Sjekk av HJT logg

inigomontoya · 25. august 2008

Fullstendig oppdatert F-Secure scanner rent når maskinen ikke er koblet til nettet, men kobles maskinen til så finner den etter kort tid a0044399.exe a0044337.dll a0044336.exe osv. Får fjernet disse, men de kommer tilbake.

HJT-logg

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:11:07, on 25.08.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\NextGenTel Internet Security\Anti-Virus\fsgk32st.exe

C:\Programfiler\NextGenTel Internet Security\Common\FSMA32.EXE

C:\Programfiler\NextGenTel Internet Security\Anti-Virus\FSGK32.EXE

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\NextGenTel Internet Security\Common\FSMB32.EXE

C:\Programfiler\NextGenTel Internet Security\Common\FCH32.EXE

C:\Programfiler\NextGenTel Internet Security\Anti-Virus\fssm32.exe

C:\Programfiler\NextGenTel Internet Security\Common\FAMEH32.EXE

C:\Programfiler\NextGenTel Internet Security\FSAUA\program\fsaua.exe

C:\Programfiler\NextGenTel Internet Security\Anti-Virus\fsqh.exe

C:\Programfiler\NextGenTel Internet Security\FSPC\fspc.exe

C:\Programfiler\NextGenTel Internet Security\FWES\Program\fsdfwd.exe

C:\Programfiler\NextGenTel Internet Security\FSAUA\program\fsus.exe

C:\Programfiler\NextGenTel Internet Security\Anti-Virus\fsav32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\drivers\Icon.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

C:\Programfiler\QuickTime\qttask.exe

C:\Programfiler\NextGenTel Internet Security\Common\FSM32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Programfiler\Belkin\F5D8051v2\Belkinwcui.exe

C:\Programfiler\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

C:\Programfiler\NextGenTel Internet Security\FSGUI\fsguidll.exe

C:\Programfiler\Belkin\F5D8051v2\chkdev.exe

C:\Programfiler\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

C:\Programfiler\Opera\opera.exe

C:\DOCUME~1\LENAH~1.OLS\LOKALE~1\Temp\RarSFX2\TechinlineLauncherClient\App\firefox\firefox.exe

C:\DOCUME~1\LENAH~1.OLS\LOKALE~1\Temp\RarSFX2\TechinlineLauncherClient\Data\plugins\TiClientCore.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Programfiler\Outlook Express\msimn.exe"

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {300CF5C9-F02D-4CB8-ABED-9C229DA56825} - C:\Programfiler\Applications\iebt.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programfiler\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll

O3 - Toolbar: Internet Service - {254B87BB-510D-41FA-A887-52C5FA9BE585} - C:\Programfiler\Applications\iebr.dll (file missing)

O4 - HKLM\..\Run: [icon] C:\WINDOWS\system32\drivers\Icon.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programfiler\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programfiler\NextGenTel Internet Security\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programfiler\NextGenTel Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Programfiler\Applications\wcs.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?

O4 - Global Startup: Picture Package Menu.lnk = C:\Programfiler\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Programfiler\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: Sperre... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\NextGenTel Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programfiler\NextGenTel Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: Sperre... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programfiler\NextGenTel Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.euchannels.net/update/KooPlayer.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104860187441

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Programfiler\NextGenTel Internet Security\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Programfiler\NextGenTel Internet Security\FSAUA\program\fsaua.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programfiler\NextGenTel Internet Security\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programfiler\NextGenTel Internet Security\Common\FSMA32.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--

End of file - 9109 bytes

r2d290 · 25. august 2008

Først: Last ned Malwarebytes' Anti-Malware Her eller Her.''' Lagre den på Skrivebordet.

Kjør fila og installer programmet. Velg Norsk språkdrakt.

[*]Sett en hake ved siden av Oppdater Malwarebytes' Anti-Malware og Kjør Malwarebytes' Anti-Malware, og trykk Ferdig.

La programmet oppdatere seg og velg Utfør hurtig systemskann.

Du får en meldingsboks når programmet er ferdigkjørt

Klikk deretter på Vis resultat-knappen. Hvis det er funnet malware, vil du nå se hva som er funnet.

Klikk så på Fjern valgt -knappen for å fjerne malwaren som evt. ble funnet.

Notis:

Hvis MBAM finner en fil som er vanskelig å fjerne, vil du bli spurt om to spørsmål.

