Xarus Skrevet 27. april 2008 Skrevet 27. april 2008 SAS: SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 04/27/2008 at 06:40 Application Version : 3.9.1008 Core Rules Database Version : 3302 Trace Rules Database Version: 1308 Scan type : Complete Scan Total Scan Time : 00:47:51 Memory items scanned : 569 Memory threats detected : 1 Registry items scanned : 5558 Registry threats detected : 3 File items scanned : 46840 File threats detected : 14 Trojan.Downloader-Gen/SCM C:\PROGRAMFILER\NETPROJECT\SCM.EXE C:\PROGRAMFILER\NETPROJECT\SCM.EXE C:\WINDOWS\Prefetch\SCM.EXE-164D2C6B.pf Adware.Tracking Cookie C:\Documents and Settings\Sindre\Cookies\sindre@mediaplex[1].txt C:\Documents and Settings\Sindre\Cookies\sindre@serving-sys[2].txt C:\Documents and Settings\Sindre\Cookies\[email protected][2].txt C:\Documents and Settings\Sindre\Cookies\sindre@atdmt[2].txt C:\Documents and Settings\Sindre\Cookies\[email protected][2].txt C:\Documents and Settings\Sindre\Cookies\sindre@advertising[2].txt C:\Documents and Settings\Sindre\Cookies\sindre@doubleclick[2].txt C:\Documents and Settings\Sindre\Cookies\sindre@tradedoubler[2].txt C:\Documents and Settings\Sindre\Cookies\sindre@2o7[2].txt C:\Documents and Settings\Sindre\Cookies\sindre@imrworldwide[1].txt Trojan.Security Toolbar C:\Documents and Settings\All Users\Start-meny\Online Security Guide.url C:\Documents and Settings\All Users\Start-meny\Security Troubleshooting.url Malware.SpyLocked HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#DisplayName HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#UninstallString HIJACK: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:16:30, on 27.04.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5450.0004) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Programfiler\Intel\Intel Application Accelerator\iaantmon.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PRISMSVC.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\PRISMSVR.EXE C:\WINDOWS\system32\MsPMSPSv.exe C:\Programfiler\Intel\Intel Application Accelerator\iaanotif.exe C:\Programfiler\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe C:\Programfiler\Dell\Media Experience\DMXLauncher.exe C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE C:\WINDOWS\system32\dla\tfswctrl.exe C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe C:\Programfiler\PowerISO\PWRISOVM.EXE C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe C:\Programfiler\Winamp\winampa.exe C:\Programfiler\Fellesfiler\InstallShield\UpdateService\ISUSPM.exe C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe C:\programfiler\valve\steam\steam.exe C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\Logitech\SetPoint\SetPoint.exe C:\Programfiler\Skyr@cer Pro Utility\WLANPRO.exe C:\Programfiler\Fellesfiler\Logitech\KHAL\KHALMNPR.EXE C:\WINDOWS\System32\svchost.exe C:\Programfiler\WinZip\WZQKPICK.EXE C:\Programfiler\Dell Wireless\PRISMCFG.exe C:\Programfiler\Xfire\Xfire.exe C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Programfiler\CCleaner\ccleaner.exe C:\Programfiler\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\imapi.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\explorer.exe C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Programfiler\Dealio\kb106\Dealio.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\no\msntb.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\no\msntb.dll O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Programfiler\Dealio\kb106\Dealio.dll O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Programfiler\NetProject\wamdl.dll (file missing) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [iAAnotif] C:\Programfiler\Intel\Intel Application Accelerator\iaanotif.exe O4 - HKLM\..\Run: [CTSysVol] C:\Programfiler\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [DVDLauncher] "C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [DMXLauncher] C:\Programfiler\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [au] C:\Programfiler\Dealio\DealioAU.