Trojan og andre virus treng hjelp

Sovende Panda · 5. juni 2008

Hallo. Eg er ny på forumet. Og eg treng litt hjelp med virus på PC-en min.

Eg opna ein link i msn (som eg vanleg vis ikkje gjer) og fekk deretter viruset trojan, adware også vidare. Eg leste på forumet at SuperAntispyware skulle hjelpa og det hjalp i eit par dagar før viruset kom tilbake.

Nå er det enda verre og greier, eg får da ikkje vekk. Eg hadde Norton då eg fekk viruset men bytta til NOD32.

Her er noen logger som kanskje kan hjelpa...

HijackThis:

Klikk for å se/fjerne innholdet nedenfor

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:19:21, on 05.06.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\ehome\RMSvc.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redi...&key=SEARCH

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nettavisen.no/spillmagasinet/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://online.no/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\qoMcddee.dll

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: (no name) - {B3FA1A96-20AC-4D40-A249-13F314E8114C} - C:\WINDOWS\system32\yayyWopo.dll (file missing)

O2 - BHO: {889b2071-e5b9-c25b-9124-b501600f489d} - {d984f006-105b-4219-b52c-9b5e1702b988} - C:\WINDOWS\system32\vowopsmm.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATICCC] "c:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe

O4 - HKLM\..\Run: [94c98163] rundll32.exe "C:\WINDOWS\system32\seqvnfkx.dll",b

O4 - HKLM\..\Run: [Windows svchost] service.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [bM97fab2ff] Rundll32.exe "C:\WINDOWS\system32\caupgnag.dll",s

O4 - HKCU\..\Run: [smpcSys] C:\APPS\SMP\SmpSys.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - S-1-5-18 Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User 'Default user')

O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe

O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: ImageMixer HDD Camera Monitor.lnk = C:\Program Files\PIXELA\ImageMixer3\HDDCameraMonitor.exe

O4 - Global Startup: Ressursovervåking for Extender-enhet.lnk = C:\WINDOWS\ehome\RMSysTry.exe

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1212139842265

O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar ) - http://img.pvw.od2.com/installation/Plugin...nagerPlugin.CAB

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: qoMcddee - C:\WINDOWS\SYSTEM32\qoMcddee.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

--

End of file - 9655 bytes

SuperAntispyware:

Klikk for å se/fjerne innholdet nedenfor

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 06/05/2008 at 03:40 PM

Application Version : 4.1.1046

Core Rules Database Version : 3473

Trace Rules Database Version: 1464

Scan type : Complete Scan

Total Scan Time : 00:21:48

Memory items scanned : 277

Memory threats detected : 1

Registry items scanned : 4524

Registry threats detected : 6

File items scanned : 20781

File threats detected : 3

Trojan.Vundo-Variant/Small-GEN

C:\WINDOWS\SYSTEM32\QOMCDDEE.DLL

Trojan.Vundo-Variant/Small

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}

HKCR\CLSID\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}

HKCR\CLSID\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}\InprocServer32

HKCR\CLSID\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}\InprocServer32#ThreadingModel

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{487C9905-26A8-42C8-8033-C58AD3D2AEC3}

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\qoMcddee

Adware.Tracking Cookie

C:\Documents and Settings\Ørjan\Cookies\ørjan@adtech[1].txt

C:\Documents and Settings\Ørjan\Cookies\ø[email protected][2].txt

Eg sett pris på all hjelp eg kan få.

Endret 10. juni 2008 av mutu

r2d290 · 5. juni 2008

Følg denne veiledningen: https://www.diskusjon.no/index.php?showtopi...;#entry11305102

Sovende Panda · 5. juni 2008

Takk for raskt svar.

Jeg kjørte MSNFix og restartet PC-en. Nå kan ikkje SAS finne trojan viruset meir. Og eg kan slå på automatiske oppdateringer igjen.

Takk for hjelp

norbat · 5. juni 2008

Kunne du også ha kjørt combofix og posten loggen den lager?

Hent Combofix, og legg det på skrivebordet

Kjør combofix.exe, og følg veiledningen.

