Tosha0007, posted 16 October 2008 (edited)

I have a friend who has serious problems with viruses. I have managed to remove some of it, but unfortunately I can't read ComboFix logs (yet), so I need a little help. I'd be very glad if someone could take the time. Thanks in advance for the help!

ComboFix log:

ComboFix 08-10-16.01 - Thomas Smith Eide 2008-10-16 21:38:03.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.47.1044.18.1578 [GMT 2:00]
Running from: C:\Documents and Settings\Thomas Smith Eide\Skrivebord\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Thomas Smith Eide\Cookies\kymorequ.scr
C:\xcrashdump.dat
.
((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))
.
2008-10-16 18:55 . 2008-10-16 18:55 <DIR> d-------- C:\Programfiler\Avira
2008-10-16 18:55 . 2008-10-16 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Avira
2008-10-16 18:38 . 2008-10-16 18:39 143 --a------ C:\WINDOWS\wininit.ini
2008-10-16 18:24 . 2008-10-16 18:24 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-10-16 18:24 . 2008-10-16 18:24 <DIR> d-------- C:\Documents and Settings\Thomas Smith Eide\Programdata\Malwarebytes
2008-10-16 18:24 . 2008-10-16 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-10-16 18:24 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-16 18:24 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-16 18:21 . 2008-10-16 18:21 <DIR> d-------- C:\Programfiler\Trend Micro
2008-10-16 16:35 . 2008-10-16 16:35 <DIR> d-------- C:\Programfiler\Alwil Software
2008-10-16 16:35 . 2003-03-18 22:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-10-16 16:35 . 2003-03-18 21:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-10-16 16:35 . 2003-02-21 05:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-10-16 16:26 . 2008-10-16 16:26 <DIR> dr-h----- C:\Documents and Settings\Thomas Smith Eide\Siste
2008-10-16 16:02 . 2008-10-16 16:02 17,150 --a------ C:\Programfiler\Fellesfiler\gacen.pif
2008-10-16 16:02 . 2008-10-16 16:02 17,133 --a------ C:\Documents and Settings\Thomas Smith Eide\Programdata\xomerokov.bin
2008-10-16 16:02 . 2008-10-16 16:02 16,761 --a------ C:\WINDOWS\idelewe._dl
2008-10-16 16:02 . 2008-10-16 16:02 16,611 --a------ C:\WINDOWS\erahohuj.sys
2008-10-16 16:02 . 2008-10-16 16:02 15,961 --a------ C:\WINDOWS\system32\vetoca.exe
2008-10-16 16:02 . 2008-10-16 16:02 15,831 --a------ C:\Programfiler\Fellesfiler\hiruz.bat
2008-10-16 16:02 . 2008-10-16 16:02 15,086 --a------ C:\WINDOWS\iwazatyn.inf
2008-10-16 16:02 . 2008-10-16 16:02 14,937 --a------ C:\WINDOWS\seqawu.lib
2008-10-16 16:02 . 2008-10-16 16:02 14,399 --a------ C:\WINDOWS\system32\feqarud.vbs
2008-10-16 16:02 . 2008-10-16 16:02 14,192 --a------ C:\Documents and Settings\Thomas Smith Eide\Programdata\oweq.reg
2008-10-16 16:02 . 2008-10-16 16:02 13,775 --a------ C:\Documents and Settings\All Users\Programdata\tuquzyhu.pif
2008-10-16 16:02 . 2008-10-16 16:02 13,550 --a------ C:\Programfiler\Fellesfiler\vajoxe.vbs
2008-10-16 16:02 . 2008-10-16 16:02 13,392 --a------ C:\WINDOWS\nijy.dl
2008-10-16 16:02 . 2008-10-16 16:02 12,262 --a------ C:\Programfiler\Fellesfiler\emabe.dll
2008-10-16 16:02 . 2008-10-16 16:02 12,102 --a------ C:\Programfiler\Fellesfiler\afixeka.vbs
2008-10-16 16:02 . 2008-10-16 16:02 11,197 --a------ C:\Programfiler\Fellesfiler\xyzegi.bat
2008-10-16 15:57 . 2008-10-16 15:57 <DIR> d-------- C:\Programfiler\svvtmod
2008-10-16 14:22 . 2008-10-16 14:22 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\mzsfqtqj
2008-10-16 13:58 . 2008-10-16 13:58 <DIR> d--hs---- C:\FOUND.000
2008-10-14 23:16 . 2008-10-14 23:16 268 --ah----- C:\sqmdata13.sqm
2008-10-14 23:16 . 2008-10-14 23:16 244 --ah----- C:\sqmnoopt13.sqm
2008-10-07 11:40 . 2008-10-07 11:40 <DIR> d-------- C:\Programfiler\CCleaner
2008-10-07 11:37 . 2008-10-07 11:37 <DIR> d-------- C:\Programfiler\Lavasoft
2008-10-07 11:36 . 2008-10-07 11:36 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft
2008-10-07 11:34 . 2008-10-07 11:34 <DIR> d-------- C:\Programfiler\Spybot - Search & Destroy
2008-10-07 11:34 . 2008-10-07 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
2008-09-30 18:50 . 2008-09-30 18:50 268 --ah----- C:\sqmdata12.sqm
2008-09-30 18:50 . 2008-09-30 18:50 244 --ah----- C:\sqmnoopt12.sqm
2008-09-29 23:02 . 2008-09-29 23:02 <DIR> d-------- C:\Documents and Settings\Thomas Smith Eide\Programdata\Ventrilo
2008-09-29 22:58 . 2008-09-29 22:58 <DIR> d-------- C:\Documents and Settings\Thomas Smith Eide\Programdata\Hamachi
2008-09-29 22:57 . 2008-09-29 22:57 <DIR> d-------- C:\Programfiler\Hamachi
2008-09-29 22:57 . 2008-09-29 22:57 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-09-27 15:50 . 2008-09-27 15:50 221 --a------ C:\WINDOWS\RomeTW.ini
2008-09-16 12:29 . 2008-09-16 12:29 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 19:18 137,728 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-27 19:16 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-09-15 15:42 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-15 15:42 1,846,016 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-09-05 14:50 --------- d-----w C:\Documents and Settings\Thomas Smith Eide\Programdata\AdobeUM
2008-09-04 18:55 --------- d-----w C:\Programfiler\Windows Media Connect 2
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\dllcache\srv.sys
2008-08-27 20:14 --------- d-----w C:\Programfiler\LimeWire
2008-08-27 20:14 --------- d-----w C:\Documents and Settings\Thomas Smith Eide\Programdata\LimeWire
2008-08-26 20:30 --------- d-----w C:\Documents and Settings\Thomas Smith Eide\Programdata\vlc
2008-08-26 20:08 --------- d-----w C:\Documents and Settings\Thomas Smith Eide\Programdata\DivX
2008-08-26 19:56 --------- d-----w C:\Programfiler\VideoLAN
2008-08-25 16:49 --------- d-----w C:\Programfiler\Fellesfiler\Adobe
2008-08-19 09:30 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2008-08-18 07:57 --------- d-----w C:\Documents and Settings\Thomas Smith Eide\Programdata\CyberLink
2008-08-14 13:48 2,182,144 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 13:48 2,182,144 ------w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-08-14 13:48 2,138,112 ------w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-08-14 13:48 2,059,520 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-14 13:48 2,059,520 ------w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-08-14 13:48 2,017,792 ------w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-08-14 09:51 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 98394]
"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 688218]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-07 126976]
"PCMService"="C:\Programfiler\Arcade\PCMService.exe" [2004-08-27 81920]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-01-25 180224]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-01-21 2889216]
"LManager"="C:\Programfiler\Launch Manager\QtZgAcer.EXE" [2004-12-09 311296]
"eRecoveryService"="C:\Windows\System32\Check.exe" [2004-11-24 245760]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-07 344064]
"acerWireless"="C:\Programfiler\acer\Wireless\Utility\WlanUtil.exe" [2004-06-09 417792]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"avgnt"="C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe" [2007-06-11 190696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"C:\\Programfiler\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Programfiler\\uTorrent\\uTorrent.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programfiler\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Programfiler\\Electronic Arts\\EADM\\Core.exe"=
"C:\\Programfiler\\Steam\\steamapps\\thomaseidesmith\\counter-strike\\hl.exe"=
"C:\\Programfiler\\Steam\\steamapps\\thomaseidesmith\\day of defeat\\hl.exe"=
"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=
"C:\\Programfiler\\LimeWire\\LimeWire.exe"=
"D:\\BF 1942 frå øystein på Thomasse på Familien Haltevik (192.168.1.20)\\BF1942.exe"=
"C:\\Programfiler\\Hamachi\\hamachi.exe"=
"C:\\Programfiler\\Steam\\steamapps\\thomaseidesmith\\garrysmod\\hl2.exe"=
"C:\\Programfiler\\Steam\\steamapps\\thomaseidesmith\\counter-strike source\\hl2.exe"=
"D:\\Rome Total War\\RomeTW.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 4096]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-01-03 78208]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2004-09-20 10363]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2004-06-01 4054]
R3 int15.sys;int15.sys;C:\Programfiler\acer\eRecovery\int15.sys [2005-01-13 69632]

*Newly Created Service* - SSMDRV
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Start WingMan Profiler - D:\lwemon.exe
HKLM-Run-IgfxTray - C:\WINDOWS\system32\igfxtray.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Thomas Smith Eide\Programdata\Mozilla\Firefox\Profiles\y0yyzi5w.default\
FF -: plugin - C:\Programfiler\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Programfiler\Real\RhapsodyPlayerEngine\nprhapengine.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-16 21:42:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Acer\eManager\anbmServ.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\acer\eRecovery\Monitor.exe
.
**************************************************************************
.
Completion time: 2008-10-16 21:45:00 - machine was rebooted [Thomas Smith Eide]
ComboFix-quarantined-files.txt 2008-10-16 19:44:56

Pre-Run: 6,310,428,672 byte ledig
Post-Run: 6,573,719,552 byte ledig

217 --- E O F --- 2008-10-15 22:43:50

MBAM log:

Malwarebytes' Anti-Malware 1.28
Database versjon: 1276
Windows 5.1.2600 Service Pack 2

2008-10-16 19:10:04
mbam-log-2008-10-16 (19-09-45).txt

Skanntype: Full Skann (C:\|D:\|)
Objekter skannet: 110483
Tid tilbakelagt: 43 minute(s), 0 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 15
Registerverdier infisert: 1
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 5

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\XP_Antispyware (Rogue.XPAntiSpyware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> No action taken.

Registerverdier infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> No action taken.

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\WINDOWS\system32\ai66q6IR.exe.a_a (Trojan.Agent) -> No action taken.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\wini104552663.exe (Trojan.FakeAlert) -> No action taken.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:51:02, on 16.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Acer\eManager\anbmServ.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Arcade\PCMService.exe
C:\acer\epm\epm-dm.exe
C:\Programfiler\Launch Manager\QtZgAcer.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\acer\Wireless\Utility\WlanUtil.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\acer\eRecovery\Monitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Windows Live\Messenger\msnmsgr.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programfiler\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Programfiler\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [acerWireless] C:\Programfiler\acer\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7109 bytes

All the problems in MBAM have been taken care of; I don't know why the log just says No action taken when everywhere else it says it fixed everything.

Edited 17 October 2008 by tosha0007
snippsat, posted 16 October 2008 (edited)

On this date 11 files arrived: 2008-10-16 16:02. Are you familiar with these? We'll scan one of them. Scan this file here: Virustotal

C:\WINDOWS\system32\vetoca.exe

Tick the box so that MBAM deletes what it finds. Then it shouldn't say No action taken.

Edited 16 October 2008 by SNIPPSAT
Tosha0007 (author), posted 16 October 2008 (edited)

Sorry that it came out as an image, but nothing else worked. Doesn't look like there were any hits on this file.

New MBAM log:

Skanntype: Full Skann (C:\|D:\|)
Objekter skannet: 110483
Tid tilbakelagt: 44 minute(s), 0 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 0

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
(Ingen mistenkelige filer funnet)

Looks like everything was caught in the first log after all.

Edited 16 October 2008 by tosha0007
snippsat, posted 16 October 2008

OK, then I assume those files are good. Then it looks fine. You can remove ComboFix by typing combofix /u from the Run window. This command deletes the quarantined files and backups, resets the System Restore folder, etc. Surf safely.
snippsat, posted 16 October 2008 (edited)

We'll do one more small job. Talked a bit with norbat about this; there are some files we're wondering about. They all arrived on the same date; you scanned one of them, "vetoca.exe", and it was clean.

C:\Programfiler\Fellesfiler\gacen.pif
C:\Documents and Settings\Thomas Smith Eide\Programdata\xomerokov.bin
C:\WINDOWS\idelewe._dl
C:\WINDOWS\erahohuj.sys
C:\WINDOWS\system32\vetoca.exe
C:\Programfiler\Fellesfiler\hiruz.bat
C:\WINDOWS\iwazatyn.inf
C:\WINDOWS\seqawu.lib
C:\WINDOWS\system32\feqarud.vbs
C:\Documents and Settings\Thomas Smith Eide\Programdata\oweq.reg
C:\Documents and Settings\All Users\Programdata\tuquzyhu.pif
C:\Programfiler\Fellesfiler\vajoxe.vbs
C:\WINDOWS\nijy.dl
C:\Programfiler\Fellesfiler\emabe.dll
C:\Programfiler\Fellesfiler\afixeka.vbs
C:\Programfiler\Fellesfiler\xyzegi.bat

Could you change the file extension on these to .bak? Example: C:\Programfiler\Fellesfiler\gacen.pif.bak

Alternatively, scan more of them on VirusTotal. This is to test whether it has an effect on anything.

Edited 17 October 2008 by SNIPPSAT
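The check the helpers applied by eye in the two posts above (a batch of oddly named files all written in the same minute, 2008-10-16 16:02, followed by the request to neutralise them by renaming to .bak) can be automated. The Python script below is an added example, not code from the thread or from ComboFix, MBAM or any other tool mentioned: it parses ComboFix "Files Created" entries, groups them by the minute in the first timestamp column (the listing is sorted on that column, which is the assumption used here), flags minutes in which several files with mixed executable or script extensions appeared together, and lists the .bak rename targets snippsat asked for. The sample entries are constructed from lines in the posted log; the thresholds and the EXECUTABLE_EXT set are this example's own assumptions, not rules from any of the tools.

```python
import re
from collections import defaultdict

# One ComboFix "Files Created" entry, as printed in the posted log:
#   <timestamp> . <timestamp> <size or <DIR>> <attribute flags> <path>
# The listing is ordered by the first timestamp, so grouping uses that column
# (an assumption of this example).
ENTRY_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+)|<DIR>) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>[A-Za-z]:\\.+?)\s*$"
)

# File types Windows runs or loads directly (assumed set for this example).
EXECUTABLE_EXT = {".exe", ".pif", ".bat", ".cmd", ".vbs", ".dll",
                  ".sys", ".scr", ".cpl", ".com", ".inf"}

# Constructed sample input: a few benign entries plus part of the 16:02 batch,
# copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
2008-10-16 18:24 . 2008-10-16 18:24 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-10-16 18:24 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-16 18:24 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-16 16:02 . 2008-10-16 16:02 17,150 --a------ C:\Programfiler\Fellesfiler\gacen.pif
2008-10-16 16:02 . 2008-10-16 16:02 17,133 --a------ C:\Documents and Settings\Thomas Smith Eide\Programdata\xomerokov.bin
2008-10-16 16:02 . 2008-10-16 16:02 16,761 --a------ C:\WINDOWS\idelewe._dl
2008-10-16 16:02 . 2008-10-16 16:02 16,611 --a------ C:\WINDOWS\erahohuj.sys
2008-10-16 16:02 . 2008-10-16 16:02 15,961 --a------ C:\WINDOWS\system32\vetoca.exe
2008-10-16 16:02 . 2008-10-16 16:02 15,831 --a------ C:\Programfiler\Fellesfiler\hiruz.bat
2008-10-16 16:02 . 2008-10-16 16:02 14,399 --a------ C:\WINDOWS\system32\feqarud.vbs
2008-09-29 22:57 . 2008-09-29 22:57 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
"""


def extension(path):
    """Lower-cased extension of the last path component ('' if it has none)."""
    name = path.rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def parse_entries(text):
    """Parse every line matching ENTRY_RE into a dict; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["is_dir"] = e["size"] is None
        e["size"] = int(e["size"].replace(",", "")) if e["size"] else None
        e["ext"] = extension(e["path"])
        entries.append(e)
    return entries


def find_bursts(entries, min_files=5, min_distinct_ext=3):
    """Return [(minute, [entries])] for minutes in which at least `min_files`
    files appeared with at least `min_distinct_ext` different extensions, one of
    them an executable or script type. Directory entries are ignored."""
    by_minute = defaultdict(list)
    for e in entries:
        if not e["is_dir"]:
            by_minute[e["ts1"]].append(e)
    bursts = []
    for minute, group in sorted(by_minute.items()):
        exts = {e["ext"] for e in group}
        if (len(group) >= min_files and len(exts) >= min_distinct_ext
                and exts & EXECUTABLE_EXT):
            bursts.append((minute, group))
    return bursts


def rename_targets(group):
    """Neutralised names as requested in the thread: original path plus '.bak'."""
    return [e["path"] + ".bak" for e in group]


def report(text):
    """Human-readable summary of every flagged burst and its rename targets."""
    lines = []
    for minute, group in find_bursts(parse_entries(text)):
        lines.append(f"{minute}: {len(group)} files, extensions "
                     f"{sorted({e['ext'] for e in group})}")
        lines.extend("  rename -> " + t for t in rename_targets(group))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample input the 18:24 entries (two drivers installed with MBAM) and the lone hamachi.sys are not flagged, while the 16:02 minute is, with all seven of its files listed as rename targets. Renaming rather than deleting, as the post suggests, keeps the files available for a later VirusTotal check while preventing them from being executed or loaded.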
Tosha0007 (author), posted 17 October 2008 (edited)

Have done it now; so far I'm not experiencing any problems. Going to remove one antivirus program and update Windows and Java. Will come back later if there are problems. If I don't experience any problems I can just delete the files, right?

Edited 17 October 2008 by tosha0007
snippsat, posted 17 October 2008

> If I don't experience any problems I can just delete the files, right?

Yes, just keep them on the system for a while; if everything works fine, just delete them after a while.
Tosha0007 (author), posted 17 October 2008 (edited)

Here's a spot check of some of the files. Everything looks completely fine.

File nijy.dl.bak received on 10.17.2008 15:36:28 (CET)
Result: 0/36 (0%)

File idelewe._dl.bak received on 10.17.2008 15:39:28 (CET)
Result: 0/36 (0%)

File iwazatyn.inf.bak received on 10.17.2008 15:42:26 (CET)
Result: 0/36 (0%)

File seqawu.lib.bak received on 10.17.2008 15:45:55 (CET)
Result: 0/36 (0%)

Then I'll delete them tonight when I have more time.

Edited 17 October 2008 by tosha0007