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe O4 - HKLM\..\Run: [iSUSPM] C:\Programfiler\Fellesfiler\InstallShield\UpdateService\ISUSPM.exe -scheduler O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [steam] "c:\programfiler\valve\steam\steam.exe" -silent O4 - HKCU\..\Run: [LDM] C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [VoipBuster] "C:\Programfiler\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized O4 - HKCU\..\Run: [bitTorrent] "C:\Programfiler\BitTorrent\bittorrent.exe" --force_start_minimized O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Xfire.lnk = C:\Programfiler\Xfire\Xfire.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Programfiler\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: Skyr@cer Pro PCI 154 Configuration Utility.lnk = ? O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programfiler\WinZip\WZQKPICK.EXE O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ? O8 - Extra context menu item: Compare Prices with &Dealio - C:\Programfiler\Dealio\kb106\res\DealioSearch.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Programfiler\Dealio\kb106\Dealio.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll O22 - SharedTaskScheduler: frowardness - {b0fdc513-46b9-46fc-8e70-d575ee546dae} - C:\WINDOWS\system32\zfaiqwr.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Programfiler\Intel\Intel Application Accelerator\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE -- End of file - 9760 bytes COMBOFIX ComboFix 08-04-26.5 - Sindre 2008-04-27 20:11:26.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.573 [GMT 2:00] Running from: C:\Documents and Settings\Sindre\Skrivebord\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Sindre\err.log C:\Documents and Settings\Sindre\Favoritter\Online Security Test.url C:\Documents and Settings\Sindre\Programdata\DriveCleaner 2006 Free C:\Documents and Settings\Sindre\Programdata\DriveCleaner 2006 Free\Logs\update.log C:\Programfiler\NetProject C:\Programfiler\NetProject\ot.ico C:\Programfiler\NetProject\sbmdl.dll C:\Programfiler\NetProject\sbmntr.exe C:\Programfiler\NetProject\sbsm.exe C:\Programfiler\NetProject\sbun.exe C:\Programfiler\NetProject\scit.exe C:\Programfiler\NetProject\scm.exe C:\Programfiler\NetProject\scu.exe C:\Programfiler\NetProject\ts.ico C:\Programfiler\NetProject\wamdl.dll C:\Programfiler\NetProject\waun.exe C:\Programfiler\VirusHeat 4.3 C:\Programfiler\VirusHeat 4.3\ignored.lst C:\Programfiler\VirusHeat 4.3\msvcr71.dll C:\Programfiler\VirusHeat 4.3\vht.dat C:\Programfiler\VirusHeat 4.3\VirusHeat 4.3.exe C:\Programfiler\VirusHeat 4.3\vpp.ini C:\WINDOWS\SYSTEM32\717305\717305.dll G:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 ))))))))))))))))))))))))))))))) . 2008-04-27 20:09 . 2008-04-27 20:09 <DIR> dr-h----- C:\Documents and Settings\Sindre\Siste 2008-04-27 17:40 . 2008-04-27 20:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\717305 2008-04-25 23:36 . 2008-04-26 00:00 <DIR> d-------- C:\Documents and Settings\Sindre\Programdata\dvdcss 2008-04-25 18:46 . 2008-04-25 18:46 <DIR> d-------- C:\Programfiler\SystemRequirementsLab 2008-04-25 18:46 . 2008-04-25 18:46 <DIR> d-------- C:\Documents and Settings\Sindre\SystemRequirementsLab 2008-04-06 17:38 . 2008-04-23 23:16 <DIR> d-------- C:\Programfiler\mIRC 2008-04-06 17:38 . 2008-04-23 23:17 <DIR> d-------- C:\Documents and Settings\Sindre\Programdata\mIRC 2008-04-03 01:26 . 2008-04-03 01:26 41,296 --a------ C:\WINDOWS\SYSTEM32\xfcodec.