
Help removing spyware/viruses from a PC.



Hi!

My mum's and her boyfriend's computer has picked up spyware/viruses (malware), and I can't get rid of it.

So I'm looking for help with this here on the forum.

Pop-ups appear when using Internet Explorer, e.g. `unsecure internet...`, then a scanner starts running by itself, finds all sorts of strange things, and you have to pay to remove them.

Two icons have also appeared on the desktop, and a cross blinks at the bottom right of the taskbar, plus more pop-ups saying there are viruses on the machine...

Terribly annoying stuff.

Scanned with the BitDefender online scanner in safe mode; it found a number of Trojans and deleted them, but they didn't go away.

Also scanned with Trojan Hunter from Misec; it found them too and cleaned them, but they're still there, at least the icons, the pop-ups, the cross on the taskbar, etc...

I wrote down the names of some of the things:

Memscan:Trojan.zlob.cxd

Dropped:Trojan.fakeav.BC

Trojan.Downloader.winfixer.I

Trojan.rkit.agen.A+(or a t).2.B

Fraudtool.spyheal.105

Hoping for help, because I can't get this under control on my own...

Regards, Stian.V.H :)

(If this thread is posted in the wrong place, I apologise and ask a moderator to move it to a suitable category...)


Download AVG 8.0 from itpro.no (free) and run a full scan with it.

AVG finds an incredible amount of viruses and spam, and it's good at deleting them.

Also download Spybot Search & Destroy; that's a very good program too.

Don't know of anywhere you can download the full version of it.

But search Google for the Trojan names + remove; then you'll find guides on how to remove them manually. I think Symantec has a search page for this.

If that doesn't help, you can always try a System Restore on the machine.

Start - Accessories - System Tools - System Restore.

Windows will then set the system back to how it was on the date you choose.

Hope some of this helps :)

Edited by deum

Follow this, and post.

https://www.diskusjon.no/index.php?showtopic=691246

Post the logs here in your thread, and we'll look through them to see whether anything needs to be removed manually.

Then you'll get a PC that's completely clean of malware.

> Download AVG 8.0 from itpro.no (free) and run a full scan with it.
>
> AVG finds an incredible amount of viruses and spam, and it's good at deleting them.

A bit of advice for you.

You shouldn't ask anyone to install yet another antivirus.

It can conflict with what's already installed, and then you have to troubleshoot that on top.

There are many online scanners that are better to use.

Now we'll use norbat's guide; then we get logs and get all the junk removed.

> Go to this website
>
> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
>
> download ComboFix, put it on the desktop, restart the machine in safe mode and run ComboFix.
>
> Let the machine finish working and restart itself. You should preferably close all antivirus programs and the like before running it.

A bit of advice for you as well.

ComboFix is a powerful program; it's included in the guide.

You should never ask anyone to run it without the log being posted.

The log has to be gone through; it takes a lot of experience to give support based on ComboFix, because you can write scripts to delete malware manually.

It should also be uninstalled after use.

That's why it's important that it isn't used without support.

NB: it should not be run in safe mode; the only reason to do that is if the PC doesn't boot into Windows.

Edited by SNIPPSAT

Make sure you run the virus scan in safe mode, so the files to be removed aren't in use by Windows, since that can cause the files not to be deleted.

I recommend Avast! and Ad-Aware. Also, you should install Windows Defender once you've got the PC free of viruses and spyware, since Windows Defender has real-time protection.


Cleaned an Acer laptop just today, in fact. Exactly the same symptoms, but this one constantly tried to open websites, disabled Task Manager and crashed Explorer. First tried various virus/malware scanners in safe mode without it coming clean (some 20 Trojans).

On my own machine I might have kept going, since I run web and database servers, IDEs and a lot of specialised software, but for ordinary machines people use for media and the web this is often a waste of time. I backed up the user areas, rebooted, pressed Alt + F10 and chose system recovery. Scanned the backup and put it back. Took about 30 min. As new again.


RulleRimfrost: The guide and any cleanup afterwards (ref. snippsat's post) will take about an hour (CCleaner: 1-2 min, ComboFix: 5-10 min, MBAM: 5-10 min, HijackThis: 1 min, and the rest of the time for exchanging logs and analysis) if both users are online and do "as they should". The machine becomes as fast as it should be, and you avoid the hassle of taking a backup, putting the backup back, reinstalling programs that stop working, etc.

> Make sure you run the virus scan in safe mode, so the files to be removed aren't in use by Windows, since that can cause the files not to be deleted.

Magic, we clean PCs every day.

If the guide is followed and logs are posted, the PC becomes completely clean.

I don't doubt it. To be honest I didn't read your post, no offence...

I'm going to my mum's tomorrow and will then follow the thread that was linked and post logs; an update in the thread will come tomorrow.

Thanks again for the great replies! :)

Remember to take a backup even if you follow the cleanup thread. Educational, but missteps can mean a restore is the only option. Remember to look outside My Documents for large .jpeg, avi, doc files and do a manual export of mail. Much more fun if you're ready for a restore. Then you don't sweat so much when the blue screens start.

Good luck


Unfortunately didn't get to my mum's this weekend, but I'm going there tomorrow, so the update and logs will come then.

Thanks for the tip about backups; I'll follow that too, since mum has quite a few pictures etc.

But can the virus/malware get onto my external hard drive (and infect it) if I use it to back up files from the infected machine?


Hi again!

Here's the update in the thread...

Followed Norbat's instructions that were linked.

After scanning with the Malwarebytes program (CCleaner first), at first glance it looks like the malware disappeared/was removed...

Here are the logs after Malwarebytes was run:

 

 

Malwarebytes log:

-----------------

Malwarebytes' Anti-Malware 1.29

Database versjon: 1297

Windows 5.1.2600 Service Pack 2

 

20.10.2008 14:54:35

mbam-log-2008-10-20 (14-54-35).txt

 

Skanntype: Full Skann (C:\|D:\|)

Objekter skannet: 144057

Tid tilbakelagt: 24 minute(s), 56 second(s)

 

Minneprosesser infisert: 0

Minnemoduler infisert: 1

Registernøkler infisert: 24

Registerverdier infisert: 4

Registerfiler infisert: 7

Mapper infisert: 3

Filer infisert: 34

 

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

 

Minnemoduler infisert:

C:\WINDOWS\system32\eivrbsi.dll (Trojan.Zlob) -> Delete on reboot.

 

Registernøkler infisert:

HKEY_CLASSES_ROOT\CLSID\{da75fab1-136e-4ead-834d-0e04fbd6edc1} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\virrlwarning.warningbho (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a81ebfd7-0fa3-41ec-b60d-6dae78b4d31a} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a81ebfd7-0fa3-41ec-b60d-6dae78b4d31a} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\virrlwarning.warningbho.1 (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\z444.z444mgr (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{030a0f33-5b99-482e-83f5-2eeb8457878b} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{030a0f33-5b99-482e-83f5-2eeb8457878b} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\z444.z444mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{144a6b24-0ebc-4d89-bf09-a06a718e57b5} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{be1a344f-9ff5-4024-949b-52205e6db2d0} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{be1a344f-9ff5-4024-949b-52205e6db2d0} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{F5734812-E6A1-8833-ECA9-949B5B8A88BF} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\virrl2009 (Rogue.Installer) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\VirRL2009 (Rogue.AntiVirusLab) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEBrowse Tool (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Bar (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warning Center (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

 

Registerverdier infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{da75fab1-136e-4ead-834d-0e04fbd6edc1} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{144a6b24-0ebc-4d89-bf09-a06a718e57b5} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\start (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\smile (Trojan.Zlob) -> Quarantined and deleted successfully.

 

Registerfiler infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

 

Mapper infisert:

C:\Program Files\VirRL2009 (Rogue.AntiVirusLab) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\675873 (Trojan.BHO) -> Quarantined and deleted successfully.

C:\Documents and Settings\Arne \Start Menu\Programs\VirusResponse Lab 2009 2.1 (Rogue.AntiVirusLab) -> Quarantined and deleted successfully.

 

Filer infisert:

C:\WINDOWS\system32\eivrbsi.dll (Trojan.Zlob.H) -> Delete on reboot.

C:\Program Files\VirRL2009\VirRLWarning.dll (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\675873\675873.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\Program Files\Applications\iebr.dll (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\iebt.dll (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\VirRL2009\uninst.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{90F43D4D-8520-4A9B-A97E-25EDEE1AEED7}\RP1002\A0086524.exe (Rogue.VirusHeat) -> Quarantined and deleted successfully.

C:\Documents and Settings\Arne Nordli\Start Menu\Programs\VirusResponse Lab 2009 2.1\VirusResponse Lab 2009 2.1.lnk (Rogue.AntiVirusLab) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\algg.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\iebtm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\iebtmm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\iebtu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\iebu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\wcm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\wcs.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\Applications\wcu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Arne \My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Arne \My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Arne \My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Arne \My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Arne \Local Settings\Temp\xrg1.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\Online Spyware Test.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\\Start Menu\VirusResponse Lab 2009 2.1.lnk (Rogue.AntiVirusLab) -> Quarantined and deleted successfully.

C:\Documents and Settings\\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusResponse Lab 2009 2.1.lnk (Rogue.AntiVirusLab) -> Quarantined and deleted successfully.

______________________________________________________________________________________

 

 

 

Combofix log:

-------------

ComboFix 08-10-19.04 - Administrator 2008-10-20 15:01:37.1 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.629 [GMT 2:00]

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))

.

 

2008-10-20 14:26 . 2008-10-20 14:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-10-20 14:26 . 2008-10-20 14:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-10-20 14:26 . 2008-10-20 14:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-10-20 14:26 . 2008-10-16 20:25 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-20 14:26 . 2008-10-16 20:25 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-16 18:49 . 2008-10-16 18:49 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts

2008-10-16 18:48 . 2008-10-16 18:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter

2008-10-16 18:07 . 2008-10-16 18:52 <DIR> d-------- C:\Program Files\TrojanHunter 5.0

2008-10-16 18:05 . 2008-10-16 18:07 <DIR> d-------- C:\Program Files\Trojan Hunter

2008-10-16 17:23 . 2008-10-16 18:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2008-10-16 17:19 . 2008-10-16 17:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft

2008-10-14 18:49 . 2008-10-14 18:49 <DIR> d-------- C:\Program Files\Applications

2008-10-14 18:49 . 2008-10-15 08:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-14 16:50 --------- d-----w C:\Program Files\Opera

2008-10-03 17:41 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll

2008-09-21 15:43 --------- d-----w C:\Documents and Settings\Birgit\Application Data\Ahead

2008-09-21 15:37 --------- d-----w C:\Program Files\Telenor Sikker Lagring

2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys

2008-09-15 11:57 1,846,016 ------w C:\WINDOWS\system32\dllcache\win32k.sys

2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-08-28 10:04 333,056 ------w C:\WINDOWS\system32\dllcache\srv.sys

2008-08-27 08:24 3,593,216 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-08-25 08:38 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-08-25 08:37 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-08-23 05:56 635,848 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-08-23 05:54 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-08-14 10:00 2,180,352 ------w C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2008-08-14 09:58 2,136,064 ------w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe

2008-08-14 09:51 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys

2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2008-08-14 09:22 2,057,728 ------w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2008-08-14 09:22 2,015,744 ------w C:\WINDOWS\system32\dllcache\ntkrpamp.exe

2006-01-28 06:45 541,279 ----a-w C:\Program Files\ccsetup126.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"NeroHomeFirstStart"="C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" [2006-12-23 10752]

"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe" [2006-11-09 190072]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-02 155648]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-02 118784]

"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 176128]

"HPHUPD05"="C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-04-01 49152]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2004-05-05 491520]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-07-18 98304]

"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-09-10 1056928]

"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-16 1257104]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 C:\WINDOWS\LOGI_MWX.EXE]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

 

C:\Documents and Settings\Birgit\Start Menu\Programs\Startup\

Telenor Sikker Lagring.lnk - C:\Program Files\Telenor Sikker Lagring\safestorage.exe [2007-04-18 43008]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-16 67128]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hurtigstart for Adobe Reader.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Hurtigstart for Adobe Reader.lnk

backup=C:\WINDOWS\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk

backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2005-06-24 15:16 278528 C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

 

S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]

S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

S2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [ ]

S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\sccmusbm.sys [2001-08-17 23936]

.

Contents of the 'Scheduled Tasks' folder

 

2008-10-17 C:\WINDOWS\Tasks\HP Usg Daily.job

- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-04-01 16:52]

.

- - - - ORPHANS REMOVED - - - -

 

HKU-Default-Run-ALUAlert - C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

 

 

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.fujitsu-siemens.com

R0 -: HKLM-Main,Search Bar = hxxp://www.google.com/

R0 -: HKLM-Main,SearchMigratedDefaultURL = hxxp://www.google.com/

R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://housecall.antivirus.com/

R1 -: HKLM-Internet Explorer,SearchURL = hxxp://www.google.com/

O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - %~$path:i

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-20 15:06:18

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-10-20 15:07:37

ComboFix-quarantined-files.txt 2008-10-20 13:07:35

 

Pre-Run: 258 134 016 bytes free

Post-Run: 1,251,000,320 bytes free

 

139 --- E O F --- 2008-10-17 21:24:28

____________________________________________________________________________

 

 

 

 

Hijackthis log:

----------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:11:43, on 20.10.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Safe mode with network support

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fujitsu-siemens.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall.antivirus.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-siemens.com

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Automatisk LiveUpdate-planlegging - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 6359 bytes

-----------------------------------------------------------------------------

 

 

Those were all the logs; waiting to hear whether all the malware has been removed...

Regards, Stian.V.H :)

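As an added example (not from the thread or from the Malwarebytes project), here is a small Python parser for the Malwarebytes log format posted above. It separates what was quarantined from what is only marked "Delete on reboot" (still on disk until the machine actually restarts) and lists the search-hijack URLs, which is what a helper would check before calling the machine clean; the sample lines are constructed from the posted log's format.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the Malwarebytes' Anti-Malware 1.x log
# posted above (a few representative lines, not the full log).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.29
Database versjon: 1297

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
C:\WINDOWS\system32\eivrbsi.dll (Trojan.Zlob) -> Delete on reboot.

Registernøkler infisert:
HKEY_CLASSES_ROOT\CLSID\{a81ebfd7-0fa3-41ec-b60d-6dae78b4d31a} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\virrl2009 (Rogue.Installer) -> Quarantined and deleted successfully.

Registerfiler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Filer infisert:
C:\WINDOWS\system32\eivrbsi.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Program Files\Applications\iebr.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
"""

# "<object> (<family>) -> <action>"; the Hijack.Search lines carry a second
# "->" after the Bad:/Good: pair, so the tail is captured and split later.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BAD_URL_RE = re.compile(r"Bad: \((?P<url>[^)]+)\)")


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str
    bad_url: Optional[str] = None

    @property
    def pending(self) -> bool:
        # MBAM could not remove the object while it was loaded (here a DLL in
        # memory); it stays on disk until the reboot it scheduled happens.
        return self.action.startswith("Delete on reboot")


def parse_mbam_log(text: str) -> List[Detection]:
    """Parse the per-object lines of an MBAM 1.x log, remembering the section
    header ("Filer infisert:" etc.) each line belongs to."""
    detections: List[Detection] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # section header such as "Filer infisert:"
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if not m:                         # banner, summary count or "(none found)"
            continue
        rest = m.group("rest")
        action = rest.rsplit(" -> ", 1)[-1].rstrip(".")
        bad = BAD_URL_RE.search(rest)
        detections.append(Detection(section, m.group("item"), m.group("family"),
                                    action, bad.group("url") if bad else None))
    return detections


def summarise(detections: List[Detection]) -> dict:
    """Group by threat class (Trojan / Rogue / Hijack) and pull out the two
    things worth checking before declaring the machine clean."""
    return {
        "total": len(detections),
        "by_class": dict(Counter(d.family.split(".")[0] for d in detections)),
        "pending_reboot": sorted({d.item for d in detections if d.pending}),
        "hijacked_search_urls": sorted({d.bad_url for d in detections if d.bad_url}),
    }


if __name__ == "__main__":
    report = summarise(parse_mbam_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a full saved mbam-log-*.txt instead of SAMPLE_LOG to see whether any object is still waiting on a reboot.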