sepersen Posted 9 September 2008 (edited)

I don't really know much about this, so I hope someone can help me and look over the MBAM and ComboFix logs...

mbam

Malwarebytes' Anti-Malware 1.27
Database versjon: 1133
Windows 5.1.2600 Service Pack 2

09.09.2008 21:05:02
mbam-log-2008-09-09 (21-05-02).txt

Skanntype: Rask Skann
Objekter skannet: 41471
Tid tilbakelagt: 2 minute(s), 56 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 2
Registernøkler infisert: 2
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 3

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
C:\WINDOWS\system32\__c00E28CE.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c0084B97.dat (Trojan.Zlob) -> Delete on reboot.

Registernøkler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00e28ce (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cca44e95382 (Trojan.Agent) -> Quarantined and deleted successfully.

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\WINDOWS\system32\__c00E28CE.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\__c0084B97.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00A6E56.dat (Trojan.Agent) -> Quarantined and deleted successfully.

Combofix

ComboFix 08-09-05.12 - Svein-Erik & Hege 2008-09-09 21:11:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.212 [GMT 2:00]
Running from: C:\Documents and Settings\Svein-Erik & Hege\Skrivebord\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\_000005_.tmp.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-09 to 2008-09-09 )))))))))))))))))))))))))))))))
.
2008-09-09 20:56 . 2008-09-09 20:56 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-09-09 20:56 . 2008-09-09 20:56 <DIR> d-------- C:\Documents and Settings\Svein-Erik & Hege\Programdata\Malwarebytes
2008-09-09 20:56 . 2008-09-09 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-09-09 20:56 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 20:56 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 23:37 . 2008-09-08 23:37 <DIR> dr-h----- C:\Documents and Settings\Svein-Erik & Hege\Siste
2008-09-04 20:15 . 2008-09-04 20:15 <DIR> d-------- C:\WINDOWS\ShellNew
2008-09-01 20:05 . 2008-09-01 20:05 <DIR> d-------- C:\Documents and Settings\Svein-Erik & Hege\Programdata\PCF-VLC
2008-08-29 22:17 . 2008-08-29 23:04 <DIR> d-------- C:\Documents and Settings\Svein-Erik & Hege\browser - logitech
2008-08-29 22:16 . 2008-08-29 22:16 <DIR> d-------- C:\Documents and Settings\Svein-Erik & Hege\logitech
2008-08-29 22:14 . 2008-08-29 22:14 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-29 22:14 . 2008-08-29 22:14 <DIR> d-------- C:\Programfiler\Fellesfiler\Remote Control USB Driver
2008-08-26 14:21 . 2008-08-26 14:21 12,307,651 --------- C:\avg7qt.dat
2008-08-26 13:08 . 2008-09-02 08:34 <DIR> d-------- C:\Programfiler\Spybot - Search & Destroy
2008-08-26 13:08 . 2008-09-01 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
2008-08-25 07:22 . 2008-08-26 13:16 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-13 20:00 . 2008-05-01 16:34 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 19:14 32,069,664 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-09 19:06 380,444 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-04 18:51 --------- d-----w C:\Documents and Settings\Svein-Erik & Hege\Programdata\AVG7
2008-09-01 15:42 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-08-31 06:00 --------- d-----w C:\Documents and Settings\LocalService\Programdata\AVG7
2008-08-09 09:11 --------- d-----w C:\Programfiler\Java
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-14 18:02 --------- d-----w C:\Programfiler\Zone Labs
2008-07-09 07:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-09 07:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-25 10:25 22,616 ----a-w C:\Documents and Settings\Svein-Erik & Hege\Programdata\GDIPFONTCACHEV1.DAT
2008-04-13 21:01 20 ---h--w C:\Documents and Settings\All Users\Programdata\PKP_DLec.DAT
2008-04-13 21:01 20 ---h--w C:\Documents and Settings\All Users\Programdata\PKP_DLds.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"NBJ"="C:\Programfiler\Ahead\Nero BackItUp\NBJ.exe" [2005-07-14 1961984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Ghost 9.0"="D:\Norton Ghost\Programfiler\Agent\GhostTray.exe" [2004-07-29 1122304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-21 579584]
"Easy-PrintToolBox"="C:\Programfiler\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 335872]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NVMixerTray"="C:\Programfiler\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ZoneAlarm Client"="C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-23 C:\WINDOWS\system32\WDBtnMgr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 219136]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Programfiler\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Programfiler\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Programfiler\\Grisoft\\AVG Free\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\SveinE filer\\LimeWire\\LimeWire.exe"=

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-07-29 138780]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\si3112r.sys [2003-02-24 85265]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-07-29 46779]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bf900fe-1cd5-11db-afb3-806d6172696f}]
\Shell\AutoRun\command - F:\Autorun.exe root.ini

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5d7edcf-1cd4-11db-aae9-806d6172696f}]
\Shell\AutoRun\command - F:\Autorun.exe root.ini

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.startsiden.no/
O8 -: E&ksporter til Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 -: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp08.photoprintit.de/microsite/5026/defaults/activex/ImageUploader3.cab
C:\WINDOWS\Downloaded Program Files\ImageUploader_3.inf
C:\WINDOWS\Downloaded Program Files\ImageUploader_3.ocx
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 21:13:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-09-09 21:15:40
ComboFix-quarantined-files.txt 2008-09-09 19:15:36

Pre-Run: 6,499,938,304 byte ledig
Post-Run: 6,483,177,472 byte ledig

139 --- E O F --- 2008-08-26 11:02:57

Thanks in advance.
SEP

Edited 9 September 2008 by sepersen
norbat Posted 9 September 2008

This looks fine. Still having problems? If not, uninstall ComboFix by typing combofix /u in the Run box (Start -> Run). This will also reset System Restore so that you don't get reinfected by a later restore.

Surf safely
sepersen (thread author) Posted 9 September 2008

I haven't had a chance to check more closely whether it's solved, but I'm counting on it. Thanks for the very quick reply, norbat!

SEP