Trykk OK på begge, og la MBAM gjøre seg ferdig med desinfeksjonen.

Hvis du blir spurt om å restarte maskinen, gjør du det med en gang.

Når MBAM er ferdig med å fjerne det den har funnet, vil det bli åpnet en logg i notisblokk. Den poster du senere om den fant noe annet enn cookies

Last ned Combofix (av sUBs), og legg det på Skrivebordet.

Kjør combofix.exe, og følg veiledningen. Du får et spørsmål om at "Roughly 1/100 machines failed to make it through the disinfection process!! Are you sure you want to do this??" - Svar Yes

Du må ikke klikke på vinduet mens programmet kjører. Dette kan føre til at programmet fryser.

Post loggfilen fra Combofix (c:\combofix.txt) sammen med en ny HijackThis-logg, og MBAM-loggen.

Endret 25. august 2008 av r2d290

inigomontoya · 25. august 2008

MAM:

Malwarebytes' Anti-Malware 1.25

Database versjon: 1087

Windows 5.1.2600 Service Pack 2

16:22:29 25.08.2008

mbam-log-08-25-2008 (16-22-29).txt

Skanntype: Full Skann (C:\|)

Objekter skannet: 80398

Tid tilbakelagt: 23 minute(s), 42 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 4

Registerverdier infisert: 1

Registerfiler infisert: 0

Mapper infisert: 1

Filer infisert: 2

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

HKEY_CLASSES_ROOT\CLSID\{300cf5c9-f02d-4cb8-abed-9c229da56825} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{254b87bb-510d-41fa-a887-52c5fa9be585} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{300cf5c9-f02d-4cb8-abed-9c229da56825} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registerverdier infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\smile (Trojan.Zlob) -> Quarantined and deleted successfully.

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

Mapper infisert:

C:\WINDOWS\system32\377186 (Trojan.BHO) -> Quarantined and deleted successfully.

Filer infisert:

C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.

Combofix

ComboFix 08-08-24.03 - xxx 2008-08-25 16:28:48.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.153 [GMT 2:00]

Running from: C:\Documents and Settings\xxx\Skrivebord\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Gjest\Lokale innstillinger\Programdata\Microsoft\Windows Media\10.0\WMSDKNSD.XML

C:\Documents and Settings\xxx\Mine dokumenter\My Documents.url

C:\WINDOWS\smdat32m.sys

.

((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))

.

2008-08-25 15:45 . 2008-08-25 15:45 <DIR> d-------- C:\Documents and Settings\xxx\Programdata\Malwarebytes

2008-08-25 15:45 . 2008-08-25 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-08-25 15:45 . 2008-08-17 15:05 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-25 15:45 . 2008-08-17 15:05 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-08-25 15:44 . 2008-08-25 15:45 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-08-25 15:09 . 2008-08-25 15:09 <DIR> d-------- C:\Programfiler\Trend Micro

2008-08-22 00:01 . 2008-08-22 01:34 894 --a------ C:\WINDOWS\wininit.ini

2008-08-21 23:12 . 2008-08-22 03:16 <DIR> d-------- C:\Programfiler\Spybot - Search & Destroy

2008-08-21 23:12 . 2008-08-22 03:14 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-08-21 22:46 . 2008-08-21 23:09 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-08-21 22:46 . 2008-08-21 23:09 <DIR> d-------- C:\Documents and Settings\xxx\Programdata\SUPERAntiSpyware.com

2008-08-21 22:46 . 2008-08-21 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-08-21 22:27 . 2008-08-21 22:28 <DIR> d-------- C:\Programfiler\Opera

2008-08-20 18:22 . 2008-08-22 00:05 <DIR> d-------- C:\Programfiler\Applications

2008-08-12 22:11 . 2008-05-01 16:34 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-21 21:09 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-08-20 16:27 --------- d-----w C:\Documents and Settings\xxx\Programdata\F-Secure

2008-08-13 06:35 --------- d-----w C:\Documents and Settings\xxx\Programdata\AdobeUM

2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll

2008-07-01 23:06 --------- d-----w C:\Programfiler\IKEA HomePlanner

2008-07-01 19:59 --------- d-----w C:\Programfiler\IKEA Home Planner Kitchen

2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-24 16:24 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll

2008-06-24 08:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-06-23 09:23 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-06-23 09:22 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 17:43 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\dllcache\bthport.sys