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-27 16:44 --------- d-----w C:\Programfiler\SUPERAntiSpyware 2008-04-27 15:44 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP 2008-04-26 00:17 --------- d-----w C:\Documents and Settings\Sindre\Programdata\Azureus 2008-04-20 14:58 --------- d-----w C:\Documents and Settings\Sindre\Programdata\Winamp 2008-04-20 13:01 --------- d-----w C:\Programfiler\Azureus 2008-04-19 11:41 --------- d-s---w C:\Programfiler\Xfire 2008-04-18 14:42 13,312 --s-a-w C:\WINDOWS\SYSTEM32\zfaiqwr.dll 2008-04-14 18:59 --------- d-----w C:\Documents and Settings\Sindre\Programdata\Xfire 2008-03-22 22:26 --------- d-----w C:\Programfiler\Paint.NET 2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys 2008-03-20 08:11 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys 2008-03-15 15:17 --------- d-----w C:\Programfiler\Electronic Arts 2008-03-14 20:18 --------- d-----w C:\Programfiler\Fellesfiler\Blizzard Entertainment 2008-03-05 21:55 --------- d-----w C:\Programfiler\Java 2008-02-27 22:49 --------- d-----w C:\Programfiler\Microsoft CAPICOM 2.1.0.2 2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll 2008-02-20 06:52 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll 2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll 2008-02-20 05:39 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll 2008-02-20 05:39 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll 2006-11-24 14:12 0 ----a-w C:\Documents and Settings\Sindre\WoW-1.7.1.4695-to-1.8.0-enGB-patch.exe 2005-12-09 17:28 3,533,120 ----a-w C:\Programfiler\BSINSTALL.exe 2006-05-06 16:42 7,260,160 ----a-w C:\Programfiler\mozilla firefox\plugins\libvlc.dll 2006-09-25 19:21 88 --sh--r C:\WINDOWS\SYSTEM32\233505DF60.sys 2006-09-25 19:21 3,766 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{51D81DD5-55B7-497F-95DB-D356429BB54E}"= "C:\Programfiler\NetProject\wamdl.dll" [ ] [HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{51D81DD5-55B7-497F-95DB-D356429BB54E}"= C:\Programfiler\NetProject\wamdl.dll [ ] [HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184] "Steam"="c:\programfiler\valve\steam\steam.exe" [2008-03-28 19:52 1271032] "LDM"="C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-24 12:21 67128] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360] "SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-27 18:44 1481968] "VoipBuster"="C:\Programfiler\VoipBuster.com\VoipBuster\VoipBuster.exe" [ ] "BitTorrent"="C:\Programfiler\BitTorrent\bittorrent.exe" [ ] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480] "IAAnotif"="C:\Programfiler\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 12:23 135168] "CTSysVol"="C:\Programfiler\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344] "P17Helper"="P17.dll" [2004-06-10 12:51 60928 C:\WINDOWS\SYSTEM32\P17.dll] "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112] "DVDLauncher"="C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248] "DMXLauncher"="C:\Programfiler\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016] "ISUSPM Startup"="C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 18:34 213936] "ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2006-03-20 18:34 86960] "Creative WebCam Tray"="C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE" [2004-04-29 10:59 245760] "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\SYSTEM32\BTHPROPS.CPL] "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 12:45 49152 C:\WINDOWS\KHALMNPR.Exe] "QuickTime Task"="C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" [2006-07-11 14:50 282624] "nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe] "PWRISOVM.EXE"="C:\Programfiler\PowerISO\PWRISOVM.EXE" [2006-07-29 13:07 188416] "au"="C:\Programfiler\Dealio\DealioAU.exe" [2007-06-27 12:46 238936] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016] "WinampAgent"="C:\Programfiler\Winamp\winampa.exe" [2008-01-16 00:54 37376] "ISUSPM"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360] "Picasa Media Detector"="C:\Programfiler\Picasa2\PicasaMediaDetector.exe" [ ] C:\Documents and Settings\Sindre\Start-meny\Programmer\Oppstart\ Adobe Gamma.lnk - C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664] Xfire.lnk - C:\Programfiler\Xfire\Xfire.exe [2008-04-03 01:25:58 2987856] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ Logitech Desktop Messenger.lnk - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-24 12:21:09 67128] Logitech SetPoint.lnk - C:\Programfiler\Logitech\SetPoint\SetPoint.exe [2006-05-18 16:10:42 434176] Skyr@cer Pro PCI 154 Configuration Utility.lnk - C:\Programfiler\Skyr@cer Pro Utility\WLANPRO.exe [2005-06-16 12:39:14 2502656] WinZip Quick Pick.lnk - C:\Programfiler\WinZip\WZQKPICK.EXE [2005-09-20 17:28:40 106560] Wireless USB 2.0 WLAN Card Utility.lnk - C:\Programfiler\Dell Wireless\PRISMCFG.exe [2007-06-27 18:59:24 921704] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] "{b0fdc513-46b9-46fc-8e70-d575ee546dae}"= C:\WINDOWS\system32\zfaiqwr.dll [2008-04-18 16:42 13312] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL] PRISMAPI.DLL 2005-12-22 20:08 450646 C:\WINDOWS\SYSTEM32\PRISMAPI.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.X264"= x264vfw.dll "VIDC.3iv2"= 3ivxVfWCodec.dll "VIDC.VP31"= vp31vfw.dll "msacm.l3fhg"= mp3fhg.acm "VIDC.XFR1"= xfcodec.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"= "C:\\Programfiler\\Messenger\\msmsgs.exe"= "C:\\Programfiler\\LimeWire\\LimeWire.exe"= "C:\\Programfiler\\Valve\\Steam\\Steam.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\afselius\\counter-strike source\\hl2.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\arning130\\counter-strike\\hl.exe"= "C:\\Documents and Settings\\Sindre\\Mine dokumenter\\programmer\\utorrent.exe"= "C:\\Programfiler\\Grisoft\\AVG Free\\avginet.exe"= "C:\\Programfiler\\Grisoft\\AVG Free\\avgemc.exe"= "C:\\Programfiler\\Xfire\\Xfire.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\oliverfrydenberg\\counter-strike\\hl.exe"= "C:\\Programfiler\\mIRC\\mirc.exe"= "C:\\Programfiler\\Mozilla Firefox\\firefox.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\oliverfrydenberg\\half-life\\hl.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\torbratberg\\counter-strike\\hl.exe"= "C:\\Programfiler\\Azureus\\Azureus.exe"= "C:\\Programfiler\\DC++\\DCPlusPlus.exe"= "C:\\Programfiler\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "C:\\Programfiler\\Skype\\Phone\\Skype.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\jelelfan\\counter-strike\\hl.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\afselius\\half-life 2 deathmatch\\hl2.exe"= "C:\\Programfiler\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"= "C:\\Programfiler\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.9\\cnc3game.dat"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader "6112:TCP"= 6112:TCP:Blizzard Downloader R2 IAANTMon;IAA Event Monitor;C:\Programfiler\Intel\Intel Application Accelerator\iaantmon.exe [2004-06-29 12:22] R2 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE [2005-12-22 20:21] S3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43] *Newly Created Service* - CATCHME . ************************************************************************** catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-27 20:13:40 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IAAnotif"="C:\\Programfiler\\Intel\\Intel Application Accelerator\\iaanotif.exe" . Completion time: 2008-04-27 20:14:34 ComboFix-quarantined-files.txt 2008-04-27 18:14:08 Pre-Run: 76,956,258,304 byte ledig Post-Run: 76,938,928,128 byte ledig 196 --- E O F --- 2008-04-11 15:10:51
norbat Skrevet 27. april 2008 Skrevet 27. april 2008 Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript.txt. Dra deretter fila over Combofix-iconet. Combofix vil starte igjen. File:: C:\WINDOWS\SYSTEM32\zfaiqwr.dll Folder:: C:\WINDOWS\SYSTEM32\717305 C:\Programfiler\Dealio Registry:: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{51D81DD5-55B7-497F-95DB-D356429BB54E}"=- [-HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{51D81DD5-55B7-497F-95DB-D356429BB54E}"=- [-HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"=- "au"=- [hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] "{b0fdc513-46b9-46fc-8e70-d575ee546dae}"=- Post combofix-loggen + ny hjt-logg.
