Sliter med popups/trojaner. Hjt, combofix og sas-logger.

Erlendig · 17. august 2008

Her er mine logger:

SAS:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 08/17/2008 at 04:56 PM

Application Version : 4.15.1000

Core Rules Database Version : 3538

Trace Rules Database Version: 1527

Scan type : Quick Scan

Total Scan Time : 00:07:16

Memory items scanned : 674

Memory threats detected : 6

Registry items scanned : 481

Registry threats detected : 10

File items scanned : 8245

File threats detected : 21

Trojan.Unclassified/C00-WL

C:\WINDOWS\SYSTEM32\__C0039326.DAT

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\__c0039326

C:\WINDOWS\SYSTEM32\__C00392AE.DAT

C:\WINDOWS\SYSTEM32\__C00F206E.DAT

Trojan.Vundo-Variant/Small-GEN

C:\WINDOWS\SYSTEM32\MLJYQIYQ.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{E1BC7B00-0978-4DD4-8F0F-753E2D7FDFC6}

HKCR\CLSID\{E1BC7B00-0978-4DD4-8F0F-753E2D7FDFC6}

HKCR\CLSID\{E1BC7B00-0978-4DD4-8F0F-753E2D7FDFC6}\InprocServer32

HKCR\CLSID\{E1BC7B00-0978-4DD4-8F0F-753E2D7FDFC6}\InprocServer32#ThreadingModel

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mlJYQIYQ

NotHarmful.Sysinternals Bluescreen Screen Saver

C:\WINDOWS\SYSTEM32\BLPHCJTKJ0EC2A.SCR

C:\WINDOWS\Prefetch\BLPHCJTKJ0EC2A.SCR-00C115BB.pf

Rogue.AntiSpyware 2008 XP

C:\DOCUMENTS AND SETTINGS\ALL USERS\PROGRAMDATA\SECURE SOLUTIONS\ANTISPYWARE 2008 XP\AS2008XP.EXE

[s9201] C:\DOCUMENTS AND SETTINGS\ALL USERS\PROGRAMDATA\SECURE SOLUTIONS\ANTISPYWARE 2008 XP\AS2008XP.EXE

Rogue.AntiVirus XP 2008

C:\PROGRAMFILER\RHCNTKJ0EC2A\RHCNTKJ0EC2A.EXE

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\License Agreement.lnk

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\Uninstall.lnk

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Skrivebord\Antivirus XP 2008.lnk

Rogue.MalwareProtector/Variant

C:\WINDOWS\SYSTEM32\PPHCJTKJ0EC2A.EXE

Trojan.Dropper/WinCtrl32

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winpsa32

C:\WINDOWS\SYSTEM32\WINPSA32.DLL

Adware.Vundo Variant/Rel

HKLM\SOFTWARE\Microsoft\FCOVM

HKLM\SOFTWARE\Microsoft\RemoveRP

Adware.Tracking Cookie

.statcounter.com [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

.tribalfusion.com [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

.adtech.de [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

.adrenaline.cz [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

.click-fr.com [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

.countomat.com [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

.empornium.us [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

.imrworldwide.com [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

.kanoodle.com [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

.toplist.cz [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

.webcount.finn.no [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

.www.sextorrents.com [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

.xiti.com [ C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\cookies.txt ]

Trojan.Downloader-Gen/MROFIN

C:\WINDOWS\MROFINU1535.EXE

Trojan.Vundo-Variant/Small

C:\WINDOWS\SYSTEM32\XXYWXOMF.DLL

Trojan.Unclassified/C00-Installer

C:\WINDOWS\SYSTEM32\~.EXE

HJT:

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Java\jre1.5.0_11\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe

C:\Programfiler\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe

C:\Programfiler\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programfiler\NetCom pcSMS Selvstendig\eSMS Executive Windows.exe

C:\Programfiler\Firebird\Firebird_1_5\bin\fbguard.exe

C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe

C:\Programfiler\Dell Network Assistant\hnm_svc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Programfiler\iTunes\iTunesHelper.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Programfiler\DAEMON Tools\daemon.exe

C:\WINDOWS\system32\ctfmon.exe

c:\programfiler\fellesfiler\mcafee\mna\mcnasvc.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Programfiler\McAfee\MSK\MskSrver.exe

C:\Programfiler\Dell Network Assistant\ezi_hnm2.exe

C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Firebird\Firebird_1_5\bin\fbserver.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Programfiler\Java\jre1.5.0_11\bin\jucheck.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = fotballmagasinet.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.no/ig/dell?hl=no&client=dell-row&channel=no&ibd=5061220

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [DMXLauncher] C:\Programfiler\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Programfiler\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

O4 - HKLM\..\Run: [NetCom pcSMS Selvstendig] "C:\Programfiler\NetCom pcSMS Selvstendig\eSMS Executive Windows.exe" NoDefault

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent

O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: Dell Network Assistant.lnk = ?

