Takkforden Skrevet 2. september 2008 Del Skrevet 2. september 2008 (endret) AJ, har fått en type malware, sannsynlig gjennom MSN da jeg var så dum å trykke på en link jeg trodde venninna mi sendte F-secure programmet mitt har reagert, og fant noe som lå under C:/WINDOWS/system32/killvbs.vbs, men jeg kan ikke se at HJT finner dette. Vel, kult hvis noen gidder å sjekke loggene, for å se hva jeg kan gjøre HJT-log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:49:22, on 02.09.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE C:\Program Files\F-Secure\Common\FSMA32.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\F-Secure\Anti-Virus\fssm32.exe C:\Program Files\F-Secure\Common\FSMB32.EXE C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\F-Secure\Common\FCH32.EXE C:\Program Files\F-Secure\Anti-Virus\fsqh.exe C:\Program Files\F-Secure\Common\FAMEH32.EXE C:\Program Files\F-Secure\Anti-Virus\fsrw.exe C:\Program Files\F-Secure\Common\FNRB32.EXE C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe C:\Program Files\F-Secure\Common\FIH32.EXE C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\SMINST\Scheduler.exe C:\Program Files\Macrogaming\SweetIM\SweetIM.exe C:\Program Files\F-Secure\Common\FSM32.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\F-Secure\Anti-Virus\fsav32.exe C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe C:\Program Files\F-Secure\FSGUI\fsguidll.exe C:\Program Files\OpenOffice.org 2.3\program\soffice.exe C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://trafikanten.no/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/ R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe O4 - HKLM\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 10779 bytes SAS-log SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 09/02/2008 at 06:13 PM Application Version : 3.9.1008 Core Rules Database Version : 3259 Trace Rules Database Version: 1270 Scan type : Quick Scan Total Scan Time : 00:25:19 Memory items scanned : 620 Memory threats detected : 0 Registry items scanned : 780 Registry threats detected : 0 File items scanned : 17450 File threats detected : 0 Combox-log ComboFix 08-09-01.03 - xx 2008-09-02 18:21:00.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.171 [GMT 2:00] Running from: C:\Documents and Settings\xx\Desktop\ComboFix.exe * Created a new restore point * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\kmd.exe . ((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 ))))))))))))))))))))))))))))))) . 2008-08-17 20:32 . 2008-05-01 16:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll 2008-08-03 23:43 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys 2008-08-03 23:43 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-09-02 15:48 --------- d-----w C:\Program Files\SUPERAntiSpyware 2008-09-01 18:32 --------- d-----w C:\Documents and Settings\xx\Application Data\OpenOffice.org2 2008-08-25 19:51 19,242 ----a-w C:\Documents and Settings\xx\Application Data\wklnhst.dat 2008-08-05 08:16 --------- d-----w C:\Program Files\Java 2008-08-03 20:48 --------- d-----w C:\Program Files\Common Files\Adobe 2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll 2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll 2008-06-24 08:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll 2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe 2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe 2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll 2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll 2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll 2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys 2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys 2007-12-07 15:00 3,381,280 ----a-w C:\Program Files\LimeWireWin.exe 2007-07-19 08:32 74,728 ----a-w C:\Documents and Settings\xx\Application Data\GDIPFONTCACHEV1.DAT 2007-03-20 16:29 56 --sha-w C:\WINDOWS\SMINST\hpboot.sys 2008-03-05 18:53 7,486 --sha-r C:\WINDOWS\system32\killVBS.vbs . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856] "SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 73840] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 1318912] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880] "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 118784] "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656] "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 131072] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 172094] "Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-21 1187840] "Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-10 806912] "Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-15 892928] "WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320] "SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 73840] "F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2005-10-26 122929] "F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 684032] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-07 282624] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360] C:\Documents and Settings\xx\Start Menu\Programs\Startup\ OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-09-11 393216] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ F-Secure Automatic Update.lnk - C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2007-04-16 32807] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\SMINST\\Scheduler.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-10-31 70896] R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2007-04-16 32807] R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2005-08-19 48816] R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-10-06 48256] R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2005-08-19 16720] S3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 87808] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11726f18-e176-11dc-9868-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11726f19-e176-11dc-9868-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b3ca694-c582-11db-9751-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5345c0ac-906d-11dc-9810-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60806b95-eae1-11dc-9878-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6436dea2-350e-11dc-97bf-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs *Newly Created Service* - CATCHME . - - - - ORPHANS REMOVED - - - - HKCU-Run-MsnMsgr - ~C:\Program Files\MSN Messenger\MsnMsgr.Exe . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://trafikanten.no/ R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.hp.com/ R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s O8 -: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-02 18:23:46 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????W?????????|?????? ??4B??????????????hB? ????W? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-09-02 18:25:31 ComboFix-quarantined-files.txt 2008-09-02 16:25:26 ComboFix2.txt 2008-02-28 07:01:10 Pre-Run: 14,022,385,664 bytes free Post-Run: 14,016,995,328 bytes free 152 --- E O F --- 2008-08-18 07:08:08 Endret 2. september 2008 av Takkforden Lenke til kommentar
norbat Skrevet 2. september 2008 Del Skrevet 2. september 2008 Kunne du også ha kjørt en rask skan med MBAM: Last ned Malwarebytes Anti-Malware til skrivebordet. Kjør og installer programmet. Velg Norsk-språk La programmet oppdatere seg og velg å kjør en 'hurtig systemscan', klikk Skann. Det kommer en meldingsboks om at scannen er ferdig, klikk Ok Klikk på 'Vis resultat'-knappen.Hvis det er funnet malware, vil du nå se hva som er funnet. Klikk så på Fjern valgte -knappen for å fjerne malwaren som evt. ble funnet. Det vil deretter åpnes en logg i notisblokk. Den kopiere du og poster. PS. IKKE legg loggene i code-bokser. Legg de heller mellom SPOILER Lenke til kommentar
Takkforden Skrevet 2. september 2008 Forfatter Del Skrevet 2. september 2008 (endret) Sorry!! Her er den.. På forhånd tusen takk for dette, assa, norbat Malwarebytes' Anti-Malware 1.26 Database versjon: 1104 Windows 5.1.2600 Service Pack 2 02.09.2008 22:51:15 mbam-log-2008-09-02 (22-51-15).txt Skanntype: Rask Skann Objekter skannet: 44430 Tid tilbakelagt: 6 minute(s), 0 second(s) Minneprosesser infisert: 0 Minnemoduler infisert: 0 Registernøkler infisert: 0 Registerverdier infisert: 0 Registerfiler infisert: 1 Mapper infisert: 0 Filer infisert: 0 Minneprosesser infisert: (Ingen mistenkelige filer funnet) Minnemoduler infisert: (Ingen mistenkelige filer funnet) Registernøkler infisert: (Ingen mistenkelige filer funnet) Registerverdier infisert: (Ingen mistenkelige filer funnet) Registerfiler infisert: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Mapper infisert: (Ingen mistenkelige filer funnet) Filer infisert: (Ingen mistenkelige filer funnet) Endret 2. september 2008 av Takkforden Lenke til kommentar
norbat Skrevet 2. september 2008 Del Skrevet 2. september 2008 (endret) Kunne du poste MBAM-loggen (ikke combofix) - om den fant noe. Endret 2. september 2008 av norbat Lenke til kommentar
norbat Skrevet 2. september 2008 Del Skrevet 2. september 2008 Ok, før vi begynner med noe manuelt: Last ned og kjør Killvbs-remover.rar og kjør programmet. Følg veiledningen. Etterpå kjører du combofix på nytt og poster loggen. Lenke til kommentar
Takkforden Skrevet 7. september 2008 Forfatter Del Skrevet 7. september 2008 Tok noen dager detta her.. men her er den siste CF-loggen. ComboFix 08-09-05.03 -xxx 2008-09-07 21:13:05.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.165 [GMT 2:00] Running from: C:\Documents and Settings\xxx\Desktop\ComboFix.exe * Created a new restore point * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 ))))))))))))))))))))))))))))))) . 2008-09-02 22:42 . 2008-09-02 22:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-09-02 22:42 . 2008-09-02 22:42 <DIR> d-------- C:\Documents and Settings\xxx\Application Data\Malwarebytes 2008-09-02 22:42 . 2008-09-02 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-09-02 22:42 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-09-02 22:42 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-08-17 20:32 . 2008-05-01 16:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-09-07 19:07 --------- d-----w C:\Documents and Settings\xxx\Application Data\OpenOffice.org2 2008-09-04 11:25 19,564 ----a-w C:\Documents and Settings\xxx\Application Data\wklnhst.dat 2008-09-02 19:45 --------- d-----w C:\Program Files\SUPERAntiSpyware 2008-08-05 08:16 --------- d-----w C:\Program Files\Java 2008-08-03 20:48 --------- d-----w C:\Program Files\Common Files\Adobe 2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll 2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll 2008-06-24 08:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll 2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe 2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe 2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll 2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll 2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll 2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys 2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys 2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys 2007-12-07 15:00 3,381,280 ----a-w C:\Program Files\LimeWireWin.exe 2007-07-19 08:32 74,728 ----a-w C:\Documents and Settings\xxx\Application Data\GDIPFONTCACHEV1.DAT 2007-03-20 16:29 56 --sha-w C:\WINDOWS\SMINST\hpboot.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856] "SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 73840] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 1318912] "msnmsgr"="~C:\Program Files\MSN Messenger\msnmsgr.exe" [bU] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880] "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 118784] "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656] "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 131072] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 172094] "Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-21 1187840] "Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-10 806912] "Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-15 892928] "WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320] "SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 73840] "F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2005-10-26 122929] "F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 684032] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-07 282624] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360] C:\Documents and Settings\xxx\Start Menu\Programs\Startup\ OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-09-11 393216] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ F-Secure Automatic Update.lnk - C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2007-04-16 32807] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoLogOff"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\SMINST\\Scheduler.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-10-31 70896] R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2007-04-16 32807] R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2005-08-19 48816] R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-10-06 48256] R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2005-08-19 16720] S3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 87808] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11726f18-e176-11dc-9868-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11726f19-e176-11dc-9868-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b3ca694-c582-11db-9751-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5345c0ac-906d-11dc-9810-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60806b95-eae1-11dc-9878-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6436dea2-350e-11dc-97bf-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs . . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://trafikanten.no/ R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.hp.com/ R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s O8 -: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm . . ------- File Associations (Beta) ------- . regfile=regedit.exe "%1" %* . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-07 21:17:12 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????W?????????|?????? ??4B??????????????hB? ????W? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-09-07 21:18:26 ComboFix-quarantined-files.txt 2008-09-07 19:18:19 ComboFix2.txt 2008-09-02 16:25:33 ComboFix3.txt 2008-02-28 07:01:10 Pre-Run: 13,798,993,920 bytes free Post-Run: 13,951,533,056 bytes free 157 --- E O F --- 2008-08-18 07:08:08 Lenke til kommentar
norbat Skrevet 7. september 2008 Del Skrevet 7. september 2008 Du kjørte Killvbs remover? Lenke til kommentar
Takkforden Skrevet 7. september 2008 Forfatter Del Skrevet 7. september 2008 Ja, det sto tilogmed at virus var fjerna.. Lenke til kommentar
norbat Skrevet 7. september 2008 Del Skrevet 7. september 2008 Åpne notisblokk og kopier/lim inn det som står i fet skrift under: REGEDIT4 [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11726f18-e176-11dc-9868-001a730615cc}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b3ca694-c582-11db-9751-001a730615cc}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5345c0ac-906d-11dc-9810-001a730615cc}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60806b95-eae1-11dc-9878-001a730615cc}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6436dea2-350e-11dc-97bf-001a730615cc}] Lagre fila på skrivebordet som regfix.reg Dobbeltklikk på fila og si ja til til å legge til info restart pc, ny combofix-logg. Lenke til kommentar
Takkforden Skrevet 7. september 2008 Forfatter Del Skrevet 7. september 2008 ComboFix 08-09-05.03 - xxx2008-09-07 22:14:29.4 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.51 [GMT 2:00] Running from: C:\Documents and Settings\xxx\Desktop\ComboFix.exe * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 ))))))))))))))))))))))))))))))) . 2008-09-02 22:42 . 2008-09-02 22:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-09-02 22:42 . 2008-09-02 22:42 <DIR> d-------- C:\Documents and Settings\xxx\Application Data\Malwarebytes 2008-09-02 22:42 . 2008-09-02 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-09-02 22:42 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-09-02 22:42 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-08-17 20:32 . 2008-05-01 16:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-09-07 20:13 --------- d-----w C:\Documents and Settings\xxx\Application Data\OpenOffice.org2 2008-09-04 11:25 19,564 ----a-w C:\Documents and Settings\xxx\Application Data\wklnhst.dat 2008-09-02 19:45 --------- d-----w C:\Program Files\SUPERAntiSpyware 2008-08-05 08:16 --------- d-----w C:\Program Files\Java 2008-08-03 20:48 --------- d-----w C:\Program Files\Common Files\Adobe 2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll 2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll 2008-06-24 08:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll 2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe 2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe 2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll 2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll 2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll 2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys 2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys 2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys 2007-12-07 15:00 3,381,280 ----a-w C:\Program Files\LimeWireWin.exe 2007-07-19 08:32 74,728 ----a-w C:\Documents and Settings\xxx\Application Data\GDIPFONTCACHEV1.DAT 2007-03-20 16:29 56 --sha-w C:\WINDOWS\SMINST\hpboot.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856] "SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 73840] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 1318912] "msnmsgr"="~C:\Program Files\MSN Messenger\msnmsgr.exe" [bU] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880] "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 118784] "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656] "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 131072] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 172094] "Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-21 1187840] "Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-10 806912] "Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-15 892928] "WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320] "SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 73840] "F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2005-10-26 122929] "F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 684032] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-07 282624] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360] C:\Documents and Settings\xxx\Start Menu\Programs\Startup\ OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-09-11 393216] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ F-Secure Automatic Update.lnk - C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2007-04-16 32807] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoLogOff"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\SMINST\\Scheduler.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-10-31 70896] R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2007-04-16 32807] R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2005-08-19 48816] R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-10-06 48256] R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2005-08-19 16720] S3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 87808] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11726f19-e176-11dc-9868-001a730615cc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs . . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://trafikanten.no/ R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.hp.com/ R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s O8 -: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm . . ------- File Associations (Beta) ------- . regfile=regedit.exe "%1" %* . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-07 22:17:38 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????W????z????|?????? ??4B??????????????hB? ????W? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-09-07 22:19:32 ComboFix-quarantined-files.txt 2008-09-07 20:19:22 ComboFix2.txt 2008-09-07 19:18:28 ComboFix3.txt 2008-09-02 16:25:33 ComboFix4.txt 2008-02-28 07:01:10 Pre-Run: 13,956,288,512 bytes free Post-Run: 13,947,150,336 bytes free 147 --- E O F --- 2008-08-18 07:08:08 Lenke til kommentar
norbat Skrevet 7. september 2008 Del Skrevet 7. september 2008 Lag en ny .reg-fil med følgende innhold. Samme prosedyre. REGEDIT4 [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11726f19-e176-11dc-9868-001a730615cc}] Restart og sjekk om registeroppføringen er fjernet (enten vha combofix el. bruk regedit og naviger deg til riktig plass) Lenke til kommentar
Takkforden Skrevet 8. september 2008 Forfatter Del Skrevet 8. september 2008 Hm, vet ikke om jeg skjønte det helt. Men jeg har bladd meg frem til denne stien i regedit: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2 , og under mountpoints2 ligger det flere mapper, men ikke med det eksakte navnet: 11726f19-e176-11dc-9868-001a730615cc... Finner heller ikke de andre filene/mappene som var i den første .reg fila. Så da er de vel fjernet?! Hva med de andre mappene, de ser skumle ut de også Aner ikke hvordan jeg sjekker med Combofix.. Vil du ha noen logger? Lenke til kommentar
norbat Skrevet 8. september 2008 Del Skrevet 8. september 2008 Hvis du ikke finner den der, så er den nok fjernet. IKKE rør de andre oppføringene som ligger der. Trenger ikke å se noen flere logger, da den ikke viser mer malware. Du kan fjerne combofix ved å skrive combofix /u i kjør-feltet (start->kjør) Lenke til kommentar
Anbefalte innlegg
Opprett en konto eller logg inn for å kommentere
Du må være et medlem for å kunne skrive en kommentar
Opprett konto
Det er enkelt å melde seg inn for å starte en ny konto!
Start en kontoLogg inn
Har du allerede en konto? Logg inn her.
Logg inn nå