Xarus Skrevet 27. april 2008 Forfatter Skrevet 27. april 2008 Skulle reboote PCn, får den ikke på nå. Ikke i sikkerhetsmodus engang.. Den bare fryser etter at jeg er logget inn, ser bare bakgrunnsbildet mitt.. Så vet ikke helt hva jeg skal gjøre nå..
norbat Skrevet 27. april 2008 Skrevet 27. april 2008 Prøv å restare PC-en igjen. Hvis samme problem, tapp F8 under oppstart og velg 'Siste fungerende........"
Xarus Skrevet 27. april 2008 Forfatter Skrevet 27. april 2008 Samme skjer der, bare bakgrunnen som vises. men jeg får opp oppgave behandling da.. Kan gjøre det derfra sikkert
norbat Skrevet 27. april 2008 Skrevet 27. april 2008 Åpne oppgavebehandlingen og velg Ny oppgave... Lim inn følgende: %SystemRoot%\System32\restore\rstrui.exe Dette starter systemgjenopprettingen. Still PC-en litt tilbake i tid. Infeksjonene vil gjenskapes, men kjøre SAS på nytt og post ny Combofix-logg.
Xarus Skrevet 27. april 2008 Forfatter Skrevet 27. april 2008 ComboFix 08-04-26.5 - Sindre 2008-04-27 22:46:28.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.488 [GMT 2:00] Running from: C:\Documents and Settings\Sindre\Skrivebord\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Sindre\Programdata\DriveCleaner 2006 Free G:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 ))))))))))))))))))))))))))))))) . 2008-04-27 22:08 . 2008-04-27 22:08 <DIR> dr-h----- C:\Documents and Settings\Sindre\Siste 2008-04-27 21:25 . 2008-04-27 22:08 <DIR> d-------- C:\RECYCLER(2) 2008-04-27 20:35 . 2005-06-08 16:40 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Creative 2008-04-27 20:35 . 2008-04-27 22:08 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata 2008-04-27 20:35 . 2008-04-27 22:08 <DIR> d-------- C:\Documents and Settings\Administrator\Maler 2008-04-27 20:35 . 2008-04-27 22:08 <DIR> d-------- C:\Documents and Settings\Administrator\Lokale innstillinger 2008-04-27 20:35 . 2008-04-27 22:08 <DIR> d-------- C:\Documents and Settings\Administrator\Favoritter 2008-04-27 20:35 . 2008-04-27 22:08 <DIR> d---s---- C:\Documents and Settings\Administrator 2008-04-27 20:35 . 2008-04-27 22:46 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG 2008-04-25 23:36 . 2008-04-26 00:00 <DIR> d-------- C:\Documents and Settings\Sindre\Programdata\dvdcss 2008-04-25 18:46 . 2008-04-25 18:46 <DIR> d-------- C:\Programfiler\SystemRequirementsLab 2008-04-25 18:46 . 2008-04-25 18:46 <DIR> d-------- C:\Documents and Settings\Sindre\SystemRequirementsLab 2008-04-06 17:38 . 2008-04-23 23:16 <DIR> d-------- C:\Programfiler\mIRC 2008-04-06 17:38 . 2008-04-23 23:17 <DIR> d-------- C:\Documents and Settings\Sindre\Programdata\mIRC 2008-04-03 01:26 . 2008-04-03 01:26 41,296 --a------ C:\WINDOWS\SYSTEM32\xfcodec.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-27 16:44 --------- d-----w C:\Programfiler\SUPERAntiSpyware 2008-04-27 15:44 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP 2008-04-26 00:17 --------- d-----w C:\Documents and Settings\Sindre\Programdata\Azureus 2008-04-20 14:58 --------- d-----w C:\Documents and Settings\Sindre\Programdata\Winamp 2008-04-20 13:01 --------- d-----w C:\Programfiler\Azureus 2008-04-19 11:41 --------- d-s---w C:\Programfiler\Xfire 2008-04-14 18:59 --------- d-----w C:\Documents and Settings\Sindre\Programdata\Xfire 2008-03-22 22:26 --------- d-----w C:\Programfiler\Paint.NET 2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys 2008-03-20 08:11 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys 2008-03-15 15:17 --------- d-----w C:\Programfiler\Electronic Arts 2008-03-14 20:18 --------- d-----w C:\Programfiler\Fellesfiler\Blizzard Entertainment 2008-03-05 21:55 --------- d-----w C:\Programfiler\Java 2008-02-27 22:49 --------- d-----w C:\Programfiler\Microsoft CAPICOM 2.1.0.2 2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll 2008-02-20 06:52 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll 