cozmos, posted 12 September 2008 (edited)

I've been struggling with various popups and the like (Virtumonde) for a while now, and have followed the steps in the excellent guide in the sticky. Just wondering whether I've managed to remove everything that needs removing.

ComboFix:

ComboFix 08-09-10.04 - Christian 2008-09-12 8:45:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1642 [GMT 2:00]
Running from: C:\Documents and Settings\Christian \Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aktqxlac.ini
C:\WINDOWS\system32\aqlgxnlb.ini
C:\WINDOWS\system32\cmbsexdj.ini
C:\WINDOWS\system32\cuyhritr.ini
C:\WINDOWS\system32\dgnahgsf.ini
C:\WINDOWS\system32\harpfypg.ini
C:\WINDOWS\system32\hknnmUtv.ini
C:\WINDOWS\system32\hknnmUtv.ini2
C:\WINDOWS\system32\ibakyfmd.ini
C:\WINDOWS\system32\pgqhilub.ini
C:\WINDOWS\system32\qctbaskc.ini
C:\WINDOWS\system32\SssssBeg.ini
C:\WINDOWS\system32\SssssBeg.ini2
C:\WINDOWS\system32\vgrtdgak.ini
C:\WINDOWS\system32\vphnhxfp.ini
C:\WINDOWS\system32\wctkayuo.ini
C:\WINDOWS\system32\ywtfoqhd.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-12 to 2008-09-12 )))))))))))))))))))))))))))))))
.

2008-09-12 08:36 . 2008-09-12 08:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-12 08:36 . 2008-09-12 08:36 <DIR> d-------- C:\Documents and Settings\Christian \Application Data\Malwarebytes
2008-09-12 08:36 . 2008-09-12 08:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-12 08:36 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-12 08:36 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-12 08:35 . 2008-09-12 08:35 <DIR> d-------- C:\Program Files\CCleaner
2008-09-11 11:58 . 2008-09-11 11:58 <DIR> d-------- C:\Program Files\Windows Defender
2008-09-04 08:04 . 2008-09-04 08:04 <DIR> d-------- C:\VundoFix Backups
2008-09-02 10:14 . 2008-09-02 10:14 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-29 12:34 . 2008-08-29 12:34 <DIR> d-------- C:\Program Files\Winamp
2008-08-29 12:34 . 2008-08-29 12:34 <DIR> d-------- C:\Documents and Settings\Christian \Application Data\Winamp
2008-08-27 13:17 . 2008-09-02 16:36 253 --a------ C:\WINDOWS\wininit.ini
2008-08-26 15:04 . 2008-08-26 15:04 <DIR> d-------- C:\Documents and Settings\Christian \Application Data\vlc
2008-08-26 15:02 . 2008-08-26 15:02 <DIR> d-------- C:\Program Files\VideoLAN
2008-08-26 14:16 . 2008-08-26 14:34 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-26 14:10 . 2008-08-26 14:10 <DIR> d-------- C:\Documents and Settings\Christian \Application Data\Nero
2008-08-26 14:07 . 2008-08-26 14:51 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-08-26 14:07 . 2008-08-26 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-08-26 13:55 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-26 13:55 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-26 13:55 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-26 12:46 . 2008-08-26 12:46 <DIR> d-------- C:\WINDOWS\Sun
2008-08-26 12:46 . 2008-09-03 18:48 <DIR> d-------- C:\Documents and Settings\Christian \Application Data\LimeWire
2008-08-26 12:46 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-26 12:45 . 2008-08-26 12:46 <DIR> d-------- C:\Program Files\Java
2008-08-26 12:44 . 2008-08-26 12:44 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-26 12:39 . 2008-08-26 12:40 <DIR> d-------- C:\Program Files\LimeWire
2008-08-26 12:18 . 2008-08-26 12:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-26 12:18 . 2008-09-12 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-26 12:17 . 2008-08-26 12:17 <DIR> d-------- C:\Documents and Settings\Christian \Application Data\Logitech
2008-08-26 12:17 . 2008-08-26 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-08-26 12:15 . 2008-08-26 12:15 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-08-26 12:15 . 2008-08-26 12:15 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-08-26 12:15 . 2008-08-26 12:15 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-08-26 12:14 . 2008-08-26 12:14 <DIR> d-------- C:\Program Files\Common Files\Logishrd
2008-08-26 12:14 . 2008-08-26 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-08-26 12:14 . 2008-05-02 02:38 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2008-08-26 12:14 . 2008-05-02 02:39 170,512 --a------ C:\WINDOWS\system32\kemutb.dll
2008-08-26 12:14 . 2008-05-02 02:39 145,936 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-08-26 12:14 . 2008-05-02 02:40 117,264 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-08-26 12:14 . 2008-05-02 02:40 84,496 --a------ C:\WINDOWS\system32\KemXML.dll
2008-08-26 12:13 . 2008-08-26 12:13 <DIR> d-------- C:\Program Files\Logitech
2008-08-26 12:11 . 2008-08-26 12:11 <DIR> d-------- C:\Program Files\Razer Barracuda AC-1 Gaming Audio Card
2008-08-26 12:11 . 2008-08-26 12:11 <DIR> d-------- C:\Program Files\OpenAL
2008-08-26 12:11 . 2006-07-26 15:51 5,718,016 --a------ C:\WINDOWS\system\cmicnfgp.cpl
2008-08-26 12:08 . 2007-11-13 15:48 119,848 --a------ C:\WINDOWS\system32\SilSupp.dll
2008-08-26 12:08 . 2007-11-13 15:48 71,720 --a------ C:\WINDOWS\system32\drivers\PnP680.sys
2008-08-26 12:05 . 2007-12-01 00:25 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-08-26 12:05 . 2007-12-01 00:25 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-08-26 12:05 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-26 12:05 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-26 12:04 . 2007-11-30 17:31 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-08-26 12:04 . 2007-11-30 17:31 32,128 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-08-26 12:04 . 2007-11-30 17:23 14,592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-08-26 12:04 . 2007-11-30 17:23 14,592 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-08-26 12:04 . 2007-11-30 17:31 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-26 12:04 . 2007-11-30 17:31 10,368 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-08-26 12:01 . 2008-08-26 12:01 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-08-26 12:01 . 2008-08-26 12:01 <DIR> d-------- C:\Program Files\Realtek
2008-08-26 12:00 . 2008-08-26 12:00 <DIR> d-------- C:\Documents and Settings\Christian \Application Data\InstallShield
2008-08-26 11:38 . 2008-08-26 11:38 <DIR> d-------- C:\Program Files\ESET
2008-08-26 11:33 . 2008-09-12 08:41 <DIR> d-------- C:\Program Files\MSA
2008-08-26 11:17 . 2008-09-12 08:48 <DIR> d-------- C:\Program Files\mIRC
2008-08-26 11:17 . 2008-09-12 08:48 <DIR> d-------- C:\Documents and Settings\Christian \Application Data\mIRC
2008-08-26 11:16 . 2007-09-02 20:56 1,686,016 --a------ C:\WINDOWS\system32\clinetsuitex6.ocx
2008-08-26 11:16 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-08-26 11:16 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-08-26 11:16 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll
2008-08-26 11:15 . 2008-08-26 11:25 <DIR> d-------- C:\Program Files\Driver-Soft
2008-08-26 11:04 . 2008-08-26 11:04 <DIR> d-------- C:\Documents and Settings\Christian \Application Data\ESET
2008-08-26 11:03 . 2008-08-26 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-26 10:59 . 2008-08-26 11:04 <DIR> d-------- C:\Documents and Settings\Christian \Contacts
2008-08-26 10:55 . 2008-08-26 10:58 <DIR> d-------- C:\Program Files\Windows Live
2008-08-26 10:55 . 2008-08-26 10:58 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-26 10:55 . 2008-08-26 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-26 10:50 . 2008-08-26 10:50 <DIR> d-------- C:\Program Files\uTorrent
2008-08-26 10:50 . 2008-09-07 06:29 <DIR> d-------- C:\Documents and Settings\Christian \Application Data\uTorrent
2008-08-26 10:43 . 2008-06-13 13:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-26 10:43 . 2008-06-13 13:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-26 10:40 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-08-26 10:40 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-26 10:40 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-26 10:40 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-26 10:40 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-26 10:33 . 2008-08-26 10:36 <DIR> d-------- C:\Program Files\Setup Files
2008-08-26 10:28 . 2008-02-25 20:54 105,088 --a------ C:\WINDOWS\system32\drivers\Rtnicxp.sys
2008-08-26 10:25 . 2008-08-26 10:59 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-26 10:25 . 2008-08-26 10:25 <DIR> d-------- C:\Program Files\Intel
2008-08-26 10:25 . 2008-08-26 10:25 <DIR> d-------- C:\Intel
2008-08-26 10:23 . 2008-08-26 11:06 <DIR> d-------- C:\Program Files\MSI
2008-08-26 10:23 . 2008-08-26 12:14 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-08-26 10:23 . 2003-07-14 13:57 143,360 --a------ C:\WINDOWS\system32\IpLib.dll
2008-08-26 10:23 . 2003-09-02 11:25 11,266 --a------ C:\WINDOWS\system32\drivers\diag69xp.sys
2008-08-26 10:23 . 2003-09-17 15:57 8,440 --a------ C:\WINDOWS\system32\drivers\LANPkt.sys
2008-08-26 10:18 . 2008-08-26 10:18 <DIR> d-------- C:\WINDOWS\nview
2008-08-26 10:18 . 2008-08-26 10:23 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-08-26 10:18 . 2008-05-16 11:48 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-08-26 10:18 . 2008-05-16 14:01 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-08-26 10:18 . 2008-09-12 08:48 186,500 --a------ C:\WINDOWS\system32\nvapps.xml
2008-08-26 10:18 . 2008-05-16 14:01 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-08-26 08:40 . 2007-11-30 17:31 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-08-25 16:00 . 2008-09-12 08:38 <DIR> d-------- C:\Documents and Settings\Christian

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 10:11 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-08-26 10:11 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-08-25 13:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-02-01 08:39 113,664 ----a-w C:\WINDOWS\inf\hdaudio.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-11-30 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-08-04 36352]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-08-26 805392]
mIRC.lnk - C:\Program Files\mIRC\mirc.exe [2008-07-18 2808320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"D:\\Program Files\\Steam\\steamapps\\turbo\\team fortress classic\\hl.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 Pnp680;SiI 680 ATA Controller;C:\WINDOWS\system32\DRIVERS\pnp680.sys [2007-11-13 71720]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
R3 cmudaxp;Razer Barracuda AC-1 Gaming Interface;C:\WINDOWS\system32\drivers\cmudaxp.sys [2006-12-07 1423360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f2c388e-79d7-11dd-ab71-00161711f34d}]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0fbcf42-72bc-11dd-a3d0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e686ca0a-7339-11dd-ab52-a73a88f8cdb9}]
\Shell\AutoRun\command - F:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
.

- - - - ORPHANS REMOVED - - - -

BHO-{81B3054D-8E9E-4AAD-8BB5-B147DD493B49} - C:\WINDOWS\system32\geBssssS.dll
BHO-{B7D8BCFE-1926-4C81-A052-784E64CA7122} - C:\WINDOWS\system32\vtUmnnkh.dll
HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
HKLM-Run-NBKeyScan - C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-Cmaudio8788 - cmicnfgp.cpl

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
C:\WINDOWS\Downloaded Program Files\MSIWDev.inf
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-12 08:48:10
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Razer Barracuda AC-1 Gaming Audio Card\CustomApp\Program\Razer Barracuda AC-1 Gaming Audio card.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\WINDOWS\SoftwareDistribution\Download\f6d390a5c8cb03ef1624d5e3583de48b\update\update.exe
.
**************************************************************************
.
Completion time: 2008-09-12 8:49:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-12 06:49:26

Pre-Run: 27,705,323,520 bytes free
Post-Run: 27,635,449,856 bytes free

230 --- E O F --- 2008-09-02 08:15:30

Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.28
Database version: 1141
Windows 5.1.2600 Service Pack 3, v.3264

12.09.2008 08:41:31
mbam-log-2008-09-12 (08-41-31).txt

Scan type: Quick Scan
Objects scanned: 36581
Time elapsed: 1 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 22
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ddcBRllk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\spvhadlo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\stpsey.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0744fd92-e378-4c7a-9a83-884f60d71bff} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0744fd92-e378-4c7a-9a83-884f60d71bff} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d872ee57-ffda-4310-a752-9e77dec06131} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d872ee57-ffda-4310-a752-9e77dec06131} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\100b7aaf (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie411.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie412.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie413.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie414.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie4ba.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie9a7.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie411.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie412.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie413.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie414.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie4ba.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie9a7.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddcbrllk -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddcbrllk -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ddcBRllk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kllRBcdd.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kllRBcdd.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\stpsey.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\spvhadlo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\oldahvps.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ixquwk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kfkroxdv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ofvhbxia.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdcgtuht.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bdocessu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bgjtxssl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eeovnm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\elqdjw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fxkxcy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qsqndevc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\stnkansa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tmenjt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wttona.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayvVNFU.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yaywurQG.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ytzpbn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ldltteit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\MSA\msa0.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\msa1.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:54:39, on 12.09.2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Razer Barracuda AC-1 Gaming Audio Card\Customapp\PROGRAM\RAZER BARRACUDA AC-1 GAMING AUDIO CARD.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Christian\Desktop\HijackThis\Testx.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: mIRC.lnk = C:\Program Files\mIRC\mirc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219740028031
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5017 bytes

edit: Removed so it would be easier to read.
Edited 12 September 2008 by cozmos
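Added example, not part of the thread and not a Malwarebytes tool: a small Python triage helper for the MBAM 1.x log format posted above. The interesting lines in that log are the two "Registry Data Items" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: a DLL named in Authentication Packages or Notification Packages is loaded into lsass.exe at boot, which is how Vundo kept coming back, and one of the two was only marked "Delete on reboot". The helper parses each "item (family) -> [Data: ... ->] action." line, counts detections per family, and builds a deduplicated list of files and registry values to verify after the reboot. The log text embedded below is a constructed excerpt modelled on the posted log (with the English section headers of that MBAM version); the function names are mine.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x scan logs (added example)."""
import re
from collections import Counter

# Constructed excerpt modelled on the MBAM 1.28 log in the thread, using the
# English section headers of that version (the posted log is Norwegian).
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\ddcBRllk.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\100b7aaf (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddcbrllk -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddcbrllk -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ddcBRllk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\MSA\msa0.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<family>) -> [Data: <data> -> ]<action>."
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)
# Values under Control\Lsa whose contents lsass.exe loads as DLLs at boot.
LSA_RE = re.compile(
    r"\\Control\\Lsa\\(Authentication|Notification|Security) Packages$", re.I
)


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, data, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):  # blank or "(No malicious items detected)"
            continue
        if line.endswith("Infected:"):        # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return entries


def family_counts(entries):
    """Detections per malware family, to see which infection dominates the log."""
    return Counter(e["family"] for e in entries)


def pending_reboot(entries):
    """Items MBAM could not remove live; they still exist until the next boot."""
    return [e for e in entries if e["action"] == "Delete on reboot"]


def lsa_package_entries(entries):
    """LSA package values that named a malicious DLL; re-check them after reboot."""
    return [e for e in entries if LSA_RE.search(e["item"])]


def post_reboot_checklist(entries):
    """Deduplicated 'FILE <path>' / 'REG <value>' lines to verify after the reboot."""
    seen = {}
    for e in pending_reboot(entries) + lsa_package_entries(entries):
        kind = "REG" if e["section"].startswith("Registry") else "FILE"
        seen.setdefault((kind, e["item"].lower()), f"{kind} {e['item']}")
    return sorted(seen.values())


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(family_counts(found))
    for line in post_reboot_checklist(found):
        print(line)
```

Run it against a saved mbam-log-*.txt instead of SAMPLE_LOG and work through the checklist once the machine is back up: the files must be gone, and on a stock Windows XP install Authentication Packages should hold only msv1_0 and Notification Packages only scecli; any leftover path there means lsass.exe will load the DLL again on the next boot and the cleanup did not take.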
InsertNumLock, posted 12 September 2008

Looks clean, yes.
cozmos (author), posted 12 September 2008

Great! Thanks for the super quick response! =)