Self-installing Trojan - Games.exe!
Hi all experts! I'm getting completely worn down trying to get rid of a nasty, nasty trojan horse. Every now and then, sometimes many times a day, Avast finds a Trojan called "Games.exe". The virus has been identified both as
Win32:Crypt-CMV [Trj] and
Win32:Pakes-AJD [Trj]
That goes fine, you delete or quarantine the trojan, but after a while Avast pops up with the same warning again. I have now been through F-Secure's online scan. It cleaned up some things, but it didn't help with the problem. I have then followed fromsej's guide and run Crapcleaner, HijackThis, SUPERAntiSpyware and ComboFix. As part of fromsej's second article I also ran Dr. Web, which oddly enough recognized ComboFix as spyware?!?!? You can see that in the log.
Anyway, here come the logs:
In the order mentioned: HijackThis, SUPERAntiSpyware, ComboFix and Dr. Web.
HIJACKTHIS
-----------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22:49:32, on 24-09-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\HP_Administrator\Desktop\Games.exe fix\alternativ.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DA_DK&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DA_DK&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Pictures - {8E929F51-5914-11D6-971F-0050FC3F9161} - C:\Program Files\Pictures Toolbar\Pictures.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp2.cvusyd.dk/qp2.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail1.cvusyd.dk/iNotes6.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1177963654812
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174012650072
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://holmfoto.click.dk/click/_res/developer/ImageUploader3.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} (Vitalize Class) - http://www.clickteam.com/vitalize3/vitalize.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Automatisk LiveUpdate-planlægning - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe
SUPERANTISPYWARE
-----------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/24/2008 at 09:54 PM
Application Version : 4.0.1154
Core Rules Database Version : 3578
Trace Rules Database Version: 1566
Scan type : Complete Scan
Total Scan Time : 00:55:36
Memory items scanned : 174
Memory threats detected : 0
Registry items scanned : 5786
Registry threats detected : 0
File items scanned : 26357
File threats detected : 11
Adware.Tracking Cookie
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adtech[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
C:\Documents and Settings\Carina\Cookies\carina@advertising[1].txt
C:\Documents and Settings\Carina\Cookies\carina@doubleclick[1].txt
C:\Documents and Settings\Carina\Cookies\carina@online.adservicemedia[2].txt
C:\Documents and Settings\Carina\Cookies\carina@atdmt[2].txt
C:\Documents and Settings\Carina\Cookies\carina@adtech[1].txt
C:\Documents and Settings\Carina\Cookies\carina@tradedoubler[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adtech[1].txt
COMBOFIX
-----------------------------------------------------------
ComboFix 08-09-24.03 - HP_Administrator 2008-09-24 23:21:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.541 [GMT 2:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\Games.exe fix\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.
2008-09-24 20:24 . 2008-09-24 20:24 <DIR> d-------- C:\Program Files\CCleaner
2008-09-22 15:58 . 2008-09-22 15:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-09-22 15:57 . 2008-09-22 15:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-09-22 15:02 . 2008-09-22 15:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ZipGenius
2008-09-22 13:49 . 2008-09-22 13:49 <DIR> d-------- C:\fsaua.data
2008-09-22 13:46 . 2008-09-22 13:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Avant Profiles
2008-09-14 23:17 . 2008-09-14 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-14 23:16 . 2008-09-24 22:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-14 23:16 . 2008-09-24 20:47 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-09-08 21:59 . 2008-09-08 22:04 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-09-08 21:59 . 2008-09-08 22:04 30,981 --a------ C:\WINDOWS\scunin.dat
2008-09-08 21:59 . 2008-09-08 22:04 967 --a------ C:\WINDOWS\ScUnin.pif
2008-09-02 13:00 . 2008-09-02 13:00 1,409 --a------ C:\WINDOWS\TWAPHON.FOT
2008-09-02 13:00 . 2008-09-02 13:00 1,409 --a------ C:\WINDOWS\TWAOTHER.FOT
2008-08-31 23:02 . 2008-09-01 20:55 <DIR> d-------- C:\Program Files\adgangforalle.dk
2008-08-26 03:10 . 2008-08-26 03:10 <DIR> d-------- C:\Documents and Settings\Carina\Application Data\Diodia
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 21:20 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Free Download Manager
2008-09-24 18:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-24 00:03 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\CoreFTP
2008-09-23 23:12 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\OpenOffice.org2
2008-09-23 13:29 --------- d-----w C:\Documents and Settings\Carina\Application Data\OpenOffice.org2
2008-09-23 01:03 --------- d-----w C:\Program Files\Google
2008-09-23 01:00 2,910 ----a-w C:\WINDOWS\ZDStartupInfo.bin
2008-09-22 23:45 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\ZipGenius
2008-09-22 13:04 --------- d-----w C:\Program Files\Psp50
2008-09-08 21:27 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-08-26 01:06 --------- d-----w C:\Documents and Settings\Carina\Application Data\ZipGenius
2008-08-11 19:32 278,728 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-08-11 19:31 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-07-30 17:36 --------- d-----w C:\Program Files\Avast4
2008-07-29 20:32 --------- d-----w C:\Documents and Settings\Carina\Application Data\Cryptomathic
2008-07-29 20:31 --------- d-----w C:\Program Files\TDC
2008-07-29 17:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-07-28 20:20 --------- d-----w C:\Program Files\The Games Factory 2
2008-07-28 10:20 --------- d-----w C:\Program Files\Mihov Picture Downloader
2008-07-27 21:57 --------- d-----w C:\Program Files\Trillian
2008-07-27 18:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 18:10 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-07-27 18:10 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-03 13:15 342 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-06-15 04:33 190 ----a-w C:\Documents and Settings\Carina\Application Data\wklnhst.dat
1998-10-10 04:38 198,656 ----a-w C:\Program Files\StartMgr.exe
2007-04-19 14:13 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 7311360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\HP_Administrator\My Documents\My Pictures\Baggrund\kalenderlys\kalenderlys.htm
FriendlyName=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.dvsd"= dvc.dll
"VIDC.ZMBV"= zmbv.dll
"msvideo"= CxCap.drv
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xlmlEN.dll]
"Debugger"=ntsd -d
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Spil\\half-life\\hl.exe"=
"C:\\Spil\\Hidden and Dangerous\\H&D.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\ntvdm.exe"=
"C:\\Spil\\Unreal Tournament\\System\\UnrealTournament.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Spil\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"C:\\Program Files\\The Games Factory 2\\Data\\Runtime\\edrt.exe"=
"C:\\Program Files\\gfactory\\Gfact32.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Spil\\FIFA_08\\FIFA08.exe"=
"C:\\Spil\\Quake3 - Arena\\Quake3.exe"=
"C:\\Program Files\\Microsoft Chat\\CChat.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Spil\\Star Wars Empire at War\\GameData\\fpupdate.exe"=
"C:\\Spil\\Scorched3D\\scorcheds.exe"=
"C:\\Program Files\\Steam\\SteamApps\\peer3000\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\peer3000\\half-life\\hl.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Spil\\Freeciv\\civserver.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Spil\\Starcraft\\StarCraft.exe"=
R0 VOBID;VOBID;C:\WINDOWS\system32\DRIVERS\vobid.sys [2002-06-04 26624]
R1 Asapi;ASAPI;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 11264]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 vbev5mp;vbev5mp;C:\WINDOWS\system32\DRIVERS\vbev5mp.sys [2003-09-09 56064]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 Automatisk LiveUpdate-planlægning;Automatisk LiveUpdate-planlægning;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-08-03 100032]
S3 CxUSB;Logitech QuickCam VC USB;C:\WINDOWS\system32\DRIVERS\CxUSB.sys [1999-02-05 20992]
S3 ZSMC326;Vimicro USB2.0 PC Camera(VC0323);C:\WINDOWS\system32\Drivers\usbvm323.sys [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\CChat25.inf,PerUserAdd.NT
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://signon.stofanet.dk/
R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DA_DK&c=64&bd=PAVILION&pf=desktop
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Search Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DA_DK&c=64&bd=PAVILION&pf=desktop
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 -: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O16 -: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 -: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
C:\WINDOWS\Downloaded Program Files\e-Safekey.inf
C:\WINDOWS\Downloaded Program Files\e-Safekey.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 23:22:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vbev5mp]
"ImagePath"="system32\DRIVERS\vbev5mp.sys"
.
Completion time: 2008-09-24 23:23:20
ComboFix-quarantined-files.txt 2008-09-24 21:23:17
ComboFix2.txt 2008-09-24 20:57:49
Pre-Run: 235.648.008.192 bytes free
Post-Run: 235,632,979,968 byte ledig
182 --- E O F --- 2008-09-10 16:30:35
DR.WEB
-----------------------------------------------------------
13D556AF.exe\data003;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\13D556AF.exe;Adware.Msearch;;
13D556AF.exe\data004;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\13D556AF.exe;Adware.IESearch;;
13D556AF.exe\data005;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\13D556AF.exe;Adware.MyWay;;
13D556AF.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Archive contains infected objects;Moved.;
141A4863.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\141A4863.exe;Adware.PeerNet;;
141A4863.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Archive contains infected objects;Moved.;
54427431.dll;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.PeerNet;Renamed.;
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\HP_Administrator\Desktop\Games.exe fix\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\HP_Administrator\Desktop\Games.exe fix;Archive contains infected objects;Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Renamed.;
A0024389.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP183\A0024389.exe;Program.PsExec.171;;
A0024389.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP183;Archive contains infected objects;Moved.;
A0024479.exe\data003;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP184\A0024479.exe;Adware.Msearch;;
A0024479.exe\data004;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP184\A0024479.exe;Adware.IESearch;;
A0024479.exe\data005;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP184\A0024479.exe;Adware.MyWay;;
A0024479.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP184;Archive contains infected objects;Moved.;
A0024480.exe\data001;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP184\A0024480.exe;Adware.PeerNet;;
A0024480.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP184;Archive contains infected objects;Moved.;
A0024481.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP184;Adware.PeerNet;Renamed.;
A0024482.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP184\A0024482.exe;Program.PsExec.171;;
A0024482.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP184;Archive contains infected objects;Moved.;
A0024483.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP184;Tool.ProcessKill;Renamed.;
Many thanks in advance for the help!
Best regards
Bjarne
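As an added example (not part of Bjarne's post and not code from HijackThis, ComboFix or any of the tools named above), here is a small Python triage script for logs in the HijackThis format posted above. It splits a log into the "Running processes" list and the coded entries (R0/R1/O2/O4/...), then applies three defender-side heuristics: a running process located under a user-writable profile folder, an entry whose target HijackThis itself reports as "(file missing)" or "(no file)", and autostart entries (Run keys, Winlogon Notify, services) that always deserve a manual look on a machine with a recurring detection. The sample input is a handful of lines excerpted from the log above; the section regexes, the folder list and the finding labels are this example's own assumptions, not HijackThis conventions.

```python
import re
from collections import Counter

# Constructed sample input: lines excerpted from the HijackThis log in the
# post above, trimmed so the example runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 22:49:32, on 24-09-2008
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Avast4\ashServ.exe
C:\Documents and Settings\HP_Administrator\Desktop\Games.exe fix\alternativ.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
"""

# A coded entry looks like "O4 - <body>" or "R1 - <body>" (assumed shape).
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")

# User-writable profile folders on Windows XP (assumption for this example):
# a process image living here is unusual for system software and worth a look.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\Documents and Settings\\[^\\]+\\"
    r"(Desktop|Local Settings|Application Data)\\",
    re.IGNORECASE,
)

# Entry codes that describe persistence: Run keys (O4), Winlogon Notify
# DLLs (O20) and services (O23). The set is this example's own choice.
AUTOSTART_CODES = {"O4", "O20", "O23"}

# Markers HijackThis prints when the referenced file cannot be found.
DANGLING_MARKERS = ("(file missing)", "(no file)")


def parse_hijackthis(text):
    """Split a HijackThis log into running processes and coded entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False          # first coded entry ends the process list
            entries.append((match.group("code"), match.group("body")))
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def triage(parsed):
    """Return (finding_kind, line) pairs for the lines a reviewer should read first."""
    findings = []
    for proc in parsed["processes"]:
        if USER_WRITABLE_RE.match(proc):
            findings.append(("process-in-user-path", proc))
    for code, body in parsed["entries"]:
        if any(marker in body for marker in DANGLING_MARKERS):
            findings.append(("dangling-reference", f"{code} - {body}"))
        elif code in AUTOSTART_CODES:
            findings.append(("autostart-review", f"{code} - {body}"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. Counter({'dangling-reference': 3, ...})."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    result = triage(parse_hijackthis(SAMPLE_LOG))
    for kind, line in result:
        print(f"[{kind}] {line}")
    print(dict(summarize(result)))
```

On the sample the script lists one process from a Desktop folder, three dangling references and three autostart entries. A finding is a lead, not a verdict: the avast! service lines, for example, are flagged only because the logged path carries a stray quote and the `/service` argument, so each flagged line still has to be checked against the file on disk and the vendor's expected install paths.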