2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll 2008-02-20 05:39 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll 2008-02-20 05:39 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll 2006-11-24 14:12 0 ----a-w C:\Documents and Settings\Sindre\WoW-1.7.1.4695-to-1.8.0-enGB-patch.exe 2005-12-09 17:28 3,533,120 ----a-w C:\Programfiler\BSINSTALL.exe 2006-05-06 16:42 7,260,160 ----a-w C:\Programfiler\mozilla firefox\plugins\libvlc.dll 2006-09-25 19:21 88 --sh--r C:\WINDOWS\SYSTEM32\233505DF60.sys 2006-09-25 19:21 3,766 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184] "Steam"="c:\programfiler\valve\steam\steam.exe" [2008-03-28 19:52 1271032] "LDM"="C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-24 12:21 67128] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360] "SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-27 18:44 1481968] "VoipBuster"="C:\Programfiler\VoipBuster.com\VoipBuster\VoipBuster.exe" [ ] "BitTorrent"="C:\Programfiler\BitTorrent\bittorrent.exe" [ ] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480] "IAAnotif"="C:\Programfiler\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 12:23 135168] "CTSysVol"="C:\Programfiler\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344] "P17Helper"="P17.dll" [2004-06-10 12:51 60928 C:\WINDOWS\SYSTEM32\P17.dll] "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112] "DVDLauncher"="C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248] "DMXLauncher"="C:\Programfiler\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016] "ISUSPM Startup"="C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 18:34 213936] "ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2006-03-20 18:34 86960] "Creative WebCam Tray"="C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE" [2004-04-29 10:59 245760] "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\SYSTEM32\BTHPROPS.CPL] "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 12:45 49152 C:\WINDOWS\KHALMNPR.Exe] "QuickTime Task"="C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" [2006-07-11 14:50 282624] "nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe] "PWRISOVM.EXE"="C:\Programfiler\PowerISO\PWRISOVM.EXE" [2006-07-29 13:07 188416] "au"="C:\Programfiler\Dealio\DealioAU.exe" [2007-06-27 12:46 238936] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016] "WinampAgent"="C:\Programfiler\Winamp\winampa.exe" [2008-01-16 00:54 37376] "ISUSPM"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360] "Picasa Media Detector"="C:\Programfiler\Picasa2\PicasaMediaDetector.exe" [ ] C:\Documents and Settings\Sindre\Start-meny\Programmer\Oppstart\ Adobe Gamma.lnk - C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664] Xfire.lnk - C:\Programfiler\Xfire\Xfire.exe [2008-04-03 01:25:58 2987856] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ Logitech Desktop Messenger.lnk - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-24 12:21:09 67128] Logitech SetPoint.lnk - C:\Programfiler\Logitech\SetPoint\SetPoint.exe [2006-05-18 16:10:42 434176] Skyr@cer Pro PCI 154 Configuration Utility.lnk - C:\Programfiler\Skyr@cer Pro Utility\WLANPRO.exe [2005-06-16 12:39:14 2502656] WinZip Quick Pick.lnk - C:\Programfiler\WinZip\WZQKPICK.EXE [2005-09-20 17:28:40 106560] Wireless USB 2.0 WLAN Card Utility.lnk - C:\Programfiler\Dell Wireless\PRISMCFG.exe [2007-06-27 18:59:24 921704] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL] PRISMAPI.DLL 2005-12-22 20:08 450646 C:\WINDOWS\SYSTEM32\PRISMAPI.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.X264"= x264vfw.dll "VIDC.3iv2"= 3ivxVfWCodec.dll "VIDC.VP31"= vp31vfw.dll "msacm.l3fhg"= mp3fhg.acm "VIDC.XFR1"= xfcodec.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"= "C:\\Programfiler\\Messenger\\msmsgs.exe"= "C:\\Programfiler\\LimeWire\\LimeWire.exe"= "C:\\Programfiler\\Valve\\Steam\\Steam.