Pjunin

Members
  • Posts

    27
  • Joined

  • Last visited

Posts written by Pjunin

  1. Pjunin:

     

    Go to the website http://virusscan.jotti.org/ and upload the following file for checking: C:\WINDOWS\system32\drivers\qbqydcex.sys

    (You will probably need to turn on "Show hidden files and folders" and turn off "Hide protected operating system files" to see it.) Report back on whether anything was found.

     

    Found nothing :hmm:

     

    Ran ComboFix once more and got the following report:

     

    ComboFix 08-01-11.3 - Eldar Godø 2008-01-12 17:38:50.2 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.681 [GMT 1:00]

    Running from: C:\Documents and Settings\Eldar Godø\Desktop\ComboFix.exe

    Command switches used :: C:\Documents and Settings\Eldar Godø\Desktop\CFScript.txt

    * Created a new restore point

     

    FILE

    C:\ojbehyqa.bat

    .

     

    ((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))

    .

     

    2008-01-12 03:19 . 2008-01-12 03:19 1,159 --a------ C:\zia02540

    2008-01-12 03:12 . 2008-01-12 03:12 60,416 --a------ C:\WINDOWS\system32\drivers\vcannlmg.sys

    2008-01-12 02:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

    2008-01-12 02:34 . 2008-01-12 03:12 <DIR> d-------- C:\Program Files\Avenger

    2008-01-12 01:52 . 2008-01-12 01:52 <DIR> d-------- C:\Program Files\Opera

    2008-01-11 22:45 . 2008-01-11 22:46 <DIR> d-------- C:\Program Files\Crimson Editor

    2008-01-07 15:57 . 2008-01-12 17:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn

    2008-01-07 15:57 . 2008-01-07 15:57 1,409 --a------ C:\WINDOWS\QTFont.for

     

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-01-12 05:42 --------- d-----w C:\Program Files\Trillian

    2008-01-12 02:15 202 ----a-w C:\Program Files\lmktpuyv.txt

    2008-01-11 20:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys

    2008-01-11 20:58 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys

    2008-01-11 20:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft

    2008-01-11 20:57 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe

    2007-11-30 15:25 --------- d-----w C:\Documents and Settings\Eldar Godø\Application Data\Ventrilo

    2007-11-14 16:43 --------- d-----w C:\Program Files\Ventrilo

    2007-11-14 16:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

    2007-03-02 00:25 21,822,168 ----a-w C:\Program Files\AdbeRdr80_en_US.exe

    2007-03-02 00:19 7,050,552 ----a-w C:\Program Files\psa30se_en_us.exe

    .

     

    ((((((((((((((((((((((((((((( snapshot@2008-01-12_ 2.43.15.10 )))))))))))))))))))))))))))))))))))))))))

    .

    - 2008-01-12 01:42:05 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

    + 2008-01-12 16:38:45 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

    - 2008-01-12 01:42:05 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

    + 2008-01-12 16:38:45 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

    - 2008-01-12 01:42:05 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

    + 2008-01-12 16:38:45 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

    - 2008-01-12 01:42:05 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

    + 2008-01-12 16:38:45 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

    - 2008-01-12 01:42:05 6,238,208 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

    + 2008-01-12 16:38:46 6,238,208 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

    - 2008-01-12 01:42:05 102,400 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

    + 2008-01-12 16:38:46 102,400 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

     

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-05-30 12:52 868352]

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SoundMan"="SOUNDMAN.EXE" [2004-01-08 19:54 65536 C:\WINDOWS\SOUNDMAN.EXE]

    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 10:31 335872]

    "EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 08:41 35328]

    "MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-06-12 22:50 167936]

    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03 36975]

    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-09-22 17:59 921600]

    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]

    "Launch LGDCore"="C:\Program Files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 16:31 1122304]

    "Launch LCDMon"="C:\Program Files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 16:14 497152]

    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]

    "dieayepa"="C:\gexfsth^.bat" [ ]

    "jlxmaswg"="C:\bqeixjyd.bat" [ ]

     

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:07 15360]

     

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

    Wireless Config.lnk - C:\Program Files\Wireless Technology Corporation\Wireless LAN 802.11b USB\ZDConfig.exe [2006-09-22 17:51:37]

     

    R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 12:12]

    R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 08:02]

    R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 05:41]

    R3 ZD1201U(ZyDAS);ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1201u.sys [2003-07-31 16:41]

    R3 ZDNDIS5;ZDNDIS5 Protocol Driver;C:\WINDOWS\system32\ZDNDIS5.SYS [2002-10-30 10:43]

     

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

    \Shell\AutoRun\command - G:\LaunchU3.exe -a

     

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92bb3f4d-c08e-11dc-82a9-000e8e000fc2}]

    \Shell\AutoRun\command - G:\LaunchU3.exe -a

     

    .

    Contents of the 'Scheduled Tasks' folder

    "2008-01-12 04:02:50 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job"

    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

    .

    **************************************************************************

     

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-01-12 17:39:42

    Windows 5.1.2600 Service Pack 2 NTFS

     

    scanning hidden processes ...

     

    scanning hidden autostart entries ...

     

    scanning hidden files ...

     

    scan completed successfully

    hidden files: 0

     

    **************************************************************************

    .

    Completion time: 2008-01-12 17:40:03

    ComboFix2.txt 2008-01-12 01:43:30

    .

    2007-07-11 15:48:16 --- E O F ---

     

     

    EDIT:

    Scanned the following files on virusscan.jotti

    C:\WINDOWS\system32\drivers\vcannlmg.sys

    Panda Antivirus Found Rootkit/Booto.C

     

    C:\WINDOWS\NirCmd.exe

    AntiVir Found APPL/NirCmd.3

    Panda Antivirus Found Application/NirCmd.A

  2. Yo. I got one of those links from a friend today, through MSN Messenger.

    Have downloaded Avenger and ComboFix. But before I did that, I deleted:

    c:\windows\lssas.exe

    c:\windows\images.zip

    c:\windows\prefetch\DC49380.JPG*.*

    c:\windows\prefetch\lssas.exe*.*

     

    and otherwise done the same as Xoduz did :dontgetit:

     

     

    Got to read a bit here, so I ran ComboFix and got the following report:

     

    ComboFix 08-01-11.3 - Eldar Godø 2008-01-12 2:42:16.1 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.574 [GMT 1:00]

    Running from: C:\Documents and Settings\Eldar Godø\Desktop\ComboFix.exe

    * Created a new restore point

    .

     

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

     

    C:\Documents and Settings\Eldar Godø\Application Data\STEM~1

    C:\Documents and Settings\Eldar Godø\Application Data\STEM~1\??stem\

    C:\WINDOWS\system32\smbols~1

     

    .

    ((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))

    .

     

    2008-01-12 02:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

    2008-01-12 02:36 . 2008-01-12 02:36 126,976 --a------ C:\zip.exe

    2008-01-12 02:36 . 2008-01-12 02:36 60,416 --a------ C:\WINDOWS\system32\drivers\qbqydcex.sys

    2008-01-12 02:36 . 2008-01-12 02:36 1,080 --a------ C:\ojbehyqa.bat

    2008-01-12 02:34 . 2008-01-12 02:34 <DIR> d-------- C:\Program Files\Avenger

    2008-01-12 01:52 . 2008-01-12 01:52 <DIR> d-------- C:\Program Files\Opera

    2008-01-11 22:45 . 2008-01-11 22:46 <DIR> d-------- C:\Program Files\Crimson Editor

    2008-01-07 15:57 . 2008-01-11 14:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn

    2008-01-07 15:57 . 2008-01-07 15:57 1,409 --a------ C:\WINDOWS\QTFont.for

     

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-01-11 20:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys

    2008-01-11 20:58 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys

    2008-01-11 20:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft

    2008-01-11 20:57 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe

    2007-11-30 15:25 --------- d-----w C:\Documents and Settings\Eldar Godø\Application Data\Ventrilo

    2007-11-14 16:43 --------- d-----w C:\Program Files\Ventrilo

    2007-11-14 16:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

    2007-03-02 00:25 21,822,168 ----a-w C:\Program Files\AdbeRdr80_en_US.exe

    2007-03-02 00:19 7,050,552 ----a-w C:\Program Files\psa30se_en_us.exe

    .

     

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

     

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-05-30 12:52 868352]

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SoundMan"="SOUNDMAN.EXE" [2004-01-08 19:54 65536 C:\WINDOWS\SOUNDMAN.EXE]

    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 10:31 335872]

    "EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 08:41 35328]

    "MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-06-12 22:50 167936]

    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03 36975]

    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-09-22 17:59 921600]

    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]

    "Launch LGDCore"="C:\Program Files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 16:31 1122304]

    "Launch LCDMon"="C:\Program Files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 16:14 497152]

    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]

    "aycfsbei"="C:\ojbehyqa.bat" [2008-01-12 02:36 1080]

     

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:07 15360]

     

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

    Wireless Config.lnk - C:\Program Files\Wireless Technology Corporation\Wireless LAN 802.11b USB\ZDConfig.exe [2006-09-22 17:51:37]

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzd32]

    winzzd32.dll

     

    R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 12:12]

    R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 08:02]

    R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 05:41]

    R3 ZD1201U(ZyDAS);ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1201u.sys [2003-07-31 16:41]

    R3 ZDNDIS5;ZDNDIS5 Protocol Driver;C:\WINDOWS\system32\ZDNDIS5.SYS [2002-10-30 10:43]

     

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

    \Shell\AutoRun\command - G:\LaunchU3.exe -a

     

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92bb3f4d-c08e-11dc-82a9-000e8e000fc2}]

    \Shell\AutoRun\command - G:\LaunchU3.exe -a

     

    *Newly Created Service* - PROCEXP90

    .

    Contents of the 'Scheduled Tasks' folder

    "2008-01-12 01:38:00 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job"

    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

    .

    **************************************************************************

     

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-01-12 02:43:09

    Windows 5.1.2600 Service Pack 2 NTFS

     

    scanning hidden processes ...

     

    scanning hidden autostart entries ...

     

    scanning hidden files ...

     

    scan completed successfully

    hidden files: 0

     

    **************************************************************************

    .

    Completion time: 2008-01-12 2:43:30

    .

    2007-07-11 15:48:16 --- E O F ---

     

     

     

    Is there anything odd about this report?
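The two ComboFix reports in these posts show the pattern a triager would look for in the "Reg Loading Points" section: Run values with random-looking eight-letter names ("dieayepa", "jlxmaswg", "aycfsbei") that launch .bat files sitting directly in C:\, some of them with an empty "[ ]" metadata field because ComboFix could not find the file any more, plus a Winlogon notify DLL (winzzd32.dll) that is not an OS default. The script below is an added example, not code from the forum posts or from ComboFix; it parses that section in ComboFix's own output format and scores each autostart entry on those indicators. The sample log is constructed from the entries visible on this page; the score weights and the threshold of 3 are the author's assumptions, chosen so that a single weak indicator (such as the missing file behind the legitimate "Adobe Photo Downloader" entry) does not raise an alert on its own.

```python
import re

# Shape of one ComboFix autostart line: "value name"="path" [date time size ...]
# A bare "[ ]" means ComboFix could not find the referenced file on disk.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RANDOM_NAME_RE = re.compile(r'[a-z]{7,10}')         # 7-10 lowercase letters, no digits
DRIVE_ROOT_RE = re.compile(r'^[A-Za-z]:\\[^\\]+$')  # e.g. C:\something.bat
SCRIPT_EXTS = {'bat', 'cmd', 'vbs', 'js'}

# Constructed sample in ComboFix's "Reg Loading Points" layout. The entries are
# copied from the two reports in this thread; nothing else is assumed about them.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 19:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-09-22 17:59 921600]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
"dieayepa"="C:\gexfsth^.bat" [ ]
"jlxmaswg"="C:\bqeixjyd.bat" [ ]
"aycfsbei"="C:\ojbehyqa.bat" [2008-01-12 02:36 1080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzd32]
winzzd32.dll
"""


def score_entry(name, path, meta):
    """Score one Run entry. Each indicator is weak alone, so they are summed."""
    score, reasons = 0, []
    if RANDOM_NAME_RE.fullmatch(name):
        score += 1
        reasons.append("value name is a random-looking lowercase string")
    basename = path.rsplit('\\', 1)[-1]
    stem, _, ext = basename.rpartition('.')
    if ext.lower() in SCRIPT_EXTS and DRIVE_ROOT_RE.match(path):
        score += 2
        reasons.append("script file launched from the drive root")
    if RANDOM_NAME_RE.fullmatch(stem):
        score += 1
        reasons.append("file name is a random-looking lowercase string")
    if not meta.strip():
        score += 1
        reasons.append("ComboFix found no file at that path (orphaned autostart)")
    return score, reasons


def triage(log_text, threshold=3):
    """Return the autostart entries worth a second look, highest score first."""
    findings = []
    current_key = None
    lines = log_text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            if re.search(r'winlogon\\notify\\', current_key, re.IGNORECASE):
                # ComboFix prints the notify DLL on the next non-empty line, and it
                # only lists notify packages that are not legitimate defaults.
                dll = next((ln.strip() for ln in lines[i + 1:] if ln.strip()), '')
                findings.append({
                    'key': current_key,
                    'name': current_key.rsplit('\\', 1)[-1],
                    'path': dll,
                    'score': 3,
                    'reasons': ['non-default Winlogon notify DLL (loaded at every logon)'],
                })
            continue
        entry = ENTRY_RE.match(line)
        if entry and current_key:
            score, reasons = score_entry(entry['name'], entry['path'], entry['meta'])
            if score >= threshold:
                findings.append({'key': current_key, 'name': entry['name'],
                                 'path': entry['path'], 'score': score,
                                 'reasons': reasons})
    return sorted(findings, key=lambda f: f['score'], reverse=True)


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f['score']}] {f['name']} -> {f['path']}")
        for r in f['reasons']:
            print(f"      - {r}")
```

Run against the sample, the three random-named .bat launchers and the winzzd32 notify entry are reported and the legitimate entries are not; the point of the additive score is that "file not found" alone (true of the Adobe entry too) is not evidence of anything. The same parser works on a full ComboFix log because the Run-key lines keep this exact layout regardless of which sections precede them.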
