Please check my HijackThis log


nisseö


Hi

 

On an XP computer, Norman has quarantined w32/dloader.mbvc and removed w32/onlinegames.cldv. Spybot and SUPERAntiSpyware find nothing. Neither do Ewido and Kaspersky online.

 

Even so, I would be grateful for help taking a look at the HijackThis log below. There are a couple of things in it I don't recognise. Also, XP seems to have become slower when logging out of accounts.

 

Many thanks in advance

Nils Östergren

 

[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:03:34, on 2009-01-17

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Norman\Npm\bin\ELOGSVC.EXE

C:\Norman\Ngs\Bin\Nprosec.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Norman\Npm\Bin\Zanda.exe

C:\Norman\npm\bin\nvoy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Norman\npf\bin\npfsvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\netdde.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE

C:\Norman\Npm\Bin\Nvcsched.exe

C:\Norman\Npm\Bin\Njeeves.exe

C:\WINDOWS\System32\alg.exe

C:\Norman\nse\bin\NSESVC.EXE

C:\Norman\Nvc\bin\nvcoas.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\WINDOWS\system32\Tablet.exe

C:\Norman\Npm\Bin\ZLH.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program\Windows Defender\MSASCui.exe

C:\Program\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\iid.exe

C:\Program\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Norman\Nvc\Bin\Nip.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\Norman\Nvc\Bin\cclaw.exe

C:\Program\Spybot - Search & Destroy\TeaTimer.exe

C:\Program\Windows Media Player\WMPNSCFG.exe

C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Hjt\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/EgenStartsida.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.datorbutiken.com/se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Windows Defender] "C:\Program\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-1904893017-2145715213-115614781-1013\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime (User 'Nisse_2')

O4 - HKUS\S-1-5-21-1904893017-2145715213-115614781-1017\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SPEL')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [iETI] C:\Program\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [iETI] C:\Program\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre6\bin\jp2iexp.dll

O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.datorbutiken.com/se/

O15 - Trusted Zone: http://support.f-secure.com

O15 - Trusted Zone: http://www.kaspersky.com

O15 - Trusted Zone: http://g.live.com

O15 - Trusted Zone: http://onecare.live.com

O15 - Trusted Zone: http://safety.live.com

O15 - Trusted Zone: http://V5.Windowsupdate.microsoft.com

O15 - Trusted Zone: http://Download.Windowsupdate.com

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229019795500

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229019782000

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://ssl.extrafilm.org/upload/activex/ImageUploader3.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe

O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe

O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Norman\npf\bin\npfsvc32.exe

O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Norman\Ngs\Bin\Nprosec.exe

O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe

O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

 

--

End of file - 12431 bytes[/log]

 

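The questions in this thread come down to sorting a HijackThis log into entries that refer to something that still exists on disk and entries that are leftovers (a BHO with "(no file)", an O16 download with no source URL), plus the entries that widen the browser's attack surface (O15 trusted zones, O16 ActiveX downloads) or lack a publisher (O23 "Unknown owner"). The following Python script is an added example, not part of the thread and not a HijackThis or forum tool; it parses a handful of constructed lines written in the same format as the log above and groups them the way a helper would before asking the poster about them. The regular expressions and category names are the example's own assumptions about the v2.0.2 line layout.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines in the format of a Trend Micro HijackThis v2 log,
# chosen to cover the entry types discussed in the thread (not a complete log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O15 - Trusted Zone: http://support.f-secure.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
"""

# Every numbered HijackThis entry starts with a section code (R0, O2, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O16 body: "DPF: {CLSID} (optional name) - <url or nothing>"
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)$")


def parse_entries(log_text):
    """Return (section, body) for every numbered entry; process lists and headers are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sect"), m.group("body")))
    return entries


def triage(log_text):
    """Group entries into the buckets a log reviewer asks about first.

    Nothing here declares an entry malicious: an orphaned BHO is usually a harmless
    remnant (as in the thread), but it is the kind of line the poster cannot place.
    """
    findings = {
        "orphaned_bho": [],            # O2 entries whose DLL no longer exists on disk
        "dpf_without_url": [],         # O16 ActiveX entries with no recorded download source
        "dpf_downloads": [],           # O16 entries with a source host, listed for review
        "trusted_zones": [],           # O15 sites exempted from normal IE zone restrictions
        "unknown_owner_services": [],  # O23 services with no publisher string
    }
    for sect, body in parse_entries(log_text):
        if sect == "O2" and body.endswith("- (no file)"):
            m = CLSID_RE.search(body)
            findings["orphaned_bho"].append(m.group(0) if m else body)
        elif sect == "O16":
            m = DPF_RE.match(body)
            if not m:
                continue
            if m.group("url"):
                host = urlparse(m.group("url")).hostname
                findings["dpf_downloads"].append((m.group("clsid"), host))
            else:
                findings["dpf_without_url"].append(m.group("clsid"))
        elif sect == "O15" and body.startswith("Trusted Zone: "):
            findings["trusted_zones"].append(body[len("Trusted Zone: "):])
        elif sect == "O23" and " - Unknown owner - " in body:
            name = body[len("Service: "):].split(" - ", 1)[0]
            findings["unknown_owner_services"].append(name)
    return findings


def report(findings):
    """Render the buckets as the short list a reviewer would paste back into a reply."""
    lines = []
    for bucket, items in findings.items():
        if items:
            lines.append(f"{bucket} ({len(items)}):")
            lines.extend(f"  {item}" for item in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against a full log, the script only shortens the "what is this?" list; deciding whether an orphaned CLSID came from Windows Live or Adobe, as the moderator does below, still needs a lookup or a known-good reference, which the script deliberately does not invent.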

On an XP computer, Norman has quarantined w32/dloader.mbvc and removed w32/onlinegames.cldv.
In which files and folders were the malicious files?

 

There are a couple of things in it I don't recognise.
Which ones?

 


Thanks for the quick reply!

 

During the Dloader attack, Norman removed nircmd.exe and getfile-081220-aps[1].gif.

 

During the second attack, Norman reported that ao218415.exe (possibly ad218415.exe) was removed.

 

EDIT:

I can't find any Norman log that could tell me which folders the files were in.

 

 

The following in the log looks unfamiliar, but it may just be harmless remnants:

 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -

 

 

 

 

[post edited 2009-01-17 17:49:56 by nisseö]

[post edited 2009-01-17 17:50:36 by nisseö]


nircmd.exe is a file that is part of ComboFix, so it may have been there since May, when you used that program. getfile-081220-aps[1].gif, on the other hand, does sound like a fake image file, but Norman perhaps removed the file before it did any damage to the computer.

 

The following in the log looks unfamiliar, but it may just be harmless remnants:
That's right, the first two are left over from Windows Live and the last one has to do with Adobe.

 

I can't see anything malicious in the log, but since you feel the computer isn't quite normal, we can check a bit more. But if you are still using a limited account, the risk of running into something is considerably smaller. ComboFix has come out in newer versions since this spring, so you need to download a new one. Download ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

[log]Close all programs you can see, including antivirus and antispyware programs, but leave the firewall on.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

Run ComboFix and follow the instructions shown.

If you are asked whether you want to install the Recovery Console, answer yes.

 

IMPORTANT! Do not click on the ComboFix window with the mouse while it is running, otherwise it may hang.

 

When it has finished, a log should appear; attach it to your reply. Check that the antivirus program etc. is running before you connect to the internet.

 

If you have problems getting online:

Control Panel - Network Connections

right-click your internet connection and choose Repair, and/or restart the computer.[/log]

 

Warning! ComboFix disables autorun for CDs, floppies and USB devices to make it easier to clean the computer and to protect the computer against infections in the future. This can cause problems, e.g. if the computer gets its internet access via a USB modem or USB network adapter. In that case, say so instead of running ComboFix.

 


ComboFix generated the log below, after failing to contact Microsoft and install the Recovery Console. Good or bad?

 

In addition, Spybot, which I evidently had not managed to shut down completely, responded with a series of allow/deny questions. I approved most of them, since they were asked in direct connection with the ComboFix scan. The questions concerned start page changes from the computer manufacturer's start page to Microsoft, and search preferences (Google/Microsoft), so it shouldn't have been anything dangerous.

 

[log]ComboFix 09-01-17.01 - Nisse 2009-01-17 18:55:48.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1053.18.2046.1435 [GMT 1:00]

: c:\documents and settings\Nisse\Skrivbord\ComboFix.exe

AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Outdated)

FW: Norman Personal Firewall v. 1.4 *disabled*

FW: Personlig Brandvägg *disabled*

 

 

 

.

 

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

 

- BITS: Troligen infekterade webbplatser -

 

hxxp://www.sr.se

.

(((((((((((((((((((((((( Filer Skapade från 2008-12-17 till 2009-01-17 ))))))))))))))))))))))))))))))

.

 

2009-01-17 13:17 . 2009-01-17 13:17 <KAT> d c:\documents and settings\Nisse_2\Application Data\SUPERAntiSpyware.com

2009-01-17 13:10 . 2009-01-17 13:10 <KAT> d c:\program\SUPERAntiSpyware

2009-01-17 13:10 . 2009-01-17 13:10 <KAT> d c:\documents and settings\Nisse\Application Data\SUPERAntiSpyware.com

2009-01-17 13:10 . 2009-01-17 13:10 <KAT> d c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-17 13:09 . 2009-01-17 13:09 <KAT> d c:\program\Delade filer\Wise Installation Wizard

2009-01-17 13:04 . 2009-01-17 17:04 <KAT> d C:\Hjt

2009-01-17 12:42 . 2009-01-17 12:43 664 a c:\windows\system32\d3d9caps.dat

2009-01-17 04:13 . 2009-01-17 04:14 <KAT> d c:\documents and settings\Nisse_2\.housecall6.6

2009-01-15 23:22 . 2009-01-15 23:22 <KAT> d c:\documents and settings\Nisse\Application Data\KodakCredentialStore

2009-01-15 23:13 . 2009-01-15 23:13 <KAT> d c:\documents and settings\Nisse\Application Data\Skinux

2009-01-15 23:12 . 2009-01-15 23:12 <KAT> d c:\documents and settings\Nisse_2\Application Data\Skinux

2009-01-15 22:55 . 2008-05-02 14:30 466,432 - c:\windows\system32\imapi2fs.dll

2009-01-15 22:55 . 2008-05-02 14:30 466,432 -c- c:\windows\system32\dllcache\imapi2fs.dll

2009-01-15 22:55 . 2008-05-02 14:30 317,440 - c:\windows\system32\imapi2.dll

2009-01-15 22:55 . 2008-05-02 14:30 317,440 -c- c:\windows\system32\dllcache\imapi2.dll

2009-01-15 22:55 . 2008-05-02 11:49 62,976 -c- c:\windows\system32\dllcache\cdrom.sys

2009-01-10 22:14 . 2009-01-10 22:14 <KAT> d c:\documents and settings\Jens\Contacts

2009-01-10 12:52 . 2007-04-24 11:33 108,680 -ra c:\windows\system32\drivers\s125mdm.sys

2009-01-10 12:52 . 2007-04-24 11:33 83,336 -ra c:\windows\system32\drivers\s125bus.sys

2009-01-10 12:52 . 2008-04-13 20:45 32,128 a c:\windows\system32\drivers\usbccgp.sys

2009-01-10 12:52 . 2008-04-13 20:45 32,128 ac- c:\windows\system32\dllcache\usbccgp.sys

2009-01-10 12:52 . 2007-04-24 11:33 15,112 -ra c:\windows\system32\drivers\s125mdfl.sys

2009-01-10 12:52 . 2007-04-24 11:33 12,424 -ra c:\windows\system32\drivers\s125whnt.sys

2009-01-10 12:52 . 2007-04-24 11:33 12,424 -ra c:\windows\system32\drivers\s125wh.sys

2009-01-10 12:52 . 2007-04-24 11:33 12,424 -ra c:\windows\system32\drivers\s125cmnt.sys

2009-01-10 12:52 . 2007-04-24 11:33 12,424 -ra c:\windows\system32\drivers\s125cm.sys

2009-01-07 17:35 . 2009-01-07 17:35 268 ah- C:\sqmdata07.sqm

2009-01-07 17:35 . 2009-01-07 17:35 244 ah- C:\sqmnoopt07.sqm

2009-01-07 17:30 . 2009-01-07 17:34 <KAT> d c:\program\MSN Messenger

2009-01-06 23:31 . 2009-01-06 23:31 <KAT> d c:\program\Microsoft Sync Framework

2009-01-06 23:29 . 2009-01-06 23:29 <KAT> d c:\program\Microsoft SQL Server Compact Edition

2009-01-06 23:29 . 2006-11-29 13:06 3,426,072 a c:\windows\system32\d3dx9_32.dll

2009-01-06 22:49 . 2009-01-06 22:49 <KAT> d c:\documents and settings\Nisse_2\Tracing

2009-01-06 21:55 . 2009-01-06 21:55 200 a C:\sqmnoopt06.sqm

2009-01-06 21:55 . 2009-01-06 21:55 200 a C:\sqmdata06.sqm

2009-01-06 21:51 . 2009-01-06 21:51 <KAT> d c:\program\Windows Live SkyDrive

2009-01-06 21:17 . 2009-01-06 21:17 236 a C:\sqmdata05.sqm

2009-01-06 21:17 . 2009-01-06 21:17 200 a C:\sqmnoopt05.sqm

2009-01-06 21:11 . 2009-01-06 21:11 236 a C:\sqmdata04.sqm

2009-01-06 21:11 . 2009-01-06 21:11 200 a C:\sqmnoopt04.sqm

2008-12-29 23:28 . 2008-12-29 23:28 <KAT> d c:\program\Samsung

2008-12-29 23:28 . 2006-11-01 14:52 765,952 a c:\windows\system32\xvidcore.dll

2008-12-29 23:28 . 1998-07-09 19:41 217,088 a c:\windows\system32\skjpeg40.dll

2008-12-29 23:28 . 2006-11-01 14:54 180,224 a c:\windows\system32\xvidvfw.dll

2008-12-29 23:28 . 1998-03-04 10:40 83,968 a c:\windows\system32\Skbase40.dll

2008-12-29 23:28 . 2006-11-01 15:26 77,824 a c:\windows\system32\xvid.ax

2008-12-29 23:28 . 2004-03-09 10:39 8,704 a c:\windows\system32\vidccleaner.exe

 

.

 

.

2009-01-17 17:50 - d-w c:\documents and settings\Nisse\Application Data\WTablet

2009-01-17 16:09 - d-w c:\documents and settings\Nisse_2\Application Data\WTablet

2009-01-17 15:21 - d-w c:\documents and settings\LocalService\Application Data\WTablet

2009-01-17 11:33 - d-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-15 21:59 - d-w c:\documents and settings\All Users\Application Data\Kodak

2009-01-15 20:32 - d-w c:\documents and settings\Anja.DATORNR2\Application Data\WTablet

2009-01-15 15:30 - d-w c:\documents and settings\Jens\Application Data\WTablet

2009-01-15 14:39 - d-w c:\documents and settings\SPEL\Application Data\WTablet

2009-01-11 22:10 - d-w c:\documents and settings\Dina\Application Data\WTablet

2009-01-06 22:53 - d-w c:\documents and settings\Nisse\Application Data\Windows Live Writer

2009-01-06 22:31 - d-w c:\program\Windows Live

2009-01-01 23:01 - d-w c:\program\Skype

2009-01-01 22:32 - dhw c:\program\InstallShield Installation Information

2009-01-01 22:32 - d-w c:\program\Digimask

2009-01-01 20:44 - d-w c:\program\CCleaner

2009-01-01 20:32 - d-a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-01 20:32 - d-w c:\program\SpywareBlaster

2008-12-14 14:10 - d-w c:\program\Java

2008-12-11 10:57 333,952 a-w c:\windows\system32\drivers\srv.sys

2008-12-08 22:14 - d-w c:\documents and settings\Dina\Application Data\Skype

2008-12-04 22:04 308,072 a-w c:\windows\WLXPGSS.SCR

2008-12-04 14:26 - d-w c:\documents and settings\Anja.DATORNR2\Application Data\gtk-2.0

2008-11-14 22:46 9,048 a-w c:\windows\gdrv.sys

2008-11-10 04:43 410,984 a-w c:\windows\system32\deploytk.dll

2008-10-23 12:43 286,720 a-w c:\windows\system32\gdi32.dll

2008-05-18 20:31 32,768 sha-w c:\windows\system32\config\systemprofile\Lokala inställningar\Tidigare\History.IE5\MSHist012008051820080519\index.dat

.

 

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

 

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"SpybotSD TeaTimer"="c:\program\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

"WMPNSCFG"="c:\program\Windows Media Player\WMPNSCFG.exe" [2006-11-15 204288]

"SUPERAntiSpyware"="c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sony Ericsson PC Suite"="c:\program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]

"Norman ZANDA"="c:\norman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]

"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"Adobe Reader Speed Launcher"="c:\program\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"QuickTime Task"="c:\program\QuickTime\QTTask.exe" [2008-09-06 413696]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"Net iD"="c:\windows\system32\iid.exe" [2008-02-22 74992]

"SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 c:\windows\RTHDCPL.exe]

"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"= DrvTrNTm.dll

"wave"= DrvTrNTm.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

- 2006-11-15 10:49 204288 c:\program\Windows Media Player\wmpnscfg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=2 (0x2)

"usnjsvc"=3 (0x3)

"mnmsrvc"=3 (0x3)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"TkBellExe"="c:\program\Delade filer\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program\\Messenger\\msmsgs.exe"=

"c:\\Program\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program\\MSN Messenger\\livecall.exe"=

 

R0 NDIS_RD;Norman Firewall NDIS driver;c:\windows\system32\drivers\ndis_rd.sys [2008-02-17 79752]

R1 NPROSEC;Norman Security driver;c:\norman\Ngs\Bin\nprosec.sys [2008-07-22 53816]

R1 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2004-03-19 1984]

R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]

R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]

R1 TDI_RD;Norman Firewall TDI driver;c:\windows\system32\drivers\tdi_rd.sys [2008-02-17 74624]

R3 nsesvc;Norman Scanner Engine Service;c:\norman\Nse\bin\Nsesvc.exe [2008-07-22 322616]

R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2008-02-17 19512]

R3 nvcoas;Norman Virus Control on-access component;c:\norman\Nvc\BIN\Nvcoas.exe [2008-03-04 191544]

R3 NVCScheduler;Norman Virus Control Scheduler;c:\norman\npm\bin\nvcsched.exe [2008-07-22 154680]

R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [2007-04-18 55936]

R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [2007-04-18 19456]

R3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

R4 Ndiskio;Ndiskio;c:\norman\Nse\bin\Ndiskio.sys [2008-02-17 20448]

R4 NPFSvc32;Norman Personal Firewall Service;c:\norman\Npf\Bin\npfsvc32.exe [2008-09-22 597104]

R4 NPROSECSVC;Norman Security service;c:\norman\Ngs\Bin\nprosec.exe [2008-07-22 121912]

R4 NVOY;Norman's Very Own supplY of resources;c:\norman\npm\bin\nvoy.exe [2008-07-22 121912]

R4 SeaPort;SeaPort;c:\program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2008-12-04 226640]

R4 WinDefend;Windows Defender;c:\program\Windows Defender\MsMpEng.exe [2006-11-03 13592]

S3 AEXPAM;Philips SmartManage Service;c:\windows\system32\drivers\aexpamdrv.sys [2004-09-01 21824]

S3 MarkFun_NT;MarkFun_NT;c:\program\Gigabyte\@BIOS\markfun.w32 [2008-02-24 17912]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2E.tmp > c:\windows\system32\2E.tmp [?]

S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2009-01-10 83336]

S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2009-01-10 15112]

S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2009-01-10 108680]

S3 SaiNtSub;SaiNtSub;c:\windows\system32\drivers\saintsub.sys [2007-05-30 19200]

 

- Övriga tjänster/drivrutiner i minnet -

 

*Deregistered* - mchInjDrv

.

 

 

2009-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

 

2009-01-17 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

 

2009-01-17 c:\windows\Tasks\User_Feed_Synchronization-{1932A038-87FA-4A88-AACB-CE5E1E2ED9B5}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]

 

2009-01-16 c:\windows\Tasks\User_Feed_Synchronization-{769C5851-2B64-47B6-827E-2314E667CEA5}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]

 

2009-01-17 c:\windows\Tasks\User_Feed_Synchronization-{A07FB218-A75B-4309-9276-B786AE877B6C}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]

.

- - - - - - - -

 

HKLM-Run-Cmaudio - cmicnfg.cpl

HKU-Default-RunOnce-IETI - c:\program\Skype\Phone\IEPlugin\unins000.exe

MSConfigStartUp-Profiler - c:\program\Saitek\Software\Profiler.exe

MSConfigStartUp-SaiSmart - c:\program\Saitek\Software\SaiSmart.exe

 

 

.

- -

.

uStart Page = file:///C:/EgenStartsida.htm

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel

Trusted Zone: *.//stream.sf-anytime.com/

Trusted Zone: members.chello.se

Trusted Zone: ftp.ea-europe.com

Trusted Zone: account.ea.com

Trusted Zone: ssl.extrafilm.org

Trusted Zone: support.f-secure.com

Trusted Zone: desktop.google.com

Trusted Zone: earth.google.com

Trusted Zone: kh.google.com

Trusted Zone: maps.google.com

Trusted Zone: eforum.idg.se

Trusted Zone: www.kaspersky.com

Trusted Zone: g.live.com

Trusted Zone: onecare.live.com

Trusted Zone: safety.live.com

Trusted Zone: *.microsoft.com

Trusted Zone: download.microsoft.com

Trusted Zone: update.microsoft.com

Trusted Zone: V4.Windowsupdate.microsoft.com

Trusted Zone: v5.windowsupdate.microsoft.com

Trusted Zone: Windowsupdate.microsoft.com

Trusted Zone: winqual.microsoft.com

Trusted Zone: www.microsoft.com

Trusted Zone: V5.Windowsupdate.microsoft.com

Trusted Zone: www.miljoforum.n.se

Trusted Zone: *.ostergrenfria.se

Trusted Zone: eplusgiro.plusgirot.se

Trusted Zone: www.plusgirot.se

Trusted Zone: secure.sandrewmetronome.se

Trusted Zone: taz.vv.sebank.se

Trusted Zone: *.sl.se

Trusted Zone: www.stff.se

Trusted Zone: *.svt.se

Trusted Zone: webbmejl.tv4.se

Trusted Zone: Download.Windowsupdate.com

Trusted Zone: *.www.ne.se

Trusted Zone: *.www.sf.se

Trusted Zone: *.www.sl.se

Trusted Zone: *.www.sr.se

Trusted Zone: *.yahoo.com

Trusted Zone: mail.yahoo.com

 

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}

hxxp://download.ewido.net/ewidoOnlineScan.cab

FF - ProfilePath - c:\documents and settings\Nisse\Application Data\Mozilla\Firefox\Profiles\e55dio7u.default

FF - prefs.js: browser.startup.homepage - file:///C:/EgenStartsida.htm

FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll

FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll

FF - plugin: c:\program\Mozilla Firefox\plugins\npiidplg.dll

FF - plugin: c:\program\Windows Live\Photo Gallery\NPWLPG.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-17 19:03:00

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]

"ImagePath"="\??\c:\program\Gigabyte\@BIOS\markfun.w32"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\2E.tmp"

.

- LÅSTA REGISTERNYCKLAR -

 

[HKEY_USERS\S-1-5-21-1904893017-2145715213-115614781-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

 

[HKEY_USERS\S-1-5-21-1904893017-2145715213-115614781-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:20,e8,05,95,fa,38,07,78,1a,04,3c,22,37,f1,28,d9,7a,be,93,60,a2,57,3d,

9f,c5,ed,c6,40,ee,8c,b7,99,39,0d,c1,94,98,e4,55,b1,ef,b2,c5,f4,ac,a0,6c,10,"??"=hex:5a,e7,35,97,00,c9,58,19,f9,a5,ab,aa,eb,1b,a1,fc

.

- DLLer som "laddats" under processer som körs -

 

- - - - - - - > 'winlogon.exe'(688)

c:\program\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

.

: 2009-01-17 19:06:28

ComboFix-quarantined-files.txt 2009-01-17 18:06:17

ComboFix2.txt 2008-05-15 20:56:33

 

: 13 793 230 848 byte ledigt

: 14,531,362,816 byte ledigt

 

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4

285 - E O F - 2008-01-08 23:25:08[/log]

Changed CODE tags to LOG tags

Cecilia - Moderator for Viruses, malicious programs & remedies

 

[post edited 2009-01-17 19:43:10 by Cecilia]


It is of course good to install the Recovery Console, in case something should happen during the cleanup, but your computer doesn't seem to have any major infection.

 

What is in the folders:

2009-01-15 23:13 . 2009-01-15 23:13 <KAT> d c:\documents and settings\Nisse\Application Data\Skinux

2009-01-15 23:12 . 2009-01-15 23:12 <KAT> d c:\documents and settings\Nisse_2\Application Data\Skinux

 

But if you have just installed something that runs all the time, e.g. the Sony Ericsson program, that could well be what makes logging out slower, because I see nothing malicious in the log.

 


doesn't seem to have any major infection.

Any major... So you do see a minor one? ;)

 

The Skinux folders are empty. Judging by the time they were created, they are connected with the installation of a program belonging to a digital camera (Kodak).

 

You've done it again:

 

First you get a quick reply. Then an analysis. Then yet another check. At least double points, then.

 

You're the best, and as usual you have my warm thanks for your help.

/Nisse

 


Archived

This topic is now archived and is closed to further replies.