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\afselius\\counter-strike source\\hl2.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\arning130\\counter-strike\\hl.exe"= "C:\\Documents and Settings\\Sindre\\Mine dokumenter\\programmer\\utorrent.exe"= "C:\\Programfiler\\Grisoft\\AVG Free\\avginet.exe"= "C:\\Programfiler\\Grisoft\\AVG Free\\avgemc.exe"= "C:\\Programfiler\\Xfire\\Xfire.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\oliverfrydenberg\\counter-strike\\hl.exe"= "C:\\Programfiler\\mIRC\\mirc.exe"= "C:\\Programfiler\\Mozilla Firefox\\firefox.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\oliverfrydenberg\\half-life\\hl.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\torbratberg\\counter-strike\\hl.exe"= "C:\\Programfiler\\Azureus\\Azureus.exe"= "C:\\Programfiler\\DC++\\DCPlusPlus.exe"= "C:\\Programfiler\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "C:\\Programfiler\\Skype\\Phone\\Skype.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\jelelfan\\counter-strike\\hl.exe"= "C:\\Programfiler\\Valve\\Steam\\SteamApps\\afselius\\half-life 2 deathmatch\\hl2.exe"= "C:\\Programfiler\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"= "C:\\Programfiler\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.9\\cnc3game.dat"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader "6112:TCP"= 6112:TCP:Blizzard Downloader R2 IAANTMon;IAA Event Monitor;C:\Programfiler\Intel\Intel Application Accelerator\iaantmon.exe [2004-06-29 12:22] R2 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE [2005-12-22 20:21] S3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43] *Newly Created Service* - CATCHME . ************************************************************************** catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-27 22:48:50 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IAAnotif"="C:\\Programfiler\\Intel\\Intel Application Accelerator\\iaanotif.exe" . Completion time: 2008-04-27 22:49:44 ComboFix-quarantined-files.txt 2008-04-27 20:49:19 ComboFix2.txt 2008-04-27 18:14:35 Pre-Run: 76,815,175,680 byte ledig Post-Run: 76,802,789,376 byte ledig 173 --- E O F --- 2008-04-11 15:10:51 SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 04/27/2008 at 10:33 PM Application Version : 4.0.1154 Core Rules Database Version : 3302 Trace Rules Database Version: 1308 Scan type : Complete Scan Total Scan Time : 00:20:35 Memory items scanned : 457 Memory threats detected : 0 Registry items scanned : 5079 Registry threats detected : 0 File items scanned : 19267 File threats detected : 1 Adware.Tracking Cookie C:\Documents and Settings\Sindre\Cookies\sindre@doubleclick[2].txt
norbat Skrevet 27. april 2008 Skrevet 27. april 2008 Dette ser da mye bedre ut Bruk utforsker til å fjerne C:\Programfiler\BSINSTALL.exe Vurder om Dealio (toolbar) er noe du trenger. Hvis ikke, avinstaller fra legg til/fjern programmer (evt. slett mappa, C:\Programfiler\Dealio) Post ny hjt-logg og fortell hvordan PC-en kjører
Xarus Skrevet 27. april 2008 Forfatter Skrevet 27. april 2008 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 23:14:55, on 27.04.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5450.0004) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Programfiler\Intel\Intel Application Accelerator\iaantmon.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PRISMSVC.