2007-02-17 21:20 284 ----a-w C:\Documents and Settings\xxx\Programdata\ViewerApp.dat

2005-01-16 18:02 284 ----a-w C:\Documents and Settings\xxx\Programdata\ViewerApp.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-10 21:29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Icon"="C:\WINDOWS\system32\drivers\Icon.exe" [2004-03-08 14:23 217088]

"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2003-09-26 12:01 98304]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2003-09-26 12:01 503808]

"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-07-01 13:02 155648]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-07-01 12:58 118784]

"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2004-11-12 00:51 151597]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2004-11-12 00:50 77824]

"Easy-PrintToolBox"="C:\Programfiler\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 03:10 409600]

"F-Secure Manager"="C:\Programfiler\NextGenTel Internet Security\Common\FSM32.EXE" [2007-04-26 19:12 183208]

"F-Secure TNB"="C:\Programfiler\NextGenTel Internet Security\FSGUI\TNBUtil.exe" [2007-04-26 19:10 740208]

"SoundMan"="SOUNDMAN.EXE" [2004-02-26 17:53 65024 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Belkin Wireless Networking Utility.lnk - C:\Programfiler\Belkin\F5D8051v2\Belkinwcui.exe [2008-03-11 19:45:04 1576960]

Picture Package Menu.lnk - C:\Programfiler\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-01-15 23:18:32 151552]

Picture Package VCD Maker.lnk - C:\Programfiler\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-01-15 23:18:29 106496]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-18 15:42]

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-08-06 09:48]

R1 F-Secure HIPS;F-Secure HIPS;C:\Programfiler\NextGenTel Internet Security\HIPS\fshs.sys [2008-02-13 13:25]

R2 MTC0005_MTCDIO;Wireless HotKey Driver;C:\WINDOWS\system32\drivers\MTCDIO.sys [2003-09-22 12:04]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programfiler\NextGenTel Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-04-26 19:07]

R3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8180.SYS [2004-03-18 14:26]

S2 MTCDIO;MTCDIO;C:\WINDOWS\system32\DRIVERS\MTCDIO.sys [2003-09-22 12:04]

S4 F-Secure Filter;F-Secure File System Filter;C:\Programfiler\NextGenTel Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 19:08]

S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programfiler\NextGenTel Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-04-26 19:08]

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = about:blank

R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

R1 -: HKCU-Internet Connection Wizard,ShellNext = "C:\Programfiler\Outlook Express\msimn.exe"

R1 -: HKCU-SearchURL,(Default) = hxxp://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR

O8 -: E&ksporter til Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 -: Easy-WebPrint Add To Print List - C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 -: Easy-WebPrint High Speed Print - C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 -: Easy-WebPrint Preview - C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 -: Easy-WebPrint Print - C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab

C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab

C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} - hxxp://www.euchannels.net/update/KooPlayer.ocx

C:\WINDOWS\Downloaded Program Files\KooPlayer.ocx

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-25 16:32:18

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-08-25 16:33:54

ComboFix-quarantined-files.txt 2008-08-25 14:33:42

Pre-Run: 39,536,316,416 byte ledig

Post-Run: 39,904,989,184 byte ledig

136 --- E O F --- 2008-08-23 01:02:46

HJT etter MAM og Combofix:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:00:53, on 25.08.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\NextGenTel Internet Security\Anti-Virus\fsgk32st.exe

C:\Programfiler\NextGenTel Internet Security\Common\FSMA32.EXE

C:\Programfiler\NextGenTel Internet Security\Anti-Virus\FSGK32.EXE

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\NextGenTel Internet Security\Anti-Virus\fssm32.exe

C:\Programfiler\NextGenTel Internet Security\FSPC\fspc.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

C:\Programfiler\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Programfiler\Belkin\F5D8051v2\Belkinwcui.exe

C:\Programfiler\Belkin\F5D8051v2\chkdev.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Programfiler\NextGenTel Internet Security\Common\FSLAUNCH.EXE

C:\WINDOWS\explorer.exe

C:\DOCUME~1\LENAH~1.OLS\LOKALE~1\Temp\RarSFX0\TechinlineLauncherClient\App\firefox\firefox.exe

C:\DOCUME~1\LENAH~1.OLS\LOKALE~1\Temp\RarSFX0\TechinlineLauncherClient\Data\plugins\TiClientCore.exe