
Trojan via Messenger


Sandis


By mistake I clicked on a link I had received from a friend on Messenger. Something was installed on the computer, and my Messenger contacts received the same chat link I had received, without me being logged in. I have now changed my password and cleaned the computer with Avast. Does anyone know whether it is possible to check if the program is still there?

/Sandis

 


If something was installed but nothing has been removed, then whatever was installed should still be there.

Let's see whether HijackThis shows anything, to begin with:

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Install it, start it and choose "Do a system scan and save a logfile", then copy the log that comes up (nothing else).

 

In your reply, attach the HijackThis log like this:

Press the LOG button in the Reply window

Paste the log

Press the LOG button again

 


Here is the log:[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:27:53, on 2008-08-25

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Alwil Software\Avast4\aswUpdSv.exe

C:\Program\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program\Analog Devices\SoundMAX\spkrmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Alwil Software\Avast4\ashMaiSv.exe

C:\Program\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program\Java\jre1.6.0_07\bin\jusched.exe

C:\Program\HP\HP Software Update\HPWuSchd2.exe

C:\Program\ALWILS~1\Avast4\ashDisp.exe

C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program\SecCopy\SecCopy.exe

C:\Program\MSN Messenger\MsnMsgr.Exe

C:\Program\Spybot - Search & Destroy\TeaTimer.exe

C:\Program\HP\Digital Imaging\bin\hpqtra08.exe

C:\Documents and Settings\Sandis\Skrivbord\DateInTray.exe

C:\Program\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe

C:\Program\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program\Delade filer\Teleca Shared\Generic.exe

C:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Program\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avanza.se/aza/home/home.jsp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [statusClient] C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup] C:\Program\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

O4 - HKLM\..\Run: [HPLJ Config] C:\Program\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_001 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1053 -sl 120000

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [second Copy] "C:\Program\SecCopy\SecCopy.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: Genväg till DateInTray.lnk = C:\Documents and Settings\Sandis\Skrivbord\DateInTray.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Konvertera länkmål till Adobe PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Konvertera länkmål till befintlig PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Konvertera markering till Adobe PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Konvertera markering till befintlig PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Konvertera till Adobe PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Konvertera till befintlig PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Konvertera valda länkar till Adobe PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Konvertera valda länkar till befintlig PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O15 - Trusted Zone: *.handelsbanken.se

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.fujidirekt.se/aurigma2/ImageUploader4.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: spkrmon - Unknown owner - C:\Program\Analog Devices\SoundMAX\spkrmon.exe

 

--

End of file - 10214 bytes

[/log]

 


I don't see anything malicious in that log, at any rate.

 

Download MSNFix to the Desktop.

http://sosvirus.changelog.fr/MSNFix.zip

Unpack the file and start MSNFix.bat by double-clicking it (XP), or by right-clicking it and choosing Run as administrator (Vista).

 

Choose a language by pressing the corresponding letter.

Press R to start the scan.

If anything is found, press any key to start the removal.

Sometimes a message comes up asking you to restart the computer; if so, do that.

 

Paste the log that comes up into your reply here.

If it doesn't come up, you will find it in the folder where the program is located; the log's file name contains the date and time of the run.

 


It didn't find anything. Here is the log:[log]MSNFix 1.742

 

C:\MSNFix

Sokningen var klar pa 2008-08-25 - 15:59:31,23 By Sandis

normalt lage

 

************************ Kollar filer

 

Inga Filer Funna

 

************************ Kollar mappar

 

Inga Mappar Funna

 

 

 

 

************************ Hostsclean

 

Cleanhosts v 0.1.0.7 By Laurent

 

-- Backup : C:\WINDOWS\system32\drivers\etc\hosts-20080825160029

-- original size 255.46 Kb / 9127 lines

-- Start cleaning Hosts file ....

 

/!\... antivirus.com ..... Found and removed

/!\... avast.com ..... Found and removed

/!\... ca.com ..... Found and removed

/!\... mcafee.com ..... Found and removed

/!\... spybot.info ..... Found and removed

 

 

-- final size 254.1 Kb / 9085 lines

-- entry Found : 5 / Entry check : 310

 

End .............................. 25.62 Secondes

 

 

 

************************ Misstankta Filer

 

Inga Filer Funna

 

 

************************ HKLM\...\Winlogon\Userinit

 

Userinit = C:\WINDOWS\system32\userinit.exe,

 

------------------------------------------------------------------------

Gjord av : !aur3n7 Contact: http://changelog.fr

------------------------------------------------------------------------

 

--------------------------------------------- END ---------------------------------------------

 

[/log] I searched the web for basfipm.exe, which appears in the log. It possibly said something about a Goubot virus?

 

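The Hostsclean section of the MSNFix log above found and removed hosts-file entries for five security-vendor domains, a common way for an infection to keep antivirus sites and updates from loading. The check below is an added example, not part of this thread or of MSNFix/Cleanhosts: it parses hosts-file text, flags any entry that overrides one of those vendor domains (the domain list is taken from that log; the sample hosts content is constructed) and returns a cleaned copy together with a "Found and removed" list.

```python
# Added example: detect and strip hosts-file entries that override
# security-vendor domains. Not MSNFix/Cleanhosts code; the five domains
# are the ones reported in the MSNFix log, the sample hosts file is constructed.

VENDOR_DOMAINS = ("antivirus.com", "avast.com", "ca.com", "mcafee.com", "spybot.info")

# Constructed sample of a Windows hosts file containing a few overriding entries.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "# constructed blocklist-style entries\n"
    "127.0.0.1       ad.example-tracker.test\n"
    "127.0.0.1       www.avast.com avast.com\n"
    "127.0.0.1       download.mcafee.com\n"
    "0.0.0.0         updates.spybot.info\n"
    "127.0.0.1       www.ca.com   # pinned by the infection\n"
)


def matches_vendor(hostname, vendors=VENDOR_DOMAINS):
    """True if hostname is a vendor domain or a subdomain of one.

    The leading dot in the suffix test keeps e.g. africa.com from matching ca.com.
    """
    host = hostname.lower().rstrip(".")
    return any(host == v or host.endswith("." + v) for v in vendors)


def parse_hosts_line(line):
    """Return (ip, [hostnames]) for an entry line, or None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()   # drop trailing comments
    fields = body.split()
    if len(fields) < 2:
        return None
    return fields[0], fields[1:]


def clean_hosts(text, vendors=VENDOR_DOMAINS):
    """Strip vendor-domain entries from hosts-file text.

    Returns (cleaned_text, removed) where removed is a list of (ip, hostname)
    pairs, mirroring the "Found and removed" lines Cleanhosts prints. Hostnames
    on the same line that are not vendor domains are kept.
    """
    kept, removed = [], []
    for line in text.splitlines():
        parsed = parse_hosts_line(line)
        if parsed is None:
            kept.append(line)          # comments and blank lines pass through
            continue
        ip, names = parsed
        flagged = [n for n in names if matches_vendor(n, vendors)]
        if not flagged:
            kept.append(line)
            continue
        removed.extend((ip, n) for n in flagged)
        survivors = [n for n in names if n not in flagged]
        if survivors:
            kept.append(ip + "\t" + " ".join(survivors))
    cleaned = "\n".join(kept)
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned, removed


def report(text=SAMPLE_HOSTS):
    """Print a Cleanhosts-style summary and return the number of removed entries."""
    cleaned, removed = clean_hosts(text)
    for ip, name in removed:
        print(f"/!\\... {name} ({ip}) ..... Found and removed")
    print(f"-- entry Found : {len(removed)} / lines before {text.count(chr(10))}"
          f" after {cleaned.count(chr(10))}")
    return len(removed)


if __name__ == "__main__":
    report()
```

On a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `text` and keep a backup before writing the cleaned copy back, as Cleanhosts does.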

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

Is part of a driver for some network card or similar.

 

Download ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

[log]Unplug the internet connection and close all programs you can see, including antivirus, antispyware and firewall programs, or alternatively restart the computer in Safe Mode.

Run ComboFix and follow the instructions shown.

 

IMPORTANT! Do not click in the ComboFix window with the mouse while it is running, otherwise it may hang.

 

When it is finished, a log should come up; attach it to your reply. Check that the antivirus program and firewall are running before you connect to the internet.

 

If you have trouble getting onto the internet:

Control Panel - Network Connections

right-click your internet connection and choose Repair, and/or restart the computer.[/log]

 

Warning! ComboFix disables autorun for CDs, floppies and USB devices to make it easier to clean the computer and to protect it against infections in the future. This can cause problems, e.g. if the computer gets its internet via a USB modem or a USB network adapter. In that case, say so instead of running ComboFix.

 


When you are about to run ComboFix, it warns that only 1 in 100 computers works afterwards. Can you run it without it fixing anything?

 


Well, it should be the other way around, at any rate.

 

There are other scanning programs, but OTViewIt is only a beta version, and then there is OTScanIt, but I'm not used to it, so I might miss something.

 


Here is the log from ComboFix:[log]ComboFix 08-08-24.03 - Sandis 2008-08-25 17:32:34.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.631 [GMT 2:00]

Running from: C:\Documents and Settings\Sandis\Mina dokument\Virusrensning\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Sandis\Cookies\sandis@2o7[1].txt

C:\Documents and Settings\Sandis\Cookies\sandis@ad.adtoma[2].txt

C:\Documents and Settings\Sandis\Cookies\sandis@adtoma.expressen[1].txt

C:\Documents and Settings\Sandis\Cookies\sandis@clicktorrent[1].txt

C:\Documents and Settings\Sandis\Cookies\sandis@stl.p.a1.traceworks[2].txt

C:\Documents and Settings\Sandis\Cookies\sandis@www.gulex[2].txt

C:\Documents and Settings\Sandis\Cookies\sandis@www.hitta[1].txt

C:\WINDOWS\system32\drivers\fad.sys

 

.

((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))

.

 

2008-08-25 15:58 . 2008-08-25 16:01 <KAT> d-a------ C:\MSNFix

2008-08-25 15:58 . 2008-08-25 15:58 790,893 --a------ C:\MSNFix.zip

2008-08-25 15:27 . 2008-08-25 15:27 <KAT> d-------- C:\Program\Trend Micro

2008-08-21 21:22 . 2008-08-21 21:22 <KAT> d-------- C:\Documents and Settings\Gäst\Application Data\Teleca

2008-08-21 21:22 . 2008-08-21 21:22 <KAT> d-------- C:\Documents and Settings\Gäst\Application Data\Sony Ericsson

2008-08-21 21:22 . 2008-08-21 21:22 <KAT> d-------- C:\Documents and Settings\Gäst\Application Data\Netscape

2008-08-21 21:21 . 2008-08-24 21:13 <KAT> d-------- C:\Documents and Settings\Gäst\Mallar

2008-08-21 21:21 . 2008-08-25 17:34 <KAT> d-------- C:\Documents and Settings\Gäst\Lokala inställningar

2008-08-21 21:21 . 2008-08-24 21:13 <KAT> d-------- C:\Documents and Settings\Gäst\Favoriter

2008-08-21 21:21 . 2008-08-24 21:13 <KAT> d---s---- C:\Documents and Settings\Gäst

2008-08-16 22:33 . 2008-08-16 22:33 <KAT> d-------- C:\Program\Sun

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-24 19:13 --------- d-----w C:\Program\Spybot - Search & Destroy

2008-08-21 14:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-08-18 14:40 --------- d-----w C:\Documents and Settings\Sandis\Application Data\MailWasherPro

2008-08-16 20:33 --------- d-----w C:\Program\Java

2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-06-24 16:25 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-23 16:42 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-06-20 17:42 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 17:29 15360]

"swg"="C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-16 20:33 68856]

"Second Copy"="C:\Program\SecCopy\SecCopy.exe" [2006-02-17 11:38 2665472]

"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:55 5674352]

"SpybotSD TeaTimer"="C:\Program\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DVDLauncher"="C:\Program\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 08:04 53248]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 15:51 118784]

"Acrobat Assistant 7.0"="C:\Program\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]

"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

"HP Software Update"="C:\Program\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]

"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2007-10-03 18:20 286720]

"avast!"="C:\Program\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008]

"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]

"Sony Ericsson PC Suite"="C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 02:06 487424]

"StatusClient"="C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 17:51 36864]

"TomcatStartup"="C:\Program\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 20:28 155648]

"HPLJ Config"="C:\Program\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe" [2003-03-31 19:32 28672]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 17:29 15360]

 

C:\Documents and Settings\Sandis\Start-meny\Program\Autostart\

Adobe Gamma.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

Genväg till DateInTray.lnk - C:\Documents and Settings\Sandis\Skrivbord\DateInTray.exe [2007-08-20 18:14:16 74752]

 

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\

Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1044-F000-7760-000000000002}\SC_Acrobat.exe [2007-08-20 07:55:04 25214]

HP Digital Imaging Monitor.lnk - C:\Program\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

Personal.lnk - C:\Program\Personal\bin\Personal.exe [2007-08-16 22:02:01 894504]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program\\MSN Messenger\\livecall.exe"=

"C:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"C:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"C:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"C:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"C:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"C:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"C:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"C:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"C:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"C:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"C:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"C:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"C:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"C:\\Program\\D-Link Media Server\\MediaServer.exe"=

"C:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=

"C:\\Program\\D-Link Media Server\\MediaGUI.exe"=

"C:\\Program\\Sony Ericsson\\Update Service\\Update Service.exe"=

"C:\\Program\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=

"C:\\Program\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\WINDOWS\\system32\\ftp.exe"=

 

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-09-15 17:40]

S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-01-11 18:38]

S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 15:58]

S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 15:58]

S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 15:58]

S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 15:58]

S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 15:58]

S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 15:58]

S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 15:58]

S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 16:49]

S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2006-03-13 16:50]

S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2006-03-13 16:50]

S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys [2006-03-13 16:50]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

 

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.avanza.se/aza/home/home.jsp

R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

R1 -: HKCU-Internet Settings,ProxyOverride = <local>

R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s

O8 -: E&xportera till Microsoft Excel - C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 -: Konvertera länkmål till Adobe PDF - C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 -: Konvertera länkmål till befintlig PDF - C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 -: Konvertera markering till Adobe PDF - C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 -: Konvertera markering till befintlig PDF - C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 -: Konvertera till Adobe PDF - C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 -: Konvertera till befintlig PDF - C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 -: Konvertera valda länkar till Adobe PDF - C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 -: Konvertera valda länkar till befintlig PDF - C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O15 -: Trusted Zone: *.handelsbanken.se

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-25 17:34:36

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-08-25 17:36:15

ComboFix-quarantined-files.txt 2008-08-25 15:35:52

 

Pre-Run: 73,865,019,392 byte ledigt

Post-Run: 73,874,812,928 byte ledigt

 

154 --- E O F --- 2008-08-17 01:03:18

[/log]

 


Something disappeared there, at least.

Reinstall MSN to be on the safe side, and then try out MSN a little carefully.

 

Here you can read my usual advice for a safer computer, but of course it is also important to use common sense.

http://ceblstockholm.googlepages.com/home

 

PS. "roughly 1\100 machines failed to make it through the disinfection process" does not mean that 1 in 100 doesn't work afterwards, but that 1 in 100 could not complete the ComboFix run due to hanging, crashing etc. (Thanks Zipp for the complete message!)

 