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\PRISMSVR.EXE C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\Intel\Intel Application Accelerator\iaanotif.exe C:\Programfiler\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe C:\WINDOWS\system32\Rundll32.exe C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe C:\Programfiler\Dell\Media Experience\DMXLauncher.exe C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\system32\rundll32.exe C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe C:\Programfiler\PowerISO\PWRISOVM.EXE C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe C:\Programfiler\Winamp\winampa.exe C:\Programfiler\Fellesfiler\InstallShield\UpdateService\ISUSPM.exe C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe C:\programfiler\valve\steam\steam.exe C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Programfiler\Logitech\SetPoint\SetPoint.exe C:\Programfiler\Skyr@cer Pro Utility\WLANPRO.exe C:\Programfiler\WinZip\WZQKPICK.EXE C:\Programfiler\Dell Wireless\PRISMCFG.exe C:\WINDOWS\System32\svchost.exe C:\Programfiler\Fellesfiler\Logitech\KHAL\KHALMNPR.EXE C:\Programfiler\Xfire\Xfire.exe C:\WINDOWS\explorer.exe C:\Programfiler\Windows Live\Messenger\usnsvc.exe C:\Programfiler\Mozilla Firefox\firefox.exe C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Programfiler\Dealio\kb106\Dealio.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\no\msntb.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\no\msntb.dll O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Programfiler\Dealio\kb106\Dealio.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [iAAnotif] C:\Programfiler\Intel\Intel Application Accelerator\iaanotif.exe O4 - HKLM\..\Run: [CTSysVol] C:\Programfiler\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [DVDLauncher] "C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [DMXLauncher] C:\Programfiler\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [au] C:\Programfiler\Dealio\DealioAU.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe O4 - HKLM\..\Run: [iSUSPM] C:\Programfiler\Fellesfiler\InstallShield\UpdateService\ISUSPM.exe -scheduler O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [steam] "c:\programfiler\valve\steam\steam.exe" -silent O4 - HKCU\..\Run: [LDM] C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [VoipBuster] "C:\Programfiler\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized O4 - HKCU\..\Run: [bitTorrent] "C:\Programfiler\BitTorrent\bittorrent.exe" --force_start_minimized O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Xfire.lnk = C:\Programfiler\Xfire\Xfire.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Programfiler\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: Skyr@cer Pro PCI 154 Configuration Utility.lnk = ? O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programfiler\WinZip\WZQKPICK.EXE O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ? O8 - Extra context menu item: Compare Prices with &Dealio - C:\Programfiler\Dealio\kb106\res\DealioSearch.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Programfiler\Dealio\kb106\Dealio.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Programfiler\Intel\Intel Application Accelerator\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE -- End of file - 9534 bytes PCn ser ut til å funke som før! Er vi ferdig da eller:)?
norbat Skrevet 27. april 2008 Skrevet 27. april 2008 Ja, loggen ser fint ut Du kan avinstallere combofix, om den fortsatt ligger på PC-en. Du fjerner den ved å skrive combofix /u fra kjør-feltet (start->kjør). Dette nullstiller også systemgjenopprettingen slik at du ikke blir infisert ved en senere gjenoppretting.
Xarus Skrevet 27. april 2008 Forfatter Skrevet 27. april 2008 Ja, loggen ser fint ut Du kan avinstallere combofix, om den fortsatt ligger på PC-en. Du fjerner den ved å skrive combofix /u fra kjør-feltet (start->kjør). Dette nullstiller også systemgjenopprettingen slik at du ikke blir infisert ved en senere gjenoppretting. Herlig:D Du er bare best! Takk for hjelpen!
Anbefalte innlegg
Opprett en konto eller logg inn for å kommentere
Du må være et medlem for å kunne skrive en kommentar
Opprett konto
Det er enkelt å melde seg inn for å starte en ny konto!
Start en kontoLogg inn
Har du allerede en konto? Logg inn her.
Logg inn nå