perpetrus382 Posted 3 August 2008 (edited)

I have now followed norbat's guide and ended up with the following logs:

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:06, on 03.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programfiler\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programfiler\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programfiler\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programfiler\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Programfiler\F-Secure\Common\FSMA32.EXE
C:\Programfiler\F-Secure\Common\FSMB32.EXE
c:\apache\APACHE.EXE
C:\Programfiler\F-Secure\Anti-Virus\fssm32.exe
C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
C:\Programfiler\F-Secure\Common\FCH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\apache\APACHE.EXE
C:\Programfiler\F-Secure\Common\FAMEH32.EXE
C:\Programfiler\F-Secure\Anti-Virus\fsqh.exe
C:\Programfiler\F-Secure\Anti-Virus\fsrw.exe
C:\Programfiler\F-Secure\Common\FNRB32.EXE
C:\Programfiler\F-Secure\Common\FIH32.EXE
C:\Programfiler\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programfiler\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programfiler\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programfiler\F-Secure\Anti-Virus\fsav32.exe
C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programfiler\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Rainlendar2\Rainlendar2.exe
C:\Programfiler\F-Secure\FSGUI\fsguidll.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\Opera\opera.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kim André Sagberg\Skrivebord\Ny mappe\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvonpc.dk/startside343454.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/5meen_us/107?Plcid=0414&a...amp;Version=8.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;gopher=localhost:8080;http=localhost:8080;https=localhost:8080;socks=lo alhost:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fronter.com;;*.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programfiler\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Programfiler\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programfiler\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programfiler\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Programfiler\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programfiler\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Block this popup - C:\Programfiler\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programfiler\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programfiler\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {18226BF8-DC0B-4D81-80E9-A41AE37BB73A} (EWA Control) - http://download.pplive.com/webinstall/install.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} - http://www.coolstreaming.us/consolle/plug-in/tvants.cab
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvlution.com/KooPlayer.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://webcam1.ttu.ee/activex/AMC.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediazone.com/player/1.0.0.64/MZPlayer.CAB
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://128.230.208.134/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D798997-E487-48BE-B99D-FC90D8FB6178}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD4DA6AB-00C6-4BB1-ACDF-3A8E3C36C6B6}: NameServer = 10.0.0.4
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programfiler\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programfiler\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FNRB32.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programfiler\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programfiler\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Programfiler\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe
O24 - Desktop Component 0: (no name) - http://www.sexymalecelebs.co.uk/Galeries/d...a/23/sg21_2.jpg
O24 - Desktop Component 1: (no name) - http://www.blakemason.com/imgs/table2/topLeft.gif

--
End of file - 12345 bytes

SAS

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/03/2008 at 11:04 AM

Application Version : 4.15.1000

Core Rules Database Version : 3524
Trace Rules Database Version: 1514

Scan type : Quick Scan
Total Scan Time : 00:20:03

Memory items scanned : 559
Memory threats detected : 0
Registry items scanned : 458
Registry threats detected : 10
File items scanned : 9991
File threats detected : 4

Adware.ContextHelper
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}
HKCR\CLSID\{0D39A900-0F3A-4C29-A254-3E65244FDC34}
HKCR\CLSID\{0D39A900-0F3A-4C29-A254-3E65244FDC34}
HKCR\CLSID\{0D39A900-0F3A-4C29-A254-3E65244FDC34}#AppID
HKCR\CLSID\{0D39A900-0F3A-4C29-A254-3E65244FDC34}\InprocServer32
HKCR\CLSID\{0D39A900-0F3A-4C29-A254-3E65244FDC34}\InprocServer32#ThreadingModel
HKCR\CLSID\{0D39A900-0F3A-4C29-A254-3E65244FDC34}\ProgID
HKCR\CLSID\{0D39A900-0F3A-4C29-A254-3E65244FDC34}\Programmable
HKCR\CLSID\{0D39A900-0F3A-4C29-A254-3E65244FDC34}\TypeLib
HKCR\CLSID\{0D39A900-0F3A-4C29-A254-3E65244FDC34}\VersionIndependentProgID
C:\PROGRAMFILER\CONTEXTTOOL\CONTEXTTOOL-2.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Gjest\Cookies\[email protected][1].txt
C:\Documents and Settings\Gjest\Cookies\[email protected][2].txt