O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Download all links using BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Download link using &BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?a7307bff617d405d94242f3969307e7b

O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?a7307bff617d405d94242f3969307e7b

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\programfiler\mcafee\spamkiller\mcapfbho.dll (file missing)

O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\programfiler\mcafee\spamkiller\mcapfbho.dll (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...359/mcfscan.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL

O20 - AppInit_DLLs: vtvyoo.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\FELLES~1\McAfee\EmProxy\emproxy.exe

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Programfiler\Firebird\Firebird_1_5\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Programfiler\Firebird\Firebird_1_5\bin\fbserver.exe

O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Programfiler\Dell Network Assistant\hnm_svc.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Programfiler\Fellesfiler\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\programfiler\fellesfiler\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\FELLES~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\FELLES~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Programfiler\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - Unknown owner - C:\PROGRA~1\McAfee\MPS\mps.exe (file missing)

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Programfiler\McAfee\MSK\MskSrver.exe

Combofix:

C:\Documents and Settings\All Users\Programdata\Secure Solutions

C:\Documents and Settings\All Users\Programdata\Secure Solutions\Antispyware 2008 XP\LOG\20080817152657984.log

C:\Documents and Settings\Erlendig\Programdata\rhcntkj0ec2a

C:\Documents and Settings\LocalService\Programdata\Microsoft\SystemCertificates\My

C:\Documents and Settings\NetworkService\Programdata\Microsoft\SystemCertificates\My

C:\Programfiler\rhcntkj0ec2a

C:\WINDOWS\Downloaded Program Files\setup.inf

C:\WINDOWS\system32\__c001E161.dat

C:\WINDOWS\system32\blphcjtkj0ec2a.scr

C:\WINDOWS\system32\eawqpiar.ini

C:\WINDOWS\system32\lphcjtkj0ec2a.exe

C:\WINDOWS\system32\phcjtkj0ec2a.bmp

C:\WINDOWS\system32\raipqwae.dll

C:\WINDOWS\system32\ssqQkJcy.dll

C:\WINDOWS\system32\vtvyoo.dll

C:\WINDOWS\system32\xmehtndn.dll

C:\WINDOWS\system32\ycJkQqss.ini

C:\WINDOWS\system32\ycJkQqss.ini2

C:\xcrashdump.dat

.

((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))

.

2008-08-17 16:59 . 2008-08-17 16:59 <DIR> dr-h----- C:\Documents and Settings\Erlendig\Siste

2008-08-17 16:42 . 2008-08-17 16:42 <DIR> d-------- C:\Programfiler\Enigma Software Group

2008-08-17 16:40 . 2008-08-17 16:40 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-08-17 16:40 . 2008-08-17 16:40 <DIR> d-------- C:\Documents and Settings\Erlendig\Programdata\SUPERAntiSpyware.com

2008-08-17 16:40 . 2008-08-17 16:40 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-08-17 16:34 . 2008-08-17 16:34 <DIR> d-------- C:\Programfiler\CCleaner

2008-08-17 16:22 . 2008-08-17 16:22 <DIR> d-------- C:\WINDOWS\system32\Adobe

2008-08-17 15:41 . 2008-08-17 15:41 <DIR> d-------- C:\Programfiler\Spybot - Search & Destroy

2008-08-17 15:41 . 2008-08-17 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-08-17 15:26 . 2008-08-17 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\services

2008-08-17 15:09 . 2008-08-17 15:09 <DIR> d-------- C:\Documents and Settings\Erlendig\Programdata\Uniblue

2008-08-17 14:56 . 2008-08-17 15:04 <DIR> d-------- C:\Programfiler\Security Task Manager

2008-08-17 14:56 . 2008-08-17 15:09 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SecTaskMan

2008-08-15 22:08 . 2008-08-16 09:20 <DIR> d-------- C:\Documents and Settings\Erlendig\.housecall6.6

2008-08-14 22:16 . 2008-08-14 22:16 <DIR> d-------- C:\Programfiler\Lavasoft

2008-08-14 22:16 . 2008-08-14 22:17 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft

