[SOLVED] HJT scan, any signs of a virus?

15 posts in this topic

Posted (edited)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:00:34, on 22.05.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Outlook Express\svchost.exe

C:\Programfiler\CyberLink\Shared Files\RichVideo.exe

C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Programfiler\Microsoft IntelliType Pro\type32.exe

C:\Programfiler\Microsoft IntelliPoint\point32.exe

C:\Programfiler\Unlocker\UnlockerAssistant.exe

C:\Programfiler\Java\jre1.5.0_12\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Programfiler\Windows Live\Messenger\usnsvc.exe

C:\Programfiler\SwiftSwitch\SwiftSwitch.exe

C:\Programfiler\Windows Media Player\wmplayer.exe

C:\WINDOWS\system32\svchost.exe

C:\mIRC\mirc.exe

C:\Programfiler\Windows Live\Messenger\msnmsgr.exe

C:\Programfiler\Steam\Steam.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe

C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Programfiler\Trend Micro\BM\TMBMSRV.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\Windows Live Toolbar\msn_sl.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_12\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [type32] "C:\Programfiler\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Programfiler\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.5.0_12\bin\jusched.exe"

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [startCCC] C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKCU\..\Run: [OE] "C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: OneNote 2007 Screen Clipper og Launcher.lnk = C:\Programfiler\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra button: Blogg dette - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programfiler\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blogg dette i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programfiler\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172406254171

O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AutoExNT - Unknown owner - C:\WINDOWS\system32\AutoExNT.Exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Outlook Express\svchost.exe

O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Trend Micro-sentralkontrollkomponent (SfCtlCom) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Programfiler\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe

--

End of file - 11572 bytes

Edited by Cosworth

Posted

You have some junk, so do the following:

Download ComboFix and put it on the desktop

Run combofix.exe and follow the instructions.

Do not click in the window while the program is running.

Post the log file from ComboFix (c:\combofix.txt)


Posted


Blocked by Trend Micro

Trend Micro Internet Security has identified this web page as unwanted.

--------------------------------------------------------------------------------

Address: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Trustworthiness: Dangerous

If you still want to view the blocked page:

Click the Windows Start button and launch Trend Micro Internet Security from the list under All Programs.

Click Internet and E-mail Controls.

Click the Settings... button under Parental Controls or Protection Against Web Threats.

Click the Approved Websites list link in the next window that opens.

Cut and paste the address of the blocked website into the list.


Posted

Allow it so that you can download and run the program, or turn off your AV program temporarily.

(Your trojan is here: C:\Program Files\Outlook Express\svchost.exe, but there may be other files lurking as well. A ComboFix log will show that, if any.)
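As an added example (not from the thread, HijackThis or ComboFix), a small Python check that applies the reasoning behind this reply to HijackThis log lines: a core Windows binary name such as svchost.exe appearing outside the system directory is flagged, and for O23 entries the service name (here MyDNS) is pulled out, since that is what has to be stopped and deleted before the file goes. The sample lines are copied from the log above; the set of system-only binaries and the expected directory suffixes are my assumptions.

```python
import re
from pathlib import PureWindowsPath

# Core Windows binaries that legitimately live only in the system directory.
# A file with one of these names anywhere else (here: under Program Files)
# is the masquerade spotted in the HijackThis log. (Assumed list.)
SYSTEM_ONLY_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "csrss.exe", "smss.exe", "spoolsv.exe",
}
# Lower-case directory suffixes where those binaries are expected (assumption:
# default %SystemRoot% layout; SysWOW64 covers 64-bit hosts).
SYSTEM_DIR_SUFFIXES = (r"\windows\system32", r"\windows\syswow64")

# First drive-letter path ending in a binary extension; stops at a quote so
# O4 entries like [name] "C:\...\x.exe" -flag are handled.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys))\b', re.IGNORECASE)
# O23 - Service: <display> (<name>) - <owner> - <path>; "(<name>)" is optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.*?) - "
)

# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_HJT_LINES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Program Files\Outlook Express\svchost.exe",
    r'O4 - HKLM\..\Run: [type32] "C:\Programfiler\Microsoft IntelliType Pro\type32.exe"',
    r"O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe",
    r"O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Outlook Express\svchost.exe",
]


def path_from_line(line):
    """Return the first Windows binary path in a HijackThis line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def is_masquerade(path):
    """True if the file name is a system-only binary but its directory is not the system directory."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM_ONLY_BINARIES:
        return False
    return not str(p.parent).lower().endswith(SYSTEM_DIR_SUFFIXES)


def scan_hjt_lines(lines):
    """Return one finding per line whose path is a masquerading system binary.

    For O23 entries the service name and owner are included, because the
    service must be stopped and deleted (sc stop / sc delete) before the
    file itself can be removed.
    """
    findings = []
    for line in lines:
        path = path_from_line(line)
        if path is None or not is_masquerade(path):
            continue
        svc = O23_RE.match(line)
        findings.append({
            "path": path,
            "service": (svc.group("name") or svc.group("display")) if svc else None,
            "owner": svc.group("owner") if svc else None,
        })
    return findings


if __name__ == "__main__":
    for f in scan_hjt_lines(SAMPLE_HJT_LINES):
        svc = f" (service {f['service']}, owner: {f['owner']})" if f["service"] else ""
        print(f"suspicious: {f['path']}{svc}")
```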


Posted


ComboFix 08-05-21.3 - Pål Morken 2008-05-22 23:20:24.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1075 [GMT 2:00]

Running from: C:\Documents and Settings\Pål Morken\Mine dokumenter\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MYDNS

-------\Service_MyDNS

((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))

.

2008-05-13 17:29 . 2008-05-13 17:29 <DIR> d-------- C:\Programfiler\Fellesfiler\Hewlett-Packard

2008-05-13 17:27 . 2008-05-13 17:30 19,574 --a------ C:\WINDOWS\hpoins01.dat

2008-05-13 17:27 . 2003-04-22 10:24 16,606 --------- C:\WINDOWS\hpomdl01.dat

2008-05-05 22:46 . 2008-05-05 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\TrackMania

2008-05-03 17:03 . 2008-05-22 23:25 <DIR> d-------- C:\Programfiler\Steam

2008-05-01 18:19 . 2008-05-01 19:48 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2008-04-30 15:55 . 2008-03-07 13:53 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys

2008-04-30 15:55 . 2008-03-07 13:53 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys

2008-04-30 15:54 . 2008-05-22 22:47 <DIR> d-------- C:\Programfiler\Trend Micro

2008-04-30 15:54 . 2008-04-30 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Trend Micro

2008-04-30 15:18 . 2008-03-07 13:53 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-04-30 14:50 . 2008-04-30 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Avg8

2008-04-26 22:51 . 2008-05-05 15:27 <DIR> d-------- C:\Programfiler\SpeedFan

2008-04-26 22:51 . 2008-04-26 22:51 45 --a------ C:\WINDOWS\system32\initdebug.nfo

2008-04-25 18:32 . 2008-04-25 18:32 393 --a------ C:\Documents and Settings\Snarvei til Documents and Settings.lnk

2008-04-24 16:45 . 2004-08-03 23:00 149,376 --a------ C:\WINDOWS\system32\drivers\tffsport.sys

2008-04-24 16:45 . 2004-08-03 23:00 149,376 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys

2008-04-24 16:38 . 2008-04-24 16:38 <DIR> d-------- C:\WINDOWS\system32\NtmsData

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-18 06:17 --------- d-----w C:\Programfiler\SwiftSwitch

2008-05-15 01:02 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help

2008-05-04 14:51 --------- d-----w C:\Programfiler\Fellesfiler\Adobe

2008-05-04 14:08 --------- d-----w C:\Programfiler\LimeWire

2008-05-02 20:11 --------- d-----w C:\Programfiler\Sony

2008-05-02 20:11 --------- d-----w C:\Documents and Settings\All Users\Programdata\Sony

2008-05-02 14:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys

2008-05-02 14:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys

2008-05-02 14:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys

2008-04-30 13:48 --------- d-----w C:\Programfiler\Lavasoft

2008-04-30 13:48 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-04-30 13:11 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-04-29 19:43 --------- d-----w C:\Programfiler\SUPERAntiSpyware

2008-04-27 12:12 --------- d-----w C:\Documents and Settings\All Users\Programdata\Grisoft

2008-04-18 18:02 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-04-15 21:47 --------- d-----w C:\Programfiler\SwiftKit

2008-04-04 15:03 --------- d-----w C:\Programfiler\Java

2008-04-04 15:02 --------- d-----w C:\Programfiler\Fellesfiler\Java

2008-03-28 14:26 --------- d-----w C:\Programfiler\HyCam2

2007-02-26 14:42 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012007021920070226\index.dat

2007-02-26 14:42 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012007022620070227\index.dat

2007-02-28 12:17 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012007022820070301\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]

"StartCCC"="C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]

"OE"="C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-03-07 13:53 492808]

"Steam"="c:\programfiler\steam\steam.exe" [2008-05-03 17:06 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 18:21 16270848 C:\WINDOWS\RTHDCPL.exe]

"type32"="C:\Programfiler\Microsoft IntelliType Pro\type32.exe" [2004-06-03 10:51 172032]

"IntelliPoint"="C:\Programfiler\Microsoft IntelliPoint\point32.exe" [2004-06-03 10:50 204800]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]

"UnlockerAssistant"="C:\Programfiler\Unlocker\UnlockerAssistant.exe" [2006-09-07 19:19 15872]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15 75520]

"UfSeAgnt.exe"="C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-03-07 13:53 1398024]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-04-29 13:34 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:03 15360]

"msnmsgr"="C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Adobe Gamma Loader.lnk - C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe [2008-02-02 02:55:09 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2007-02-25 22:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.DLL 2007-03-28 21:07 282624 C:\Programfiler\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

--a------ 2006-05-16 19:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"D:\\Hentet fra gammel disk\\DC++\\DCPlusPlus.exe"=

"C:\\Programfiler\\SwiftSwitch\\SwiftSwitch.exe"=

"C:\\mIRC\\mirc.exe"=

"C:\\Programfiler\\uTorrent\\uTorrent.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=

"C:\\Programfiler\\mIRC\\mirc.exe"=

"C:\\Programfiler\\Internet Explorer\\iexplore.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys [2004-08-03 23:00]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programfiler\CyberLink\PowerDVD\000.fcl [2006-11-02 17:51]

R2 AutoExNT;AutoExNT;C:\WINDOWS\system32\AutoExNT.Exe [1999-02-13 22:01]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]

msiexec /fums {399150FC-EB45-1CE0-0792-1F3A23397BD4} /qb

.

Contents of the 'Scheduled Tasks' folder

"2008-05-22 20:32:00 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job"

- C:\Programfiler\Windows Live Toolbar\MSNTBUP.EXE

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-22 23:25:58

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\C:\Programfiler\CyberLink\PowerDVD\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe

-> C:\Programfiler\Unlocker\UnlockerHook.dll

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Programfiler\CyberLink\Shared Files\RichVideo.exe

C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe

C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\Programfiler\Trend Micro\BM\TMBMSRV.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\WINDOWS\system32\WgaTray.exe

C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe

C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

.

**************************************************************************

.

Completion time: 2008-05-22 23:28:40 - machine was rebooted

ComboFix-quarantined-files.txt 2008-05-22 21:28:35

Pre-Run: 39,551,107,072 byte ledig

Post-Run: 39,726,530,560 byte ledig

166 --- E O F --- 2008-05-16 18:58:49


Posted (edited)

Click Start->Run

Type: cmd

From the command prompt type this, pressing Enter after each line:

sc stop MyDNS

sc delete MyDNS

Close cmd

Open Notepad, copy and paste what is in bold below, save the file on the desktop as CFScript, then drag the file and drop it onto the ComboFix icon. ComboFix will run again

File::

C:\Program Files\Outlook Express\svchost.exe

Driver::

MyDNS

Post a new HJT log

Edited by norbat

Posted


Hi, I did this:

Click Start->Run

Type: cmd

From the command prompt type this, pressing Enter after each line:

sc stop MyDNS

sc delete MyDNS

closed cmd.

[attached screenshot: itproopi9.png]


Posted


Then I dragged the Notepad file over the ComboFix icon. Then this came up:

[attached screenshot: itproopi9.png]


Posted

Just download a new ComboFix and put it on the desktop

Create the CFScript file and drag it onto the ComboFix icon.


Posted


ComboFix 08-05-21.3 - Pål Morken 2008-05-23 0:01:44.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1419 [GMT 2:00]

Running from: C:\Documents and Settings\Pål Morken\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Pål Morken\Skrivebord\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

C:\Program Files\Outlook Express\svchost.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Program Files\Outlook Express\svchost.exe

.

((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))

.

2008-05-22 23:28 . 2008-05-22 23:28 <DIR> d-------- C:\Documents and Settings\PÕl Morken

2008-05-22 22:39 . 2008-05-22 23:53 <DIR> dr-h----- C:\Documents and Settings\Pål Morken\Siste

2008-05-22 22:39 . 2008-05-22 23:53 <DIR> dr-h----- C:\Documents and Settings\Pål Morken\Siste

2008-05-13 17:30 . 2008-05-13 17:30 <DIR> d-------- C:\Documents and Settings\Pål Morken\Programdata\Hewlett-Packard

2008-05-13 17:29 . 2008-05-13 17:29 <DIR> d-------- C:\Programfiler\Fellesfiler\Hewlett-Packard

2008-05-13 17:27 . 2008-05-13 17:30 19,574 --a------ C:\WINDOWS\hpoins01.dat

2008-05-13 17:27 . 2003-04-22 10:24 16,606 --------- C:\WINDOWS\hpomdl01.dat

2008-05-05 22:46 . 2008-05-05 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\TrackMania

2008-05-03 17:03 . 2008-05-22 23:25 <DIR> d-------- C:\Programfiler\Steam

2008-05-01 18:19 . 2008-05-01 19:48 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2008-04-30 15:55 . 2008-03-07 13:53 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys

2008-04-30 15:55 . 2008-03-07 13:53 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys

2008-04-30 15:54 . 2008-05-22 22:47 <DIR> d-------- C:\Programfiler\Trend Micro

2008-04-30 15:54 . 2008-04-30 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Trend Micro

2008-04-30 15:18 . 2008-03-07 13:53 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-04-30 15:15 . 2008-04-30 15:49 <DIR> d-------- C:\Documents and Settings\Pål Morken\Programdata\HouseCall 6.6

2008-04-30 14:50 . 2008-04-30 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Avg8

2008-04-29 18:27 . 2008-05-01 22:25 <DIR> d-------- C:\Documents and Settings\Pål Morken\.housecall6.6

2008-04-29 18:27 . 2008-05-01 22:25 <DIR> d-------- C:\Documents and Settings\Pål Morken\.housecall6.6

2008-04-26 22:51 . 2008-05-05 15:27 <DIR> d-------- C:\Programfiler\SpeedFan

2008-04-26 22:51 . 2008-04-26 22:51 45 --a------ C:\WINDOWS\system32\initdebug.nfo

2008-04-25 18:32 . 2008-04-25 18:32 393 --a------ C:\Documents and Settings\Snarvei til Documents and Settings.lnk

2008-04-24 16:45 . 2004-08-03 23:00 149,376 --a------ C:\WINDOWS\system32\drivers\tffsport.sys

2008-04-24 16:45 . 2004-08-03 23:00 149,376 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys

2008-04-24 16:38 . 2008-04-24 16:38 <DIR> d-------- C:\WINDOWS\system32\NtmsData

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-18 06:17 --------- d-----w C:\Programfiler\SwiftSwitch

2008-05-15 01:02 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help

2008-05-14 17:46 --------- d-----w C:\Documents and Settings\Pål Morken\Programdata\teamspeak2

2008-05-12 08:38 --------- d-----w C:\Documents and Settings\Pål Morken\Programdata\uTorrent

2008-05-04 14:51 --------- d-----w C:\Programfiler\Fellesfiler\Adobe

2008-05-04 14:08 --------- d-----w C:\Programfiler\LimeWire

2008-05-02 20:11 --------- d-----w C:\Programfiler\Sony

2008-05-02 20:11 --------- d-----w C:\Documents and Settings\All Users\Programdata\Sony

2008-05-02 14:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys

2008-05-02 14:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys

2008-05-02 14:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys

2008-04-30 13:48 --------- d-----w C:\Programfiler\Lavasoft

2008-04-30 13:48 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-04-30 13:47 --------- d-----w C:\Documents and Settings\Pål Morken\Programdata\Lavasoft

2008-04-30 13:11 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-04-29 19:43 --------- d-----w C:\Programfiler\SUPERAntiSpyware

2008-04-27 12:12 --------- d-----w C:\Documents and Settings\All Users\Programdata\Grisoft

2008-04-24 18:36 --------- d-----w C:\Documents and Settings\Pål Morken\Programdata\Skype

2008-04-18 18:02 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-04-15 21:47 --------- d-----w C:\Programfiler\SwiftKit

2008-04-10 14:50 --------- d-----w C:\Documents and Settings\Pål Morken\Programdata\LimeWire

2008-04-04 15:03 --------- d-----w C:\Programfiler\Java

2008-04-04 15:02 --------- d-----w C:\Programfiler\Fellesfiler\Java

2008-04-03 20:35 --------- d-----w C:\Documents and Settings\Pål Morken\Programdata\mIRC

2008-03-28 14:26 --------- d-----w C:\Programfiler\HyCam2

2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-23 23:09 --------- d-----w C:\Documents and Settings\Pål Morken\Programdata\Grisoft

2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-01 13:05 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2002-09-09 16:47 70,656 ----a-w C:\Documents and Settings\Pål Morken\msvcirt.dll

2002-09-09 16:47 70,656 ----a-w C:\Documents and Settings\Pål Morken\msvcirt.dll

2002-09-09 16:47 254,005 ----a-w C:\Documents and Settings\Pål Morken\msvcrt.dll

2002-09-09 16:47 254,005 ----a-w C:\Documents and Settings\Pål Morken\msvcrt.dll

2002-09-06 08:54 995,383 ----a-w C:\Documents and Settings\Pål Morken\MFC42.DLL

2002-09-06 08:54 995,383 ----a-w C:\Documents and Settings\Pål Morken\MFC42.DLL

2007-02-26 14:42 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012007021920070226\index.dat

2007-02-26 14:42 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012007022620070227\index.dat

2007-02-28 12:17 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012007022820070301\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]

"StartCCC"="C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]

"OE"="C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-03-07 13:53 492808]

"Steam"="c:\programfiler\steam\steam.exe" [2008-05-03 17:06 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 18:21 16270848 C:\WINDOWS\RTHDCPL.exe]

"type32"="C:\Programfiler\Microsoft IntelliType Pro\type32.exe" [2004-06-03 10:51 172032]

"IntelliPoint"="C:\Programfiler\Microsoft IntelliPoint\point32.exe" [2004-06-03 10:50 204800]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]

"UnlockerAssistant"="C:\Programfiler\Unlocker\UnlockerAssistant.exe" [2006-09-07 19:19 15872]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15 75520]

"UfSeAgnt.exe"="C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-03-07 13:53 1398024]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-04-29 13:34 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:03 15360]

"msnmsgr"="C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

C:\Documents and Settings\Pål Morken\Start-meny\Programmer\Oppstart\

OneNote 2007 Screen Clipper og Launcher.lnk - C:\Programfiler\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Adobe Gamma Loader.lnk - C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe [2008-02-02 02:55:09 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2007-02-25 22:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.DLL 2007-03-28 21:07 282624 C:\Programfiler\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

--a------ 2006-05-16 19:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"D:\\Hentet fra gammel disk\\DC++\\DCPlusPlus.exe"=

"C:\\Programfiler\\SwiftSwitch\\SwiftSwitch.exe"=

"C:\\mIRC\\mirc.exe"=

"C:\\Programfiler\\uTorrent\\uTorrent.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=

"C:\\Programfiler\\mIRC\\mirc.exe"=

"C:\\Programfiler\\Internet Explorer\\iexplore.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys [2004-08-03 23:00]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programfiler\CyberLink\PowerDVD\000.fcl [2006-11-02 17:51]

S2 AutoExNT;AutoExNT;C:\WINDOWS\system32\AutoExNT.Exe [1999-02-13 22:01]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]

msiexec /fums {399150FC-EB45-1CE0-0792-1F3A23397BD4} /qb

.

Contents of the 'Scheduled Tasks' folder

"2008-05-22 21:32:02 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job"

- C:\Programfiler\Windows Live Toolbar\MSNTBUP.EXE

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-23 00:02:26

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\C:\Programfiler\CyberLink\PowerDVD\000.fcl"

.

Completion time: 2008-05-23 0:03:10

ComboFix-quarantined-files.txt 2008-05-22 22:02:47

ComboFix2.txt 2008-05-22 21:28:41

Pre-Run: 39,689,023,488 byte ledig

Post-Run: 39,684,112,384 byte ledig

170 --- E O F --- 2008-05-16 18:58:49

Should I run an HJT scan now?


Posted (edited)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:05:45, on 23.05.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Programfiler\CyberLink\Shared Files\RichVideo.exe

C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Programfiler\Microsoft IntelliType Pro\type32.exe

C:\Programfiler\Microsoft IntelliPoint\point32.exe

C:\Programfiler\Unlocker\UnlockerAssistant.exe

C:\Programfiler\Java\jre1.5.0_12\bin\jusched.exe

C:\Programfiler\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

C:\programfiler\steam\steam.exe

C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Programfiler\internet explorer\iexplore.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_12\bin\ssv.dll

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [type32] "C:\Programfiler\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Programfiler\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.5.0_12\bin\jusched.exe"

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [startCCC] C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKCU\..\Run: [OE] "C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: OneNote 2007 Screen Clipper og Launcher.lnk = C:\Programfiler\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra button: Blogg dette - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programfiler\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blogg dette i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programfiler\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172406254171

O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AutoExNT - Unknown owner - C:\WINDOWS\system32\AutoExNT.Exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Trend Micro-sentralkontrollkomponent (SfCtlCom) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Programfiler\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe

--

End of file - 10792 bytes

Edit: If something went wrong now, I'll try again tomorrow; I need to get some sleep before school.

Edited by Cosworth

Posted

You did everything right :)

A little cleanup:

Start HJT, choose "Do a system scan only", tick the box in front of the following line and click Fix checked:

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Update your Java to the latest version: http://java.com/en/download/index.jsp

Uninstall ComboFix by typing combofix /u in the Run box (Start -> Run).

This will also reset System Restore, so you won't get reinfected by a later system restore.

Surf safely :thumbup:


Posted


Hi, many thanks for the help I got! Very quick! Thanks!!

Hehe, I play a kind of online game that needs the old version of Java to work properly. I had the newest one for a while, but after a couple of times it stopped working..


Posted

Ok,

but 'older' Java can have vulnerabilities that make it a security risk to use; but if you have to play, you have to :)

You could have tried reinstalling it and seen whether it went better this time.


Posted


Hehe, we'll see what I do! I've done that at least 3 times, and it has happened the same way to others too..

Thanks again!

Good night.