Trojan.NewDotNet
C:\WINDOWS\NDNUNINSTALL6_38.EXE

ComboFix

ComboFix 08-08-01.05 - Kim André Sagberg 2008-08-03 11:09:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.329 [GMT 2:00]
Running from: C:\Documents and Settings\Kim André Sagberg\Skrivebord\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator.SAGBERG.000\Lokale innstillinger\Programdata\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Administrator.SAGBERG.001\Lokale innstillinger\Programdata\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Administrator.SAGBERG.002\Lokale innstillinger\Programdata\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Administrator.SAGBERG.003\Lokale innstillinger\Programdata\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Administrator.SAGBERG\Lokale innstillinger\Programdata\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Administrator\Lokale innstillinger\Programdata\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Default User\Lokale innstillinger\Programdata\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Gjest\Lokale innstillinger\Programdata\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Programfiler\ContextTool
C:\Programfiler\ContextTool\ContextHelper.dat
C:\Programfiler\ContextTool\pcre3.dll
C:\Programfiler\ContextTool\uninstall.exe
C:\Programfiler\uusee
C:\Programfiler\uusee\rmsp011.ax
C:\Programfiler\uusee\UFDeMux.ax
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\server.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-08-03 10:36 . 2008-08-03 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-08-03 10:35 . 2008-08-03 10:35 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-08-03 10:35 . 2008-08-03 10:35 <DIR> d-------- C:\Documents and Settings\Kim André Sagberg\Programdata\SUPERAntiSpyware.com
2008-08-03 10:31 . 2008-08-03 10:31 <DIR> d-------- C:\Programfiler\CCleaner
2008-07-11 19:13 . 2008-07-11 19:13 <DIR> d-------- C:\Programfiler\Vstplugins
2008-07-10 00:00 . 2000-05-21 23:00 140,488 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-07-09 20:02 . 2008-07-09 20:02 <DIR> d-------- C:\Programfiler\MSXML 6.0
2008-07-08 23:30 . 2008-07-08 23:30 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-08 23:29 . 2008-07-08 23:29 <DIR> d-------- C:\Programfiler\Reference Assemblies
2008-07-08 23:28 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-07-08 17:46 . 2008-07-10 00:00 <DIR> d-------- C:\Programfiler\Alarm
2008-07-08 17:46 . 2007-04-29 23:24 61,440 --a------ C:\WINDOWS\system32\digitbox.ocx
2008-07-08 17:37 . 2008-07-08 17:37 <DIR> d-------- C:\Programfiler\Rainlendar2
2008-07-08 17:37 . 2008-08-03 06:51 <DIR> d-------- C:\Documents and Settings\Kim André Sagberg\.rainlendar2
2008-07-08 17:37 . 2008-08-03 06:51 <DIR> d-------- C:\Documents and Settings\Kim André Sagberg\.rainlendar2
2008-07-08 17:27 . 2008-07-08 17:27 <DIR> d-------- C:\Programfiler\Stardock
2008-07-08 17:27 . 2008-07-08 17:27 <DIR> d-------- C:\Programfiler\Fellesfiler\Stardock
2008-07-08 17:27 . 2008-07-08 17:31 163,712 --a------ C:\WINDOWS\system32\drivers\vidstub.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 08:35 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-08-03 08:29 --------- d-----w C:\Programfiler\Project64 1.6
2008-08-03 08:28 --------- d-----w C:\Documents and Settings\Kim André Sagberg\Programdata\Dev-Cpp
2008-08-03 08:27 --------- d-----w C:\Documents and Settings\Kim André Sagberg\Programdata\Lavasoft
2008-08-03 08:26 --------- d-----w C:\Documents and Settings\Kim André Sagberg\Programdata\FrostWire
2008-08-01 22:12 --------- d-----w C:\Documents and Settings\Kim André Sagberg\Programdata\uTorrent
2008-07-25 18:09 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help
2008-07-23 20:07 --------- d-----w C:\Programfiler\FrostWire
2008-07-20 12:15 --------- d-----w C:\Programfiler\PartyGaming
2008-07-11 17:28 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP
2008-07-11 17:18 --------- d-----w C:\Documents and Settings\Kim André Sagberg\Programdata\Sony
2008-07-11 17:12 --------- d-----w C:\Documents and Settings\All Users\Programdata\Sony
2008-07-11 17:11 --------- d-----w C:\Programfiler\Sony
2008-07-08 21:32 --------- d-----w C:\Programfiler\MSBuild
2008-07-08 21:03 --------- d-----w C:\Documents and Settings\Kim André Sagberg\Programdata\Sony Setup
2008-07-08 21:02 --------- d-----w C:\Programfiler\Sony Setup
2008-07-08 16:51 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-06-21 17:30 935,816 ----a-w C:\WINDOWS\system32\Steven Gerrard.scr
2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 21:57 --------- d-----w C:\Programfiler\Opera
2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 16:57 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-09 16:57 --------- d--h--r C:\Documents and Settings\Kim André Sagberg\Programdata\SecuROM
2008-06-06 09:53 --------- d-----w C:\Documents and Settings\Kim André Sagberg\Programdata\Audacity
2008-06-03 07:05 --------- d-----w C:\Programfiler\Synaptics
2008-05-07 05:16 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll
2007-03-27 18:05 88 --sh--r C:\WINDOWS\system32\8B2EF21846.sys
2007-03-27 18:05 2,828 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"Rainlendar2"="C:\Programfiler\Rainlendar2\Rainlendar2.exe" [2007-12-30 12:23 1365504]
"msnmsgr"="C:\Programfiler\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="C:\Programfiler\TOSHIBA\Tvs\TvsTray.exe" [2005-11-30 13:25 73728]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 06:20 122940]
"IntelZeroConfig"="C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 13:37 667718]
"IntelWireless"="C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 12:41 602182]
"F-Secure Manager"="C:\Programfiler\F-Secure\Common\FSM32.EXE" [2005-06-03 00:37 122929]
"F-Secure TNB"="C:\Programfiler\F-Secure\TNB\TNBUtil.exe" [2004-05-27 10:57 684032]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32 221184]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2007-02-08 18:21 185896]
"GrooveMonitor"="C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-10 00:49 15691264 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 15:29 88203 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-08-04 11:45 266240 C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
F-Secure Automatic Update.lnk - C:\Programfiler\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2007-01-12 11:28:33 32807]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Hurtigstart for Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Hurtigstart for Adobe Reader.lnk
backup=C:\WINDOWS\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 14:44 196608 C:\Programfiler\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 15:24 458752 C:\Programfiler\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 15:14 217088 C:\Programfiler\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 13:54 5674352 C:\Programfiler\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-08 18:16 155648 C:\Programfiler\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-05-12 14:39 118784 C:\Programfiler\Toshiba\TOSHIBA zoom\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 05:25 144784 C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-10-15 00:26 688218 C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-10-15 00:28 98394 C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
--a------ 2006-01-05 15:02 352256 C:\Programfiler\Toshiba\TOSHIBA Applet\THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-02-08 18:21 185896 C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]
--a------ 2005-09-16 15:16 73728 C:\WINDOWS\system32\TDispVol.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\uTorrent\\utorrent.exe"=
"C:\\Programfiler\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"=
"C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=
"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"C:\\Programfiler\\FrostWire\\FrostWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2705:TCP"= 2705:TCP:IntelliAdmin_Net