2008-08-13 20:28 . 2008-08-13 20:28 <DIR> d-------- C:\WINDOWS\McAfee.com

2008-08-13 01:43 . 2008-05-01 16:34 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

2008-08-04 23:39 . 2008-08-04 23:39 268 --ah----- C:\sqmdata07.sqm

2008-08-04 23:39 . 2008-08-04 23:39 244 --ah----- C:\sqmnoopt07.sqm

2008-08-01 00:31 . 2008-08-01 00:31 268 --ah----- C:\sqmdata06.sqm

2008-08-01 00:31 . 2008-08-01 00:31 244 --ah----- C:\sqmnoopt06.sqm

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-17 16:16 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP

2008-08-17 16:15 --------- d-----w C:\Programfiler\Steam

2008-08-17 14:59 --------- d-----w C:\Programfiler\Google

2008-08-17 14:40 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-08-17 14:25 --------- d-----w C:\Documents and Settings\Erlendig\Programdata\ShredderChess

2008-08-17 14:23 --------- d-----w C:\Programfiler\Skype

2008-08-17 14:22 --------- d-----w C:\Documents and Settings\Erlendig\Programdata\Skype

2008-08-17 14:16 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-08-15 21:21 --------- d-----w C:\Programfiler\DAEMON Tools

2008-08-13 01:02 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help

2008-08-07 16:14 --------- d-----w C:\Documents and Settings\Erlendig\Programdata\Corel

2008-08-01 17:57 --------- d-----w C:\Documents and Settings\Erlendig\Programdata\dvdcss

2008-07-11 18:51 --------- d-----w C:\Documents and Settings\Erlendig\Programdata\AdobeUM

2008-07-05 07:24 --------- d-----w C:\Programfiler\PokerStars

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-02-24 18:50 22,328 ----a-w C:\Documents and Settings\Erlendig\Programdata\PnkBstrK.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54 5674352]

"DAEMON Tools"="C:\Programfiler\DAEMON Tools\daemon.exe" [2006-11-12 12:48 157592]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

"Steam"="c:\programfiler\steam\steam.exe" [2008-04-03 17:53 1271032]

"updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23 75520]

"ATICCC"="C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 19:41 45056]

"DMXLauncher"="C:\Programfiler\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 05:12 94208]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 07:20 122940]

"ISUSPM Startup"="C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50 221184]

"ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50 81920]

"Corel Photo Downloader"="C:\Programfiler\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 16:20 462336]

"NetCom pcSMS Selvstendig"="C:\Programfiler\NetCom pcSMS Selvstendig\eSMS Executive Windows.exe" [2005-03-10 11:27 892928]

"GrooveMonitor"="C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 12:00 282624 C:\WINDOWS\stsystra.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=vtvyoo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\Programfiler\\Dell Network Assistant\\ezi_hnm2.exe"=

"C:\\Programfiler\\Fellesfiler\\McAfee\\MNA\\McNASvc.exe"=

"C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Sports Interactive\\Football Manager 2008\\fm.exe"=

"C:\\Programfiler\\iTunes\\iTunes.exe"=

"C:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"17573:TCP"= 17573:TCP:BitComet 17573 TCP

"17573:UDP"= 17573:UDP:BitComet 17573 UDP

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

R3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [2007-10-31 15:09]

S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Programfiler\Firebird\Firebird_1_5\bin\fbguard.exe [2004-12-13 02:05]

S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Programfiler\Firebird\Firebird_1_5\bin\fbserver.exe [2004-12-13 02:05]

.

Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-14 C:\WINDOWS\Tasks\McDefragTask.job

- c:\programfiler\mcafee\mqc\QcConsol.exe []

2008-07-31 C:\WINDOWS\Tasks\McQcTask.job

- c:\programfiler\mcafee\mqc\QcConsol.exe []

2008-08-17 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job

- C:\Programfiler\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

.