Du må ikke klikke på vinduet mens programmet kjører.

Post loggfilen fra combofix (c:\combofix.txt)

Sovende Panda · 5. juni 2008

Eg gjorde som du sa, men eg hadde Combofix på PC-en fra før, så no får eg opp ein feilmelding. Eg heiv combofix i papirkurven, uten å avinstallera, og no kan eg ikkje avinstallera da så eg kan kjøra da på nytt. Kva skal eg gjer?

norbat · 5. juni 2008

Last ned ny versjon av combofix og kjør denne.

Endret 5. juni 2008 av norbat

Sovende Panda · 5. juni 2008

Ok, her er den.

Combofix logg:

Klikk for å se/fjerne innholdet nedenfor

ComboFix 08-06-04.5 - Ørjan 2008-06-05 17:03:36.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1180 [GMT 2:00]

Running from: C:\Documents and Settings\Ørjan\Desktop\ComboFix.exe

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\BM97fab2ff.xml

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\CLknWvut.ini

C:\WINDOWS\system32\CLknWvut.ini2

C:\WINDOWS\system32\epuavuss.ini

C:\WINDOWS\system32\gqtvvguo.ini

C:\WINDOWS\system32\NWFgPqss.ini

C:\WINDOWS\system32\NWFgPqss.ini2

C:\WINDOWS\system32\odidlovr.ini

C:\WINDOWS\system32\opoWyyay.ini

C:\WINDOWS\system32\opoWyyay.ini2

C:\WINDOWS\system32\sfgnweyu.ini

C:\WINDOWS\system32\uFhkRqru.ini

C:\WINDOWS\system32\uFhkRqru.ini2

C:\WINDOWS\system32\xkfnvqes.ini

C:\WINDOWS\system32\xoaonpav.ini

.

((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))

.

2008-06-02 14:35 . 2008-06-03 17:18 93,184 --------- C:\WINDOWS\is154890.exe

2008-05-31 17:01 . 2008-05-31 17:06 <DIR> d-------- C:\VideoOutput

2008-05-31 17:00 . 2008-05-31 17:01 <DIR> d-------- C:\Program Files\Ultra Video Converter

2008-05-31 17:00 . 2007-04-12 14:19 129,024 --a------ C:\WINDOWS\system32\AVERM.dll

2008-05-31 17:00 . 2006-09-26 13:57 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll

2008-05-31 15:35 . 2008-05-31 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PIXELA

2008-05-31 15:31 . 2006-10-18 03:00 32,784 --------- C:\WINDOWS\system32\drivers\pxhelper.sys

2008-05-31 15:31 . 2006-10-18 03:00 12,345 --------- C:\WINDOWS\system32\drivers\pxhelper.vxd

2008-05-31 15:30 . 2008-05-31 15:30 <DIR> d-------- C:\Program Files\PIXELA

2008-05-31 13:12 . 2008-05-31 13:12 86,512 --------- C:\setup1.exe

2008-05-31 13:06 . 2008-06-02 14:36 3,423 --a------ C:\bot.MSNFix

2008-05-30 20:10 . 2008-05-30 20:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-05-30 20:10 . 2008-05-30 20:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-05-30 20:10 . 2008-05-30 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-05-30 20:07 . 2008-05-30 20:07 <DIR> d-------- C:\Program Files\Trend Micro

2008-05-30 18:30 . 2008-05-30 18:30 <DIR> d-------- C:\Program Files\ESET

2008-05-30 18:30 . 2008-05-30 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

2008-05-30 18:20 . 2008-05-30 18:20 667,648 --a------ C:\Program Files\Norton_Removal_Tool.exe

2008-05-30 18:20 . 2008-05-30 18:20 137,568 --a------ C:\Program Files\buDump.exe

2008-05-30 16:42 . 2008-05-30 19:15 <DIR> d-------- C:\Program Files\EsetOnlineScanner

2008-05-30 16:28 . 2008-05-30 19:56 86,498 --a------ C:\WINDOWS\service.MSNFix

2008-05-28 15:49 . 2008-05-30 18:29 143 --a------ C:\WINDOWS\system32\mcrh.MSNFix

2008-05-28 14:38 . 2008-05-30 20:30 1,107 --a------ C:\WINDOWS\cookies.MSNFix

2008-05-27 22:51 . 2008-05-27 22:51 40,960 --------- C:\dciz.exe

2008-05-27 19:42 . 2008-05-27 19:42 <DIR> d--h----- C:\WINDOWS\PIF

2008-05-27 19:38 . 2008-05-27 19:38 40,960 --------- C:\dchi.exe

2008-05-27 19:33 . 2008-05-27 19:33 56,832 -r-hs---- C:\WINDOWS\winudspm.exe

2008-05-27 19:33 . 2008-05-27 19:33 40,960 --------- C:\dci.exe

2008-05-26 14:17 . 2008-05-26 14:17 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

2008-05-22 11:56 . 2008-05-22 11:56 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

2008-05-22 10:52 . 2008-05-22 10:52 <DIR> d-------- C:\Program Files\Strategy First

2008-05-22 09:44 . 2008-05-22 09:44 <DIR> d-------- C:\Program Files\Desktop

2008-05-22 09:35 . 2008-05-22 09:35 361,480 --a------ C:\Program Files\Download_Emergency3setup_now.exe

2008-05-21 11:23 . 2008-05-29 12:56 30 --a------ C:\WINDOWS\iedit.INI

2008-05-19 18:25 . 2008-05-19 18:25 <DIR> d-------- C:\Program Files\WMA-MP3.com

2008-05-19 18:25 . 2008-05-31 15:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-05-18 15:16 . 2008-05-18 15:16 <DIR> d-------- C:\WINDOWS\Cache

2008-05-18 15:16 . 2008-05-18 15:16 <DIR> d-------- C:\Program Files\Sierra

2008-05-18 15:15 . 2006-03-20 16:33 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl

2008-05-18 14:47 . 2008-05-18 14:47 142,784 --a------ C:\Program Files\PoliceQuestCol-dm.exe

2008-05-12 22:24 . 2008-05-12 22:24 <DIR> d-------- C:\Program Files\Apple Software Update

2008-05-10 14:54 . 2008-05-10 14:54 268 --ah----- C:\sqmdata19.sqm

2008-05-10 14:54 . 2008-05-10 14:54 244 --ah----- C:\sqmnoopt19.sqm

2008-05-09 23:31 . 2008-05-09 23:31 268 --ah----- C:\sqmdata18.sqm

2008-05-09 23:31 . 2008-05-09 23:31 244 --ah----- C:\sqmnoopt18.sqm

2008-05-09 14:09 . 2008-05-09 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet

2008-05-09 12:24 . 2008-05-09 12:24 268 --ah----- C:\sqmdata17.sqm

2008-05-09 12:24 . 2008-05-09 12:24 244 --ah----- C:\sqmnoopt17.sqm

2008-05-08 22:13 . 2008-05-08 22:13 268 --ah----- C:\sqmdata16.sqm

2008-05-08 22:13 . 2008-05-08 22:13 244 --ah----- C:\sqmnoopt16.sqm

2008-05-08 21:09 . 2008-05-08 21:09 268 --ah----- C:\sqmdata15.sqm

2008-05-08 21:09 . 2008-05-08 21:09 244 --ah----- C:\sqmnoopt15.sqm

2008-05-07 22:53 . 2008-05-07 22:53 268 --ah----- C:\sqmdata14.sqm

2008-05-07 22:53 . 2008-05-07 22:53 244 --ah----- C:\sqmnoopt14.sqm

2008-05-07 19:17 . 2004-01-14 03:10 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE

2008-05-07 19:15 . 2008-05-07 19:15 <DIR> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information

2008-05-07 19:15 . 2008-05-07 19:15 <DIR> d--h----- C:\Program Files\CanonBJ

2008-05-07 19:15 . 2008-05-07 19:15 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ

2008-05-07 19:15 . 2006-07-31 07:00 161,792 --a------ C:\WINDOWS\system32\CNMLM7X.DLL

2008-05-07 19:14 . 2008-05-07 20:00 <DIR> d-------- C:\Program Files\Canon

2008-05-07 19:07 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

2008-05-07 19:07 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys

2008-05-06 16:30 . 2008-05-06 16:30 268 --ah----- C:\sqmdata13.sqm

2008-05-06 16:30 . 2008-05-06 16:30 244 --ah----- C:\sqmnoopt13.sqm

2008-05-05 23:04 . 2008-05-05 23:04 268 --ah----- C:\sqmdata12.sqm

2008-05-05 23:04 . 2008-05-05 23:04 244 --ah----- C:\sqmnoopt12.sqm

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-31 13:30 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-05-30 16:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-05-30 16:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2008-05-30 16:23 20,465,152 ----a-w C:\Program Files\eav_nt32_enu.msi

2008-05-30 09:25 320,512 ----a-w C:\WINDOWS\Tele2Uninstall.exe

2008-05-24 08:06 --------- d-----w C:\Program Files\Common Files\Adobe

2008-05-09 07:11 --------- d-----w C:\Program Files\Google

2008-05-04 14:17 --------- d-----w C:\Program Files\iTunes

2008-05-04 14:17 --------- d-----w C:\Program Files\iPod

2008-05-04 14:17 --------- d-----w C:\Program Files\Bonjour

2008-05-04 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer

2008-05-04 14:16 --------- d-----w C:\Program Files\QuickTime

2008-05-04 14:15 --------- d-----w C:\Program Files\Common Files\Apple

2008-05-04 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple

2008-05-04 13:48 --------- d-----w C:\Program Files\Amazon

2008-05-04 13:18 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-05-03 08:24 --------- d-----w C:\Program Files\ZD Soft

2008-04-29 09:51 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF

2008-04-29 09:51 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2008-04-26 19:52 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2

2008-04-26 10:42 --------- d-----w C:\Program Files\San Andreas Mod Installer

2008-04-26 10:40 --------- d-----w C:\Program Files\Rockstar Games

2008-04-26 07:35 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2008-04-26 07:13 --------- d-----w C:\Program Files\sixteen tons entertainment

2008-04-25 18:51 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller

2008-04-25 18:51 --------- d-----w C:\Program Files\Windows Live

2008-04-25 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-04-25 18:30 --------- d-----w C:\Program Files\OpenOffice.org 2.3

2008-04-25 18:21 93,767,048 ----a-w C:\Program Files\n360.exe

2008-04-25 17:42 --------- d-----w C:\Program Files\Windows XP MUI Pack

2008-04-25 17:38 --------- d-----w C:\Program Files\Common Files\Ulead Systems

2008-04-25 17:38 --------- d-----w C:\Program Files\Common Files\SureThing Shared

2008-04-25 17:38 --------- d-----w C:\Program Files\Common Files\Sonic Shared

2008-04-25 17:36 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec

2008-04-25 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems

2008-04-25 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime

2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3FA1A96-20AC-4D40-A249-13F314E8114C}]

C:\WINDOWS\system32\yayyWopo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d984f006-105b-4219-b52c-9b5e1702b988}]

C:\WINDOWS\system32\vowopsmm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmpcSys"="C:\APPS\SMP\SmpSys.exe" [2005-12-08 18:39 975360]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 16:00 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-03 13:23 68856]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 16:00 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 16:00 455168]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 15:56 64512]

"ATICCC"="c:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 13:12 90112]

"RTHDCPL"="RTHDCPL.EXE" [2006-08-23 10:28 16049664 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-08-23 10:30 2879488 C:\WINDOWS\SkyTel.exe]

"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-08-23 10:31 53248]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 05:52 36975]

"DetectorApp"="C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 08:15 102400]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 16:40 213936]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 16:40 86960]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 16:00 208952]

"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 12:31 24576]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 03:10 409600]

"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:40 213936]

"Windows UDP Control"="winudspm.exe" [2008-05-27 19:33 56832 C:\WINDOWS\winudspm.exe]

