brolle, posted 8 September 2008

I have got a virus on my desktop machine, which is connected to the wireless network. It takes an incredibly long time to start up and I can no longer get onto the internet. I can copy antivirus and spyware programs over from my external hard drive, but they will not get updated since I have no internet access. I tried installing AVG on the machine, but then I just get a message that the file is corrupt, and I suppose that is the virus's fault too. I hope the many members here can help a bit.

norbat, posted 8 September 2008

Download Combofix and put it on the desktop.
Run combofix.exe and follow the instructions. Do not click on the window while the program is running.
Post the log file from Combofix (c:\combofix.txt).

brolle (author), posted 8 September 2008

Here is the log from Combofix:

[ComboFix 08-09-05.09 - Geir 2008-09-08 21:24:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.236 [GMT 2:00]
Running from: C:\Documents and Settings\Geir\Skrivebord\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Geir\Cookies\geir@clicktorrent[2].txt
C:\Documents and Settings\Geir\Cookies\geir@isohunt[1].txt
C:\Documents and Settings\Geir\Cookies\[email protected][2].txt
C:\Documents and Settings\Trine\Cookies\[email protected][2].txt
C:\Documents and Settings\Trine\Lokale innstillinger\Programdata\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\BMaf861673.txt
C:\WINDOWS\BMaf861673.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\ehlnqcus.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\qbsjrrls.ini
C:\WINDOWS\system32\wpcap.dll
F:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.
2008-09-07 23:28 . 2008-09-07 23:30 <DIR> d-------- C:\Programfiler\Spyware Doctor
2008-09-07 23:28 . 2008-09-07 23:28 <DIR> d-------- C:\Documents and Settings\Geir\Programdata\PC Tools
2008-09-07 23:28 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-07 23:28 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-07 23:28 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-07 23:28 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-07 22:48 . 2008-09-07 22:48 <DIR> d-------- C:\Documents and Settings\Geir\Programdata\F-Secure
2008-09-07 22:25 . 2008-09-07 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\F-Secure
2008-09-07 22:24 . 2008-09-07 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\fssg
2008-09-07 22:19 . 2008-09-08 20:48 <DIR> d-------- C:\Programfiler\F-Secure
2008-09-07 16:25 . 2008-09-07 16:25 <DIR> d-------- C:\Documents and Settings\Geir\Programdata\Malwarebytes
2008-09-07 16:24 . 2008-09-07 16:25 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-09-07 16:24 . 2008-09-07 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-09-07 16:24 . 2008-06-28 14:21 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-09-07 16:24 . 2008-06-28 14:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-07 16:03 . 2008-09-07 16:03 110,592 --a------ C:\Documents and Settings\Trine\Programdata\winsock32.exe
2008-09-07 14:49 . 2008-09-07 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Elaborate Bytes
2008-09-07 14:47 . 2008-09-07 14:49 48 --ahs---- C:\WINDOWS\S26447E86.tmp
2008-09-07 14:44 . 2008-09-07 14:55 <DIR> d-------- C:\Programfiler\Elaborate Bytes
2008-08-22 19:56 . 2008-08-22 19:56 <DIR> d-------- C:\Programfiler\Fellesfiler\Ankiro
2008-08-22 19:55 . 2008-09-07 14:49 <DIR> d-------- C:\Programfiler\SPAMfighter
2008-08-22 19:55 . 2008-08-22 19:55 <DIR> d-------- C:\Programfiler\Fellesfiler\Application
2008-08-21 18:46 . 2008-08-21 18:46 <DIR> d-------- C:\Documents and Settings\Geir\Programdata\AdobeUM
2008-08-21 18:38 . 2004-03-29 15:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-08-21 18:38 . 2008-08-21 18:48 59 --a------ C:\WINDOWS\EliasAP.ini
2008-08-21 18:35 . 2008-08-21 18:35 <DIR> d-------- C:\Programfiler\Pan Vision
2008-08-14 12:22 . 2008-05-01 16:34 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 19:44 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP
2008-09-04 03:53 --------- d-----w C:\Documents and Settings\Geir\Programdata\dvdcss
2008-08-14 10:35 --------- d-----w C:\Documents and Settings\Geir\Programdata\U3
2008-08-09 18:24 --------- d-----w C:\Documents and Settings\All Users\Programdata\DVD Shrink
2008-08-08 18:55 --------- d-----w C:\Programfiler\Java
2008-08-05 19:24 --------- d-----w C:\Programfiler\Lexmark X1100 Series
2008-08-04 16:33 --------- d-----w C:\Programfiler\DVD Shrink
2008-08-03 11:31 --------- d-----w C:\Programfiler\ESET
2008-08-03 11:23 --------- d-----w C:\Documents and Settings\All Users\Programdata\ESET
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:41 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39B15A4A-8C87-43B7-9859-E98F429DDEBB}]
C:\WINDOWS\system32\geBuRJbb.dll [bU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80B556E8-EAF1-4AF6-9CE4-D91D670FF6ED}]
C:\WINDOWS\system32\xxyxvWqN.dll [bU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-29 68856]
"Nokia.PCSync"="C:\Programfiler\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 1232896]
"PC Suite Tray"="C:\Programfiler\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 1079808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Lexmark X1100 Series"="C:\Programfiler\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2005-06-08 778318]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SPAMfighter Agent"="C:\Programfiler\SPAMfighter\SFAgent.exe" [2008-07-29 321672]
"F-Secure Manager"="C:\Programfiler\F-Secure\Common\FSM32.EXE" [2008-06-19 182936]
"F-Secure TNB"="C:\Programfiler\F-Secure\FSGUI\TNBUtil.exe" [2008-06-19 895584]
"ISTray"="C:\Programfiler\Spyware Doctor\pctsTray.exe" [2007-12-10 1103752]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{39B15A4A-8C87-43B7-9859-E98F429DDEBB}"= "C:\WINDOWS\system32\geBuRJbb.dll" [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBuRJbb]
geBuRJbb.dll [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\BitLord\\BitLord.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"C:\\Programfiler\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Programfiler\\Fellesfiler\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S2 SPAMfighter Update Service;SPAMfighter Update Service;C:\Programfiler\SPAMfighter\sfus.exe [2008-07-29 184968]
S2 SqueezeMySQL;SqueezeMySQL;C:\PROGRA~1\SLIMSE~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe [2008-03-03 4149248]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programfiler\F-Secure\Anti-Virus\minifilter\fsgk.sys [ ]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;C:\WINDOWS\system32\DRIVERS\sccmusbm.sys [2001-08-17 23936]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-02 306432]
S4 F-Secure Filter;F-Secure File System Filter;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSfilter.sys [ ]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programfiler\F-Secure\Anti-Virus\Win2K\FSrec.sys [ ]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7799CA4C-5CB8-5209-AD5A-65F042F3F496}]
C:\WINDOWS\system32:winsock32.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{D9F848F4-42B1-4FB9-957C-327698A67FF7} - (no file)
Toolbar-SITEguard - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.no/ig?ct=1056757711
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&ksporter til Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 21:49:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-08 21:53:52
ComboFix-quarantined-files.txt 2008-09-08 19:53:37

Pre-Run: 70,726,365,184 byte ledig
Post-Run: 70,718,996,480 byte ledig

162 --- E O F --- 2008-08-14 15:05:07]

norbat, posted 8 September 2008

Open Notepad and copy in what is shown in bold below. Save the file on the desktop as CFScript.txt.
Drag the file and drop it onto the Combofix icon. Combofix will start again.

File::
C:\Documents and Settings\Trine\Programdata\winsock32.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39B15A4A-8C87-43B7-9859-E98F429DDEBB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80B556E8-EAF1-4AF6-9CE4-D91D670FF6ED}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{39B15A4A-8C87-43B7-9859-E98F429DDEBB}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBuRJbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7799CA4C-5CB8-5209-AD5A-65F042F3F496}]

Then click Start->Run
Type: netsh winsock reset catalog
Restart the PC and see whether you can get online.

If not, do the following:
Click: Start->Run
Type: cmd
From the command prompt, type: ipconfig
What IP address is shown under the connection you are using (local or wireless)?
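
The CFScript above targets registry load points from the posted log in which one randomly named DLL is registered at several autostart locations, plus an Active Setup entry whose path contains a second colon (an NTFS alternate data stream). The sketch below is an added example, not part of norbat's post or of ComboFix: it reads an excerpt of that log and flags those two patterns. `triage`, `LOAD_POINTS` and the reason strings are hypothetical names chosen for illustration.

```python
import re
from collections import defaultdict

# Excerpt copied from the "Reg Loading Points" section of the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39B15A4A-8C87-43B7-9859-E98F429DDEBB}]
C:\WINDOWS\system32\geBuRJbb.dll [bU]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80B556E8-EAF1-4AF6-9CE4-D91D670FF6ED}]
C:\WINDOWS\system32\xxyxvWqN.dll [bU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{39B15A4A-8C87-43B7-9859-E98F429DDEBB}"= "C:\WINDOWS\system32\geBuRJbb.dll" [bU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBuRJbb]
geBuRJbb.dll [bU]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7799CA4C-5CB8-5209-AD5A-65F042F3F496}]
C:\WINDOWS\system32:winsock32.exe
"""
# Hypothetical labels for the autostart locations that appear in the excerpt.
LOAD_POINTS = {"browser helper objects": "BHO", "shellexecutehooks": "ShellExecuteHooks",
               r"winlogon\notify": "Winlogon Notify", r"currentversion\run": "Run",
               r"active setup\installed components": "Active Setup"}
KEY_RE = re.compile(r"^\[-?(.+)\]$")                          # registry key header line
MODULE_RE = re.compile(r'([^\\/:"=\s]+\.(?:dll|exe))', re.I)  # file name of the module
ADS_RE = re.compile(r'[A-Za-z]:\\[^:"\[\]]*:[^\\"\s]+')       # second colon => file:stream

def triage(log):
    """Return {module: [reasons]} for autostart entries that deserve a closer look."""
    points, reasons, current = defaultdict(set), defaultdict(list), None
    for line in map(str.strip, log.splitlines()):
        key = KEY_RE.match(line)
        if key:
            k = key.group(1).lower()
            current = next((n for frag, n in LOAD_POINTS.items() if frag in k), None)
            continue
        mod = MODULE_RE.search(line)
        if not (current and mod):
            continue
        name = mod.group(1).lower()
        points[name].add(current)
        if ADS_RE.search(line):
            reasons[name].append("path is an NTFS alternate data stream")
    for name, kinds in points.items():
        if len(kinds) >= 2:  # one module hooked into several autostart locations
            reasons[name].append("loaded from " + ", ".join(sorted(kinds)))
    return dict(reasons)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

xxyxvWqN.dll, which the CFScript also removes, is registered only as a BHO and is not flagged here, so the output is a starting point for review and not a verdict.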

brolle (author), posted 9 September 2008

I bow in the dust to Norbat and the always helpful people here at Hardware. The recipe worked perfectly, and now the antivirus is updated and the machine has been scanned with several programs to get the crap removed. Thanks for the help!!

norbat, posted 9 September 2008

It can be a good idea to remove Combofix by typing combofix /u in the Run box (Start->Run). This will also reset System Restore so that you do not get reinfected by a possible restore later. If you run into problems again, just come back. Surf safely.