- - - - ORPHANS REMOVED - - - -

BHO-{6901632D-2FB1-4476-AA71-6C99DA68B2B6} - (no file)

BHO-{9C1DC8A0-656F-491E-AAA3-6688143D65F1} - C:\WINDOWS\system32\ssqQkJcy.dll

BHO-{c1049b76-9103-4626-bd4b-b8b5b296ef38} - (no file)

HKCU-Run-Uniblue RegistryBooster 2 - C:\Programfiler\Uniblue\RegistryBooster 2\RegistryBooster.exe

HKLM-Run-VSOCheckTask - C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

HKLM-Run-OASClnt - C:\Programfiler\McAfee.com\VSO\oasclnt.exe

HKLM-Run-MSKDetectorExe - C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe

HKLM-Run-MSKAGENTEXE - C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

HKLM-Run-VirusScan Online - C:\Programfiler\McAfee.com\VSO\mcvsshld.exe

HKLM-Run-MPFExe - C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

HKLM-Run-lphcjtkj0ec2a - C:\WINDOWS\system32\lphcjtkj0ec2a.exe

HKLM-Run-1416a767 - C:\WINDOWS\system32\raipqwae.dll

HKLM-Run-SMrhcntkj0ec2a - C:\Programfiler\rhcntkj0ec2a\rhcntkj0ec2a.exe

Notify-1416a7c8382 - C:\WINDOWS\system32\__c001E161.dat

Notify-mlJYQIYQ - (no file)

Notify-winpsa32 - (no file)

Notify-__c0039326 - (no file)

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Erlendig\Programdata\Mozilla\Firefox\Profiles\k37qav18.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://fotballmagasinet.no/

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-17 18:15:50

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programfiler\Dell Network Assistant\hnm_svc.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Programfiler\Fellesfiler\McAfee\MNA\McNASvc.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe

C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Programfiler\McAfee\MSK\msksrver.exe

C:\Programfiler\Dell Network Assistant\ezi_hnm2.exe

C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wscntfy.exe

Kan også legge til at jeg avsluttet MpfSrv.exe for å i det heletatt kunne ordne loggene. Ønsker ikke å ha McAfee lengre.

norbat · 17. august 2008

V

Hvis du ikke ønsker å ha mcafee, avinstaller det via legg til / fjern programmer

Før vi gjør noe manuelt, fortsetter du med følgende:

Last ned Malwarebytes Anti-Malware til skrivebordet.

Kjør og installer programmet. Velg Norsk-språk

La programmet oppdatere seg og velg å kjør en 'hurtig systemscan', klikk Skann.

Det kommer en meldingsboks om at scannen er ferdig, klikk Ok

Klikk på 'Vis resultat'-knappen.Hvis det er funnet malware, vil du nå se hva som er funnet.

Klikk så på Fjern valgte -knappen for å fjerne malwaren som evt. ble funnet.

Det vil deretter åpnes en logg i notisblokk. Den kopiere du og poster sammen med ny hjt-logg.

Endret 19. august 2008 av norbat

Erlendig · 17. august 2008

McAfee ligger ikke under legg til/fjern programmer, men alle programmene kjører jo likevel... Har ikke prøvd å slette det tidligere. Jeg har i tillegg deaktivert MpfSrv.exe etter at jeg startet pcen, da jeg ikke får gjort noen ting med den aktiv.

Mbam logg:

Klikk for å se/fjerne spoilerteksten nedenfor

Malwarebytes' Anti-Malware 1.24

Database versjon: 1061

Windows 5.1.2600 Service Pack 2

19:59:46 17.08.2008

mbam-log-8-17-2008 (19-59-46).txt

Skanntype: Rask Skann

Objekter skannet: 40012

Tid tilbakelagt: 3 minute(s), 0 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 2

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 1

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcntkj0ec2a (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\rhcntkj0ec2a (Rogue.Multiple) -> Quarantined and deleted successfully.

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

Mapper infisert:

(Ingen mistenkelige filer funnet)

Filer infisert:

C:\Documents and Settings\Erlendig\Programdata\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Ny HJT:

Klikk for å se/fjerne spoilerteksten nedenfor

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:00:19, on 17.08.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Java\jre1.5.0_11\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe

C:\Programfiler\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe

C:\Programfiler\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programfiler\NetCom pcSMS Selvstendig\eSMS Executive Windows.exe

C:\Programfiler\Firebird\Firebird_1_5\bin\fbguard.exe

C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe

C:\Programfiler\Dell Network Assistant\hnm_svc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Programfiler\iTunes\iTunesHelper.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Programfiler\DAEMON Tools\daemon.exe

C:\WINDOWS\system32\ctfmon.exe

c:\programfiler\fellesfiler\mcafee\mna\mcnasvc.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Programfiler\McAfee\MSK\MskSrver.exe

C:\Programfiler\Dell Network Assistant\ezi_hnm2.exe

C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Firebird\Firebird_1_5\bin\fbserver.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Programfiler\Java\jre1.5.0_11\bin\jucheck.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE