
Need help removing Virtumonde / Vundu



Yes, that looks good :thumbup:

 

Use the PC for a while; if it runs fine, you should do the following.

 

You can remove ComboFix by typing combofix /u in the Run window. This command deletes the quarantined files and backups, resets the System Restore folder, etc.

 

Surf safely.

 

 

Once again, many, many thanks.

  • 3 weeks later...

Now it seems I am struggling with this too. I tried to remove it myself, but I still get .dll error messages.

 

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:30:20, on 08.05.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe

C:\Programfiler\F-Secure\Anti-Virus\FSGK32.EXE

C:\Programfiler\F-Secure\BackWeb\7681197\program\fsbwsys.exe

C:\Programfiler\F-Secure\Common\FSMA32.EXE

C:\Programfiler\F-Secure\Anti-Virus\fssm32.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\F-Secure\Common\FSMB32.EXE

C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\Programfiler\F-Secure\Common\FCH32.EXE

C:\Programfiler\F-Secure\Common\FNRB32.EXE

C:\Programfiler\F-Secure\Anti-Virus\fsqh.exe

C:\Programfiler\F-Secure\Common\FAMEH32.EXE

C:\Programfiler\F-Secure\FWES\Program\fsdfwd.exe

C:\Programfiler\F-Secure\Anti-Virus\fsrw.exe

C:\Programfiler\F-Secure\Common\FIH32.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\F-Secure\Anti-Virus\fsav32.exe

C:\WINDOWS\TBPanel.exe

C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe

C:\Programfiler\Logitech\iTouch\iTouch.exe

C:\Programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE

C:\Programfiler\Logitech\ImageStudio\LogiTray.exe

C:\Programfiler\F-Secure\Common\FSM32.EXE

C:\Programfiler\D-Tools\daemon.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Programfiler\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe

C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe

C:\Programfiler\Logitech\SetPoint\SetPoint.exe

C:\Programfiler\F-Secure\FSGUI\fsguidll.exe

C:\Programfiler\Fellesfiler\Logitech\khalshared\KHALMNPR.EXE

C:\Programfiler\Logitech\ImageStudio\LowLight.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\Programfiler\Opera\Opera.exe

C:\Programfiler\Windows Live\Messenger\msnmsgr.exe

C:\Programfiler\mIRC\mirc.exe

C:\Documents and Settings\All Users\Skrivebord\HJThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Programfiler\Common Files\Paltalk\PaltalkWebLogin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {E25E5828-47DF-4BC7-81C2-1C828A9D181A} - C:\WINDOWS\system32\iifcATjI.dll (file missing)

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programfiler\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programfiler\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Programfiler\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programfiler\F-Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programfiler\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [bM674fb046] Rundll32.exe "C:\WINDOWS\system32\ddnuboci.dll",s

O4 - HKLM\..\Run: [647c83da] rundll32.exe "C:\WINDOWS\system32\hveeiwgr.dll",b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsgCenterExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\RealOneMessageCenter.exe" -osboot

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: IMVU.lnk = D:\Games\Imvu\IMVUClient.exe

O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programfiler\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe

O4 - Global Startup: Logitech SetPoint.lnk = ?

O8 - Extra context menu item: &Block this popup - C:\Programfiler\F-Secure\Anti-Spyware\blockpopups.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure\Anti-Spyware\ieshield.dll

O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure\Anti-Spyware\ieshield.dll

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kajo\Start-meny\Programmer\>IMVU\Run IMVU.lnk (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195234784968

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208892528390

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B508E252-95FD-47DF-BB90-70236CE55AB5}: NameServer = 192.168.1.1

O20 - Winlogon Notify: hgGwUoPI - hgGwUoPI.dll (file missing)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: app_filter - Unknown owner - C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FNRB32.EXE

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: fsbwsys - F-Secure Corp. - C:\Programfiler\F-Secure\BackWeb\7681197\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programfiler\F-Secure\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FSMA32.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 11075 bytes

ComboFix:

 

ComboFix 08-05-01.3 - Kajo 2008-05-08 21:33:30.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.972 [GMT 2:00]

Running from: C:\Documents and Settings\Kajo\Skrivebord\ComboFix.exe

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))

.

 

2008-05-08 00:37 . 2008-05-08 00:42 269 --a------ C:\WINDOWS\wininit.ini

2008-05-08 00:22 . 2008-05-08 00:22 2,112 --a------ C:\WINDOWS\system32\ohuikdaw.exe

2008-05-07 22:26 . 2008-05-08 00:20 109,807 --a------ C:\WINDOWS\BM674fb046.xml

2008-05-06 22:58 . 2008-05-08 21:02 <DIR> d-------- C:\Programfiler\mIRC

2008-05-06 22:58 . 2008-05-08 21:32 <DIR> d-------- C:\Documents and Settings\Kajo\Programdata\mIRC

2008-04-22 21:34 . 2008-04-22 21:34 <DIR> d-------- C:\Programfiler\Microsoft Silverlight

2008-04-11 20:46 . 2008-04-11 20:46 399,616 --a------ C:\WINDOWS\system32\drivers\EagleNt.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-21 21:57 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll

2008-04-21 18:26 --------- d-----w C:\Documents and Settings\Kajo\Programdata\Apple Computer

2008-04-19 13:18 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-04-17 20:53 --------- d-----w C:\Programfiler\SystemRequirementsLab

2008-04-04 18:23 --------- d-----w C:\Programfiler\Fellesfiler\Real

2008-04-04 18:10 --------- d-----w C:\Programfiler\Real

2008-04-04 17:59 --------- d-----w C:\Documents and Settings\Kajo\Programdata\Media Player Classic

2008-03-31 21:55 --------- d-----w C:\Documents and Settings\Kajo\Programdata\Command & Conquer 3 Kane's Wrath

2008-03-31 21:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-12 11:10 633,344 ------w C:\WINDOWS\system32\gpprefcl.dll

2008-03-03 23:54 691,545 ----a-w C:\WINDOWS\unins000.exe

2008-03-01 13:05 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2007-08-13 15:45 87,608 ----a-w C:\Documents and Settings\Kajo\Programdata\inst.exe

2007-08-13 15:45 47,360 -c--a-w C:\Documents and Settings\Kajo\Programdata\pcouffin.sys

2007-03-27 18:49 1 -c--a-w C:\Documents and Settings\Kajo\SI.bin

.

 

((((((((((((((((((((((((((((( snapshot@2008-05-08_ 1.08.14.75 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-07 23:04:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-08 18:42:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat

- 2008-05-07 23:06:05 1,500 ----a-w C:\WINDOWS\UI\BIOSCTL.DAT

+ 2008-05-08 18:43:46 1,500 ----a-w C:\WINDOWS\UI\BIOSCTL.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E25E5828-47DF-4BC7-81C2-1C828A9D181A}]

C:\WINDOWS\system32\iifcATjI.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WebCamRT.exe"="" []

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:03 15360]

"MsgCenterExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\RealOneMessageCenter.exe" [ ]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gainward"="C:\WINDOWS\TBPanel.exe" [2005-07-25 10:39 2043904]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]

"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]

"RemoteControl"="C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]

"zBrowser Launcher"="C:\Programfiler\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]

"LVCOMS"="C:\Programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 18:54 127022]

"LogitechGalleryRepair"="C:\Programfiler\Logitech\ImageStudio\ISStart.exe" [2002-12-10 19:32 155648]

"LogitechImageStudioTray"="C:\Programfiler\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 19:31 61440]

"F-Secure Manager"="C:\Programfiler\F-Secure\Common\FSM32.exe" [2005-10-26 03:51 122929]

"F-Secure TNB"="C:\Programfiler\F-Secure\TNB\TNBUtil.exe" [2004-05-27 10:57 684032]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"DAEMON Tools-1033"="C:\Programfiler\D-Tools\daemon.exe" [2004-08-22 17:05 81920]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]

"QuickTime Task"="C:\Programfiler\K-Lite Codec Pack\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]

"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]

"BM674fb046"="C:\WINDOWS\system32\ddnuboci.dll" [ ]

"647c83da"="C:\WINDOWS\system32\hveeiwgr.dll" [ ]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:03 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

F-Secure Automatic Update.lnk - C:\Programfiler\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2006-08-20 23:27:43 32807]

Logitech SetPoint.lnk - C:\Programfiler\Logitech\SetPoint\SetPoint.exe [2007-07-23 20:44:08 688128]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGwUoPI]

hgGwUoPI.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]


Start HJT, choose "Do a system scan only", tick the following lines and click Fix checked:

O2 - BHO: (no name) - {E25E5828-47DF-4BC7-81C2-1C828A9D181A} - C:\WINDOWS\system32\iifcATjI.dll (file missing)

O4 - HKLM\..\Run: [bM674fb046] Rundll32.exe "C:\WINDOWS\system32\ddnuboci.dll",s

O4 - HKLM\..\Run: [647c83da] rundll32.exe "C:\WINDOWS\system32\hveeiwgr.dll",b

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kajo\Start-meny\Programmer\>IMVU\Run IMVU.lnk (file missing)

O20 - Winlogon Notify: hgGwUoPI - hgGwUoPI.dll (file missing)

 

 

Open Notepad and paste in the bold text below. Save the file on the desktop as CFScript

Drag the file onto the ComboFix icon. ComboFix will start again:

File::

C:\WINDOWS\system32\ohuikdaw.exe

C:\WINDOWS\BM674fb046.xml

C:\WINDOWS\system32\gpprefcl.dll

 

Post the new ComboFix log

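For readers who want to see why those five lines stand out in an otherwise normal HijackThis log, here is an added example (written for this edit, not code from the thread or from the HijackThis/ComboFix authors) that parses O2, O4 and O20 entries and scores the indicators the helper is reacting to: a BHO with no name or a missing file, a Run value named like a hex hash, rundll32 loading an eight-letter DLL through a single-letter export, and a Winlogon Notify DLL that is missing from disk. The sample lines are copied from the log posted above; the thresholds and the "eight-letter name" heuristic are assumptions chosen for this demonstration, not part of any tool.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Sample HijackThis lines copied from the log posted earlier in this thread.
# The first two are legitimate entries; the remaining four are the ones the
# helper told the poster to fix.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll',
    r'O2 - BHO: (no name) - {E25E5828-47DF-4BC7-81C2-1C828A9D181A} - C:\WINDOWS\system32\iifcATjI.dll (file missing)',
    r'O4 - HKLM\..\Run: [bM674fb046] Rundll32.exe "C:\WINDOWS\system32\ddnuboci.dll",s',
    r'O4 - HKLM\..\Run: [647c83da] rundll32.exe "C:\WINDOWS\system32\hveeiwgr.dll",b',
    r'O20 - Winlogon Notify: hgGwUoPI - hgGwUoPI.dll (file missing)',
]

# Line formats as HijackThis 2.0.x prints them (O2 = BHO, O4 = Run key, O20 = Winlogon Notify).
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<value>\S+) - (?P<path>.*)$')

# rundll32[.exe] "<dll>",<export>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\w+)', re.I)
# Heuristic (assumption for this example): exactly eight letters plus .dll
RANDOM_DLL_RE = re.compile(r'^[A-Za-z]{8}\.dll$')
# Heuristic (assumption for this example): eight hex digits, optionally prefixed "BM"
HEX_VALUE_RE = re.compile(r'^(?:BM)?[0-9A-Fa-f]{8}$', re.I)

FILE_MISSING = '(file missing)'
THRESHOLD = 2  # a single weak indicator (e.g. SDHelper.dll has eight letters) is not enough


@dataclass
class Finding:
    line: str
    score: int
    reasons: list[str]


def _basename(path: str) -> str:
    """File name of a Windows path, with HijackThis' '(file missing)' suffix removed."""
    return ntpath.basename(path.replace(FILE_MISSING, '').strip())


def score_line(line: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one HijackThis line; unknown line types score 0."""
    reasons: list[str] = []
    m = O2_RE.match(line)
    if m:
        if m['name'] == '(no name)':
            reasons.append('BHO registered without a name')
        if FILE_MISSING in m['path']:
            reasons.append('BHO points to a file that no longer exists')
        if RANDOM_DLL_RE.match(_basename(m['path'])):
            reasons.append('eight-letter DLL name')
        return len(reasons), reasons
    m = O4_RE.match(line)
    if m:
        if HEX_VALUE_RE.match(m['value']):
            reasons.append('Run value named like a hex hash')
        r = RUNDLL_RE.search(m['cmd'])
        if r:
            if len(r['export']) == 1:
                reasons.append('rundll32 calls a single-letter export')
            if RANDOM_DLL_RE.match(_basename(r['dll'])):
                reasons.append('eight-letter DLL name')
        return len(reasons), reasons
    m = O20_RE.match(line)
    if m:
        if FILE_MISSING in m['path']:
            reasons.append('Winlogon Notify DLL is missing from disk')
        if RANDOM_DLL_RE.match(_basename(m['path'])):
            reasons.append('eight-letter DLL name')
        return len(reasons), reasons
    return 0, reasons


def analyze(lines: list[str]) -> list[Finding]:
    """Keep only lines whose indicator score reaches THRESHOLD."""
    findings = []
    for line in lines:
        score, reasons = score_line(line)
        if score >= THRESHOLD:
            findings.append(Finding(line, score, reasons))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LINES):
        print(f'[{f.score}] {f.line}')
        for reason in f.reasons:
            print(f'      - {reason}')
```

Running it prints the same four lines the helper asked to have fixed (the O9 IMVU entry is just a dead shortcut and is deliberately not modelled), while the NvCplDaemon and Spybot entries stay below the threshold. The scoring is intentionally conservative: a missing file or a nameless BHO on its own is common on a cluttered machine, so the example only flags a line when two independent oddities coincide.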

ComboFix 08-05-01.3 - Kajo 2008-05-08 23:14:41.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.946 [GMT 2:00]

Running from: C:\Documents and Settings\Kajo\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Kajo\Skrivebord\CFScript.txt

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\WINDOWS\BM674fb046.xml

C:\WINDOWS\system32\gpprefcl.dll

C:\WINDOWS\system32\ohuikdaw.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Kajo\Programdata\inst.exe

C:\WINDOWS\BM674fb046.xml

C:\WINDOWS\system32\gpprefcl.dll

C:\WINDOWS\system32\ohuikdaw.exe

 

.

((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))

.

 

2008-05-08 00:37 . 2008-05-08 00:42 269 --a------ C:\WINDOWS\wininit.ini

2008-05-06 22:58 . 2008-05-08 21:02 <DIR> d-------- C:\Programfiler\mIRC

2008-05-06 22:58 . 2008-05-08 21:32 <DIR> d-------- C:\Documents and Settings\Kajo\Programdata\mIRC

2008-04-22 21:34 . 2008-04-22 21:34 <DIR> d-------- C:\Programfiler\Microsoft Silverlight

2008-04-11 20:46 . 2008-04-11 20:46 399,616 --a------ C:\WINDOWS\system32\drivers\EagleNt.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-21 21:57 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll

2008-04-21 18:26 --------- d-----w C:\Documents and Settings\Kajo\Programdata\Apple Computer

2008-04-19 13:18 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-04-17 20:53 --------- d-----w C:\Programfiler\SystemRequirementsLab

2008-04-04 18:23 --------- d-----w C:\Programfiler\Fellesfiler\Real

2008-04-04 18:10 --------- d-----w C:\Programfiler\Real

2008-04-04 17:59 --------- d-----w C:\Documents and Settings\Kajo\Programdata\Media Player Classic

2008-03-31 21:55 --------- d-----w C:\Documents and Settings\Kajo\Programdata\Command & Conquer 3 Kane's Wrath

2008-03-31 21:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-03 23:54 691,545 ----a-w C:\WINDOWS\unins000.exe

2008-03-01 13:05 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2007-08-13 15:45 47,360 -c--a-w C:\Documents and Settings\Kajo\Programdata\pcouffin.sys

2007-03-27 18:49 1 -c--a-w C:\Documents and Settings\Kajo\SI.bin

.

 

((((((((((((((((((((((((((((( snapshot@2008-05-08_ 1.08.14.75 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-07 23:04:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-08 18:42:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat

- 2008-05-07 23:06:05 1,500 ----a-w C:\WINDOWS\UI\BIOSCTL.DAT

+ 2008-05-08 18:43:46 1,500 ----a-w C:\WINDOWS\UI\BIOSCTL.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WebCamRT.exe"="" []

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:03 15360]

"MsgCenterExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\RealOneMessageCenter.exe" [ ]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gainward"="C:\WINDOWS\TBPanel.exe" [2005-07-25 10:39 2043904]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]

"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]

"RemoteControl"="C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]

"zBrowser Launcher"="C:\Programfiler\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]

"LVCOMS"="C:\Programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 18:54 127022]

"LogitechGalleryRepair"="C:\Programfiler\Logitech\ImageStudio\ISStart.exe" [2002-12-10 19:32 155648]

"LogitechImageStudioTray"="C:\Programfiler\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 19:31 61440]

"F-Secure Manager"="C:\Programfiler\F-Secure\Common\FSM32.exe" [2005-10-26 03:51 122929]

"F-Secure TNB"="C:\Programfiler\F-Secure\TNB\TNBUtil.exe" [2004-05-27 10:57 684032]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"DAEMON Tools-1033"="C:\Programfiler\D-Tools\daemon.exe" [2004-08-22 17:05 81920]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]

"QuickTime Task"="C:\Programfiler\K-Lite Codec Pack\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]

"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:03 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

F-Secure Automatic Update.lnk - C:\Programfiler\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2006-08-20 23:27:43 32807]

Logitech SetPoint.lnk - C:\Programfiler\Logitech\SetPoint\SetPoint.exe [2007-07-23 20:44:08 688128]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3fhg"= mp3fhg.acm

"VIDC.X264"= x264vfw.dll

"VIDC.HFYU"= huffyuv.dll

"vidc.i263"= i263_32.drv

"VIDC.YV12"= yv12vfw.dll

"msacm.divxa32"= divxa32.acm

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=

"C:\\Programfiler\\mIRC\\mirc.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\WINDOWS\\system32\\rundll32.exe"=

"F:\\DC\\DCPlusPlus.exe"=

"C:\\Programfiler\\ABC\\abc.exe"=

"D:\\Games\\Warcraft III\\Warcraft III.exe"=

"D:\\Games\\Nes\\NESTCL95.EXE"=

"D:\\Games\\Warcraft III\\war3.exe"=

"C:\\Programfiler\\Opera\\Opera.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\Programfiler\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"=

"D:\\Games\\Battlefield 2142\\BF2142.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"D:\\Games\\Command & Conquer 3 Tiberium Wars Kane Edition\\RetailExe\\1.6\\cnc3game.dat"=

"D:\\Games\\Call Of Duty 4\\iw3mp.exe"=

"C:\\Programfiler\\iTunes\\iTunes.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"33316:TCP"= 33316:TCP:Bittorrent

 

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-10-31 12:01]

R2 app_filter;app_filter;C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe [2004-11-20 07:01]

R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2006-08-20 23:27]

R2 F-Secure Filter;F-Secure File System Filter;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2005-08-19 15:37]

R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-10-06 16:30]

R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSrec.sys [2005-08-19 15:37]

R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\lccfltr.sys [2004-03-03 10:50]

S2 FSpm;F-Secure Policy Manager;C:\Programfiler\F-Secure\Common\FSPM.SYS []

S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 15:58]

S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 15:58]

S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 15:58]

S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 15:58]

S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 15:58]

S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 15:58]

S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 15:58]

S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [2007-09-06 13:28]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{912975ea-5266-11da-8a88-806d6172696f}]

\Shell\AutoRun\command - G:\cdsetup.exe

 

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-08 23:15:30

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 5

 

**************************************************************************

.

Completion time: 2008-05-08 23:16:14

ComboFix-quarantined-files.txt 2008-05-08 21:16:04

ComboFix2.txt 2008-05-08 21:12:14

ComboFix3.txt 2008-05-08 19:36:11

ComboFix4.txt 2008-05-07 23:09:02

ComboFix5.txt 2008-01-11 19:01:58

 

Pre-Run: 1,779,490,816 byte ledig

Post-Run: 1,772,453,888 byte ledig

 

155


Your log looks fine :thumbup:

 

I would still recommend running a scan with SAS (the free version).

It will remove any leftovers.

 

Afterwards you can remove ComboFix by typing combofix /u in the Run box (Start -> Run)

This will also reset System Restore.

 

Surf safely.

  • 3 weeks later...

Hmm... it seems I have more or less the same problem. SSAD finds something called virtumone or something along those lines. SAS doesn't catch it and Spybot Search & Destroy doesn't catch it either. I also tried VundoFix without luck. I ran ComboFix and got this log:

 

 

Can someone spoon-feed me how to put such text files in a "hidden spoiler"? Thanks in advance!

 

 

 

 

 

ComboFix 08-05-24.1 - Paddington 2008-05-25 17:33:14.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1613 [GMT 2:00]

Running from: C:\Documents and Settings\Paddington\Desktop\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\BMe70d3b61.xml

C:\WINDOWS\cookies.ini

C:\WINDOWS\Downloaded Program Files\setup.inf

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\aJillUvw.ini

C:\WINDOWS\system32\aJillUvw.ini2

C:\WINDOWS\system32\bgljkoxf.ini

C:\WINDOWS\system32\bolssicx.exe

C:\WINDOWS\system32\dmnaffnj.exe

C:\WINDOWS\system32\Feeeefii.ini

C:\WINDOWS\system32\Feeeefii.ini2

C:\WINDOWS\system32\haqwxepv.dll

C:\WINDOWS\system32\hcfjajcp.dll

C:\WINDOWS\system32\jeihtgvv.exe

C:\WINDOWS\system32\jfgugxsr.dll

C:\WINDOWS\system32\jxxftutj.exe

C:\WINDOWS\system32\KmoYxyxx.ini

C:\WINDOWS\system32\KmoYxyxx.ini2

C:\WINDOWS\system32\knjarqiq.exe

C:\WINDOWS\system32\kxsxeedn.dll

C:\WINDOWS\system32\mxgsfbly.ini

C:\WINDOWS\system32\ndeexsxk.ini

C:\WINDOWS\system32\nmqhqqnt.dll

C:\WINDOWS\system32\nVCLknmp.ini

C:\WINDOWS\system32\nVCLknmp.ini2

C:\WINDOWS\system32\pcjajfch.ini

C:\WINDOWS\system32\pwdihses.exe

C:\WINDOWS\system32\qoMghigh.dll

C:\WINDOWS\system32\rpuicuuh.ini

C:\WINDOWS\system32\rsxgugfj.ini

C:\WINDOWS\system32\scoadpmj.ini

C:\WINDOWS\system32\spfsrqxp.dll

C:\WINDOWS\system32\tbmanyhe.exe

C:\WINDOWS\system32\tnqqhqmn.ini

C:\WINDOWS\system32\uxxIOXbc.ini

C:\WINDOWS\system32\uxxIOXbc.ini2

C:\WINDOWS\system32\vnycoptt.dll

C:\WINDOWS\system32\vtUnlIaa.dll

C:\WINDOWS\system32\xskagqka.dll

C:\WINDOWS\system32\aaIlnUtv.ini

C:\WINDOWS\system32\aaIlnUtv.ini2

 

.

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))

.

 

2008-05-25 17:21 . 2008-05-25 17:21 115,712 --a------ C:\WINDOWS\system32\fxokjlgb.dll

2008-05-25 17:18 . 2008-05-25 17:18 136,704 --a------ C:\WINDOWS\system32\jymnsgpo.dll

2008-05-25 17:13 . 2008-05-25 17:13 125,440 --a------ C:\WINDOWS\system32\jwqarfdu.dll

2008-05-25 16:38 . 2008-05-25 16:38 <DIR> d-------- C:\VundoFix Backups

2008-05-24 20:17 . 2008-05-24 20:17 1,169 --a------ C:\WINDOWS\mozver.dat

2008-05-24 19:49 . 2008-05-24 19:49 0 --a------ C:\WINDOWS\nsreg.dat

2008-05-24 17:54 . 2008-05-24 17:54 136,192 --a------ C:\WINDOWS\system32\jdnkpwjb.dll

2008-05-24 17:49 . 2008-05-24 17:49 126,464 --a------ C:\WINDOWS\system32\lfiikswh.dll

2008-05-24 17:49 . 2008-05-24 17:49 115,200 --a------ C:\WINDOWS\system32\huuciupr.dll

2008-05-24 17:38 . 2008-05-24 17:38 <DIR> d-------- C:\WINDOWS\system32\scripting

2008-05-24 17:38 . 2008-05-24 17:38 <DIR> d-------- C:\WINDOWS\system32\en

2008-05-24 17:38 . 2008-05-24 17:38 <DIR> d-------- C:\WINDOWS\system32\bits

2008-05-24 17:38 . 2008-05-24 17:38 <DIR> d-------- C:\WINDOWS\l2schemas

2008-05-24 16:33 . 2008-05-24 16:33 126,464 --a------ C:\WINDOWS\system32\ndfmhvxx.dll

2008-05-23 22:22 . 2008-05-23 22:22 133,632 --a------ C:\WINDOWS\system32\volrnadh.dll

2008-05-23 22:19 . 2008-05-23 22:19 115,200 --a------ C:\WINDOWS\system32\ylbfsgxm.dll

2008-05-23 22:13 . 2008-05-23 22:13 126,464 --a------ C:\WINDOWS\system32\bbtixkdy.dll

2008-05-23 17:56 . 2006-10-03 21:51 2,051,506 --a------ C:\Documents and Settings\Paddington\Juli@_v21.zip

2008-05-22 22:21 . 2008-05-22 22:21 134,144 --a------ C:\WINDOWS\system32\ebjundle.dll

2008-05-22 22:15 . 2008-05-22 22:15 115,200 --a------ C:\WINDOWS\system32\jmpdaocs.dll

2008-05-22 22:12 . 2008-05-22 22:12 126,464 --a------ C:\WINDOWS\system32\xplkoqki.dll

2008-05-22 18:44 . 2008-05-22 18:44 <DIR> d-------- C:\Program Files\Enigma Software Group

2008-05-21 22:29 . 2008-05-22 20:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-05-17 19:53 . 2008-05-17 19:53 <DIR> d-------- C:\Program Files\JLC's Software

2008-05-17 19:53 . 2008-05-17 19:53 <DIR> d-------- C:\Documents and Settings\Paddington\Application Data\JLC's Software

2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

2008-05-01 16:55 . 2008-05-01 16:55 9,640 --a------ C:\cover.jpg

2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys

2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-25 13:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-05-25 13:56 --------- d-----w C:\Program Files\SpywareBlaster

2008-05-25 13:26 --------- d-----w C:\Documents and Settings\Paddington\Application Data\uTorrent

2008-05-24 13:17 --------- d-----w C:\Program Files\SUPERAntiSpyware

2008-05-22 18:42 --------- d-----w C:\Documents and Settings\Paddington\Application Data\SUPERAntiSpyware.com

2008-05-21 20:30 --------- d-----w C:\Program Files\Lavasoft

2008-05-20 18:03 --------- d-----w C:\Program Files\Winamp

2008-05-20 18:02 --------- d-----w C:\Documents and Settings\Paddington\Application Data\Winamp

2008-05-16 17:12 --------- d-----w C:\Program Files\VideoLAN

2008-04-23 18:47 --------- d-----w C:\Program Files\RoomEQWizard

2008-04-17 18:56 --------- d-----w C:\Program Files\Microsoft Works

2008-04-17 18:55 --------- d-----w C:\Documents and Settings\Paddington\Application Data\OfficeUpdate12

2008-04-17 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

2008-04-17 18:45 --------- d-----w C:\Program Files\Microsoft ActiveSync

2008-04-17 18:45 --------- d-----w C:\Program Files\Common Files\L&H

2008-04-17 18:44 --------- d-----w C:\Program Files\Microsoft.NET

2008-04-17 16:36 --------- d-----w C:\Program Files\ieSpell

2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys

2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys

2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys

2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys

2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe

2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll

2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe

2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll

2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe

2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe

2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll

2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe

2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe

2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys

2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys

2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys

2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys

2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys

2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys

2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys

2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys

2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys

2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys

2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys

2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys

2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys

2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys

2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys

2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys

2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys

2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys

2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys

2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys

2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys

2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys

2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys

2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys

2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys

2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys

2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys

2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys

2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys

2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys

2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys

2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys

2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys

2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys

2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys

2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys

2008-04-13 18:56 12,288 ------w C:\WINDOWS\system32\drivers\tunmp.sys

2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys

2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys

2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys

2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys

2008-04-13 18:53 36,608 ------w C:\WINDOWS\system32\drivers\ip6fw.sys

2008-04-13 18:53 264,832 ------w C:\WINDOWS\system32\drivers\http.sys

2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys

2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys

2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys

2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys

2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys

2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys

2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys

2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys

2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys

2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys

2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys

2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys

2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys

2008-04-13 18:39 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys

2008-04-13 18:39 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys

2008-04-13 18:39 5,504 ----a-w C:\WINDOWS\system32\drivers\mstee.sys

2008-04-13 18:39 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys

2008-04-13 18:39 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys

2008-04-13 18:39 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys

2008-04-13 18:39 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys

2008-04-13 18:39 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys

2008-04-13 18:39 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1c08da38-208c-4dea-a3fd-8e66ad629002}]

2008-05-25 17:18 136704 --a------ C:\WINDOWS\system32\jymnsgpo.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1CBE297-32A3-44DC-A98F-BD465AA42670}]

C:\WINDOWS\system32\iifeeeeF.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 02:12 15360]

"VisualTaskTips"="C:\Program Files\VisualTaskTips\VisualTaskTips.exe" [2008-02-19 12:13 61440]

"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Ptipbmf"="ptipbmf.dll" [2003-06-20 09:06 118784 C:\WINDOWS\system32\ptipbmf.dll]

"PtiuPbmd"="ptipbm.dll" [2003-01-15 13:41 24576 C:\WINDOWS\system32\ptipbm.dll]

"AtiPTA"="atiptaxx.exe" [2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

"JulaPan"="JulaPan.Exe" [2006-09-05 11:08 417792 C:\WINDOWS\system32\JulaPan.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 02:12 110592 C:\WINDOWS\system32\bthprops.cpl]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 02:12 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hurtigstart for Adobe Reader.lnk]

backup=C:\WINDOWS\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Phone Connection Monitor.lnk]

backup=C:\WINDOWS\pss\Phone Connection Monitor.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a--c--- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

--a------ 2008-04-14 02:12 110592 C:\WINDOWS\system32\bthprops.cpl

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMe70d3b61]

--a------ 2008-05-24 16:33 126464 C:\WINDOWS\system32\ndfmhvxx.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a--c--- 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e43e08fd]

C:\WINDOWS\system32\jfgugxsr.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EnvyHFCPL]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a--c--- 2005-02-16 16:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

--a------ 2004-09-15 10:12 37888 C:\WINDOWS\KHALMNPR.Exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]

--a--c--- 2003-03-11 16:24 86016 C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]

-rahs---- 2008-01-28 12:43 5146448 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2006-10-12 04:10 49263 C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

--a------ 2007-02-27 11:39 1310720 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aawservice"=2 (0x2)

"AVG Anti-Spyware Guard"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Program Files\\Zattoo\\Zattoo.exe"=

"C:\\Program Files\\Zattoo\\zattood.exe"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

"C:\\Program Files\\utorrent\\utorrent.exe"=

"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

 

R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [2007-11-05 09:55]

R3 JULA_01;Service for Juli@ 1;C:\WINDOWS\system32\drivers\JulaWdm.sys [2006-09-05 11:08]

R3 JULA_AA;Service for Juli@ Audio Driver (EWDM);C:\WINDOWS\system32\drivers\Jula.sys [2006-09-05 11:08]

 

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-25 17:37:08

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2008-05-25 17:38:47 - machine was rebooted

ComboFix-quarantined-files.txt 2008-05-25 15:38:44

ComboFix2.txt 2008-01-20 17:19:35

 

Pre-Run: 5,375,897,600 bytes free

Post-Run: 5,267,058,688 bytes free

 

303

 

 

Clutch


Open Notepad and paste in what is written in bold below, then save the file on the desktop as CFScript.

Then drag the file onto the Combofix icon. Combofix will start again.

File::

C:\WINDOWS\system32\fxokjlgb.dll

C:\WINDOWS\system32\jymnsgpo.dll

C:\WINDOWS\system32\jwqarfdu.dll

C:\WINDOWS\system32\jdnkpwjb.dll

C:\WINDOWS\system32\lfiikswh.dll

C:\WINDOWS\system32\huuciupr.dll

C:\WINDOWS\system32\ndfmhvxx.dll

C:\WINDOWS\system32\volrnadh.dll

C:\WINDOWS\system32\ylbfsgxm.dll

C:\WINDOWS\system32\bbtixkdy.dll

C:\WINDOWS\system32\ebjundle.dll

C:\WINDOWS\system32\jmpdaocs.dll

C:\WINDOWS\system32\xplkoqki.dll

 

Folder::

C:\VundoFix Backups

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1c08da38-208c-4dea-a3fd-8e66ad629002}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1CBE297-32A3-44DC-A98F-BD465AA42670}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMe70d3b61]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e43e08fd]

 

Post a new Combofix log.

I would also like to see the SAS log (preferences -> statistics/logs).

 

You add a spoiler by selecting the text you want to hide, opening the side panel, choosing 'Insert: SPOILER' and clicking OK.


Thanks for the feedback and tips!

 

New Combofix log:

 

 

ComboFix 08-05-24.1 - Paddington 2008-05-25 18:34:52.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1613 [GMT 2:00]

Running from: C:\Documents and Settings\Paddington\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Paddington\Desktop\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\VundoFix Backups

 

.

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))

.

 

2008-05-25 17:21 . 2008-05-25 17:21 115,712 --a------ C:\WINDOWS\system32\fxokjlgb.dll

2008-05-25 17:18 . 2008-05-25 17:18 136,704 --a------ C:\WINDOWS\system32\jymnsgpo.dll

2008-05-25 17:13 . 2008-05-25 17:13 125,440 --a------ C:\WINDOWS\system32\jwqarfdu.dll

2008-05-24 20:17 . 2008-05-24 20:17 1,169 --a------ C:\WINDOWS\mozver.dat

2008-05-24 19:49 . 2008-05-24 19:49 0 --a------ C:\WINDOWS\nsreg.dat

2008-05-24 17:54 . 2008-05-24 17:54 136,192 --a------ C:\WINDOWS\system32\jdnkpwjb.dll

2008-05-24 17:49 . 2008-05-24 17:49 126,464 --a------ C:\WINDOWS\system32\lfiikswh.dll

2008-05-24 17:49 . 2008-05-24 17:49 115,200 --a------ C:\WINDOWS\system32\huuciupr.dll

2008-05-24 17:38 . 2008-05-24 17:38 <DIR> d-------- C:\WINDOWS\system32\scripting

2008-05-24 17:38 . 2008-05-24 17:38 <DIR> d-------- C:\WINDOWS\system32\en

2008-05-24 17:38 . 2008-05-24 17:38 <DIR> d-------- C:\WINDOWS\system32\bits

2008-05-24 17:38 . 2008-05-24 17:38 <DIR> d-------- C:\WINDOWS\l2schemas

2008-05-24 16:33 . 2008-05-24 16:33 126,464 --a------ C:\WINDOWS\system32\ndfmhvxx.dll

2008-05-23 22:22 . 2008-05-23 22:22 133,632 --a------ C:\WINDOWS\system32\volrnadh.dll

2008-05-23 22:19 . 2008-05-23 22:19 115,200 --a------ C:\WINDOWS\system32\ylbfsgxm.dll

2008-05-23 22:13 . 2008-05-23 22:13 126,464 --a------ C:\WINDOWS\system32\bbtixkdy.dll

2008-05-23 17:56 . 2006-10-03 21:51 2,051,506 --a------ C:\Documents and Settings\Paddington\Juli@_v21.zip

2008-05-22 22:21 . 2008-05-22 22:21 134,144 --a------ C:\WINDOWS\system32\ebjundle.dll

2008-05-22 22:15 . 2008-05-22 22:15 115,200 --a------ C:\WINDOWS\system32\jmpdaocs.dll

2008-05-22 22:12 . 2008-05-22 22:12 126,464 --a------ C:\WINDOWS\system32\xplkoqki.dll

2008-05-22 18:44 . 2008-05-22 18:44 <DIR> d-------- C:\Program Files\Enigma Software Group

2008-05-21 22:29 . 2008-05-22 20:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-05-17 19:53 . 2008-05-17 19:53 <DIR> d-------- C:\Program Files\JLC's Software

2008-05-17 19:53 . 2008-05-17 19:53 <DIR> d-------- C:\Documents and Settings\Paddington\Application Data\JLC's Software

2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

2008-05-01 16:55 . 2008-05-01 16:55 9,640 --a------ C:\cover.jpg

2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys

2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-25 13:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-05-25 13:56 --------- d-----w C:\Program Files\SpywareBlaster

2008-05-25 13:26 --------- d-----w C:\Documents and Settings\Paddington\Application Data\uTorrent

2008-05-24 13:17 --------- d-----w C:\Program Files\SUPERAntiSpyware

2008-05-22 18:42 --------- d-----w C:\Documents and Settings\Paddington\Application Data\SUPERAntiSpyware.com

2008-05-21 20:30 --------- d-----w C:\Program Files\Lavasoft

2008-05-20 18:03 --------- d-----w C:\Program Files\Winamp

2008-05-20 18:02 --------- d-----w C:\Documents and Settings\Paddington\Application Data\Winamp

2008-05-16 17:12 --------- d-----w C:\Program Files\VideoLAN

2008-04-23 18:47 --------- d-----w C:\Program Files\RoomEQWizard

2008-04-17 18:56 --------- d-----w C:\Program Files\Microsoft Works

2008-04-17 18:55 --------- d-----w C:\Documents and Settings\Paddington\Application Data\OfficeUpdate12

2008-04-17 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

2008-04-17 18:45 --------- d-----w C:\Program Files\Microsoft ActiveSync

2008-04-17 18:45 --------- d-----w C:\Program Files\Common Files\L&H

2008-04-17 18:44 --------- d-----w C:\Program Files\Microsoft.NET

2008-04-17 16:36 --------- d-----w C:\Program Files\ieSpell

2008-04-14 03:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll

2008-04-14 03:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe

2008-04-14 03:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll

2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin

2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe

2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll

2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll

2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys

2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys

2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys

2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll

2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys

2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll

2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll

2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll

2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll

2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll

2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys

2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys

2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys

2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys

2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys

2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys

2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys

2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys

2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys

2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys

2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys

2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys

2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys

2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys

2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys

2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys

2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys

2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys

2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys

2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys

2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys

2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys

2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys

2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys

2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys

2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys

2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys

2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys

2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys

2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys

2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys

2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys

2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys

2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys

2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys

2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys

2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys

2008-04-13 18:56 12,288 ------w C:\WINDOWS\system32\drivers\tunmp.sys

2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys

2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys

2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys

2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys

2008-04-13 18:53 36,608 ------w C:\WINDOWS\system32\drivers\ip6fw.sys

2008-04-13 18:53 264,832 ------w C:\WINDOWS\system32\drivers\http.sys

2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys

2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys

2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys

2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys

2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys

2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys

2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys

2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys

2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys

2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys

2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys

2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe

2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys

2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe

2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys

2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 02:12 15360]

"VisualTaskTips"="C:\Program Files\VisualTaskTips\VisualTaskTips.exe" [2008-02-19 12:13 61440]

"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Ptipbmf"="ptipbmf.dll" [2003-06-20 09:06 118784 C:\WINDOWS\system32\ptipbmf.dll]

"PtiuPbmd"="ptipbm.dll" [2003-01-15 13:41 24576 C:\WINDOWS\system32\ptipbm.dll]

"AtiPTA"="atiptaxx.exe" [2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

"JulaPan"="JulaPan.Exe" [2006-09-05 11:08 417792 C:\WINDOWS\system32\JulaPan.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 02:12 110592 C:\WINDOWS\system32\bthprops.cpl]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 02:12 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hurtigstart for Adobe Reader.lnk]

backup=C:\WINDOWS\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Phone Connection Monitor.lnk]

backup=C:\WINDOWS\pss\Phone Connection Monitor.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a--c--- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

--a------ 2008-04-14 02:12 110592 C:\WINDOWS\system32\bthprops.cpl

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a--c--- 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EnvyHFCPL]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a--c--- 2005-02-16 16:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

--a------ 2004-09-15 10:12 37888 C:\WINDOWS\KHALMNPR.Exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]

--a--c--- 2003-03-11 16:24 86016 C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]

-rahs---- 2008-01-28 12:43 5146448 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2006-10-12 04:10 49263 C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

--a------ 2007-02-27 11:39 1310720 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aawservice"=2 (0x2)

"AVG Anti-Spyware Guard"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Program Files\\Zattoo\\Zattoo.exe"=

"C:\\Program Files\\Zattoo\\zattood.exe"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

"C:\\Program Files\\utorrent\\utorrent.exe"=

"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

 

R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [2007-11-05 09:55]

R3 JULA_01;Service for Juli@ 1;C:\WINDOWS\system32\drivers\JulaWdm.sys [2006-09-05 11:08]

R3 JULA_AA;Service for Juli@ Audio Driver (EWDM);C:\WINDOWS\system32\drivers\Jula.sys [2006-09-05 11:08]

 

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-25 18:35:55

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-05-25 18:36:37

ComboFix-quarantined-files.txt 2008-05-25 16:36:27

ComboFix2.txt 2008-05-25 15:38:48

ComboFix3.txt 2008-01-20 17:19:35

 

Pre-Run: 5,240,287,232 bytes free

Post-Run: 5,221,797,888 bytes free

 

248

 

 

SAS log coming soon.

 

Clutch


SAS log:

 

 

SUPERAntiSpyware Scan Log

Generated 05/25/2008 at 06:59 PM

 

Application Version : 3.6.1000

 

Core Rules Database Version : 3468

Trace Rules Database Version: 1459

 

Scan type : Quick Scan

Total Scan Time : 00:17:18

 

Memory items scanned : 285

Memory threats detected : 0

Registry items scanned : 894

Registry threats detected : 0

File items scanned : 13514

File threats detected : 7

 

Adware.Tracking Cookie

C:\Documents and Settings\Paddington\Cookies\[email protected][1].txt

 

Trojan.Unknown Origin

C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HAQWXEPV.DLL.VIR

C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KXSXEEDN.DLL.VIR

 

Adware.Vundo Variant

C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JFGUGXSR.DLL.VIR

C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SPFSRQXP.DLL.VIR

C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VNYCOPTT.DLL.VIR

C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\XSKAGQKA.DLL.VIR

 

 

 

Clutch


Download Avenger and unpack it.

 

Start the program, select "Input Script Manually" and click the magnifying glass.

In the window that opens, copy and paste what is in bold below:

Files to delete:

C:\WINDOWS\system32\fxokjlgb.dll

C:\WINDOWS\system32\jymnsgpo.dll

C:\WINDOWS\system32\jwqarfdu.dll

C:\WINDOWS\system32\jdnkpwjb.dll

C:\WINDOWS\system32\lfiikswh.dll

C:\WINDOWS\system32\huuciupr.dll

C:\WINDOWS\system32\ndfmhvxx.dll

C:\WINDOWS\system32\volrnadh.dll

C:\WINDOWS\system32\ylbfsgxm.dll

C:\WINDOWS\system32\bbtixkdy.dll

C:\WINDOWS\system32\ebjundle.dll

C:\WINDOWS\system32\jmpdaocs.dll

C:\WINDOWS\system32\xplkoqki.dll

 

Click the traffic light. Restart the PC.

After the restart a log file will appear that describes what happened.

Post it.


Thanks a lot for the help.

Here is the Avenger log:

 

 

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

 

Platform: Windows XP

 

*******************

 

Script file opened successfully.

Script file read successfully.

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Rootkit scan active.

No rootkits found!

 

File "C:\WINDOWS\system32\fxokjlgb.dll" deleted successfully.

File "C:\WINDOWS\system32\jymnsgpo.dll" deleted successfully.

File "C:\WINDOWS\system32\jwqarfdu.dll" deleted successfully.

File "C:\WINDOWS\system32\jdnkpwjb.dll" deleted successfully.

File "C:\WINDOWS\system32\lfiikswh.dll" deleted successfully.

File "C:\WINDOWS\system32\huuciupr.dll" deleted successfully.

File "C:\WINDOWS\system32\ndfmhvxx.dll" deleted successfully.

File "C:\WINDOWS\system32\volrnadh.dll" deleted successfully.

File "C:\WINDOWS\system32\ylbfsgxm.dll" deleted successfully.

File "C:\WINDOWS\system32\bbtixkdy.dll" deleted successfully.

File "C:\WINDOWS\system32\ebjundle.dll" deleted successfully.

File "C:\WINDOWS\system32\jmpdaocs.dll" deleted successfully.

File "C:\WINDOWS\system32\xplkoqki.dll" deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

 

Clutch

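How a helper gets from a ComboFix log to a "Files to delete" list like the one above, and how to check the Avenger log against that list afterwards: an added Python example, not code from this thread or from the ComboFix or Avenger authors. Both sample logs are constructed from line formats and entries that appear in this thread, and the three heuristics (an 8-letter DLL newly created in system32, a BHO registered from system32, a Run value whose DLL ComboFix could not find) are assumptions drawn from those logs; the output is a list for a human to review, not an automatic deletion script.

```python
import re
from collections import namedtuple

# Constructed sample built from line formats and entries that appear in the
# ComboFix logs posted in this thread, trimmed to one example of each kind.
SAMPLE_COMBOFIX_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
2008-06-20 23:52 . 2008-06-20 23:52 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-20 20:51 . 2008-06-20 20:51 79,872 --a------ C:\WINDOWS\system32\ojxuubrk.dll
2008-06-20 20:48 . 2008-06-20 20:48 99,328 --a------ C:\WINDOWS\system32\dkuhxbeh.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-04-14 03:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4150a87-9868-40d4-8ea5-2735b3783fb0}]
C:\WINDOWS\system32\qtlwlxwh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 10:00 339968]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"169b1dbb"="C:\WINDOWS\system32\cdvcbdyy.dll" [ ]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 09:06 118784 C:\WINDOWS\system32\ptipbmf.dll]
"""

# Constructed Avenger log in the format shown in this thread; two of the
# requested files are deliberately missing so the cross-check has work to do.
SAMPLE_AVENGER_LOG = r"""
Beginning to process script file:
No rootkits found!
File "C:\WINDOWS\system32\ojxuubrk.dll" deleted successfully.
File "C:\WINDOWS\system32\qtlwlxwh.dll" deleted successfully.
Completed script processing.
"""

Finding = namedtuple("Finding", "reason path where")

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")
KEY_RE = re.compile(r"^\[.*\]$")
BHO_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\\{[0-9A-Fa-f-]+\}\]$")
RUN_KEY_RE = re.compile(r"^\[HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run\]$", re.IGNORECASE)
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
                        r"\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]$')
SYSTEM32_FILE_RE = re.compile(r"\\WINDOWS\\system32\\([^\\]+)$", re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$", re.IGNORECASE)
AVENGER_DELETED_RE = re.compile(r'^File "(.+)" deleted successfully\.$')


def triage_combofix(log_text):
    """Flag Vundo-style entries in 'Files Created' and 'Reg Loading Points'.
    Find3M is skipped on purpose: after an XP service pack it lists legitimate
    8-letter DLLs such as setupapi.dll and would only add false positives."""
    findings, section, key = [], "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), ""
            continue
        if KEY_RE.match(line):
            key = line
            continue
        if section.startswith("Files Created"):
            m = CREATED_RE.match(line)
            if m and m.group(1) != "<DIR>":
                hit = SYSTEM32_FILE_RE.search(m.group(2))
                if hit and RANDOM_DLL_RE.match(hit.group(1)):
                    findings.append(Finding("new 8-letter DLL in system32", m.group(2), section))
        elif section.startswith("Reg Loading Points"):
            # Legitimate BHOs live under Program Files; Vundo registers a
            # system32 DLL as a BHO so it is loaded into every IE process.
            if BHO_KEY_RE.match(key) and SYSTEM32_FILE_RE.search(line):
                findings.append(Finding("BHO DLL loaded from system32", line, key))
            elif RUN_KEY_RE.match(key):
                m = RUN_VALUE_RE.match(line)
                # '[ ]' means ComboFix found no file behind the value: the autostart
                # outlived its DLL, which is what produces the DLL error at logon.
                if m and m.group(2).lower().endswith(".dll") and not m.group(3).strip():
                    findings.append(Finding("Run value points at a missing DLL", m.group(2), m.group(1)))
    return findings


def candidate_files(findings):
    """Sorted, de-duplicated paths for a helper to review before scripting deletion."""
    return sorted({f.path for f in findings})


def unconfirmed_deletions(requested, avenger_log):
    """Requested paths with no 'deleted successfully' line in the Avenger log."""
    matches = (AVENGER_DELETED_RE.match(l.strip()) for l in avenger_log.splitlines())
    deleted = {m.group(1).lower() for m in matches if m}
    return [p for p in requested if p.lower() not in deleted]


if __name__ == "__main__":
    found = triage_combofix(SAMPLE_COMBOFIX_LOG)
    print(*found, unconfirmed_deletions(candidate_files(found), SAMPLE_AVENGER_LOG), sep="\n")
```

Run as-is it prints the four findings and the two paths the Avenger log never confirmed; the missing-DLL Run value is the case where the fix is removing the registry value, not deleting a file.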

New ComboFix log:

 

 

ComboFix 08-05-24.1 - Paddington 2008-05-25 20:09:24.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1669 [GMT 2:00]

Running from: C:\Documents and Settings\Paddington\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))

.

 

2008-05-25 20:08 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-05-24 20:17 . 2008-05-24 20:17 1,169 --a------ C:\WINDOWS\mozver.dat

2008-05-24 19:49 . 2008-05-24 19:49 0 --a------ C:\WINDOWS\nsreg.dat

2008-05-24 17:38 . 2008-05-24 17:38 <DIR> d-------- C:\WINDOWS\system32\scripting

2008-05-24 17:38 . 2008-05-24 17:38 <DIR> d-------- C:\WINDOWS\system32\en

2008-05-24 17:38 . 2008-05-24 17:38 <DIR> d-------- C:\WINDOWS\system32\bits

2008-05-24 17:38 . 2008-05-24 17:38 <DIR> d-------- C:\WINDOWS\l2schemas

2008-05-23 17:56 . 2006-10-03 21:51 2,051,506 --a------ C:\Documents and Settings\Paddington\Juli@_v21.zip

2008-05-22 18:44 . 2008-05-22 18:44 <DIR> d-------- C:\Program Files\Enigma Software Group

2008-05-21 22:29 . 2008-05-22 20:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-05-17 19:53 . 2008-05-17 19:53 <DIR> d-------- C:\Program Files\JLC's Software

2008-05-17 19:53 . 2008-05-17 19:53 <DIR> d-------- C:\Documents and Settings\Paddington\Application Data\JLC's Software

2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

2008-05-01 16:55 . 2008-05-01 16:55 9,640 --a------ C:\cover.jpg

2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys

2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-25 18:08 --------- d-----w C:\Program Files\Java

2008-05-25 16:40 --------- d-----w C:\Program Files\SUPERAntiSpyware

2008-05-25 13:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-05-25 13:56 --------- d-----w C:\Program Files\SpywareBlaster

2008-05-25 13:26 --------- d-----w C:\Documents and Settings\Paddington\Application Data\uTorrent

2008-05-22 18:42 --------- d-----w C:\Documents and Settings\Paddington\Application Data\SUPERAntiSpyware.com

2008-05-21 20:30 --------- d-----w C:\Program Files\Lavasoft

2008-05-20 18:03 --------- d-----w C:\Program Files\Winamp

2008-05-20 18:02 --------- d-----w C:\Documents and Settings\Paddington\Application Data\Winamp

2008-05-16 17:12 --------- d-----w C:\Program Files\VideoLAN

2008-04-23 18:47 --------- d-----w C:\Program Files\RoomEQWizard

2008-04-17 18:56 --------- d-----w C:\Program Files\Microsoft Works

2008-04-17 18:55 --------- d-----w C:\Documents and Settings\Paddington\Application Data\OfficeUpdate12

2008-04-17 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

2008-04-17 18:45 --------- d-----w C:\Program Files\Microsoft ActiveSync

2008-04-17 18:45 --------- d-----w C:\Program Files\Common Files\L&H

2008-04-17 18:44 --------- d-----w C:\Program Files\Microsoft.NET

2008-04-17 16:36 --------- d-----w C:\Program Files\ieSpell

2008-04-14 03:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll

2008-04-14 03:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe

2008-04-14 03:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll

2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin

2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe

2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll

2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll

2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys

2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys

2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys

2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll

2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys

2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll

2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll

2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll

2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll

2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll

2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys

2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys

2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys

2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys

2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys

2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys

2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys

2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys

2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys

2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys

2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys

2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys

2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys

2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys

2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys

2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys

2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys

2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys

2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys

2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys

2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys

2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys

2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys

2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys

2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys

2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys

2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys

2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys

2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys

2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys

2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys

2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys

2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys

2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys

2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys

2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys

2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys

2008-04-13 18:56 12,288 ------w C:\WINDOWS\system32\drivers\tunmp.sys

2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys

2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys

2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys

2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys

2008-04-13 18:53 36,608 ------w C:\WINDOWS\system32\drivers\ip6fw.sys

2008-04-13 18:53 264,832 ------w C:\WINDOWS\system32\drivers\http.sys

2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys

2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys

2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys

2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys

2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys

2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys

2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys

2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys

2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys

2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys

2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys

2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe

2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys

2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe

2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys

.

 

((((((((((((((((((((((((((((( snapshot@2008-05-25_17.38.31.81 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-25 15:36:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-25 17:44:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat

- 2006-10-12 00:35:14 49,248 ----a-w C:\WINDOWS\system32\java.exe

+ 2008-03-24 23:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe

- 2006-10-12 00:35:24 53,346 ----a-w C:\WINDOWS\system32\javaw.exe

+ 2008-03-24 23:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe

- 2006-10-12 02:10:56 127,078 ----a-w C:\WINDOWS\system32\javaws.exe

+ 2008-03-25 00:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 02:12 15360]

"VisualTaskTips"="C:\Program Files\VisualTaskTips\VisualTaskTips.exe" [2008-02-19 12:13 61440]

"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Ptipbmf"="ptipbmf.dll" [2003-06-20 09:06 118784 C:\WINDOWS\system32\ptipbmf.dll]

"PtiuPbmd"="ptipbm.dll" [2003-01-15 13:41 24576 C:\WINDOWS\system32\ptipbm.dll]

"AtiPTA"="atiptaxx.exe" [2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

"JulaPan"="JulaPan.Exe" [2006-09-05 11:08 417792 C:\WINDOWS\system32\JulaPan.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 02:12 110592 C:\WINDOWS\system32\bthprops.cpl]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 02:12 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hurtigstart for Adobe Reader.lnk]

backup=C:\WINDOWS\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Phone Connection Monitor.lnk]

backup=C:\WINDOWS\pss\Phone Connection Monitor.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a--c--- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

--a------ 2008-04-14 02:12 110592 C:\WINDOWS\system32\bthprops.cpl

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a--c--- 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EnvyHFCPL]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a--c--- 2005-02-16 16:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

--a------ 2004-09-15 10:12 37888 C:\WINDOWS\KHALMNPR.Exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]

--a--c--- 2003-03-11 16:24 86016 C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]

-rahs---- 2008-01-28 12:43 5146448 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2006-10-12 04:10 49263 C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

--a------ 2007-02-27 11:39 1310720 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aawservice"=2 (0x2)

"AVG Anti-Spyware Guard"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Program Files\\Zattoo\\Zattoo.exe"=

"C:\\Program Files\\Zattoo\\zattood.exe"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

"C:\\Program Files\\utorrent\\utorrent.exe"=

"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

 

R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [2007-11-05 09:55]

R3 JULA_01;Service for Juli@ 1;C:\WINDOWS\system32\drivers\JulaWdm.sys [2006-09-05 11:08]

R3 JULA_AA;Service for Juli@ Audio Driver (EWDM);C:\WINDOWS\system32\drivers\Jula.sys [2006-09-05 11:08]

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-25 20:10:27

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-05-25 20:11:17

ComboFix-quarantined-files.txt 2008-05-25 18:11:08

ComboFix2.txt 2008-05-25 16:36:38

ComboFix3.txt 2008-05-25 15:38:48

ComboFix4.txt 2008-01-20 17:19:35

 

Pre-Run: 5,087,350,784 bytes free

Post-Run: 5,072,244,736 bytes free

 

244

 

 

 

Clutch


Then you can change your topic title by doing a full edit of your first post and writing:

[LØST] ([SOLVED])

in front of your topic title. This helps keep the forum tidy :)

 

 

edit: never mind, you can't do that :/

Edited by r2d290
4 weeks later...

I have the same problem, it nags about a dll file after startup..

here is my combofix log:

 

ComboFix 08-06-19.4 - kølle 2008-06-21 0:01:44.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.401 [GMT 2:00]

Running from: C:\Documents and Settings\kølle\Skrivebord\ComboFix.exe

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))

.

 

2008-06-20 23:57 . 2008-06-20 23:57 <DIR> dr-h----- C:\Documents and Settings\kølle\Siste

2008-06-20 23:57 . 2008-06-20 23:57 <DIR> dr-h----- C:\Documents and Settings\kølle\Siste

2008-06-20 23:56 . 2008-06-20 23:56 <DIR> d-------- C:\Documents and Settings\k°lle

2008-06-20 23:52 . 2008-06-20 23:52 <DIR> d-------- C:\WINDOWS\LastGood

2008-06-20 20:51 . 2008-06-20 20:51 79,872 --a------ C:\WINDOWS\system32\ojxuubrk.dll

2008-06-20 20:48 . 2008-06-20 20:48 99,328 --a------ C:\WINDOWS\system32\dkuhxbeh.dll

2008-06-20 20:45 . 2008-06-20 20:45 90,624 --a------ C:\WINDOWS\system32\jgvbjlcv.dll

2008-06-20 20:13 . 2008-06-20 20:13 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-06-20 20:12 . 2008-06-20 20:12 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-06-20 20:12 . 2008-06-20 20:12 <DIR> d-------- C:\Documents and Settings\kølle\Programdata\SUPERAntiSpyware.com

2008-06-20 20:12 . 2008-06-20 20:12 <DIR> d-------- C:\Documents and Settings\kølle\Programdata\SUPERAntiSpyware.com

2008-06-20 20:12 . 2008-06-20 20:12 <DIR> d-------- C:\Documents and Settings\kølle\Programdata\SUPERAntiSpyware.com

2008-06-20 20:10 . 2008-06-20 20:10 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-06-20 19:58 . 2008-06-20 19:58 0 --a------ C:\WINDOWS\nsreg.dat

2008-06-20 19:52 . 2008-06-20 19:57 <DIR> d-------- C:\Programfiler\Enigma Software Group

2008-06-20 15:49 . 2008-06-20 15:51 <DIR> d-------- C:\Programfiler\Yahoo!

2008-06-20 15:38 . 2008-06-20 15:52 <DIR> d-------- C:\Programfiler\CCleaner

2008-06-15 14:05 . 2008-06-15 14:05 8 --a------ C:\WINDOWS\system32\169b0f35

2008-06-13 14:46 . 2008-06-13 14:49 <DIR> d-------- C:\Programfiler\RegistrySmart

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-20 17:41 --------- d-----w C:\Programfiler\Google

2008-06-20 14:57 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-06-19 15:54 31,926 ----a-w C:\Documents and Settings\kølle\Programdata\wklnhst.dat

2008-06-19 15:54 31,926 ----a-w C:\Documents and Settings\kølle\Programdata\wklnhst.dat

2008-06-19 15:54 31,926 ----a-w C:\Documents and Settings\kølle\Programdata\wklnhst.dat

2008-06-09 18:44 --------- d-----w C:\Documents and Settings\kølle\Programdata\Azureus

2008-06-09 18:44 --------- d-----w C:\Documents and Settings\kølle\Programdata\Azureus

2008-06-09 18:44 --------- d-----w C:\Documents and Settings\kølle\Programdata\Azureus

2008-05-17 16:50 --------- d-----w C:\Documents and Settings\All Users\Programdata\Installations

2008-05-16 09:28 212,024 ----a-w C:\WINDOWS\system32\nscrnsav.scr

2008-05-14 18:11 --------- d-----w C:\Programfiler\Fellesfiler\Adobe

2008-05-14 18:10 --------- d-----w C:\Documents and Settings\kølle\Programdata\AdobeUM

2008-05-14 18:10 --------- d-----w C:\Documents and Settings\kølle\Programdata\AdobeUM

2008-05-14 18:10 --------- d-----w C:\Documents and Settings\kølle\Programdata\AdobeUM

2008-04-20 10:48 --------- d-----w C:\Programfiler\Azureus

2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:51 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll

2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-25 04:51 166,688 ------w C:\WINDOWS\system32\dllcache\msjint40.dll

2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-20 08:11 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys

2006-01-14 09:43 320 -c--a-w C:\Documents and Settings\Else Marie\Programdata\wklnhst.dat

.

 

((((((((((((((((((((((((((((( snapshot@2008-06-20_23.55.33.57 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4150a87-9868-40d4-8ea5-2735b3783fb0}]

C:\WINDOWS\system32\qtlwlxwh.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C769E703-2929-44B2-89E8-C39913D046EA}]

C:\WINDOWS\system32\cbXpOIxV.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 02:04 1415824]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:00 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 12:12 139264]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 10:00 339968]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]

"hpWirelessAssistant"="C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 15:11 794624]

"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 14:12 102492]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 14:11 692316]

"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]

"eabconfg.cpl"="C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24 290816]

"Cpqset"="C:\Programfiler\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01 233534]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 13:54 253952]

"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.EXE" [2008-06-02 09:47 277616]

"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]

"169b1dbb"="C:\WINDOWS\system32\cdvcbdyy.dll" [ ]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:00 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

BTTray.lnk - C:\Programfiler\WIDCOMM\Bluetooth-programvare\BTTray.exe [2004-12-23 12:07:30 569405]

HP Digital Imaging Monitor.lnk - C:\Programfiler\Hp\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.X264"= x264vfw.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Azureus\\Azureus.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"C:\\Programfiler\\iTunes\\iTunes.exe"=

 

R2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]

R2 NVOY;Norman's Very Own supplY of resources;"C:\Norman\npm\bin\nvoy.exe" [2008-02-07 11:07]

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 17:18]

R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 15:56]

R3 nvcoas;Norman Virus Control on-access component;"C:\Norman\Nvc\bin\nvcoas.exe" [2008-04-30 13:28]

R3 NVCScheduler;Norman Virus Control Scheduler;"C:\Norman\Npm\bin\NVCSCHED.EXE" [2007-09-18 12:41]

S3 cxbu0wdm;CardMan 3x21;C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys [2006-07-11 10:03]

S3 nvcfsr;nvcfsr;C:\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 14:25]

S3 nvcoafl51;nvcoafl51;C:\Norman\Nvc\bin\nvcoafl51.sys [2007-01-09 14:25]

S3 nvcoaft51;nvcoaft51;C:\Norman\Nvc\bin\nvcoaft51.sys [2007-01-09 14:25]

S3 nvcoarc51;nvcoarc51;C:\Norman\Nvc\bin\nvcoarc51.sys [2007-01-09 14:25]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6354a86-ec66-11dc-9293-0010c6e8684f}]

\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe

 

.

Contents of the 'Scheduled Tasks' folder

"2008-06-19 14:57:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-21 00:03:29

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Programfiler\HPQ\Default Settings\cpqset.exe?????????6?8?4?1??@???? ???B?????????????hLC????????

 

scanning hidden files ...

 

 

**************************************************************************

.

Completion time: 2008-06-21 0:05:24

ComboFix-quarantined-files.txt 2008-06-20 22:04:21

ComboFix2.txt 2008-06-20 21:55:59

 

Pre-Run: 11,669,790,720 bytes free

Post-Run: 11,662,077,952 bytes free

 

133 --- E O F --- 2008-06-01 19:54:46

 

 

 

Any suggestions?

Link to comment
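The Run-key dump in the log above is where the odd entry sits: `"169b1dbb"="C:\WINDOWS\system32\cdvcbdyy.dll" [ ]`, a value named with eight hex digits, pointing straight at a DLL rather than an EXE, and shown with an empty `[ ]` where ComboFix prints a date and size for the other entries. The same empty `[ ]` also appears on the legitimate `UserFaultCheck` (dumprep) entry, so that marker alone proves nothing. The script below is an added example, not part of the thread and not ComboFix or Norman code: it parses Run-key blocks written in this log format and scores each entry on those three observations, weighting the missing-file marker lowest. The sample log text is constructed (modelled on the lines above), and the function names, the weights and the threshold are assumptions of this example.

```python
"""Triage Run-key entries from a ComboFix-style autostart log (added example).

Scoring (assumed weights; score >= SUSPICIOUS_THRESHOLD is reported):
  +2  value name is eight hex digits; legitimate software names its
      autostart values after itself, random-looking names do not
  +2  the command points directly at a .dll instead of an .exe
  +1  no date/size was recorded for the file, shown as "[ ]"
      (weighted low: legitimate entries with arguments, such as
      "dumprep 0 -u", get the same marker)
"""
import re
from typing import Dict, List

SUSPICIOUS_THRESHOLD = 3

# "[HKEY_...\Run]" section headers and '"name"="command" [date time size]' lines
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<stat>[^\]]*)\]\s*$')
HEX8_RE = re.compile(r"^[0-9a-fA-F]{8}$")

# Constructed sample modelled on the log above: legitimate entries plus the
# random-named DLL entry. Not a verbatim copy of the poster's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 10:00 339968]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"169b1dbb"="C:\WINDOWS\system32\cdvcbdyy.dll" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:00 15360]
"""


def parse_run_entries(log_text: str) -> List[Dict]:
    """Return every entry line found under a registry key ending in \\Run."""
    entries: List[Dict] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current_key = header.group("key")
            continue
        if not current_key.lower().endswith("\\run"):
            continue  # ignore firewall, drivers32, mountpoints2 ... sections
        entry = ENTRY_RE.match(line)
        if entry:
            entries.append({
                "key": current_key,
                "name": entry.group("name"),
                "command": entry.group("cmd"),
                # ComboFix prints "[ ]" when it has no date/size for the file
                "file_found": bool(entry.group("stat").strip()),
            })
    return entries


def score_entry(entry: Dict) -> Dict:
    """Attach a score, the reasons behind it and a suspicious flag to one entry."""
    score = 0
    reasons: List[str] = []
    if HEX8_RE.match(entry["name"]):
        score += 2
        reasons.append("value name is eight random-looking hex digits")
    target = entry["command"].strip().strip('"').lower()
    if target.endswith(".dll"):
        score += 2
        reasons.append("command points directly at a DLL, not an EXE")
    if not entry["file_found"]:
        score += 1
        reasons.append("no date/size recorded for the file ('[ ]')")
    return {**entry, "score": score, "reasons": reasons,
            "suspicious": score >= SUSPICIOUS_THRESHOLD}


def triage_run_entries(log_text: str) -> List[Dict]:
    """Parse and score every Run-key entry in the log."""
    return [score_entry(e) for e in parse_run_entries(log_text)]


def suspicious_entries(log_text: str) -> List[Dict]:
    """Only the entries that reach the threshold, for follow-up by hand."""
    return [e for e in triage_run_entries(log_text) if e["suspicious"]]


if __name__ == "__main__":
    for e in triage_run_entries(SAMPLE_LOG):
        flag = "SUSPICIOUS" if e["suspicious"] else "ok"
        print(f'{flag:10} score={e["score"]}  "{e["name"]}"={e["command"]}')
        for reason in e["reasons"]:
            print("             -", reason)
```

Run it against a saved ComboFix.txt by replacing `SAMPLE_LOG` with the file's contents; on the constructed sample only the `169b1dbb` entry reaches the threshold, while `UserFaultCheck` scores 1 for its `[ ]` marker and is left alone. A hit is a lead to check by hand (file present or not, who signed it, what else references that DLL), not a verdict.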