"94c98163"="C:\WINDOWS\system32\seqvnfkx.dll" [ ]

"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

"BM97fab2ff"="C:\WINDOWS\system32\caupgnag.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 16:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Hurtigstart.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

ImageMixer HDD Camera Monitor.lnk - C:\Program Files\PIXELA\ImageMixer3\HDDCameraMonitor.exe [2008-05-31 15:30:36 2117632]

Ressursoverv†king for Extender-enhet.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40 18432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

"msacm.mpegacm"= mpegacm.acm

"msacm.ulmp3acm"= ulmp3acm.acm

"VIDC.ZDSV"= scrvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3776:UDP"= 3776:UDP:Media Center Extender Service

"3390:TCP"= 3390:TCP:Ekstern Media Center-opplevelse

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]

R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 19:55]

S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 16:00]

S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 13:54]

S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys []

S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [2008-02-18 11:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbfa519e-12b9-11dd-98ea-001921b2474b}]

\Shell\AutoRun\command - I:\wd_windows_tools\setup.exe

.

Contents of the 'Scheduled Tasks' folder

"2008-06-02 13:18:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-05 17:07:31

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\ehome\ehrecvr.exe

C:\WINDOWS\ehome\ehSched.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

C:\WINDOWS\ehome\McrdSvc.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\APPS\ABOARD\AOSD.EXE

C:\WINDOWS\ehome\ehmsas.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\OpenOffice.org 2.3\program\soffice.exe

C:\Program Files\OpenOffice.org 2.3\program\soffice.bin

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\WINDOWS\system32\verclsid.exe

.

**************************************************************************

.

Completion time: 2008-06-05 17:10:25 - machine was rebooted [rjan]

ComboFix-quarantined-files.txt 2008-06-05 15:10:20

Pre-Run: 262,384,537,600 bytes free

Post-Run: 262,399,545,344 bytes free

262 --- E O F --- 2008-05-31 10:33:15

norbat · 5. juni 2008

Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript.txt

Dra deretter fila over Combofix-iconet. Combofix vil starte igjen. Post loggen.

File::

C:\WINDOWS\is154890.exe

C:\bot.MSNFix

C:\WINDOWS\service.MSNFix

C:\WINDOWS\system32\mcrh.MSNFix

C:\WINDOWS\cookies.MSNFix

C:\WINDOWS\winudspm.exe

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3FA1A96-20AC-4D40-A249-13F314E8114C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d984f006-105b-4219-b52c-9b5e1702b988}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows UDP Control"=-

"94c98163"=-

"BM97fab2ff"=-

Gå til nettstedet http://virusscan.jotti.org/ og last opp følgende filer for sjekk:

C:\setup1.exe

C:\dci.exe

C:\dciz.exe

C:\dchi.exe

Gi tilbakemelding på om og hva som evt. ble funnet på de.

Sovende Panda · 5. juni 2008

Her er combofix filen igjen:

Klikk for å se/fjerne innholdet nedenfor

ComboFix 08-06-04.5 - Ørjan 2008-06-05 19:19:13.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1183 [GMT 2:00]

Running from: C:\Documents and Settings\Ørjan\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Ørjan\Desktop\CFScript.txt

* Created a new restore point

* Resident AV is active

FILE ::

C:\bot.MSNFix

C:\WINDOWS\cookies.MSNFix

C:\WINDOWS\is154890.exe

C:\WINDOWS\service.MSNFix

C:\WINDOWS\system32\mcrh.MSNFix

C:\WINDOWS\winudspm.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\bot.MSNFix

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

C:\Documents and Settings\MCX1\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

C:\WINDOWS\cookies.MSNFix

C:\WINDOWS\is154890.exe

C:\WINDOWS\service.MSNFix

C:\WINDOWS\system32\mcrh.MSNFix

C:\WINDOWS\winudspm.exe

.

((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))

.

2008-06-05 17:10 . 2008-06-05 17:10 <DIR> d-------- C:\Documents and Settings\Ïrjan