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-06-21 17:32]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2007-01-12 11:28]
R2 F-Secure Filter;F-Secure File System Filter;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 17:14]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-02-16 17:49]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSrec.sys [2004-12-17 11:34]
R2 PHPGeekUtil;PHPGeekUtil;c:\apache\APACHE.EXE [2002-01-25 06:30]
S3 Camdrv30;Philips ToUcam XS;C:\WINDOWS\system32\Drivers\camdrv30.sys [2001-08-17 23:04]
S3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 06:01]
S3 wampapache;wampapache;c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe [2007-09-05 09:59]
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe wampmysqld []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{514569c6-a3c8-11dc-af78-00a0d155dfc8}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58a8ad66-8554-11dc-af73-00a0d155dfc8}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-BitTorrent DNA - C:\Programfiler\DNA\btdna.exe
MSConfigStartUp-StatBar - C:\Programfiler\Globe Software\StatBar\StatBar.exe
MSConfigStartUp-Steam - c:\programfiler\steam\steam.exe
MSConfigStartUp-WhenUSave - C:\Programfiler\Save\Save.exe
MSConfigStartUp-TFncKy - TFncKy.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kim André Sagberg\Programdata\Mozilla\Firefox\Profiles\qfi0hzzb.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.vg.no/

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 11:15:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-08-03 11:17:56
ComboFix-quarantined-files.txt 2008-08-03 09:16:51

Pre-Run: 16,061,075,456 byte ledig
Post-Run: 16,104,321,024 byte ledig

204 --- E O F --- 2008-07-25 18:09:59

Anyone kind out there who wants to help?

Edited 3 August 2008 by sagberg
norbat Posted 3 August 2008

The logs show nothing in particular. What makes you suspect malware?
perpetrus382 (Author) Posted 3 August 2008

It was more that I wanted to be sure I didn't have anything. Thanks for a good guide and for looking through this!
norbat Posted 3 August 2008

The little that was there was removed by SAS. You can remove ComboFix by typing combofix /u in the Run field (Start -> Run). Surf safely.