb . Contents of the 'Scheduled Tasks' folder "2008-06-02 09:15:41 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job" - C:\Programfiler\Windows Live Toolbar\MSNTBUP.EXE . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-02 11:21:52 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
Completion time: 2008-06-02 11:22:49
ComboFix-quarantined-files.txt 2008-06-02 09:22:45
ComboFix2.txt 2008-06-01 23:42:14
Pre-Run: 5,386,993,664 byte ledig
Post-Run: 5,375,471,616 byte ledig
223 --- E O F --- 2008-02-28 07:31:53

SAS log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/02/2008 at 11:39 AM
Application Version : 4.1.1046
Core Rules Database Version : 3459
Trace Rules Database Version: 1450
Scan type : Quick Scan
Total Scan Time : 00:06:39
Memory items scanned : 452
Memory threats detected : 0
Registry items scanned : 383
Registry threats detected : 0
File items scanned : 6203
File threats detected : 3

Adware.Tracking Cookie

Adware.Casino Games (Golden Palace Casino)
C:\PROGRAMFILER\NOIQ POKER\CASINO.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\SKRIVEBORD\NOIQ POKER.LNK
C:\DOCUMENTS AND SETTINGS\ALL USERS\START-MENY\PROGRAMMER\NOIQ POKER\NOIQ POKER.LNK

HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41, on 2008-06-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\InterVideo\RegMgr\iviRegMgr.exe
C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Eset\nod32krn.exe
C:\Programfiler\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Analog Devices\Core\smax4pnp.exe
C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe
C:\Programfiler\Eset\nod32kui.exe
C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\kjanor2\Skrivebord\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skoleportalen.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ped-01isa:8080/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.134.121.190:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
F1 - win.ini: load=C:\WINDOWS\MiXedVeX.bat
F1 - win.ini: run=C:\WINDOWS\MiXedVeX.bat
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programfiler\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programfiler\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKLM\..\Run: [Connect Update Agent] "C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe"
O4 - HKCU\..\Run: [startCCC] C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: CCC.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: CCC.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: CCC.lnk = ? (User 'Default user')
O4 - Startup: CCC.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1182858104968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182934295515
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hfk.vgs.no
O17 - HKLM\Software\..\Telephony: DomainName = hfk.vgs.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hfk.vgs.no
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programfiler\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Programfiler\Fellesfiler\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe
O23 - Service: stllssvr - Unknown owner - C:\Programfiler\Fellesfiler\SureThing Shared\stllssvr.exe (file missing)
--
End of file - 8893 bytes
r2d290 Posted 2 June 2008 (edited)

Hello

Edit: follow snipp's instructions instead (don't read what is in the spoiler here).

Still quite a bit of junk in the HijackThis log.

Read through the guide before you start. Read carefully, and do what I say in the right order.

Download Avenger from: http://swandog46.geekstogo.com/
Open the program.
Tick the 'Input script manually' option.
Click the magnifying-glass icon.
In the text box that opens, paste this:

Files to delete:
C:\WINDOWS\system32\service.exe

and click 'Done'.
Click the traffic light to start the program, and click OK.
You will be asked to restart the machine. Accept this.
Post the Avenger log, which you will find at C:\Avenger\output.txt, at the end of the guide, together with the HijackThis log.
(This was a translation from another site. I have not done this myself, so I can't guarantee that everything works. If there is a problem, just ask.)

Delete the following entries with HijackThis: (Click the link below for more information on how to delete an entry)

Run hijackthis.exe. Choose "Do a system scan only".
1. Tick the entries you are asked to below. Close all programs (except HijackThis), browsers, windows and any antispyware program.
2. Click the "Fix checked" button.
3. Click Ja/Yes to remove the entries.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.134.121.190:8080 <- (if you don't recognise this proxy IP address)
F1 - win.ini: load=C:\WINDOWS\MiXedVeX.bat
F1 - win.ini: run=C:\WINDOWS\MiXedVeX.bat
O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab

The following lines are optional, depending on whether you want Yahoo! Toolbar as a search tool in your browser:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

Later, once you have posted the log(s) that snippsat asks for below and are waiting for a response, you can update Java. This will remove a couple of security holes.

Update Java:
Click the following link and download the latest version of Java (not beta): http://java.sun.com/javase/downloads/index.jsp
Go to Start > Control Panel > Add/Remove Programs.
Look through the list for all earlier versions of Java (JRE, J2SE Runtime, etc.).
All of these versions should have this image in front of them:
Select all the ones you find and remove them.
Then install the Java version you downloaded at the start.

Use the PC for a while and report back on how the machine is running. Also say so if there is anything you don't understand. Do NOT do anything if you are unsure; in that case it is better to ask here first.

Edited 2 June 2008 by r2d290
snippsat Posted 2 June 2008 (edited)

Close the browser and programs.
---
Start HijackThis, "scan", find these lines, tick them, then click Fix checked.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.134.121.190:8080
F1 - win.ini: load=C:\WINDOWS\MiXedVeX.bat
F1 - win.ini: run=C:\WINDOWS\MiXedVeX.bat
O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
O4 - HKLM\..\Run: [Windows svchost] service.exe
---
Start -> Run -> cmd
Copy and paste into cmd, one line at a time, the text in bold.

sc stop LiveUpdate
sc delete LiveUpdate
sc stop stllssvr
sc delete stllssvr
---
Another round of CCleaner and the registry cleaner.
---
Restart and make a new HijackThis log.
---
Say a little about how the PC is running now.
---
Update Java as r2d290 points out.

Edited 2 June 2008 by SNIPPSAT
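A triage sketch for the kind of entries singled out in the two replies above, added here as an example and not written by anyone in the thread: it flags win.ini load=/run= lines, a configured ProxyServer, and Run values with no directory component, then reports which flagged lines are still present in a follow-up scan. The heuristics and function names are assumptions for illustration; the sample lines are copied from the 11:41 and 16:11 HijackThis logs on this page.

```python
import ntpath  # Windows path semantics regardless of the host OS
import re

# Autostart-related entries copied from the two HijackThis logs in this
# thread: BEFORE is the 11:41 scan, AFTER the 16:11 scan (both trimmed).
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.134.121.190:8080
F1 - win.ini: load=C:\WINDOWS\MiXedVeX.bat
F1 - win.ini: run=C:\WINDOWS\MiXedVeX.bat
O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.134.121.190:8080
O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F1_RE = re.compile(r"^F1 - win\.ini: (?P<key>load|run)=(?P<cmd>.+)$", re.I)
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)$")
# Program part of a command line: optional quotes, unquoted paths may contain
# spaces, so match lazily up to the first executable-looking extension.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|bat|cmd|com|scr|pif))"?(?:\s|$)', re.I)


def executable(cmd):
    """Return the program part of a Run command line, without arguments."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group("exe")
    parts = cmd.split()
    return parts[0].strip('"') if parts else ""


def triage(lines):
    """Return (line, reason) pairs for entries that deserve a manual look."""
    findings = []
    for line in (raw.strip() for raw in lines):
        if (m := F1_RE.match(line)):
            # Legacy win.ini autostart; rarely used by legitimate software.
            findings.append((line, "win.ini %s= autostart" % m.group("key").lower()))
        elif (m := PROXY_RE.match(line)):
            findings.append((line, "proxy %s set; confirm it is expected" % m.group("proxy")))
        elif (m := RUN_RE.match(line)):
            exe = executable(m.group("cmd"))
            if not ntpath.dirname(exe):
                # Assumed heuristic: a bare file name is resolved through the
                # search path, so the file can sit in %WINDIR% or system32.
                findings.append((line, "Run value [%s] has no directory: %s"
                                 % (m.group("name"), exe)))
    return findings


def still_present(findings, followup_lines):
    """Findings whose exact log line still appears in a later scan."""
    remaining = {raw.strip() for raw in followup_lines}
    return [f for f in findings if f[0] in remaining]


if __name__ == "__main__":
    flagged = triage(BEFORE)
    for line, reason in flagged:
        print("REVIEW  %-45s %s" % (reason, line))
    for line, reason in still_present(flagged, AFTER):
        print("REMAINS %s" % line)
```
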

m4nia Posted 2 June 2008 Author

HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:11, on 2008-06-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\InterVideo\RegMgr\iviRegMgr.exe
C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Eset\nod32krn.exe
C:\Programfiler\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Analog Devices\Core\smax4pnp.exe
C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe
C:\Programfiler\Eset\nod32kui.exe
C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\kjanor2\Skrivebord\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skoleportalen.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ped-01isa:8080/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.134.121.190:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programfiler\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programfiler\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Connect Update Agent] "C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe"
O4 - HKCU\..\Run: [startCCC] C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: CCC.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: CCC.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: CCC.lnk = ? (User 'Default user')
O4 - Startup: CCC.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1182858104968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182934295515
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hfk.vgs.no
O17 - HKLM\Software\..\Telephony: DomainName = hfk.vgs.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hfk.vgs.no
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programfiler\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Programfiler\Fellesfiler\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe

--
End of file - 8379 bytes

The proxy server is mine, nothing shady. Seems like the PC is running fine now. Thanks.
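
The re-scan step in snippsat's post can be checked mechanically. The following is an added example, not part of any post in this thread: it reports which of the lines listed for "fix checked" still appear in a follow-up log, even when the log was pasted without line breaks. The function names and the shortened, constructed log excerpt are assumptions of this example.

```python
import re

# Start of a HijackThis entry: section code (R0-R3, F0-F3, N1-N4, O1-O24) then " - ".
ENTRY = re.compile(r"(?<!\S)(?:R[0-3]|F[0-3]|N[1-4]|O(?:1\d|2[0-4]|[1-9])) - ")

def normalize(entry):
    # Registry paths and Windows file names are case-insensitive; spacing varies when pasted.
    return " ".join(entry.split()).lower()

def parse_entries(log_text):
    """Return the set of normalized entries in a HijackThis log.
    Cuts at every entry marker, so it also handles logs whose line breaks were lost."""
    starts = [m.start() for m in ENTRY.finditer(log_text)]
    entries = set()
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        chunk = log_text[begin:end].split("-- End of file")[0]
        entries.add(normalize(chunk))
    return entries

def check_rescan(fixed_lines, rescan_log):
    """Sort the lines that were marked for fixing by whether the re-scan still lists them."""
    present = parse_entries(rescan_log)
    report = {"removed": [], "still_present": []}
    for line in fixed_lines:
        key = "still_present" if normalize(line) in present else "removed"
        report[key].append(line)
    return report

# The five lines listed for "fix checked" in snippsat's post.
FIXED = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.134.121.190:8080",
    r"F1 - win.ini: load=C:\WINDOWS\MiXedVeX.bat",
    r"F1 - win.ini: run=C:\WINDOWS\MiXedVeX.bat",
    r"O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe",
    r"O4 - HKLM\..\Run: [Windows svchost] service.exe",
]

# Constructed excerpt of a follow-up log, flattened onto one line as in a forum paste.
RESCAN = (
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skoleportalen.no "
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.134.121.190:8080 "
    r"O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe "
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe -- End of file"
)

if __name__ == "__main__":
    for status, lines in check_rescan(FIXED, RESCAN).items():
        for line in lines:
            print(f"{status:13} {line}")
```

An entry reported as still present only means it was not removed from the system; whether it should have been is a separate judgement, as with the proxy setting that the poster says is his own.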

r2d290 Posted 2 June 2008

I assume you are familiar with the site http://www.srtest.com? Otherwise the log looks fine.

Combofix must be uninstalled. Start -> Run -> type: combofix /u
This will uninstall the program, reset the System Restore folder, and delete the temporary files.

Remember to update Java.

If you think the problem with your machine is solved, you can change your topic title by editing your first post with full editing and writing [SOLVED] in front of your topic title. E.g.: [SOLVED] Got a virus on my machine

-Surf safely-