I think I'm infected with some junk
Posts: 4

Hi Spywarefri! I'm fairly new to the forum, but I hope you have time to take a look at my HijackThis log, as I think some dirt got in after I happened to click on a file I shouldn't have clicked on.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 08:06:56, on 09-02-2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Auzentech\Auzen X-Fi Prelude 7.1\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Cyberlink\Shared files\brs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Documents and Settings\Vimarr\Local Settings\Apps\2.0\RCGY5O8R.9O3\0QPNXE40.R1T\curs..tion_eee711038731a406_0004.0000_1430d97334050788\CurseClient.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Steam\steam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentriloFix\Ventrilo\3.0\Ventrilo3.0.4.exe
C:\Program Files\League of Legends\lol.launcher.exe
C:\Program Files\League of Legends\Air\LOLClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\League of Legends\Game\League of Legends.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.getfirefox.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Auzentech\Auzen X-Fi Prelude 7.1\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe"
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared files\brs.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [HKLM] C:\WINDOWS\system32\system32\synscn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [HKCU] C:\WINDOWS\system32\system32\synscn.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\system32\synscn.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\system32\synscn.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: CurseClientStartup.ccip
O8 - Extra context menu item: Add to Google Photos Screensa&ver; - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Unibet - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\unibetpokerMPP\MPPoker.exe (file missing) (HKCU)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0 (SP6)) - http://activex.microsoft.com/controls/vb5/comdlg32.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe


End of file - 9254 bytes

Editor
Posts: 12991

Welcome to Spywarefri

Download Malwarebytes Anti-Malware from here:
http://www.besttechie.net/tools/mbam-setup.exe
Or from here ->
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

Install the program. Once that's done, let the program update itself. A window then opens where you move the dot to "Perform full scan"; click the Scan button and let the program work. When it's finished (it takes a little while, depending on how much you have on the computer), press the "Show results" button, and then press "Remove Selected". The log now opens, and you should save it somewhere you can find it again.
Copy the contents into this thread.

Important: Before you click the "Scan" button in Malwarebytes Anti-Malware, go to the "Update" tab, click "Check for Updates", and keep going until it says you have the latest database (THIS MUST BE DONE).


Do you know what this is that is running here >

O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\system32\synscn.exe
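The synscn.exe entry the editor singles out shows traits a triage script can check mechanically: a nested system32\system32 directory, registration under the rarely used Policies\Explorer\Run keys, a value name that is just the registry location, and the same file launched from four separate autorun locations. The Python below is added here as an example (it is not part of the thread and not HijackThis code); it parses O4 lines and flags those traits, using sample lines copied from the log posted above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: benign O4 lines plus the four synscn.exe lines,
# copied from the HijackThis log posted earlier in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [HKLM] C:\WINDOWS\system32\system32\synscn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [HKCU] C:\WINDOWS\system32\system32\synscn.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\system32\synscn.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\system32\synscn.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: CurseClientStartup.ccip
"""

# O4 registry autorun line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# HijackThis appends "(User 'X')" for HKUS hives; it is not part of the command.
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
# A directory name immediately repeated, e.g. \system32\system32\
NESTED_DIR_RE = re.compile(r"\\([^\\]+)\\\1\\", re.IGNORECASE)
# Value names that only echo where the entry lives instead of naming a product.
LOCATION_NAMES = {"hklm", "hkcu", "hkus", "policies", "run"}


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    command: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o4(line: str):
    """Parse one HijackThis O4 registry line; return None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = USER_SUFFIX_RE.sub("", m.group("cmd"))
    if cmd.startswith('"'):
        end = cmd.find('"', 1)                    # quoted executable path
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split(" ", 1)[0]               # first token of an unquoted command
    return Autorun(m.group("hive"), m.group("key"), m.group("name"), cmd, path)


def suspicious_autoruns(log_text: str):
    """Return the parsed O4 entries that trip at least one of the rules."""
    entries = [e for e in (parse_o4(l) for l in log_text.splitlines()) if e]
    # Count the distinct autorun locations that point at each executable.
    locations = {}
    for e in entries:
        locations.setdefault(e.path.lower(), set()).add(f"{e.hive}\\{e.key}")
    for e in entries:
        if NESTED_DIR_RE.search(e.path):
            e.reasons.append("nested copy of a system directory name in path")
        if e.key.lower().endswith("policies\\explorer\\run"):
            e.reasons.append("Policies\\Explorer\\Run key, rarely used by legitimate software")
        if e.name.lower() in LOCATION_NAMES:
            e.reasons.append("value name is just the registry location, not a product name")
        n = len(locations[e.path.lower()])
        if n >= 2:
            e.reasons.append(f"same executable registered from {n} autorun locations")
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in suspicious_autoruns(SAMPLE_O4_LINES):
        print(f"{e.hive}\\{e.key} [{e.name}] {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```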

Posts: 4

Here is the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3712
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

09-02-2010 09:58:20
mbam-log-2010-02-09 (09-58-20).txt

Skan type: Fuldstændig skanning (C:\|)
Objekter skannet: 230317
Tid tilbagelagt: 1 hour(s), 11 minute(s), 16 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 2
Inficerede Registeringsdatabase Værdier: 4
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 1
Inficerede Filer: 6

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8w260mte-j7e0-v0sc-b0x7-b3hfwrll7wm6} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{xx1jm5s8-n3k2-355v-jsy5-wt2wo4481t05} (Generic.Bot.H) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Værdier:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hkcu (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hklm (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Trojan.Dropper) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)

Inficerede Mapper:
C:\WINDOWS\system32\system32 (Trojan.Agent) -> Quarantined and deleted successfully.

Inficerede Filer:
C:\WINDOWS\system32\system32\synscn.exe (Generic.Bot.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23667B2-DB7C-4892-AB1F-92929BF2A8C6}\RP299\A0045688.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23667B2-DB7C-4892-AB1F-92929BF2A8C6}\RP299\A0045765.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23667B2-DB7C-4892-AB1F-92929BF2A8C6}\RP299\A0045769.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vimarr\Application Data\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vimarr\Local Settings\temp\XxX.xXx (Malware.Trace) -> Delete on reboot.


and no, I know nothing about that synscn.exe file

Editor
Posts: 12991

Download ComboFix and save it in a folder:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Open the folder containing ComboFix, right-click, choose New->Text Document, open the text document, and copy the following into it:


Killall::
Snapshot::


Click File->Save As, name it CFScript, and close the text document.
Then grab the new file with the mouse, drag it over the ComboFix file, and "let go" with the mouse.
http://www.fromsej.saknet.dk/billeder/swfcombo.gif
ComboFix should then start working. It may require a restart, which you should allow. You should not click on the window while the tool is running, as that can cause your computer to freeze.

Disable your antivirus program while you run ComboFix; if ComboFix warns you, just click OK and it will continue.

Copy the resulting log into this thread.

Posts: 4

Nothing happens at all when I do that; the program doesn't open.

Administrator
Posts: 54662

Download these two tools:

http://www.ctrlaltdel.dk/programmer/tklog.zip
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

...and unpack both to your Desktop. Then double-click TKLog.bat. TDSSKiller will run and try to clean your computer. After that, a log will open; please copy its contents in here.

Restart, then try ComboFix again.


Posts: 4

Hi! I got ComboFix working without that extra program; here is the log:

ComboFix 10-02-11.04 - Vimarr 12-02-2010   2:01.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.45.1033.18.2047.1627 [GMT 1:00]
Kører fra: c:\documents and settings\Vimarr\Desktop\ComboFix\ComboFix.exe
Kommandoer benyttet :: c:\documents and settings\Vimarr\Desktop\ComboFix\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

(((((((((((((((((((((((((((((  Filer skabt fra 2010-01-12 til 2010-02-12 )))))))))))))))))))))))))))))))))))
.

2010-02-11 23:06 . 2010-02-11 23:17   --------  d-----w-  c:\documents and settings\Vimarr\Local Settings\Application Data\Unity
2010-02-10 15:49 . 2009-12-14 07:08   33280   ------w-  c:\windows\system32\dllcache\csrsrv.dll
2010-02-10 15:49 . 2009-12-08 09:23   474112   ------w-  c:\windows\system32\dllcache\shlwapi.dll
2010-02-10 15:49 . 2009-11-27 17:23   17920   ------w-  c:\windows\system32\dllcache\msyuv.dll
2010-02-10 15:49 . 2009-11-27 16:07   8704   ------w-  c:\windows\system32\dllcache\tsbyuv.dll
2010-02-10 15:49 . 2009-11-27 16:07   28672   ------w-  c:\windows\system32\dllcache\msvidc32.dll
2010-02-10 15:49 . 2009-11-27 16:07   48128   ------w-  c:\windows\system32\dllcache\iyuv_32.dll
2010-02-10 15:49 . 2009-11-27 16:07   11264   ------w-  c:\windows\system32\dllcache\msrle32.dll
2010-02-10 15:49 . 2009-12-16 18:43   343040   ------w-  c:\windows\system32\dllcache\mspaint.exe
2010-02-10 15:49 . 2009-12-04 17:25   456832   ------w-  c:\windows\system32\dllcache\mrxsmb.sys
2010-02-09 07:44 . 2010-01-07 15:07   38224   ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-09 07:43 . 2010-01-07 15:07   19160   ----a-w-  c:\windows\system32\drivers\mbam.sys
2010-02-09 07:43 . 2010-02-09 07:44   --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2010-02-09 06:49 . 2010-02-09 06:49   388096   ----a-r-  c:\documents and settings\Vimarr\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-09 06:49 . 2010-02-09 06:49   --------  d-----w-  c:\program files\TrendMicro
2010-02-06 21:16 . 2010-02-06 21:16   --------  d-----w-  c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-06 21:15 . 2010-02-09 09:15   --------  d-----w-  c:\documents and settings\Vimarr\Application Data\SUPERAntiSpyware.com
2010-02-06 21:15 . 2010-02-09 09:15   --------  d-----w-  c:\program files\SUPERAntiSpyware
2010-02-06 20:06 . 2010-02-06 20:06   --------  d-----w-  c:\windows\system32\wbem\snmp
2010-02-06 20:06 . 2010-02-06 20:06   --------  d-----w-  c:\windows\system32\xircom
2010-02-06 20:06 . 2010-02-06 20:06   --------  d-----w-  c:\program files\microsoft frontpage
2010-02-06 19:44 . 2010-02-06 19:44   100   ---ha-w-  C:\aaw7boot.cmd
2010-02-06 18:03 . 2010-02-09 09:15   --------  d-----w-  c:\program files\Spybot - Search & Destroy
2010-02-06 18:03 . 2010-02-09 09:15   --------  d-----w-  c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-06 18:02 . 2010-02-06 19:45   --------  d-----w-  c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-06 17:44 . 2010-02-06 17:45   --------  d-----w-  c:\documents and settings\Vimarr\Local Settings\Application Data\Cyberlink
2010-02-06 17:40 . 2010-02-06 17:39   53319   ----a-w-  c:\documents and settings\All Users\Application Data\Temp\{8C20787A-7402-4FA7-BF25-6E5750930FDC}\PostBuild.exe
2010-02-06 17:39 . 2010-02-06 17:39   --------  d-----w-  c:\documents and settings\Vimarr\Local Settings\Application Data\PowerDVDCox
2010-02-06 17:39 . 2010-02-06 17:39   --------  d-----w-  c:\documents and settings\Vimarr\Local Settings\Application Data\PowerDVDCinema
2010-02-06 17:39 . 2010-02-06 17:39   --------  d-----w-  c:\documents and settings\Vimarr\Application Data\CyberLink
2010-02-06 17:38 . 2010-02-06 17:44   --------  d-----w-  c:\documents and settings\All Users\Application Data\CyberLink
2010-02-06 17:38 . 2010-02-06 17:38   --------  d-----w-  c:\program files\Common Files\CyberLink
2010-02-06 17:36 . 2010-02-06 17:39   29480   ----a-w-  c:\windows\system32\msxml3a.dll
2010-02-06 17:35 . 2010-02-09 09:09   53319   ----a-w-  c:\documents and settings\All Users\Application Data\Temp\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2010-02-06 17:35 . 2010-02-06 17:40   --------  d-----w-  c:\documents and settings\All Users\Application Data\Temp
2010-02-06 05:41 . 2010-02-06 05:41   691696   ----a-w-  c:\windows\system32\drivers\sptd.sys
2010-02-06 05:41 . 2010-02-06 05:43   --------  d-----w-  c:\program files\DAEMON Tools Lite
2010-02-06 05:41 . 2010-02-06 05:47   --------  d-----w-  c:\documents and settings\Vimarr\Application Data\DAEMON Tools Lite
2010-02-06 05:41 . 2010-02-06 05:41   --------  d-----w-  c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-02-05 02:24 . 2010-02-05 02:24   6971392   ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{A7B2CAF8-BFB8-5C0B-6EBF-0EDDEFBDFD5A}-League of Legends.exe
2010-02-02 19:43 . 2010-02-09 09:09   --------  d-----w-  c:\program files\Absolute Video Converter
2010-02-01 13:22 . 2010-02-01 13:22   --------  d-----w-  c:\documents and settings\Vimarr\Local Settings\Application Data\Rawr
2010-01-22 13:09 . 2010-01-05 10:00   192512   ------w-  c:\windows\system32\dllcache\iepeers.dll
2010-01-20 22:31 . 2010-02-11 23:22   --------  d-----w-  c:\program files\League of Legends
2010-01-20 21:50 . 2010-01-20 22:30   814143398   ----a-w-  c:\documents and settings\Vimarr\loleusetup.exe
2010-01-17 19:57 . 2010-01-17 19:57   6926336   ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{0B31C7D2-EF0E-48D2-D9F9-21B235FEDF0C}-League of Legends.exe
2010-01-17 19:50 . 2010-01-17 19:50   487424   ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{69855BD2-877A-34E0-CCDF-B7DC99FA5CEC}-lol.launcher.exe
2010-01-17 19:50 . 2010-01-17 19:50   --------  d-----w-  c:\documents and settings\Vimarr\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2010-01-17 19:49 . 2010-01-17 19:49   38784   ----a-w-  c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-17 19:43 . 2010-01-17 19:43   --------  d-----w-  C:\Riot Games
2010-01-14 23:22 . 2010-01-14 23:22   3016192   ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{194D38A9-4350-FDAF-6EF5-2EA4B134F08F}-ZeroGearServer.exe
2010-01-14 22:21 . 2010-01-14 22:21   --------  d-----w-  c:\program files\OpenAL
2010-01-13 12:27 . 2009-11-21 15:51   471552   ------w-  c:\windows\system32\dllcache\aclayers.dll

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-12 00:59 . 2009-11-08 12:42   862760   ----a-w-  c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-11 22:15 . 2009-06-27 16:00   --------  d-----w-  c:\program files\Steam
2010-02-11 17:59 . 2009-04-22 20:30   --------  d-----w-  c:\program files\Mozilla Thunderbird
2010-02-11 02:57 . 2009-08-01 20:40   --------  d-----w-  c:\documents and settings\Vimarr\Application Data\vlc
2010-02-09 09:15 . 2009-05-05 10:47   --------  d-----w-  c:\program files\WC3Banlist
2010-02-09 09:15 . 2009-10-25 14:51   --------  d-----w-  c:\program files\Common Files\Wise Installation Wizard
2010-02-09 09:14 . 2009-12-27 00:20   --------  d-----w-  c:\program files\Spesoft Audio Converter
2010-02-09 09:14 . 2009-10-08 20:58   --------  d-----w-  c:\program files\Notepad++
2010-02-09 09:14 . 2009-10-08 20:58   --------  d-----w-  c:\documents and settings\Vimarr\Application Data\Notepad++
2010-02-09 09:09 . 2009-04-22 19:54   --------  d--h--w-  c:\program files\InstallShield Installation Information
2010-02-09 06:24 . 2009-07-16 16:37   0   ----a-w-  c:\documents and settings\Vimarr\temp.dat
2010-02-06 17:39 . 2009-04-28 09:47   353576   ----a-w-  c:\windows\system32\msvcr71.dll
2010-02-06 17:39 . 2009-04-28 09:47   505128   ----a-w-  c:\windows\system32\msvcp71.dll
2010-02-06 05:48 . 2009-09-08 18:31   --------  d-----w-  c:\documents and settings\Vimarr\Application Data\dvdcss
2010-02-03 04:00 . 2009-06-03 11:35   --------  d-----w-  c:\program files\World of Warcraft
2010-02-01 16:04 . 2009-04-25 20:25   --------  d-----w-  c:\documents and settings\Vimarr\Application Data\uTorrent
2010-02-01 13:18 . 2009-04-22 21:02   1   ----a-w-  c:\documents and settings\Vimarr\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-01 11:50 . 2009-08-11 18:13   --------  d-----w-  c:\program files\Sony Ericsson
2010-02-01 04:03 . 2009-04-24 22:00   --------  d-----w-  c:\program files\Common Files\Adobe
2010-01-26 01:29 . 2009-05-21 22:17   --------  d-----w-  c:\program files\Full Tilt Poker
2010-01-20 13:52 . 2009-04-23 00:11   --------  d-----w-  c:\program files\Microsoft Silverlight
2010-01-17 19:49 . 2009-04-24 22:01   --------  d-----w-  c:\program files\Common Files\Adobe AIR
2010-01-17 19:49 . 2009-04-24 22:21   38784   ----a-w-  c:\documents and settings\Vimarr\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-17 19:02 . 2009-06-07 14:13   --------  d-----w-  c:\program files\TeamViewer
2010-01-14 10:12 . 2009-11-03 18:23   181120   ------w-  c:\windows\system32\MpSigStub.exe
2010-01-14 00:13 . 2009-04-22 19:51   --------  d-----w-  c:\program files\Warcraft III
2010-01-11 14:12 . 2009-04-22 20:30   --------  d-----w-  c:\documents and settings\Vimarr\Application Data\Thunderbird
2010-01-05 10:00 . 2008-10-16 19:38   832512   ------w-  c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-01-08 19:20   78336   ----a-w-  c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2009-01-08 19:20   17408   ----a-w-  c:\windows\system32\corpol.dll
2010-01-01 07:58 . 2009-01-08 19:12   353792   ----a-w-  c:\windows\system32\drivers\srv.sys
2009-12-29 00:18 . 2009-12-28 22:56   --------  d-----w-  c:\program files\mmmJukebox
2009-12-28 23:26 . 2009-12-28 23:13   --------  d-----w-  c:\program files\The JukeBoxer
2009-12-27 13:40 . 2009-04-24 21:58   --------  d-----w-  c:\documents and settings\All Users\Application Data\NOS
2009-12-27 00:32 . 2009-09-10 17:51   1924200   ----a-w-  c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-12-27 00:21 . 2009-12-27 00:21   --------  d-----w-  c:\documents and settings\Vimarr\Application Data\Spesoft Audio Converter
2009-12-23 01:11 . 2009-12-23 01:11   --------  d-----w-  c:\program files\K-Lite Codec Pack
2009-12-21 12:56 . 2009-04-22 19:41   86327   ----a-w-  c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-16 18:43 . 2009-04-22 19:37   343040   ----a-w-  c:\windows\system32\mspaint.exe
2009-12-15 14:00 . 2009-06-07 14:13   --------  d-----w-  c:\documents and settings\Vimarr\Application Data\TeamViewer
2009-12-14 07:08 . 2008-04-14 04:41   33280   ----a-w-  c:\windows\system32\csrsrv.dll
2009-12-12 20:52 . 2009-04-13 00:33   7276   ----a-w-  c:\documents and settings\Vimarr\Application Data\Thinstall\Allok 3GP PSP MP4 iPod Video Converter 5.1.0814\%ProgramFilesDir%\Allok 3GP PSP MP4 iPod Video Converter\savedata.dll
2009-12-12 18:48 . 2009-12-12 18:48   7680   ----a-w-  c:\documents and settings\Vimarr\Application Data\Thinstall\Allok 3GP PSP MP4 iPod Video Converter 5.1.0814\40000081e00003i\ave.exe
2009-12-12 18:47 . 2009-12-12 18:47   7680   ----a-w-  c:\documents and settings\Vimarr\Application Data\Thinstall\Allok 3GP PSP MP4 iPod Video Converter 5.1.0814\4000008000002i\Splash Screen.exe
2009-12-11 23:53 . 2009-04-22 20:41   19504   ----a-w-  c:\documents and settings\Vimarr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-08 18:20 . 2009-01-08 19:10   2145280   ------w-  c:\windows\system32\ntoskrnl.exe
2009-12-08 17:40 . 2008-08-14 10:09   2023936   ------w-  c:\windows\system32\ntkrnlpa.exe
2009-12-04 17:25 . 2009-01-08 19:07   456832   ----a-w-  c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:23 . 2009-01-08 19:11   1291776   ----a-w-  c:\windows\system32\quartz.dll
2009-11-27 17:23 . 2008-04-14 05:42   17920   ----a-w-  c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2001-08-23 11:00   28672   ----a-w-  c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36   8704   ----a-w-  c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2008-04-14 05:41   48128   ----a-w-  c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2008-04-14 04:42   11264   ----a-w-  c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2008-04-14 04:41   84992   ----a-w-  c:\windows\system32\avifil32.dll
2009-11-21 15:51 . 2008-04-14 04:41   471552   ----a-w-  c:\windows\AppPatch\aclayers.dll
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-  c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-  c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-01-08 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-01-08 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((  Start steder i reg.basen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"VolPanel"="c:\program files\Auzentech\Auzen X-Fi Prelude 7.1\Volume Panel\VolPanlu.exe" [2009-02-03 237693]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-08-22 19968]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2008-09-05 159744]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

c:\documents and settings\Vimarr\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2009-10-30 0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
Trusted   213e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Activision\\Wolfenstein\\MP\\Wolf2MP.exe"=
"c:\\Program Files\\Activision\\Wolfenstein\\MP\\Wolf2MPLite.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\League of Legends\\Air\\LolClient.exe"=
"c:\\Program Files\\League of Legends\\Game\\League of Legends.exe"=
"c:\\Documents and Settings\\Vimarr\\My Documents\\Downloads\\utorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Documents and Settings\\Vimarr\\Local Settings\\Apps\\2.0\\RCGY5O8R.9O3\\0QPNXE40.R1T\\curs..tion_eee711038731a406_0004.0000_1430d97334050788\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“6113:TCP”= 6113:TCP:WC3
“26675:TCP”= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
“8375:TCP”= 8375:TCP:League of Legends Launcher
“8375:UDP”= 8375:UDP:League of Legends Launcher
“8394:TCP”= 8394:TCP:League of Legends Launcher
“8394:UDP”= 8394:UDP:League of Legends Launcher

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [06-02-2010 06:41 691696]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [01-02-2010 12:51 90112]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [22-04-2009 21:42 22784]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [15-08-2009 16:30 27632]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [22-04-2009 20:56 79360]
S3 CyUsb;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [22-04-2009 21:42 31104]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [11-08-2009 19:14 13224]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06-11-2007 21:22 34064]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [11-08-2009 19:29 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [11-08-2009 19:29 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [11-08-2009 19:29 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [11-08-2009 19:29 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [11-08-2009 19:29 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [11-08-2009 19:29 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [11-08-2009 19:29 109864]
.
Indhold af mappen 'Planlagte Opgaver'

2010-02-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 16:36]

2010-02-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-06 21:18]
.
.
---------- Yderligere scanning ----------
.
uInternet Connection Wizard,ShellNext = hxxp://www.getfirefox.com/
IE: Add to Google Photos Screensa&ver; - c:\windows\system32\GPhotos.scr/200
Trusted Zone: danid.dk
FF - ProfilePath - c:\documents and settings\Vimarr\Application Data\Mozilla\Firefox\Profiles\zaj9zu3q.default\
FF - prefs.js: browser.search.selectedEngine - WoW Heroes (EU - Bladefist)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.dk/
FF - component: c:\documents and settings\Vimarr\Application Data\Mozilla\Firefox\Profiles\zaj9zu3q.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 02:08
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ... 

scanner skjulte autostarter ...

scanner skjulte filer ... 

scanning gennemført med succes
skjulte filer: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys spxc.sys hal.dll >>UNKNOWN [0x8A600938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf74a3cb8
\Driver\atapi -> atapi.sys @ 0xf7978b40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66b6
ParseProcedure -> ntoskrnl.exe @ 0x80580a6f
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66b6
ParseProcedure -> ntoskrnl.exe @ 0x80580a6f
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7b3abb0
PacketIndicateHandler -> NDIS.sys @ 0xf7b47a21
SendHandler -> NDIS.sys @ 0xf7b2587b
user & kernel MBR OK

**************************************************************************
.
------------------------ DLLs startet under kørende Processer ------------------------

- - - - - - - > 'explorer.exe'(2528)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Andre kørende processer ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RunDLL32.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~2\rapimgr.exe
c:\program files\Razer\DeathAdder\razerofa.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Gennemført tid: 2010-02-12 02:14:33 - maskinen blev genstartet
ComboFix-quarantined-files.txt 2010-02-12 01:14
ComboFix2.txt 2010-02-06 18:34

Pre-Kørsel: 95.638.712.320 bytes free
Post-Kørsel: 95.638.319.104 bytes free

- - End Of File - - C631FDA6D338E6722BFAC80595F04B1D
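A log of this length is slow to read by hand, so here is an added triage helper (example code written for this page, not part of the post, of ComboFix or of the Spywarefri tooling). It parses the three sections a helper usually looks at first in the log above: the firewall-exception registry export, the R*/S* service and driver lines, and the scheduled-task target lines. It then flags executables that live inside a user profile or outside the Windows and Program Files trees. The sample lines are constructed in the shape of the log above (the quotes are the straight ones ComboFix writes; the regex also accepts the typographic quotes the forum rendered). A flagged path only means "look at this first", not that the file is malicious; the two flagged entries here are a torrent client and a ClickOnce-deployed game add-on manager, both plausibly legitimate.

```python
"""Added triage helper for a ComboFix log (example code, not part of the
forum post or of ComboFix).  It parses the firewall-exception export, the
R*/S* service and driver lines and the scheduled-task lines, then flags
executables that live in a user profile or outside Windows/Program Files."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the log above (straight quotes, as
# ComboFix writes them; the forum page rendered them as typographic quotes).
SAMPLE_LOG = r'''
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Vimarr\\My Documents\\Downloads\\utorrent.exe"=
"c:\\Documents and Settings\\Vimarr\\Local Settings\\Apps\\2.0\\RCGY5O8R.9O3\\0QPNXE40.R1T\\curs..tion_eee711038731a406_0004.0000_1430d97334050788\\CurseClient.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [06-02-2010 06:41 691696]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06-11-2007 21:22 34064]

2010-02-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 16:36]
'''


@dataclass
class Entry:
    kind: str    # "firewall", "service" or "task"
    name: str    # service name; empty for the other kinds
    path: str    # normalised, lower-case path of the executable or driver
    detail: str  # start type + timestamp + size, or the task timestamp


# Firewall exception: "<path>"= ...  (also accepts the typographic quotes
# that forum software substitutes for straight ones)
FIREWALL_RE = re.compile(r'^["\u201c]([^"\u201d]+)["\u201d]=')
# Service/driver line: R0 name;description;path [dd-mm-yyyy hh:mm size]
SERVICE_RE = re.compile(
    r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{2}-\d{2}-\d{4} \d{2}:\d{2}) (\d+)\]$')
# Scheduled-task target line: - path [yyyy-mm-dd hh:mm]
TASK_RE = re.compile(r'^- (.+?) \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$')

SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
USER_PREFIXES = ("c:\\documents and settings\\",)


def normalise(path):
    """Collapse the doubled backslashes of the registry export and lower-case."""
    return path.replace("\\\\", "\\").lower()


def parse_log(text):
    """Return an Entry for every firewall exception, service/driver and task target."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FIREWALL_RE.match(line)
        if m:
            entries.append(Entry("firewall", "", normalise(m.group(1)), "exception"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _desc, path, stamp, size = m.groups()
            entries.append(Entry("service", name, normalise(path),
                                 f"{start} {stamp} {size} bytes"))
            continue
        m = TASK_RE.match(line)
        if m:
            entries.append(Entry("task", "", normalise(m.group(1)), m.group(2)))
    return entries


def classify(entry):
    """Reason string for entries that deserve a closer look, else None."""
    if entry.path.startswith(USER_PREFIXES):
        return "user-profile path"
    if not entry.path.startswith(SYSTEM_PREFIXES):
        return "outside Windows/Program Files"
    return None


def triage(text):
    """List of (kind, path, reason) for every entry worth a closer look."""
    flagged = []
    for entry in parse_log(text):
        reason = classify(entry)
        if reason:
            flagged.append((entry.kind, entry.path, reason))
    return flagged


if __name__ == "__main__":
    for kind, path, reason in triage(SAMPLE_LOG):
        print(f"{kind:8} {reason:30} {path}")
```

Run it on a full log by reading the file into `triage()`; the path prefixes are the Windows XP defaults seen in this log and would need extending for a 64-bit system or a non-English install.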

Administrator
Number of posts: 29147

Open Notepad and copy the following (the text in bold) into it, and save the text file as CFScript in the same place where you have ComboFix:


Killall::
Snapshot::
Mia::
c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\sfcfiles.dll
SrPeek::
c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\sfcfiles.dll
Restore::
c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\sfcfiles.dll


Then grab the new file with the mouse, drag it over the ComboFix file and "let go" with the mouse. As shown here ->

http://www.fromsej.saknet.dk/billeder/swfcombo.gif


ComboFix should then start working. It may require a restart, which you should allow. You should not click on the window while the tool is running, as that can cause your computer to freeze.


Post the new ComboFix log here. It can be found at C:\ComboFix.txt