
[SOLVED] Can someone check the logs?


Recommended posts

Posted (edited)

I'm sitting at a PC that is almost certainly infected. I've followed the sticky and am posting the logs in quick succession. It's not my PC, so it would be nice if someone could look at it fairly quickly, since I can't take it home with me.

 

Thanks for the help. :)

 

MBAM


Malwarebytes' Anti-Malware 1.28

Database versjon: 1274

Windows 5.1.2600 Service Pack 2

 

16.10.2008 11:54:52

mbam-log-2008-10-16 (11-54-52).txt

 

Skanntype: Rask Skann

Objekter skannet: 42430

Tid tilbakelagt: 48 minute(s), 50 second(s)

 

Minneprosesser infisert: 1

Minnemoduler infisert: 1

Registernøkler infisert: 37

Registerverdier infisert: 14

Registerfiler infisert: 1

Mapper infisert: 5

Filer infisert: 75

 

Minneprosesser infisert:

C:\WINDOWS\vlc.exe (Trojan.Downloader) -> Unloaded process successfully.

 

Minnemoduler infisert:

C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Delete on reboot.

 

Registernøkler infisert:

HKEY_CLASSES_ROOT\CLSID\{19B901E1-2031-8F41-5A5F-02BA65A39607} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34545} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Classes\hol5_vxiewer.full.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Golden Palace Casino PT (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.

 

Registerverdier infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\shactproc (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatewin (Trojan.FakeAlert.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatewin (Trojan.FakeAlert.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\UpdateWin (Worm.Sdbot) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Delete on reboot.

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registerfiler infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Mapper infisert:

C:\Programfiler\Microsoft Security Adviser (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.

C:\Programfiler\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Programfiler\Inet Delivery (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

 

Filer infisert:

C:\Programfiler\mmzutqb\shactproc.dll (Trojan.FakeAlert.H) -> Delete on reboot.

C:\WINDOWS\system32\winsd.exe (Trojan.FakeAlert.H) -> Delete on reboot.

C:\WINDOWS\vlc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\Programfiler\Microsoft Security Adviser\mssadv_sp.log (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Programfiler\Microsoft Security Adviser\mssadv.log (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Programfiler\Microsoft Security Adviser\msctrl.log (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.

C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.

C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.

C:\Programfiler\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Programfiler\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Programfiler\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Programfiler\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Programfiler\Inet Delivery\inetdl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Programfiler\Inet Delivery\intdel.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Programfiler\SAV\sav1.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.

C:\Programfiler\SAV\sav0.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.

C:\Programfiler\SAV\sav.ooo (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.

C:\WINDOWS\a.bat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\userconfig9x.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\winsystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\medup020.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vbsys2.dll (Trojan.Clicker) -> Quarantined and deleted successfully.

ComboFix


ComboFix 08-10-15.06 - PC 2008-10-16 12:16:00.2 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.138 [GMT 2:00]

Running from: F:\Ny mappe\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\Programfiler\SAV

F:\Autorun.inf

 

.

((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))

.

 

2008-10-16 10:40 . 2008-10-16 10:40 <DIR> d-------- C:\Documents and Settings\PC\Programdata\Malwarebytes

2008-10-16 10:38 . 2008-10-16 10:38 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-10-16 10:38 . 2008-10-16 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-10-16 10:38 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-16 10:38 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-16 10:14 . 2008-10-16 10:14 <DIR> dr-h----- C:\Documents and Settings\PC\Siste

2008-10-15 08:51 . 2008-10-15 08:48 35,888 -ra------ C:\WINDOWS\system32\drivers\SymIM.sys

2008-10-15 08:50 . 2008-10-15 08:50 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2008-10-15 08:50 . 2008-10-15 08:50 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL

2008-10-15 08:50 . 2008-10-15 08:50 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2008-10-15 08:50 . 2008-10-15 08:50 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF

2008-10-15 08:47 . 2008-10-15 08:47 <DIR> d-------- C:\WINDOWS\system32\drivers\NIS

2008-10-15 08:47 . 2008-10-15 08:47 <DIR> d-------- C:\Programfiler\Windows Sidebar

2008-10-15 08:47 . 2008-10-15 08:47 <DIR> d-------- C:\Programfiler\Norton Internet Security

2008-10-15 08:35 . 2008-10-15 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\PCSettings

2008-10-15 08:35 . 2008-10-15 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Norton

2008-10-15 08:33 . 2008-10-15 08:33 <DIR> d-------- C:\Programfiler\NortonInstaller

2008-10-15 08:33 . 2008-10-15 08:33 <DIR> d-------- aC:\Documents and Settings\All Users\Programdata\NortonInstaller

2008-10-10 10:21 . 2008-10-10 10:21 <DIR> d--hs---- C:\FOUND.000

2008-10-08 17:47 . 2008-10-08 17:47 <DIR> d-------- C:\VideoSec

2008-10-07 15:56 . 2008-10-07 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\bcrobqbg

2008-10-06 23:05 . 2008-10-08 22:00 163 --ahs---- C:\WINDOWS\system32\3564437317.dat

2008-10-04 17:54 . 2008-10-04 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Emotum

2008-10-03 22:30 . 2008-10-03 22:30 <DIR> d-------- C:\Programfiler\mmzutqb

2008-10-03 22:30 . 2008-10-03 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\gpylozmr

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-22 19:55 2,692 ----a-w C:\Documents and Settings\PC\Programdata\wklnhst.dat

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll

.

 

------- Sigcheck -------

 

2008-06-20 12:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 12:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\dllcache\tcpip.sys

2008-04-13 21:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\SoftwareDistribution\Download\640458d0c11651636af7e639bed7ddde\tcpip.sys

2005-05-25 20:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys

2006-01-13 18:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys

2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys

2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys

2008-06-20 12:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys

2008-06-20 13:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys

2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys

2004-08-04 14:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys

2005-05-25 20:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys

2006-01-13 03:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys

2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys

2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.Exe" [2006-07-29 5354792]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-28 171448]

"SetMsgCom"="C:\WINDOWS\system32\olwralwj.exe" [bU]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2005-05-12 102400]

"ASUS Live Update"="C:\Programfiler\ASUS\ASUS Live Update\ALU.exe" [2003-09-19 172032]

"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 98394]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 688218]

"Control Center"="C:\Progra~1\ASUS\WLAN Card Utilities\Center.exe" [2005-06-15 1623040]

"Zshutdown"="c:\sysprep\patch\sysprep.cmd" [bU]

"Power_Gear"="C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe" [2004-09-21 81920]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]

"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"Telenor Online Start"="C:\Programfiler\Telenor\Online Start\Telenor.exe" [bU]

"Telenorhjelpen"="C:\Programfiler\Telenor\Telenorhjelpen\Telenor.exe" [2008-02-07 189120]

"SoundMan"="SOUNDMAN.EXE" [2005-04-14 C:\WINDOWS\SOUNDMAN.EXE]

"NB Probe"="" [bU]

"SiSPower"="SiSPower.dll" [2005-02-16 C:\WINDOWS\system32\SiSPower.dll]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Adobe Reader Speed Launch.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

ASUS ChkMail.lnk - C:\Programfiler\ASUS\Asus ChkMail\ChkMail.exe [2005-09-07 32768]

Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-09-07 331776]

HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

HP Image Zone Hurtigstart.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.asv2"= asusasv2.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Messenger\\MSMSGS.EXE"=

"C:\\Programfiler\\EA GAMES\\Battlefield 2\\BF2.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\msncall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Telenor\\Telenorhjelpen\\Telenor.exe"=

 

R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NIS\1000000.07D\SYMEFA.SYS [2008-10-15 309296]

R1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\NIS\1000000.07D\BHDrvx86.sys [2008-10-15 254512]

R1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\NIS\1000000.07D\ccHPx86.sys [2008-10-15 362544]

R1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081015.001\IDSxpx86.sys [2008-10-15 274808]

R2 Norton Internet Security;Norton Internet Security;C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe /s Norton Internet Security /m C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\diMaster.dll [ ]

R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 16269]

R3 HSFHWSIS;HSFHWSIS;C:\WINDOWS\system32\DRIVERS\HSFHWSIS.sys [2004-06-17 193280]

S3 Asushwio;Asushwio;C:\WINDOWS\system32\drivers\Asushwio.sys [2000-03-29 5824]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34e8953e-e212-11dc-9278-0013d4a244b9}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

 

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

 

2005-09-30 C:\WINDOWS\Tasks\Symantec NetDetect.job

- C:\Programfiler\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]

.

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.fflillehammer.no/

R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-16 12:17:27

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]

"ImagePath"="\"C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

.

Completion time: 2008-10-16 12:18:27

ComboFix-quarantined-files.txt 2008-10-16 10:18:26

 

Pre-Run: 29,785,980,928 byte ledig

Post-Run: 29,772,054,528 byte ledig

 

161 --- E O F --- 2008-09-20 17:12:05

 

HJT


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:21:00, on 16.10.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ATK0100\HControl.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\Progra~1\ASUS\WLAN Card Utilities\Center.exe

C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe

C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

C:\Programfiler\Telenor\Telenorhjelpen\Telenor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Programfiler\ASUS\Asus ChkMail\ChkMail.exe

C:\WINDOWS\system32\sistray.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\ASWLSVC.exe

C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\Programfiler\ASUS\NB Probe\SPM\spmgr.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Programfiler\Internet Explorer\iexplore.exe

F:\Ny mappe\test.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fflillehammer.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll

O2 - BHO: Telenor Telenorhjelpen Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Programfiler\Telenor\Telenorhjelpen\IEFixItNowPlugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll

O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ASUS Live Update] C:\Programfiler\ASUS\ASUS Live Update\ALU.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [Control Center] C:\Progra~1\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd

O4 - HKLM\..\Run: [Power_Gear] C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe 1

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Telenor Online Start] "C:\Programfiler\Telenor\Online Start\Telenor.exe"

O4 - HKLM\..\Run: [Telenorhjelpen] "C:\Programfiler\Telenor\Telenorhjelpen\Telenor.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [setMsgCom] C:\WINDOWS\system32\olwralwj.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: ASUS ChkMail.lnk = C:\Programfiler\ASUS\Asus ChkMail\ChkMail.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Hurtigstart.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: spmgr - Unknown owner - C:\Programfiler\ASUS\NB Probe\SPM\spmgr.exe

 

--

End of file - 6452 bytes

 

Edited by hernil
Posted (edited)

MBAM caught quite a lot.

 

Copy the bold text below the image -> open Notepad and paste it in.

Save it on the desktop as CFScript.txt

Do as shown in the image; ComboFix will start. Post the log c:\combofix.txt

(image: cfscriptyt1.gif)

 

DirLook::

C:\Documents and Settings\All Users\Programdata\bcrobqbg

C:\Programfiler\mmzutqb

C:\Documents and Settings\All Users\Programdata\gpylozmr

 

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SetMsgCom"=-

 

Scan this file here: Virustotal

C:\WINDOWS\system32\3564437317.dat

Edited by SNIPPSAT
Posted (edited)

CF has been run. New HJT log. :)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:27:08, on 16.10.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ASWLSVC.exe

C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\Programfiler\ASUS\NB Probe\SPM\spmgr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\ATK0100\HControl.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Programfiler\ASUS\ASUS Live Update\ALU.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Progra~1\ASUS\WLAN Card Utilities\Center.exe

C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe

C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

C:\Programfiler\Telenor\Telenorhjelpen\Telenor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Programfiler\ASUS\Asus ChkMail\ChkMail.exe

C:\WINDOWS\system32\sistray.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programfiler\Internet Explorer\iexplore.exe

F:\Ny mappe\test.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fflillehammer.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll

O2 - BHO: Telenor Telenorhjelpen Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Programfiler\Telenor\Telenorhjelpen\IEFixItNowPlugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll

O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ASUS Live Update] C:\Programfiler\ASUS\ASUS Live Update\ALU.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [Control Center] C:\Progra~1\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Power_Gear] C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe 1

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Telenorhjelpen] "C:\Programfiler\Telenor\Telenorhjelpen\Telenor.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: ASUS ChkMail.lnk = C:\Programfiler\ASUS\Asus ChkMail\ChkMail.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Hurtigstart.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: spmgr - Unknown owner - C:\Programfiler\ASUS\NB Probe\SPM\spmgr.exe

 

--

End of file - 6351 bytes

Edited by hernil
Posted
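As an added example (not code from this thread, from HijackThis or from ComboFix), the script below parses the O4 autostart lines of the two HijackThis logs above, diffs them to show which entries disappeared after the CFScript was run, and flags the pattern that gave the infection away here: an executable sitting directly in system32 under a Run value name (setMsgCom) that shares no word with the file it launches (olwralwj.exe). The sample lines are copied from the two logs in this thread; the function names and the heuristic are this example's own.

```python
"""Diff the O4 (autostart) entries of two HijackThis logs and flag entries
whose value name has nothing in common with an executable that lives directly
in the Windows directory or system32. Added example, not part of the thread."""
import re

# Run-key entries:        O4 - HKLM\..\Run: [Name] "C:\path\file.exe" /args
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder entries: O4 - Global Startup: Name.lnk = C:\path\file.exe
O4_LNK_RE = re.compile(r"^O4 - (?P<hive>Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Word tokens of a value name: CamelCase parts, ALLCAPS runs, digits, plain words
TOKEN_RE = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|\d+")
# Directories where a dropper typically parks a random-named binary
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Sample lines copied from the thread's HJT logs: before and after the CFScript
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Telenor Online Start] "C:\Programfiler\Telenor\Online Start\Telenor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [setMsgCom] C:\WINDOWS\system32\olwralwj.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""


def parse_o4(log_text):
    """Map (hive, value name) -> command line for every O4 line in the log."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
        if m:
            entries[(m["hive"], m["name"])] = m["cmd"]
    return entries


def executable_of(cmd):
    """Return the program part of a command line (quoted, or up to the first extension)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|cmd|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def in_system_dir(path):
    """True for files directly in C:\\WINDOWS or system32, or bare names found via PATH."""
    p = path.lower()
    if "\\" not in p:
        return True
    return p.rsplit("\\", 1)[0] in SYSTEM_DIRS


def name_tokens(name):
    """Words of a value name (extension dropped), e.g. 'setMsgCom' -> {set, msg, com}."""
    base = re.sub(r"\.(exe|lnk)$", "", name, flags=re.IGNORECASE)
    return {t.lower() for t in TOKEN_RE.findall(base) if len(t) >= 3}


def is_suspicious(name, cmd):
    """Heuristic: system-directory executable whose value name shares no word with it."""
    if not in_system_dir(executable_of(cmd)):
        return False
    haystack = cmd.lower()
    return not any(tok in haystack for tok in name_tokens(name))


def diff_o4(before, after):
    """Entries present only in the first log, and entries present only in the second."""
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    return removed, added


def report(before_text, after_text):
    before, after = parse_o4(before_text), parse_o4(after_text)
    removed, added = diff_o4(before, after)
    flagged = sorted(k for k, cmd in before.items() if is_suspicious(k[1], cmd))
    return {"removed": removed, "added": added, "flagged": flagged}


if __name__ == "__main__":
    result = report(BEFORE_LOG, AFTER_LOG)
    for label in ("flagged", "removed", "added"):
        print(f"{label}:")
        for hive, name in result[label]:
            print(f"  {hive} [{name}]")
```

The heuristic is deliberately narrow and can still trip on a legitimate OEM entry, so treat a hit as something to look up (a file-scanning service such as the VirusTotal check the helper asked for) rather than as a verdict; the diff is the part that tells you what a cleanup script actually changed.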

ComboFix 08-10-15.08 - PC 2008-10-16 15:05:04.4 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.94 [GMT 2:00]

Running from: C:\Documents and Settings\PC\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\PC\Skrivebord\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))

.

 

2008-10-16 14:46 . 2008-10-16 14:46 <DIR> dr-h----- C:\Documents and Settings\PC\Siste

2008-10-16 10:40 . 2008-10-16 10:40 <DIR> d-------- C:\Documents and Settings\PC\Programdata\Malwarebytes

2008-10-16 10:38 . 2008-10-16 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-10-15 08:51 . 2008-10-15 08:48 35,888 -ra------ C:\WINDOWS\system32\drivers\SymIM.sys

2008-10-15 08:50 . 2008-10-15 08:50 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2008-10-15 08:50 . 2008-10-15 08:50 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL

2008-10-15 08:50 . 2008-10-15 08:50 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2008-10-15 08:50 . 2008-10-15 08:50 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF

2008-10-15 08:47 . 2008-10-15 08:47 <DIR> d-------- C:\WINDOWS\system32\drivers\NIS

2008-10-15 08:47 . 2008-10-15 08:47 <DIR> d-------- C:\Programfiler\Windows Sidebar

2008-10-15 08:47 . 2008-10-15 08:47 <DIR> d-------- C:\Programfiler\Norton Internet Security

2008-10-15 08:35 . 2008-10-15 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\PCSettings

2008-10-15 08:35 . 2008-10-15 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Norton

2008-10-15 08:33 . 2008-10-15 08:33 <DIR> d-------- C:\Programfiler\NortonInstaller

2008-10-15 08:33 . 2008-10-15 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\NortonInstaller

2008-10-10 10:21 . 2008-10-10 10:21 <DIR> d--hs---- C:\FOUND.000

2008-10-08 17:47 . 2008-10-08 17:47 <DIR> d-------- C:\VideoSec

2008-10-07 15:56 . 2008-10-07 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\bcrobqbg

2008-10-06 23:05 . 2008-10-08 22:00 163 --ahs---- C:\WINDOWS\system32\3564437317.dat

2008-10-04 17:54 . 2008-10-04 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Emotum

2008-10-03 22:30 . 2008-10-03 22:30 <DIR> d-------- C:\Programfiler\mmzutqb

2008-10-03 22:30 . 2008-10-03 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\gpylozmr

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-22 19:55 2,692 ----a-w C:\Documents and Settings\PC\Programdata\wklnhst.dat

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

---- Directory of C:\Documents and Settings\All Users\Programdata\bcrobqbg ----

 

 

---- Directory of C:\Documents and Settings\All Users\Programdata\gpylozmr ----

 

 

---- Directory of C:\Programfiler\mmzutqb ----

 

 

 

------- Sigcheck -------

 

2008-06-20 12:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 12:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\dllcache\tcpip.sys

2008-04-13 21:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\SoftwareDistribution\Download\640458d0c11651636af7e639bed7ddde\tcpip.sys

2005-05-25 20:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys

2006-01-13 18:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys

2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys

2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys

2008-06-20 12:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys

2008-06-20 13:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys

2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys

2004-08-04 14:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys

2005-05-25 20:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys

2006-01-13 03:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys

2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys

2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.Exe" [2006-07-29 5354792]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-28 171448]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2005-05-12 102400]

"ASUS Live Update"="C:\Programfiler\ASUS\ASUS Live Update\ALU.exe" [2003-09-19 172032]

"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 98394]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 688218]

"Control Center"="C:\Progra~1\ASUS\WLAN Card Utilities\Center.exe" [2005-06-15 1623040]

"Power_Gear"="C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe" [2004-09-21 81920]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]

"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"Telenorhjelpen"="C:\Programfiler\Telenor\Telenorhjelpen\Telenor.exe" [2008-02-07 189120]

"SoundMan"="SOUNDMAN.EXE" [2005-04-14 C:\WINDOWS\SOUNDMAN.EXE]

"SiSPower"="SiSPower.dll" [2005-02-16 C:\WINDOWS\system32\SiSPower.dll]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

ASUS ChkMail.lnk - C:\Programfiler\ASUS\Asus ChkMail\ChkMail.exe [2005-09-07 32768]

Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-09-07 331776]

HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

HP Image Zone Hurtigstart.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]

Adobe Reader Speed Launch.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.asv2"= asusasv2.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Messenger\\MSMSGS.EXE"=

"C:\\Programfiler\\EA GAMES\\Battlefield 2\\BF2.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\msncall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Telenor\\Telenorhjelpen\\Telenor.exe"=

 

R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NIS\1000000.07D\SYMEFA.SYS [2008-10-15 309296]

R1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\NIS\1000000.07D\BHDrvx86.sys [2008-10-15 254512]

R1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\NIS\1000000.07D\ccHPx86.sys [2008-10-15 362544]

R1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081015.001\IDSxpx86.sys [2008-10-15 274808]

R2 Norton Internet Security;Norton Internet Security;C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe /s Norton Internet Security /m C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\diMaster.dll [ ]

R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 16269]

R3 HSFHWSIS;HSFHWSIS;C:\WINDOWS\system32\DRIVERS\HSFHWSIS.sys [2004-06-17 193280]

S3 Asushwio;Asushwio;C:\WINDOWS\system32\drivers\Asushwio.sys [2000-03-29 5824]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34e8953e-e212-11dc-9278-0013d4a244b9}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

 

2005-09-30 C:\WINDOWS\Tasks\Symantec NetDetect.job

- C:\Programfiler\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-16 15:07:36

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]

"ImagePath"="\"C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"C:\Programfiler\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

.

Completion time: 2008-10-16 15:09:02

ComboFix3.txt 2008-10-16 10:18:30

ComboFix-quarantined-files.txt 2008-10-16 13:08:54

ComboFix2.txt 2008-10-16 12:58:46

 

Pre-Run: 30 845 632 512 byte ledig

Post-Run: 30,840,029,184 byte ledig

 

148 --- E O F --- 2008-09-20 17:12:05

Posted

Yes, that looks good.

The folders I checked were empty, so you can delete them.

 

You can remove ComboFix by typing combofix /u from the Run dialog. This command causes the quarantined files and backups to be deleted, the System Restore folder to be reset, etc.

 

Surf safely.

Posted

Thanks for the help. The machine was noticeably faster than when I first got it. I find it quite impressive what people manage to get onto their PCs, but I suppose once something is there it just keeps growing.

 

The case is solved. :)
