
Windows XP "Antivirus" 2008


Ok, for some reason I managed to get this on my PC. But I removed it! Or so I thought...

The pop-up itself that appeared when I started the PC is gone now, and those fake blue screen things are gone too. But I suspect there are some remnants of the virus left on the PC, especially some files that are messing up Firefox.

When I use Firefox everything is ridiculously slow; Firefox freezes about once a minute for 5 seconds, and when I search on Google and click a link, I just end up on various junk sites. NEVER the actual site I was trying to reach (typing the address into the address bar works fine, though).

Anyone have any experience removing this? I'm close to tearing my hair out. It seems like Firefox stutters a lot more when I'm on YouTube compared with normal forum browsing etc., if that matters.


Thanks a lot =).

But I have a small problem with Combofix. On my C:\ I have Vista, not XP. XP is on D:\. It turns out Combofix only looks at C:\, since I get an error message about the wrong OS. I can't google the answer, so I don't quite know what to do..

Edit: Tried a Google search, which works now after the Malware program removed it. So I'll see if I can find an answer, and then I'll upload the necessary logs.

Second edit: I can't figure it out. Do I need a Combofix log? If so I'm a bit stuck :o

Edited by Patrik89

Ok, here they are.

 

MBAM

 

Malwarebytes' Anti-Malware 1.28

Database versjon: 1186

Windows 5.1.2600 Service Pack 3

 

9/21/2008 6:30:21 PM

mbam-log-2008-09-21 (18-30-21).txt

 

Skanntype: Rask Skann

Objekter skannet: 36885

Tid tilbakelagt: 1 minute(s), 33 second(s)

 

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 3

Registerverdier infisert: 4

Registerfiler infisert: 3

Mapper infisert: 0

Filer infisert: 10

 

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

 

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

 

Registernøkler infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

 

Registerverdier infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhc5ucj0et1j (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

 

Registerfiler infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Mapper infisert:

(Ingen mistenkelige filer funnet)

 

Filer infisert:

D:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.

D:\WINDOWS\system32\blphc1ucj0et1j.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

D:\WINDOWS\system32\phc1ucj0et1j.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

 

 

HJT

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:37:48 PM, on 9/21/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Boot mode: Normal

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\acs.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\RUNDLL32.EXE

D:\WINDOWS\RTHDCPL.EXE

D:\Program Files\Synaptics\SynTP\SynTPEnh.exe

D:\PROGRA~1\LAUNCH~1\LManager.exe

D:\WINDOWS\system32\agrsmsvc.exe

D:\WINDOWS\PLFSetL.exe

D:\Program Files\Bonjour\mDNSResponder.exe

D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Adobe\Acrobat 8.0XP\Acrobat\Acrotray.exe

D:\Program Files\DAEMON Tools Lite\daemon.exe

D:\WINDOWS\system32\nvsvc32.exe

D:\WINDOWS\system32\svchost.exe

D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RtkBtMnt.exe

D:\Program Files\Mozilla Firefox\firefox.exe

D:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\cuteftppro.exe

C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\ftpte.exe

C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe

D:\Program Files\mIRC\mirc.exe

D:\WINDOWS\system32\NOTEPAD.EXE

D:\Documents and Settings\Administrator\Desktop\HiJackThis\olawd.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0XP\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0XP\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AzMixerSel] D:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [synTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [LManager] D:\PROGRA~1\LAUNCH~1\LManager.exe

O4 - HKLM\..\Run: [PLFSetL] D:\WINDOWS\PLFSetL.exe

O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\system32\msconfig.exe /auto

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0XP\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')

O4 - HKUS\S-1-5-21-789336058-1220945662-842925246-500\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0XP\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0XP\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0XP\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0XP\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0XP\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0XP\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0XP\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0XP\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O13 - DefaultPrefix:

O13 - WWW Prefix:

O13 - Home Prefix:

O13 - Mosaic Prefix:

O13 - FTP Prefix:

O13 - Gopher Prefix:

O23 - Service: Atheros Configuration Service (ACS) - Atheros - D:\WINDOWS\system32\acs.exe

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - D:\WINDOWS\system32\agrsmsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 6672 bytes

 

 

 

And by the way, I restarted the PC after MBAM asked me to.

Edited by Patrik89
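An added example (not from the thread or from Malwarebytes) that parses the MBAM 1.28 log format pasted above and pulls out the two things a responder wants to verify from it: which objects were only marked "Delete on reboot" (so they still exist until the PC is restarted, which is why MBAM asked for a reboot), and whether a kernel driver was among the detections (the tdssserv.sys entry), which means a user-mode cleanup should be followed by a rescan. The log excerpt embedded in the code is constructed from lines in this thread; the function names are my own.

```python
import re

# Constructed excerpt in the format of the MBAM 1.28 log quoted above: a section name
# ending in ":", then one "<object> (<family>) -> <action>." line per detected item.
SAMPLE_LOG = r"""
Registernøkler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Mapper infisert:
(Ingen mistenkelige filer funnet)
Filer infisert:
D:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
D:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
D:\WINDOWS\system32\blphc1ucj0et1j.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Non-greedy object match keeps "(Trojan.Agent)" as the family even when registry-data
# lines continue with "-> Bad: (0) Good: (1)" before the final action.
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\)(?: -> .*)?$")


def parse_item(line):
    """Return (object, family, action) for one item line, or None if it is not one."""
    head, sep, action = line.rpartition(" -> ")  # the action always follows the last arrow
    m = ITEM_RE.match(head) if sep else None
    return (m.group("obj"), m.group("family"), action.rstrip(".")) if m else None


def parse_mbam_log(text):
    """Map each 'infisert:' section name to its items (empty list for clean sections)."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("("):  # blank, or "(Ingen mistenkelige filer funnet)"
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        elif current is not None and (item := parse_item(line)):
            sections[current].append(item)
    return sections


def pending_reboot(sections):
    """Objects MBAM could not remove while running; they stay on disk until reboot."""
    return [obj for items in sections.values() for obj, _, act in items
            if act.lower().startswith("delete on reboot")]


def kernel_drivers(sections):
    """Detected .sys files in a drivers directory: a kernel-mode component (the TDSS
    driver here) means a rescan after reboot is needed before calling the box clean."""
    return [obj for items in sections.values() for obj, _, _ in items
            if obj.lower().endswith(".sys") and "\\drivers\\" in obj.lower()]
```

Running `pending_reboot(parse_mbam_log(SAMPLE_LOG))` on the excerpt returns the two TDSS files still scheduled for deletion, and `kernel_drivers` returns the tdssserv.sys driver.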
