gtfossum Posted 9 June 2008 (edited)
In a weak moment I clicked on something I thought was a YouTube link from my wife. I have run MSNFix, MBAM and ComboFix, and now I'm wondering whether anyone would be kind enough to take a look at the log to see if there is more that should be done:
ComboFix 08-06-08.8 - Geir Fossum 2008-06-09 14:16:30.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1126 [GMT 2:00] Running from: C:\Documents and Settings\Geir Fossum\Mine dokumenter\Download\Sikkerhet\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 ))))))))))))))))))))))))))))))) . 2008-06-09 12:17 . 2008-06-09 12:17 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware 2008-06-09 12:17 . 2008-06-09 12:17 <DIR> d-------- C:\Documents and Settings\Geir Fossum\Programdata\Malwarebytes 2008-06-09 12:17 . 2008-06-09 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes 2008-06-09 12:17 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-06-09 12:17 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-06-06 23:22 . 2008-06-06 23:22 60,416 --a------ C:\WINDOWS\winudpmgr.MSNFix 2008-06-06 23:22 . 2008-06-06 23:22 60,416 --a------ C:\WINDOWS\2dj12.exe 2008-06-06 23:21 . 2008-06-06 23:21 1,860 --a------ C:\WINDOWS\2d12.exe 2008-06-06 23:17 . 2008-06-06 23:17 81,924 --a------ C:\WINDOWS\2ddds.exe 2008-06-06 23:01 . 2008-06-06 23:01 81,924 --a------ C:\WINDOWS\22ddds.exe 2008-06-06 22:33 . 2008-06-06 22:33 81,924 --a------ C:\WINDOWS\22dds.exe 2008-06-04 20:01 . 2008-06-04 20:01 53,254 --a------ C:\WINDOWS\ehSched.MSNFix 2008-06-01 22:45 . 2008-06-01 22:45 <DIR> d-------- C:\Programfiler\Apple Software Update 2008-06-01 22:45 . 2008-06-01 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Apple 2008-05-23 11:32 . 
2008-05-23 11:32 <DIR> d-------- C:\Documents and Settings\Geir Fossum\Programdata\Uniblue . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-09 12:24 --------- d-----w C:\Documents and Settings\Geir Fossum\Programdata\Skype 2008-06-09 08:36 --------- d-----w C:\Documents and Settings\Geir Fossum\Programdata\Wave Systems Corp 2008-06-06 20:49 --------- d-----w C:\Documents and Settings\Geir Fossum\Programdata\ZoomBrowser EX 2008-06-06 20:22 --------- d-----w C:\Documents and Settings\All Users\Programdata\ZoomBrowser 2008-05-30 09:28 --------- d-----w C:\Programfiler\BIBEL 2008-05-21 21:05 --------- d-----w C:\Programfiler\Opera 2008-05-20 12:35 --------- d-----w C:\Documents and Settings\Geir Fossum\Programdata\U3 2008-05-20 12:15 --------- d-----w C:\Programfiler\OpenTTD 2008-05-20 12:12 --------- d--h--w C:\Programfiler\InstallShield Installation Information 2008-05-20 12:10 --------- d-----w C:\Programfiler\Hewlett-Packard 2008-05-15 10:27 --------- d-----w C:\Programfiler\BibleWorks 6 2008-05-14 17:30 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help 2008-05-02 16:47 --------- d-----w C:\Programfiler\vncviewer 2008-05-02 14:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys 2008-05-02 14:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys 2008-05-02 14:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys 2008-04-23 19:10 --------- d-----w C:\Documents and Settings\Geir Fossum\Programdata\Canon 2008-04-19 20:29 --------- d-----w C:\Programfiler\Orbiter 2008-04-18 17:06 --------- d-----w C:\Documents and Settings\All Users\Programdata\Office Genuine Advantage 2008-04-15 22:54 --------- d-----w C:\Programfiler\Java 2007-11-26 12:50 88 --sh--r C:\WINDOWS\system32\ECD69C91B4.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184] "Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360] "Uniblue RegistryBooster 2"="C:\Programfiler\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Document Manager"="C:\Programfiler\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 08:32 102400] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-28 19:05 8429568] "nwiz"="nwiz.exe" [2007-04-28 19:05 1626112 C:\WINDOWS\system32\nwiz.exe] "NVHotkey"="nvHotkey.dll" [2007-04-28 19:05 67584 C:\WINDOWS\system32\nvhotkey.dll] "NvMediaCenter"="NvMCTray.dll" [2007-04-28 19:05 81920 C:\WINDOWS\system32\nvmctray.dll] "Apoint"="C:\Programfiler\Apoint\Apoint.exe" [2005-10-07 14:13 176128] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe] "IntelZeroConfig"="C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 16:32 823296] "IntelWireless"="C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 16:30 974848] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 110592 C:\WINDOWS\system32\bthprops.cpl] "ISUSPM Startup"="C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184] "ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920] "DVDLauncher"="C:\Programfiler\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [2001-11-16 21:23 135168] "MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2000-11-04 21:09 40960] "Corel Photo 
Downloader"="C:\Programfiler\Fellesfiler\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe" [ ] "Corel File Shell Monitor"="C:\Programfiler\Corel\Corel MediaOne\CorelIOMonitor.exe" [2007-12-01 18:38 38400] "UfSeAgnt.exe"="C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 01:56 1398024] "Dell QuickSet"="C:\Programfiler\Dell\QuickSet\Quickset.exe" [2007-05-14 14:23 1191936] "Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2008-03-24 10:28 185896] "QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-03-28 23:37 413696] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360] "Nokia.PCSync"="C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ Bluetooth Manager.lnk - C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 17:46:00 1724416] Digital Line Detect.lnk - C:\Programfiler\Digital Line Detect\DLG.exe [2007-09-21 13:58:59 24576] EMBASSY Trust Suite Secure Update.lnk - C:\Programfiler\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-08-25 09:45:30 192512] OUTLOOK.lnk - C:\Programfiler\Microsoft Office\Office12\OUTLOOK.EXE [2007-12-13 00:56:18 12829216] PC-s›k i Windows.lnk - C:\Programfiler\Windows Desktop Search\WindowsSearch.exe [2007-02-05 16:40:46 118784] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 16:39 294400] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=wxvault.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 wvauth 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= "C:\\Programfiler\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009 R0 PBADRV;PBADRV;C:\WINDOWS\system32\drivers\pbadrv.sys [2005-12-09 15:35] R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 10:46] R2 ASFIPmon;Broadcom ASF IP Monitor;C:\Programfiler\Broadcom\ASFIPMon\AsfIpMon.exe [2005-10-18 17:11] R3 BCMTPM;BCMTPM;C:\WINDOWS\system32\DRIVERS\btpmw32.sys [2005-10-14 06:54] R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 14:01] R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2006-01-16 09:36] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d876242e-be8b-11dc-82b0-0015c5082970}] \Shell\AutoRun\command - E:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb157db2-bec7-11dc-82b6-0016414d2007}] \Shell\AutoRun\command - F:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder "2008-06-05 14:57:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Programfiler\Apple Software Update\SoftwareUpdate.exe . 
************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-09 14:22:34 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\pbadrvdll.dll -> C:\WINDOWS\system32\BioAPI100.dll -> C:\WINDOWS\system32\BIOAPI_MDS300.dll PROCESS: C:\WINDOWS\system32\lsass.exe -> C:\WINDOWS\system32\Tsp.dll -> C:\WINDOWS\system32\TspPopup_ENU.dll -> C:\WINDOWS\system32\BioAPI100.dll -> C:\WINDOWS\system32\BIOAPI_MDS300.dll PROCESS: C:\WINDOWS\Explorer.exe -> C:\WINDOWS\system32\nview.dll . ------------------------ Other Running Processes ------------------------ . 
C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\BRSS01A.EXE C:\WINDOWS\system32\scardsvr.exe C:\Programfiler\Wave Systems Corp\Common\DataServer.exe C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe C:\Programfiler\Dell\OpenManage\Client\Iap.exe C:\Programfiler\Dell\QuickSet\NicConfigSvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PSIService.exe C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe C:\Programfiler\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe C:\Programfiler\Intel\Wireless\Bin\WLKEEPER.exe C:\WINDOWS\system32\searchindexer.exe C:\Programfiler\Trend Micro\BM\TMBMSRV.exe C:\Programfiler\Canon\CAL\CALMAIN.exe C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Programfiler\Apoint\hidfind.exe C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe C:\Programfiler\Apoint\ApntEx.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe C:\Programfiler\Intel\Wireless\Bin\Dot1XCfg.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe C:\Programfiler\Skype\Plugin Manager\skypePM.exe C:\Programfiler\Windows Live\Messenger\usnsvc.exe C:\WINDOWS\system32\searchprotocolhost.exe C:\WINDOWS\system32\searchfilterhost.exe . ************************************************************************** . Completion time: 2008-06-09 14:29:22 - machine was rebooted [Geir Fossum] ComboFix-quarantined-files.txt 2008-06-09 12:29:10 Pre-Run: 25,733,181,440 byte ledig Post-Run: 25,958,617,088 byte ledig 194 --- E O F --- 2008-05-16 22:10:56
Edited 9 June 2008 by gtfossum
norbat Posted 9 June 2008
Open Notepad and paste in what is in bold below, then save the file to the desktop as CFScript.txt. Then drag the file onto the ComboFix icon. ComboFix will start again.

File::
C:\WINDOWS\winudpmgr.MSNFix
C:\WINDOWS\ehSched.MSNFix
C:\WINDOWS\2dj12.exe
C:\WINDOWS\2d12.exe
C:\WINDOWS\2ddds.exe
C:\WINDOWS\22ddds.exe
C:\WINDOWS\22dds.exe

Post the log.
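Added example, not from the thread or from the ComboFix project: a Python script that parses the "Files Created" section of a ComboFix log like the one above, flags loose files dropped directly into C:\WINDOWS (the same seven files norbat lists, using the same-size signal as corroboration) and renders them as the File:: block a CFScript.txt takes. The sample log is constructed from entries in the first post; the heuristics are mine, not ComboFix's.

```python
"""Triage helper for the "Files Created" section of a ComboFix log (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample built from entries in the first log of the thread. A real
# ComboFix log has one entry per line, which is what the parser expects.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.
2008-06-09 12:17 . 2008-06-09 12:17 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-06-09 12:17 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-06 23:22 . 2008-06-06 23:22 60,416 --a------ C:\WINDOWS\winudpmgr.MSNFix
2008-06-06 23:22 . 2008-06-06 23:22 60,416 --a------ C:\WINDOWS\2dj12.exe
2008-06-06 23:21 . 2008-06-06 23:21 1,860 --a------ C:\WINDOWS\2d12.exe
2008-06-06 23:17 . 2008-06-06 23:17 81,924 --a------ C:\WINDOWS\2ddds.exe
2008-06-06 23:01 . 2008-06-06 23:01 81,924 --a------ C:\WINDOWS\22ddds.exe
2008-06-06 22:33 . 2008-06-06 22:33 81,924 --a------ C:\WINDOWS\22dds.exe
2008-06-04 20:01 . 2008-06-04 20:01 53,254 --a------ C:\WINDOWS\ehSched.MSNFix
2008-06-01 22:45 . 2008-06-01 22:45 <DIR> d-------- C:\Programfiler\Apple Software Update
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 14:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
"""

# One entry: "<created> . <modified> <size or <DIR>> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
WINDIR = PureWindowsPath(r"C:\WINDOWS")


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directories
    attrs: str
    path: str


def parse_files_created(log: str) -> list[Entry]:
    """Return the entries of the 'Files Created' section, stopping at the next section."""
    entries: list[Entry] = []
    in_section = False
    for line in log.splitlines():
        if "Files Created from" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("(((("):
            break  # next section header (e.g. "Find3M Report") ends our section
        m = ENTRY_RE.match(line)
        if not m:
            continue  # separator lines such as "."
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=size, attrs=m["attrs"], path=m["path"],
        ))
    return entries


def suspicious(entry: Entry) -> list[str]:
    """Reasons an entry deserves a second look; an empty list means nothing stood out."""
    reasons: list[str] = []
    if entry.size is None:
        return reasons  # new directories are not judged here
    p = PureWindowsPath(entry.path)
    # Installers put their files in subfolders; a loose executable in the Windows
    # root is exactly the pattern the helper in the thread picked out by eye.
    if p.parent == WINDIR:
        reasons.append("file dropped directly into the Windows directory")
    if p.suffix.lower() == ".msnfix":
        reasons.append("already renamed by MSNFix")
    return reasons


def triage(log: str) -> dict[str, list[str]]:
    """Map each flagged path to its reasons; identical sizes among flagged files are
    added as a corroborating signal (several copies of one dropper)."""
    entries = parse_files_created(log)
    flagged = {e.path: suspicious(e) for e in entries}
    sizes = Counter(e.size for e in entries if flagged[e.path] and e.size is not None)
    for e in entries:
        if flagged[e.path] and sizes[e.size] > 1:
            flagged[e.path].append(f"same size as {sizes[e.size] - 1} other flagged file(s)")
    return {path: reasons for path, reasons in flagged.items() if reasons}


def build_cfscript(paths: list[str]) -> str:
    """Render the File:: block that ComboFix reads from CFScript.txt, as in the thread."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for path, reasons in hits.items():
        print(f"{path}: {'; '.join(reasons)}")
    print(build_cfscript(list(hits)))
```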
gtfossum (author) Posted 10 June 2008
Here is the log from the second run of ComboFix with the script mentioned:
ComboFix 08-06-08.8 - 2008-06-10 13:38:48.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1130 [GMT 2:00] Running from: C:\Documents and Settings\Geir Fossum\Skrivebord\ComboFix.exe Command switches used :: C:\Documents and Settings\Geir Fossum\Skrivebord\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\WINDOWS\22ddds.exe C:\WINDOWS\22dds.exe C:\WINDOWS\2d12.exe C:\WINDOWS\2ddds.exe C:\WINDOWS\2dj12.exe C:\WINDOWS\ehSched.MSNFix C:\WINDOWS\winudpmgr.MSNFix . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\22ddds.exe C:\WINDOWS\22dds.exe C:\WINDOWS\2d12.exe C:\WINDOWS\2ddds.exe C:\WINDOWS\2dj12.exe C:\WINDOWS\ehSched.MSNFix C:\WINDOWS\winudpmgr.MSNFix . ((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 ))))))))))))))))))))))))))))))) . 2008-06-09 12:17 . 2008-06-09 12:17 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware 2008-06-09 12:17 . 2008-06-09 12:17 <DIR> d-------- C:\Documents and Settings\Geir Fossum\Programdata\Malwarebytes 2008-06-09 12:17 . 2008-06-09 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes 2008-06-09 12:17 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-06-09 12:17 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-06-01 22:45 . 2008-06-01 22:45 <DIR> d-------- C:\Programfiler\Apple Software Update 2008-06-01 22:45 . 2008-06-01 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Apple 2008-05-23 11:32 . 2008-05-23 11:32 <DIR> d-------- C:\Documents and Settings\Geir Fossum\Programdata\Uniblue . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-06-10 11:46 --------- d-----w C:\Documents and Settings\Geir Fossum\Programdata\Wave Systems Corp 2008-06-10 11:22 --------- d-----w C:\Documents and Settings\Geir Fossum\Programdata\Skype 2008-06-10 09:07 --------- d-----w C:\Documents and Settings\Geir Fossum\Programdata\ZoomBrowser EX 2008-06-09 16:28 --------- d-----w C:\Programfiler\BIBEL 2008-06-06 20:22 --------- d-----w C:\Documents and Settings\All Users\Programdata\ZoomBrowser 2008-05-21 21:05 --------- d-----w C:\Programfiler\Opera 2008-05-20 12:35 --------- d-----w C:\Documents and Settings\Geir Fossum\Programdata\U3 2008-05-20 12:12 --------- d--h--w C:\Programfiler\InstallShield Installation Information 2008-05-20 12:10 --------- d-----w C:\Programfiler\Hewlett-Packard 2008-05-15 10:27 --------- d-----w C:\Programfiler\BibleWorks 6 2008-05-14 17:30 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help 2008-05-02 16:47 --------- d-----w C:\Programfiler\vncviewer 2008-05-02 14:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys 2008-05-02 14:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys 2008-05-02 14:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys 2008-04-23 19:10 --------- d-----w C:\Documents and Settings\Geir Fossum\Programdata\Canon 2008-04-19 20:29 --------- d-----w C:\Programfiler\Orbiter 2008-04-18 17:06 --------- d-----w C:\Documents and Settings\All Users\Programdata\Office Genuine Advantage 2008-04-15 22:54 --------- d-----w C:\Programfiler\Java 2007-11-26 12:50 88 --sh--r C:\WINDOWS\system32\ECD69C91B4.sys . ((((((((((((((((((((((((((((( snapshot@2008-06-09_14.28.54.01 ))))))))))))))))))))))))))))))))))))))))) . 
- 2008-06-09 12:20:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-10 11:45:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat - 2008-06-09 09:20:31 148,083 ----a-w C:\WINDOWS\system32\nvModes.dat + 2008-06-10 08:58:34 148,083 ----a-w C:\WINDOWS\system32\nvModes.dat - 2008-06-09 08:40:19 72,486 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-06-10 11:50:14 72,036 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-06-09 08:40:19 89,712 ----a-w C:\WINDOWS\system32\perfc014.dat + 2008-06-10 11:50:15 89,208 ----a-w C:\WINDOWS\system32\perfc014.dat - 2008-06-09 08:40:19 444,862 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-06-10 11:50:14 444,220 ----a-w C:\WINDOWS\system32\perfh009.dat - 2008-06-09 08:40:19 468,448 ----a-w C:\WINDOWS\system32\perfh014.dat + 2008-06-10 11:50:15 467,602 ----a-w C:\WINDOWS\system32\perfh014.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184] "Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360] "Uniblue RegistryBooster 2"="C:\Programfiler\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Document Manager"="C:\Programfiler\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 08:32 102400] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-28 19:05 8429568] "nwiz"="nwiz.exe" [2007-04-28 19:05 1626112 C:\WINDOWS\system32\nwiz.exe] "NVHotkey"="nvHotkey.dll" [2007-04-28 19:05 67584 C:\WINDOWS\system32\nvhotkey.dll] "NvMediaCenter"="NvMCTray.dll" [2007-04-28 19:05 81920 C:\WINDOWS\system32\nvmctray.dll] "Apoint"="C:\Programfiler\Apoint\Apoint.exe" [2005-10-07 14:13 176128] 
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe] "IntelZeroConfig"="C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 16:32 823296] "IntelWireless"="C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 16:30 974848] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 110592 C:\WINDOWS\system32\bthprops.cpl] "ISUSPM Startup"="C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184] "ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920] "DVDLauncher"="C:\Programfiler\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [2001-11-16 21:23 135168] "MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2000-11-04 21:09 40960] "Corel Photo Downloader"="C:\Programfiler\Fellesfiler\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe" [ ] "Corel File Shell Monitor"="C:\Programfiler\Corel\Corel MediaOne\CorelIOMonitor.exe" [2007-12-01 18:38 38400] "UfSeAgnt.exe"="C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 01:56 1398024] "Dell QuickSet"="C:\Programfiler\Dell\QuickSet\Quickset.exe" [2007-05-14 14:23 1191936] "Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2008-03-24 10:28 185896] "QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-03-28 23:37 413696] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360] "Nokia.PCSync"="C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ Bluetooth Manager.lnk - C:\Programfiler\Toshiba\Bluetooth 
Toshiba Stack\TosBtMng.exe [2005-11-18 17:46:00 1724416] Digital Line Detect.lnk - C:\Programfiler\Digital Line Detect\DLG.exe [2007-09-21 13:58:59 24576] EMBASSY Trust Suite Secure Update.lnk - C:\Programfiler\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-08-25 09:45:30 192512] OUTLOOK.lnk - C:\Programfiler\Microsoft Office\Office12\OUTLOOK.EXE [2007-12-13 00:56:18 12829216] PC-s›k i Windows.lnk - C:\Programfiler\Windows Desktop Search\WindowsSearch.exe [2007-02-05 16:40:46 118784] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 16:39 294400] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=wxvault.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 wvauth [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= "C:\\Programfiler\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009 R0 PBADRV;PBADRV;C:\WINDOWS\system32\drivers\pbadrv.sys [2005-12-09 15:35] R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 10:46] R2 
ASFIPmon;Broadcom ASF IP Monitor;C:\Programfiler\Broadcom\ASFIPMon\AsfIpMon.exe [2005-10-18 17:11] R3 BCMTPM;BCMTPM;C:\WINDOWS\system32\DRIVERS\btpmw32.sys [2005-10-14 06:54] R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 14:01] R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2006-01-16 09:36] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d876242e-be8b-11dc-82b0-0015c5082970}] \Shell\AutoRun\command - E:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb157db2-bec7-11dc-82b6-0016414d2007}] \Shell\AutoRun\command - F:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder "2008-06-05 14:57:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Programfiler\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-10 13:46:30 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\pbadrvdll.dll -> C:\WINDOWS\system32\BioAPI100.dll -> C:\WINDOWS\system32\BIOAPI_MDS300.dll PROCESS: C:\WINDOWS\system32\lsass.exe -> C:\WINDOWS\system32\Tsp.dll -> C:\WINDOWS\system32\TspPopup_ENU.dll -> C:\WINDOWS\system32\BioAPI100.dll -> C:\WINDOWS\system32\BIOAPI_MDS300.dll PROCESS: C:\WINDOWS\Explorer.exe -> C:\WINDOWS\system32\nview.dll . ------------------------ Other Running Processes ------------------------ . 
C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\BRSS01A.EXE C:\WINDOWS\system32\scardsvr.exe C:\Programfiler\Wave Systems Corp\Common\DataServer.exe C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe C:\Programfiler\Dell\OpenManage\Client\Iap.exe C:\Programfiler\Dell\QuickSet\NicConfigSvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PSIService.exe C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe C:\Programfiler\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe C:\Programfiler\Intel\Wireless\Bin\WLKEEPER.exe C:\WINDOWS\system32\searchindexer.exe C:\Programfiler\Trend Micro\BM\TMBMSRV.exe C:\Programfiler\Canon\CAL\CALMAIN.exe C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\searchprotocolhost.exe C:\WINDOWS\system32\rundll32.exe C:\Programfiler\Apoint\hidfind.exe C:\Programfiler\Apoint\ApntEx.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Programfiler\Intel\Wireless\Bin\Dot1XCfg.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe C:\Programfiler\Skype\Plugin Manager\skypePM.exe C:\Programfiler\Windows Live\Messenger\usnsvc.exe C:\WINDOWS\system32\searchfilterhost.exe . ************************************************************************** . Completion time: 2008-06-10 13:54:02 - machine was rebooted [Geir Fossum] ComboFix-quarantined-files.txt 2008-06-10 11:53:51 ComboFix2.txt 2008-06-09 12:29:23 Pre-Run: 29,281,914,880 byte ledig Post-Run: 29,265,678,336 byte ledig 221 --- E O F --- 2008-05-16 22:10:56
norbat Posted 10 June 2008
Then I don't see any more infected files in that log. Is MSN running OK?
gtfossum (author) Posted 10 June 2008
norbat wrote: "Then I don't see any more infected files in that log. Is MSN running OK?"

I haven't actually had any problems with MSN at all, but I have had reports from others that they have received messages with suspicious content from me. I have a youtube.com file that looks similar, and a =nwl9NYvte3M-youtube.com file, lying on the hard drive. Can this simply be deleted without further cleanup in the registry? The same goes for the file: y0shi3.exe. Anyway, heartfelt thanks for the help! This was a pain to get rid of. Trend Micro Internet Security, I think, was fooled completely, even though I can see that at some point it stopped some of the activity.
norbat Posted 10 June 2008
Yes, you can delete these files, including y0shi3.exe. Could you say exactly where these files are located?
gtfossum (author) Posted 10 June 2008
norbat wrote: "Yes, you can delete these files, including y0shi3.exe. Could you say exactly where these files are located?"

The YouTube file is in: C:\Documents and Settings\Geir Fossum\Programdata\Opera\Opera\profile\cache4\temporary_download
y0shi3.exe is in: C:\Documents and Settings\Geir Fossum\Lokale innstillinger\Temporary Internet Files
snippsat Posted 10 June 2008
Download and run CCleaner. 'Options' -> 'Advanced'. Untick: "Only delete temporary files older than 48 hours". Run the registry cleaner and answer yes to repairing. Restart. Another round with CCleaner, and then it should be fine, I think. Say a bit about whether things are OK after this, then we'll uninstall ComboFix.
gtfossum (author) Posted 10 June 2008
snippsat wrote: "Download and run CCleaner. 'Options' -> 'Advanced'. Untick: "Only delete temporary files older than 48 hours". Run the registry cleaner and answer yes to repairing. Restart. Another round with CCleaner, and then it should be fine, I think. Say a bit about whether things are OK after this, then we'll uninstall ComboFix."

It's probably fine, and I'm happy to take advice from others, but I still get a bit unsure. So far I have had contact exclusively with norbat, so I'm wondering: is this a natural next step in the process here, or is it just good advice? I thought I was now done using software tools and could just delete the last two files. Cleaning up the registry does seem sensible. But what is CCleaner? What does the program actually do? Does it only delete superfluous registry entries, or does it actually repair the registry? Why is this particular program recommended over a pile of other registry cleanup programs? Many of these do no repair of the registry as far as I can tell; they just delete superfluous registry entries (useful, but not always what we want).
norbat Posted 10 June 2008
The main purpose of running CCleaner as Snippsat mentions is that the files you mention are in Opera's cache. CCleaner is a free program that removes such things (it does a better job than Windows' own Disk Cleanup). But whether one chooses to empty this some other way is of course up to each individual. We do, however, usually recommend this program for such things. And Snippsat knows his stuff, so you don't need to feel unsure.
gtfossum (author) Posted 10 June 2008
norbat wrote: "The main purpose of running CCleaner as Snippsat mentions is that the files you mention are in Opera's cache. CCleaner is a free program that removes such things (it does a better job than Windows' own Disk Cleanup). But whether one chooses to empty this some other way is of course up to each individual. We do, however, usually recommend this program for such things. And Snippsat knows his stuff, so you don't need to feel unsure."

Thanks! I didn't mean to call snippsat's competence into question, but I don't know the people in here and had the impression that this was a bit your project. I just wanted his or others' confirmation that there were sensible reasons to use CCleaner. Thanks for the help. I'll try to run CCleaner as soon as I get the chance.
norbat Posted 10 June 2008
When one of us is not present (not logged in), and/or when some time has passed since the thread starter posted a new message without getting a response, we allow ourselves to provide support in each other's threads.
gtfossum (author) Posted 11 June 2008
snippsat wrote: "Download and run CCleaner. 'Options' -> 'Advanced'. Untick: "Only delete temporary files older than 48 hours". Run the registry cleaner and answer yes to repairing. Restart. Another round with CCleaner, and then it should be fine, I think. Say a bit about whether things are OK after this, then we'll uninstall ComboFix."

I have now run CCleaner. Had to run the registry cleaner three or four times, but the machine seems to be working fine now. I haven't tested everything, though. CCleaner is one of the better free registry cleaners I have come across. Not too fancy, but with enough information to make intelligent decisions. I must admit I couldn't be bothered to go through well over 300 errors manually. Took the chance and repaired everything. It's easier to reinstall a program that turns out not to work afterwards. Also removed all temporary files, including the suspicious ones. There is also the option of managing the startup routine. Positively impressed so far. Is it also recommended to use CCleaner's uninstaller rather than Windows' own uninstaller?