Forumet: Can't get the virus removed! - Forumet


Can't get the virus removed!

#1 Neonlightning (offline)

  • Senior
  • Group: Members
  • Posts: 535
  • Joined 08-May 06

Posted 27 January 2008 - 11:54

Hi!
(All the scanning I have done has been in safe mode, but the logs are from normal mode.)
I'm in the middle of cleaning up the PC that the rest of my family uses (including my two little brothers), and of course they've managed to get some crap onto the machine... I tried scanning with BitDefender's online scan, and it found 3 viruses which it deleted. Then I scanned again, and it found nothing... I did the same with the ewido online scan. That one only found tracking cookies.
But when I start the computer, my avast! antivirus kicks in and detects VBS:Malware-gen, which sits in a batch file on the C: drive. The file is just called "a"...

I have now tried to delete this file by overwriting it 35 times, but when I restart the computer, the file starts up again... I have also run ComboFix and HijackThis. The ComboFix log from the run in safe mode said it had deleted a file called image.zip in the system32 folder, plus some temp files. I also run CCleaner regularly, for what it's worth.
But this batch file, which avast detects, still starts up. Below are the logs from HijackThis and ComboFix run in normal mode (not safe mode):

Hijackthis

Quote

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:25, on 27.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programfiler\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Eraser\eraser.exe
C:\WINDOWS\system32\sysregi.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programfiler\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programfiler\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Nod32 Runtime] sysregi.exe
O4 - HKLM\..\RunServices: [Nod32 Runtime] sysregi.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Programfiler\Eraser\eraser.exe -hide
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Programfiler\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programfiler\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programfiler\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Programfiler\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Programfiler\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe

--
End of file - 8149 bytes


Combofix

Quote

ComboFix 08-01-23.1C - Kjersti Estenstad 2008-01-27 11:51:28.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.665 [GMT 1:00]
Running from: C:\Documents and Settings\Kjersti Estenstad\Skrivebord\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 11:40 . 2008-01-27 11:40 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-0000000B-00001102-00000004-20051102}.BAK
2008-01-27 11:15 . 2008-01-27 11:42 40,960 --a------ C:\WINDOWS\system32\winupdats.exe
2008-01-27 10:20 . 2008-01-27 10:20 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-27 10:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 01:00 . 2008-01-27 01:00 <DIR> d-------- C:\Programfiler\Trend Micro
2008-01-27 00:55 . 2008-01-27 11:20 <DIR> d-------- C:\Programfiler\Eraser
2008-01-27 00:55 . 2008-01-27 00:55 155,648 --a------ C:\WINDOWS\system32\stuninstall.exe
2008-01-26 18:08 . 2008-01-26 18:08 354,816 --a------ C:\WINDOWS\RBossing05.exe
2008-01-21 18:26 . 2008-01-21 18:26 <DIR> d-------- C:\Programfiler\Skype
2008-01-21 18:26 . 2008-01-21 18:26 <DIR> d-------- C:\Programfiler\Fellesfiler\Skype
2008-01-19 18:05 . 2008-01-19 18:05 <DIR> d-------- C:\Programfiler\Audacity
2008-01-18 18:01 . 2008-01-19 22:32 <DIR> d-------- C:\Programfiler\Fellesfiler\Symantec Shared
2008-01-17 20:43 . 2008-01-17 20:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-17 20:43 . 2008-01-17 20:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 20:15 . 2008-01-17 20:15 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-17 20:15 . 2008-01-17 20:15 <DIR> d-------- C:\Programfiler\Sony Ericsson
2008-01-17 20:15 . 2008-01-17 20:16 <DIR> d-------- C:\Programfiler\Fellesfiler\Teleca Shared
2008-01-17 20:13 . 2008-01-17 20:13 <DIR> d-------- C:\Programfiler\Disc2Phone
2008-01-16 03:01 . 2008-01-16 03:01 <DIR> d-------- C:\Programfiler\MSXML 4.0
2008-01-14 21:04 . 2007-12-14 17:19 82,432 --------- C:\WINDOWS\system32\msxml4r.dll
2008-01-14 21:04 . 2007-12-14 17:19 44,544 --------- C:\WINDOWS\system32\msxml4a.dll
2008-01-14 21:03 . 2007-08-23 21:06 110,592 --a------ C:\WINDOWS\system32\TG_DUMP0708.DLL
2008-01-14 21:02 . 1998-11-13 12:09 306,688 --a------ C:\WINDOWS\IsUn0414.exe
2008-01-14 20:59 . 2008-01-14 20:59 <DIR> d-------- C:\My Video
2008-01-14 20:58 . 2008-01-14 20:58 <DIR> d-------- C:\Programfiler\XviD
2008-01-14 20:58 . 2008-01-14 20:58 <DIR> d-------- C:\Programfiler\Lame MP3 Codec
2008-01-14 20:58 . 2002-12-03 22:13 1,048,576 --a------ C:\WINDOWS\system32\lameACM.acm
2008-01-14 20:58 . 2005-05-03 09:33 299,008 --a------ C:\WINDOWS\system32\LAME_MP3.dll
2008-01-14 20:58 . 2008-01-14 20:58 65,024 --a------ C:\WINDOWS\IFinst26.exe
2008-01-14 20:58 . 2004-12-10 21:29 401 --a------ C:\WINDOWS\system32\lame_acm.xml
2008-01-14 20:57 . 2008-01-14 20:57 <DIR> d-------- C:\Programfiler\Samsung
2008-01-14 20:57 . 2008-01-14 20:57 <DIR> d-------- C:\Programfiler\MarkAny
2008-01-12 21:16 . 2008-01-12 21:16 268 --ah----- C:\sqmdata00.sqm
2008-01-12 21:16 . 2008-01-12 21:16 244 --ah----- C:\sqmnoopt00.sqm
2008-01-12 16:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-12 16:31 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-12 16:31 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-12 13:47 . 2008-01-27 11:35 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-12 13:31 . 2008-01-12 13:35 <DIR> d-------- C:\Programfiler\Windows Live
2008-01-12 13:31 . 2008-01-12 13:34 <DIR> d--hsc--- C:\Programfiler\Fellesfiler\WindowsLiveInstaller
2008-01-12 00:56 . 2008-01-12 00:56 <DIR> d-------- C:\Programfiler\Lavalys
2008-01-12 00:28 . 2008-01-12 00:28 <DIR> d-------- C:\Programfiler\SiSoftware
2008-01-12 00:24 . 2008-01-12 00:24 <DIR> d-------- C:\Programfiler\Bonjour
2008-01-12 00:17 . 2008-01-12 00:17 <DIR> d-------- C:\Programfiler\CDBurnerXP
2008-01-12 00:15 . 2008-01-12 00:15 <DIR> d-------- C:\Programfiler\Fellesfiler\Macrovision Shared
2008-01-12 00:12 . 1999-12-13 01:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-01-12 00:12 . 1999-11-18 01:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-01-12 00:11 . 2008-01-12 00:11 <DIR> d-------- C:\Programfiler\Fellesfiler\Creative
2008-01-12 00:11 . 2008-01-12 00:13 <DIR> d--h----- C:\Programfiler\Creative Installation Information
2008-01-11 23:46 . 2008-01-11 23:47 <DIR> d-------- C:\WINDOWS\nview
2008-01-11 23:46 . 2006-06-01 17:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-01-11 23:46 . 2008-01-27 11:42 63,804 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-11 23:46 . 2006-06-01 17:22 16,960 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-11 23:45 . 2008-01-11 23:45 <DIR> d-------- C:\NVIDIA
2008-01-11 23:45 . 2006-06-01 19:09 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-01-11 23:35 . 2008-01-11 23:35 <DIR> d-------- C:\Programfiler\MSXML 6.0
2008-01-11 23:34 . 2008-01-11 23:34 <DIR> d-------- C:\Programfiler\iTunes
2008-01-11 23:34 . 2008-01-11 23:34 <DIR> d-------- C:\Programfiler\iPod
2008-01-11 23:33 . 2008-01-17 20:16 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-11 23:33 . 2008-01-11 23:34 <DIR> d-------- C:\Programfiler\QuickTime
2008-01-11 23:33 . 2008-01-11 23:33 <DIR> d-------- C:\Programfiler\Apple Software Update
2008-01-11 23:32 . 2008-01-11 23:32 <DIR> d-------- C:\Programfiler\Fellesfiler\Apple
2008-01-11 23:30 . 2008-01-18 20:23 <DIR> d-------- C:\Programfiler\Fellesfiler\Adobe
2008-01-11 23:28 . 2008-01-11 23:28 <DIR> d-------- C:\Programfiler\Opera
2008-01-11 23:24 . 2008-01-27 11:41 30,888 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-0000000B-00001102-00000004-20051102}.rfx
2008-01-11 23:24 . 2008-01-27 11:41 30,888 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-0000000B-00001102-00000004-20051102}.rfx
2008-01-11 23:24 . 2008-01-27 11:41 29,952 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-0000000B-00001102-00000004-20051102}.rfx
2008-01-11 23:24 . 2008-01-27 11:41 29,952 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-0000000B-00001102-00000004-20051102}.rfx
2008-01-11 23:24 . 2008-01-27 11:41 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000B-00001102-00000004-20051102}.rfx
2008-01-11 23:24 . 2008-01-27 11:41 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-01-11 23:24 . 2008-01-27 11:41 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-01-11 23:06 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-11 23:03 . 2008-01-11 23:03 <DIR> d-------- C:\Programfiler\Microsoft Works
2008-01-11 23:02 . 2008-01-11 23:02 <DIR> d-------- C:\Programfiler\Microsoft.NET
2008-01-11 23:00 . 2008-01-11 23:00 <DIR> d-------- C:\Programfiler\Microsoft Visual Studio 8
2008-01-11 22:59 . 2008-01-11 23:03 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-11 22:59 . 2008-01-11 22:59 <DIR> dr-h----- C:\MSOCache
2008-01-11 22:47 . 2008-01-11 22:54 <DIR> d-------- C:\WINDOWS\system32\nb-NO
2008-01-11 22:46 . 2008-01-11 23:03 <DIR> d-------- C:\Programfiler\MSBuild
2008-01-11 22:45 . 2008-01-11 22:45 <DIR> d-------- C:\WINDOWS\system32\Data
2008-01-11 22:45 . 2008-01-12 00:11 <DIR> d-------- C:\Programfiler\Creative
2008-01-11 22:44 . 2008-01-17 20:13 <DIR> d-------- C:\Programfiler\Fellesfiler\InstallShield
2008-01-11 22:42 . 2008-01-11 22:47 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-11 22:41 . 2008-01-11 22:41 <DIR> d-------- C:\Programfiler\Reference Assemblies
2008-01-11 22:41 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-11 22:40 . 2008-01-11 22:40 <DIR> d-------- C:\Programfiler\Windows Media Connect 2
2008-01-11 22:39 . 2008-01-12 00:41 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-11 22:39 . 2008-01-14 21:11 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-11 22:37 . 2006-08-21 10:14 128,896 --a--c--- C:\WINDOWS\system32\dllcache\SET217.tmp
2008-01-11 22:37 . 2006-08-21 10:14 23,040 --a------ C:\WINDOWS\system32\SET215.tmp
2008-01-11 22:37 . 2006-08-21 10:14 23,040 --a--c--- C:\WINDOWS\system32\dllcache\SET218.tmp
2008-01-11 22:37 . 2006-08-21 13:28 16,896 --a------ C:\WINDOWS\system32\SET216.tmp
2008-01-11 22:37 . 2006-08-21 13:28 16,896 --a--c--- C:\WINDOWS\system32\dllcache\SET219.tmp
2008-01-11 22:32 . 2008-01-11 22:32 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-01-11 22:13 . 2005-10-20 23:31 1,082,368 --a------ C:\WINDOWS\system32\SET1B4.tmp
2008-01-11 22:00 . 2008-01-16 21:47 <DIR> d-------- C:\Downloads
2008-01-11 22:00 . 2008-01-11 22:00 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 10:15 40,960 ----a-w C:\WINDOWS\system32\NTSpool.exe
2008-01-14 20:04 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-01-11 21:45 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-01-11 21:45 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-01-11 21:00 --------- d-----w C:\Programfiler\BitComet
2008-01-11 20:53 --------- d-----w C:\Programfiler\PC Drivers HeadQuarters
2008-01-11 20:51 --------- d-----w C:\Programfiler\CCleaner
2008-01-11 20:47 --------- d-----w C:\Programfiler\Alwil Software
2008-01-11 20:44 --------- d--h--w C:\Programfiler\Uninstall Information
2008-01-11 20:39 --------- d-----w C:\Programfiler\microsoft frontpage
2008-01-11 20:37 --------- d-----w C:\Programfiler\Elektroniske tjenester
2008-01-11 20:36 --------- d-----w C:\Programfiler\Fellesfiler\Tjenester
2008-01-11 20:36 --------- d-----w C:\Programfiler\Fellesfiler\MSSoap
2008-01-11 19:59 --------- d-----w C:\Programfiler\Fellesfiler\SpeechEngines
2008-01-11 19:59 --------- d-----w C:\Programfiler\Fellesfiler\ODBC
2007-12-14 16:19 40,960 ------w C:\WINDOWS\system32\MAMACExtract.dll
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-20 14:36 118,784 ----a-w C:\WINDOWS\system32\MaDRM.dll
2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll
2007-06-13 13:24 354,816 --sh--r C:\WINDOWS\system32\sysregi.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-27_10.19.24,70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-27 10:41:51 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_49c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Eraser"="C:\Programfiler\Eraser\eraser.exe" [2008-01-27 00:55 487424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"GrooveMonitor"="C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 17:22 86016]
"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Nod32 Runtime"="sysregi.exe" [2007-06-13 14:24 354816 C:\WINDOWS\system32\sysregi.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Nod32 Runtime"="sysregi.exe" [2007-06-13 14:24 354816 C:\WINDOWS\system32\sysregi.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"NTSpool"= NTSpool.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Programfiler\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MtdAcqu]
--------- 2006-03-08 08:56 278528 C:\Programfiler\Creative\MediaSource5\MtdAcqu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Programfiler\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-12-07 15:08 21686568 C:\Programfiler\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-09-20 08:23 132624 C:\Programfiler\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 17:17 159744 C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

R2 NMSAccessU;NMSAccessU;C:\Programfiler\CDBurnerXP\NMSAccessU.exe [2007-10-12 08:34]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 14:40:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 11:53:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 11:53:39
ComboFix-quarantined-files.txt 2008-01-27 10:53:37
ComboFix2.txt 2008-01-27 10:23:33
ComboFix3.txt 2008-01-27 09:19:38
.
2008-01-16 02:01:11 --- E O F ---


Hope someone can take the time to look at the logs and tell me what to do next to get a virus-free PC :)
Work hard, play harder

#2 norbat (offline)

  • Don't panic
  • Group: Members
  • Posts: 1,780
  • Joined 12-Apr 07
  • System: xp, win mobile, win 7

Posted 27 January 2008 - 12:21

Start HJT, choose "Do a system scan only", put a check mark in front of the following lines and click Fix checked:
O4 - HKLM\..\Run: [Nod32 Runtime] sysregi.exe
O4 - HKLM\..\RunServices: [Nod32 Runtime] sysregi.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe

Open Notepad and copy in what is shown in bold below, then save the file to the desktop as CFScript.txt.
Then drag the file onto the ComboFix icon. ComboFix will start again.

File::
C:\WINDOWS\system32\sysregi.exe
C:\WINDOWS\system32\NTSpool.exe


Get SAS, install it, update it and run a full scan.

Post the following logs:
ComboFix
SAS (preferences->statistics/logs)
new HJT log

There are a few more files in the logs that need to go, but let's see what SAS removes automatically. Remember to post the logs :)

This post has been edited by norbat: 27 January 2008 - 12:32
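The three lines the reply above tells the poster to fix are the ones that stand out when the HijackThis O4 (autostart) entries are cross-checked against the ComboFix file report: sysregi.exe is registered both under Run and under the RunServices key, and ComboFix lists it with system/hidden/read-only attributes (--sh--r) in system32; NTSpool.exe is launched from the Policies\Explorer\Run key, which normal installers do not use. The script below is an added triage example written for this thread, not a tool from the thread or from the HijackThis/ComboFix projects. It parses O4 lines and ComboFix Find3M lines (the sample input is copied from the logs posted above, trimmed to a few lines) and flags autostart entries by those two indicators. The key list `UNUSUAL_RUN_KEYS` and the regular expressions are this example's own assumptions about the log formats shown on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of O4 lines from the HijackThis log
# and Find3M lines from the ComboFix log posted earlier in this thread.
HJT_O4_SAMPLE = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Nod32 Runtime] sysregi.exe
O4 - HKLM\..\RunServices: [Nod32 Runtime] sysregi.exe
O4 - HKCU\..\Run: [Eraser] C:\Programfiler\Eraser\eraser.exe -hide
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
"""

COMBOFIX_FIND3M_SAMPLE = r"""
2008-01-27 10:15 40,960 ----a-w C:\WINDOWS\system32\NTSpool.exe
2008-01-11 21:45 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-06-13 13:24 354,816 --sh--r C:\WINDOWS\system32\sysregi.exe
"""

# Autostart keys that legitimate installers on XP essentially never use
# (assumed heuristic for this example).
UNUSUAL_RUN_KEYS = ("RunServices", r"Policies\Explorer\Run")

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# "<date> <time> <size or dashes> <attribute flags> <path>"
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|-+)\s+"
    r"(?P<attrs>[-a-z]+)\s+(?P<path>.+)$"
)


@dataclass
class Finding:
    line: str          # the O4 line that was flagged
    reasons: list      # human-readable indicators that fired


def parse_find3m(text):
    """Map lower-cased file basename -> (full path, attribute flags)."""
    files = {}
    for raw in text.splitlines():
        m = FIND3M_RE.match(raw.strip())
        if m:
            path = m.group("path").strip()
            files[path.rsplit("\\", 1)[-1].lower()] = (path, m.group("attrs"))
    return files


def image_of(cmd):
    """Return the executable part of an O4 command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def triage_autostarts(hjt_text, find3m_text):
    """Flag O4 entries that use an unusual run key or point at a file the
    ComboFix report shows with hidden (h) or system (s) attributes."""
    files = parse_find3m(find3m_text)
    findings = []
    for raw in hjt_text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        reasons = []
        key = m.group("key")
        if any(key.endswith(k) for k in UNUSUAL_RUN_KEYS):
            reasons.append(f"autostart from unusual key {key}")
        basename = image_of(m.group("cmd")).rsplit("\\", 1)[-1].lower()
        known = files.get(basename)
        if known is not None:
            path, attrs = known
            if "h" in attrs or "s" in attrs:
                reasons.append(f"{path} has hidden/system attributes ({attrs})")
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage_autostarts(HJT_O4_SAMPLE, COMBOFIX_FIND3M_SAMPLE):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run as-is it reports exactly the three entries the reply singles out: both "Nod32 Runtime" lines (the RunServices copy for two reasons) and the NTSpool policy entry; the avast!, CTHelper and Eraser entries pass. The attribute check only fires for files that actually appear in the ComboFix report, so a bare filename such as CTHELPER.EXE is not flagged on its own; that keeps the heuristic conservative, which matters when the next step is deleting files.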

#3 Neonlightning (offline)

  • Senior
  • Group: Members
  • Posts: 535
  • Joined 08-May 06

Posted 27 January 2008 - 12:30

Started the scan with SAS now... Going out skiing to enjoy the sun while the computer scans :D Will come back with logs afterwards. Thanks so far :)
Work hard, play harder

#4 norbat (offline)

  • Don't panic
  • Group: Members
  • Posts: 1,780
  • Joined 12-Apr 07
  • System: xp, win mobile, win 7

Posted 27 January 2008 - 12:33

-Eyvind-, on 27 January 2008 - 12:30, wrote:

Started the scan with SAS now... Going out skiing to enjoy the sun while the computer scans :D Will come back with logs afterwards. Thanks so far :)


Heading out myself, so enjoy the rest of your winter day :)

#5 Neonlightning (offline)

  • Senior
  • Group: Members
  • Posts: 535
  • Joined 08-May 06

Posted 27 January 2008 - 14:27

Okay, the PC has now been scanned and I've run ComboFix and HijackThis again... SAS found nothing, but I'm posting the log anyway.

The SAS log

Quote

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/27/2008 at 12:53 PM

Application Version : 3.9.1008

Core Rules Database Version : 3389
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 00:24:33

Memory items scanned : 405
Memory threats detected : 0
Registry items scanned : 6003
Registry threats detected : 0
File items scanned : 30724
File threats detected : 0


Combofix:

Quote

ComboFix 08-01-23.1C - Kjersti Estenstad 2008-01-27 14:20:16.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.491 [GMT 1:00]
Running from: C:\Documents and Settings\Kjersti Estenstad\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kjersti Estenstad\Skrivebord\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\NTSpool.exe
C:\WINDOWS\system32\sysregi.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\NTSpool.exe
C:\WINDOWS\system32\sysregi.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 12:27 . 2008-01-27 12:28 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-01-27 12:27 . 2008-01-27 12:27 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-01-27 11:40 . 2008-01-27 11:40 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-0000000B-00001102-00000004-20051102}.BAK
2008-01-27 11:15 . 2008-01-27 11:42 40,960 --a------ C:\WINDOWS\system32\winupdats.exe
2008-01-27 10:20 . 2008-01-27 10:20 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-27 10:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 01:00 . 2008-01-27 01:00 <DIR> d-------- C:\Programfiler\Trend Micro
2008-01-27 00:55 . 2008-01-27 11:20 <DIR> d-------- C:\Programfiler\Eraser
2008-01-27 00:55 . 2008-01-27 00:55 155,648 --a------ C:\WINDOWS\system32\stuninstall.exe
2008-01-26 18:08 . 2008-01-26 18:08 354,816 --a------ C:\WINDOWS\RBossing05.exe
2008-01-21 18:26 . 2008-01-21 18:26 <DIR> d-------- C:\Programfiler\Skype
2008-01-21 18:26 . 2008-01-21 18:26 <DIR> d-------- C:\Programfiler\Fellesfiler\Skype
2008-01-19 18:05 . 2008-01-19 18:05 <DIR> d-------- C:\Programfiler\Audacity
2008-01-18 18:01 . 2008-01-19 22:32 <DIR> d-------- C:\Programfiler\Fellesfiler\Symantec Shared
2008-01-17 20:43 . 2008-01-17 20:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-17 20:43 . 2008-01-17 20:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 20:15 . 2008-01-17 20:15 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-17 20:15 . 2008-01-17 20:15 <DIR> d-------- C:\Programfiler\Sony Ericsson
2008-01-17 20:15 . 2008-01-17 20:16 <DIR> d-------- C:\Programfiler\Fellesfiler\Teleca Shared
2008-01-17 20:13 . 2008-01-17 20:13 <DIR> d-------- C:\Programfiler\Disc2Phone
2008-01-16 03:01 . 2008-01-16 03:01 <DIR> d-------- C:\Programfiler\MSXML 4.0
2008-01-14 21:04 . 2007-12-14 17:19 82,432 --------- C:\WINDOWS\system32\msxml4r.dll
2008-01-14 21:04 . 2007-12-14 17:19 44,544 --------- C:\WINDOWS\system32\msxml4a.dll
2008-01-14 21:03 . 2007-08-23 21:06 110,592 --a------ C:\WINDOWS\system32\TG_DUMP0708.DLL
2008-01-14 21:02 . 1998-11-13 12:09 306,688 --a------ C:\WINDOWS\IsUn0414.exe
2008-01-14 20:59 . 2008-01-14 20:59 <DIR> d-------- C:\My Video
2008-01-14 20:58 . 2008-01-14 20:58 <DIR> d-------- C:\Programfiler\XviD
2008-01-14 20:58 . 2008-01-14 20:58 <DIR> d-------- C:\Programfiler\Lame MP3 Codec
2008-01-14 20:58 . 2002-12-03 22:13 1,048,576 --a------ C:\WINDOWS\system32\lameACM.acm
2008-01-14 20:58 . 2005-05-03 09:33 299,008 --a------ C:\WINDOWS\system32\LAME_MP3.dll
2008-01-14 20:58 . 2008-01-14 20:58 65,024 --a------ C:\WINDOWS\IFinst26.exe
2008-01-14 20:58 . 2004-12-10 21:29 401 --a------ C:\WINDOWS\system32\lame_acm.xml
2008-01-14 20:57 . 2008-01-14 20:57 <DIR> d-------- C:\Programfiler\Samsung
2008-01-14 20:57 . 2008-01-14 20:57 <DIR> d-------- C:\Programfiler\MarkAny
2008-01-12 21:16 . 2008-01-12 21:16 268 --ah----- C:\sqmdata00.sqm
2008-01-12 21:16 . 2008-01-12 21:16 244 --ah----- C:\sqmnoopt00.sqm
2008-01-12 16:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-12 16:31 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-12 16:31 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-12 13:47 . 2008-01-27 11:35 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-12 13:31 . 2008-01-12 13:35 <DIR> d-------- C:\Programfiler\Windows Live
2008-01-12 13:31 . 2008-01-12 13:34 <DIR> d--hsc--- C:\Programfiler\Fellesfiler\WindowsLiveInstaller
2008-01-12 00:56 . 2008-01-12 00:56 <DIR> d-------- C:\Programfiler\Lavalys
2008-01-12 00:28 . 2008-01-12 00:28 <DIR> d-------- C:\Programfiler\SiSoftware
2008-01-12 00:24 . 2008-01-12 00:24 <DIR> d-------- C:\Programfiler\Bonjour
2008-01-12 00:17 . 2008-01-12 00:17 <DIR> d-------- C:\Programfiler\CDBurnerXP
2008-01-12 00:15 . 2008-01-12 00:15 <DIR> d-------- C:\Programfiler\Fellesfiler\Macrovision Shared
2008-01-12 00:12 . 1999-12-13 01:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-01-12 00:12 . 1999-11-18 01:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-01-12 00:11 . 2008-01-12 00:11 <DIR> d-------- C:\Programfiler\Fellesfiler\Creative
2008-01-12 00:11 . 2008-01-12 00:13 <DIR> d--h----- C:\Programfiler\Creative Installation Information
2008-01-11 23:46 . 2008-01-11 23:47 <DIR> d-------- C:\WINDOWS\nview
2008-01-11 23:46 . 2006-06-01 17:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-01-11 23:46 . 2008-01-27 11:42 63,804 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-11 23:46 . 2006-06-01 17:22 16,960 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-11 23:45 . 2008-01-11 23:45 <DIR> d-------- C:\NVIDIA
2008-01-11 23:45 . 2006-06-01 19:09 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-01-11 23:35 . 2008-01-11 23:35 <DIR> d-------- C:\Programfiler\MSXML 6.0
2008-01-11 23:34 . 2008-01-11 23:34 <DIR> d-------- C:\Programfiler\iTunes
2008-01-11 23:34 . 2008-01-11 23:34 <DIR> d-------- C:\Programfiler\iPod
2008-01-11 23:33 . 2008-01-17 20:16 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-11 23:33 . 2008-01-11 23:34 <DIR> d-------- C:\Programfiler\QuickTime
2008-01-11 23:33 . 2008-01-11 23:33 <DIR> d-------- C:\Programfiler\Apple Software Update
2008-01-11 23:32 . 2008-01-11 23:32 <DIR> d-------- C:\Programfiler\Fellesfiler\Apple
2008-01-11 23:30 . 2008-01-18 20:23 <DIR> d-------- C:\Programfiler\Fellesfiler\Adobe
2008-01-11 23:28 . 2008-01-11 23:28 <DIR> d-------- C:\Programfiler\Opera
2008-01-11 23:24 . 2008-01-27 11:41 30,888 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-0000000B-00001102-00000004-20051102}.rfx
2008-01-11 23:24 . 2008-01-27 11:41 30,888 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-0000000B-00001102-00000004-20051102}.rfx
2008-01-11 23:24 . 2008-01-27 11:41 29,952 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-0000000B-00001102-00000004-20051102}.rfx
2008-01-11 23:24 . 2008-01-27 11:41 29,952 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-0000000B-00001102-00000004-20051102}.rfx
2008-01-11 23:24 . 2008-01-27 11:41 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000B-00001102-00000004-20051102}.rfx
2008-01-11 23:24 . 2008-01-27 11:41 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-01-11 23:24 . 2008-01-27 11:41 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-01-11 23:06 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-11 23:03 . 2008-01-11 23:03 <DIR> d-------- C:\Programfiler\Microsoft Works
2008-01-11 23:02 . 2008-01-11 23:02 <DIR> d-------- C:\Programfiler\Microsoft.NET
2008-01-11 23:00 . 2008-01-11 23:00 <DIR> d-------- C:\Programfiler\Microsoft Visual Studio 8
2008-01-11 22:59 . 2008-01-11 23:03 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-11 22:59 . 2008-01-11 22:59 <DIR> dr-h----- C:\MSOCache
2008-01-11 22:47 . 2008-01-11 22:54 <DIR> d-------- C:\WINDOWS\system32\nb-NO
2008-01-11 22:46 . 2008-01-11 23:03 <DIR> d-------- C:\Programfiler\MSBuild
2008-01-11 22:45 . 2008-01-11 22:45 <DIR> d-------- C:\WINDOWS\system32\Data
2008-01-11 22:45 . 2008-01-12 00:11 <DIR> d-------- C:\Programfiler\Creative
2008-01-11 22:44 . 2008-01-17 20:13 <DIR> d-------- C:\Programfiler\Fellesfiler\InstallShield
2008-01-11 22:42 . 2008-01-11 22:47 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-11 22:41 . 2008-01-11 22:41 <DIR> d-------- C:\Programfiler\Reference Assemblies
2008-01-11 22:41 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-11 22:40 . 2008-01-11 22:40 <DIR> d-------- C:\Programfiler\Windows Media Connect 2
2008-01-11 22:39 . 2008-01-12 00:41 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-11 22:39 . 2008-01-14 21:11 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-11 22:37 . 2006-08-21 10:14 128,896 --a--c--- C:\WINDOWS\system32\dllcache\SET217.tmp
2008-01-11 22:37 . 2006-08-21 10:14 23,040 --a------ C:\WINDOWS\system32\SET215.tmp
2008-01-11 22:37 . 2006-08-21 10:14 23,040 --a--c--- C:\WINDOWS\system32\dllcache\SET218.tmp
2008-01-11 22:37 . 2006-08-21 13:28 16,896 --a------ C:\WINDOWS\system32\SET216.tmp
2008-01-11 22:37 . 2006-08-21 13:28 16,896 --a--c--- C:\WINDOWS\system32\dllcache\SET219.tmp
2008-01-11 22:32 . 2008-01-11 22:32 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-01-11 22:13 . 2005-10-20 23:31 1,082,368 --a------ C:\WINDOWS\system32\SET1B4.tmp
2008-01-11 22:00 . 2008-01-16 21:47 <DIR> d-------- C:\Downloads
2008-01-11 22:00 . 2008-01-11 22:00 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 20:04 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-01-11 21:45 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-01-11 21:45 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-01-11 21:00 --------- d-----w C:\Programfiler\BitComet
2008-01-11 20:53 --------- d-----w C:\Programfiler\PC Drivers HeadQuarters
2008-01-11 20:51 --------- d-----w C:\Programfiler\CCleaner
2008-01-11 20:47 --------- d-----w C:\Programfiler\Alwil Software
2008-01-11 20:44 --------- d--h--w C:\Programfiler\Uninstall Information
2008-01-11 20:39 --------- d-----w C:\Programfiler\microsoft frontpage
2008-01-11 20:37 --------- d-----w C:\Programfiler\Elektroniske tjenester
2008-01-11 20:36 --------- d-----w C:\Programfiler\Fellesfiler\Tjenester
2008-01-11 20:36 --------- d-----w C:\Programfiler\Fellesfiler\MSSoap
2008-01-11 19:59 --------- d-----w C:\Programfiler\Fellesfiler\SpeechEngines
2008-01-11 19:59 --------- d-----w C:\Programfiler\Fellesfiler\ODBC
2007-12-14 16:19 40,960 ------w C:\WINDOWS\system32\MAMACExtract.dll
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-20 14:36 118,784 ----a-w C:\WINDOWS\system32\MaDRM.dll
2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-27_10.19.24,70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-27 09:17:22 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 13:20:11 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-27 09:17:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 13:20:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-27 09:17:23 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 13:20:11 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-27 09:17:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 13:20:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-27 09:17:23 2,977,792 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-27 13:20:12 2,977,792 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-27 09:17:23 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 13:20:12 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 11:27:51 34,304 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe
+ 2008-01-27 11:27:51 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-27 10:41:51 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_49c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Eraser"="C:\Programfiler\Eraser\eraser.exe" [2008-01-27 00:55 487424]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"GrooveMonitor"="C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 17:22 86016]
"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Programfiler\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MtdAcqu]
--------- 2006-03-08 08:56 278528 C:\Programfiler\Creative\MediaSource5\MtdAcqu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Programfiler\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-12-07 15:08 21686568 C:\Programfiler\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-09-20 08:23 132624 C:\Programfiler\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 17:17 159744 C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

R2 NMSAccessU;NMSAccessU;C:\Programfiler\CDBurnerXP\NMSAccessU.exe [2007-10-12 08:34]

*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL
.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 14:40:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 14:22:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 14:22:35
ComboFix-quarantined-files.txt 2008-01-27 13:22:33
ComboFix2.txt 2008-01-27 10:53:40
ComboFix3.txt 2008-01-27 10:23:33
ComboFix4.txt 2008-01-27 09:19:38
.
2008-01-16 02:01:11 --- E O F ---


HijackThis:

Quote

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:26:34, on 27.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programfiler\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Eraser\eraser.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programfiler\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programfiler\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Programfiler\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Programfiler\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programfiler\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programfiler\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Programfiler\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Programfiler\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe

--
End of file - 8153 bytes

Work hard, play harder
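As an added example (not from the thread or from any of the tools it uses), a small Python triage of the O4 Run entries and O23 services in a HijackThis log like the one above: it flags commands given as a bare filename (Windows resolves those through the search path, so the copy that actually runs has to be checked), entries marked "(file missing)", and services with "Unknown owner". The sample lines are copied from the log above; the flag names and heuristics are my own assumptions, not HijackThis output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted above (not a
# complete log), so the triage below has realistic input to run on.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Eraser] C:\Programfiler\Eraser\eraser.exe -hide
O23 - Service: NMSAccessU - Unknown owner - C:\Programfiler\CDBurnerXP\NMSAccessU.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
"""

# O4 = Run-key autostart entry, O23 = installed service (HijackThis prefixes).
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str
    kind: str       # "run" or "service"
    name: str
    target: str     # the file that is actually loaded
    flags: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """File a Run-key command really loads: honours a quoted path, and for
    RUNDLL32.EXE returns the DLL named before the comma in its argument
    (the DLL path is assumed to contain no spaces, as in this log)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    if exe.upper() in ("RUNDLL32.EXE", "RUNDLL32"):
        return rest.strip().split(" ", 1)[0].split(",", 1)[0]
    return exe


def triage(log_text: str) -> list:
    """Parse O4/O23 lines and attach flags (my own triage heuristics):
    bare-name     command names only a file, so Windows resolves it through
                  the search path; confirm which copy on disk actually runs
    file-missing  HijackThis could not find the referenced file
    unknown-owner service binary carries no publisher information"""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            f = Finding(line, "run", m["name"], executable_of(m["cmd"]))
            if "\\" not in f.target:
                f.flags.append("bare-name")
            if "(file missing)" in line:
                f.flags.append("file-missing")
            findings.append(f)
        elif m := O23_RE.match(line):
            f = Finding(line, "service", m["name"], m["path"])
            if m["owner"] == "Unknown owner":
                f.flags.append("unknown-owner")
            findings.append(f)
    return findings


def flagged(log_text: str) -> list:
    """Only the entries that deserve a second look."""
    return [f for f in triage(log_text) if f.flags]
```

A flag is a prompt to verify the file on disk (location, hash, publisher), not a verdict; the bare-name Creative and NVIDIA entries here are normal for those drivers.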

#6 norbat (user offline)

  • Don't panic
  • Group: Members
  • Posts: 1,780
  • Registered 12-Apr 07
  • System: xp, win mobile, win 7

Posted 27 January 2008 - 15:01

Check the following file at http://virusscan.jotti.org/:

C:\WINDOWS\system32\winupdats.exe
(You will probably have to turn on "Show hidden files and folders" to find the file)

Report back/copy the report on the file.

#7 Neonlightning (user offline)

  • Senior
  • Group: Members
  • Posts: 535
  • Registered 08-May 06

Posted 27 January 2008 - 15:26

That's done... Here is what it found about the file:

Quote

File: winupdats.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5: 80b93211fa066e496c9c02803522d305
Packers detected: -
Bit9 reports: File not found

Scan taken on 27 Jan 2008 14:20:47 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found DeepScan:Generic.Malware.SI!Bdldg.E4E6BF2D
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Now that I think about it, this was one of the files BitDefender deleted during the first online scan... But it has apparently come back.
Work hard, play harder

#8 norbat (user offline)

  • Don't panic
  • Group: Members
  • Posts: 1,780
  • Registered 12-Apr 07
  • System: xp, win mobile, win 7

Posted 27 January 2008 - 15:39

Create a new CFScript file with the following content:

File::
C:\WINDOWS\system32\winupdats.exe


Post the log again and tell us how it goes with the 'problem' (feel free to run a new scan with the antivirus program and see whether you still get a message about something or other).

#9 Neonlightning (user offline)

  • Senior
  • Group: Members
  • Posts: 535
  • Registered 08-May 06

Posted 27 January 2008 - 16:16

I have now done what you last said. BUT when I tried to run an online scan with BitDefender, and it goes to download virus signatures, it says failed. Then I'm asked whether to scan anyway. The scan works, but I don't know whether it can be trusted??
Work hard, play harder

#10 Torstein M (user offline)

  • Senior
  • Group: Members
  • Posts: 548
  • Registered 06-Jul 07
  • System: windows

Posted 27 January 2008 - 18:21

check this thread here http://itpro.no/supp...showtopic=52058
Regards, Torstein
