Enya, posted 23 October 2008 (edited)

Yes, I have agreed to help my neighbour with one of his machines. My first impression is that it is full of junk. I know computers fairly well, but I am not an expert on this subject, since I have rarely had problems with viruses, trojans etc. So here are my logs from MBAM, ComboFix and HijackThis.

MBAM

Malwarebytes' Anti-Malware 1.30
Database version: 1310
Windows 5.1.2600 Service Pack 2

23.10.2008 20:18:06
mbam-log-2008-10-23 (20-18-06).txt

Scan type: Quick Scan
Objects scanned: 43510
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix

ComboFix 08-10-23.01 - Olav 2008-10-23 20:26:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.259 [GMT 2:00]
Running from: E:\Documents and Settings\Olav\Skrivebord\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SYSREST.SYS
-------\Service_sysrest.sys

((((((((((((((((((((((((( Files Created from 2008-09-23 to 2008-10-23 )))))))))))))))))))))))))))))))
.
2008-10-23 20:12 . 2008-10-23 20:12 <DIR> d-------- E:\Programfiler\Malwarebytes' Anti-Malware
2008-10-23 20:12 . 2008-10-23 20:12 <DIR> d-------- E:\Documents and Settings\Olav\Programdata\Malwarebytes
2008-10-23 20:12 . 2008-10-23 20:12 <DIR> d-------- E:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-10-23 20:12 . 2008-10-22 16:10 38,496 --a------ E:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-23 20:12 . 2008-10-22 16:10 15,504 --a------ E:\WINDOWS\system32\drivers\mbam.sys
2008-10-23 20:06 . 2008-10-23 20:18 <DIR> dr-h----- E:\Documents and Settings\Olav\Siste
2008-10-23 20:03 . 2008-10-23 20:03 <DIR> d-------- E:\Programfiler\CCleaner
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 19:43 97,928 ----a-w E:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-19 19:23 10,520 ----a-w E:\WINDOWS\system32\avgrsstx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="E:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"HPHUPD05"="E:\Programfiler\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HP Component Manager"="E:\Programfiler\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="E:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="E:\WINDOWS\system32\hphmon05.exe" [2005-07-08 491520]
"DAEMON Tools-1033"="E:\Programfiler\D-Tools\daemon.exe" [2004-08-22 81920]
"Adobe Reader Speed Launcher"="E:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="E:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"AVG8_TRAY"="E:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"SoundMan"="SOUNDMAN.EXE" [2002-10-16 E:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

E:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
AutoCAD Startup Accelerator.lnk - E:\Programfiler\Fellesfiler\Autodesk Shared\acstart16.exe [2004-02-25 10872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Programfiler\\Messenger\\msmsgs.exe"=
"E:\\Programfiler\\AVG\\AVG8\\avgemc.exe"=
"E:\\Programfiler\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;E:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-02 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;E:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-02 875288]
R2 avg8wd;AVG Free8 WatchDog;E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-02 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;E:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-19 76040]
.
Contents of the 'Scheduled Tasks' folder

2008-10-12 E:\WINDOWS\Tasks\HP Usg Daily.job
- E:\Programfiler\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2005-07-08 06:55]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\Olav\Programdata\Mozilla\Firefox\Profiles\wc5npi0g.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - startsiden.no
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 20:30:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Programfiler\AVG\AVG8\avgrsx.exe
E:\Programfiler\AVG\AVG8\avgtray.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-23 20:31:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-23 18:31:46

Pre-Run: 244 450 398 208 bytes free
Post-Run: 244,490,002,432 bytes free

99

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:36:43, on 23.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
E:\Programfiler\HP\hpcoretech\hpcmpmgr.exe
E:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
E:\WINDOWS\system32\hphmon05.exe
E:\Programfiler\D-Tools\daemon.exe
E:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Programfiler\internet explorer\iexplore.exe
E:\Programfiler\Java\jre1.6.0_03\bin\jucheck.exe
E:\Programfiler\Trend Micro\HijackThis\test.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Programfiler\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] E:\Programfiler\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "E:\Programfiler\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "E:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] E:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "E:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = E:\Programfiler\Fellesfiler\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programfiler\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Programfiler\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - E:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4835 bytes

I know it can take time to analyse logs, but I hope someone feels like spending their time helping me.

Enya

Edited 23 October 2008 by Enya
norbat, posted 23 October 2008

The logs look fine. Is there anything that makes you suspect malware?
Enya (thread author), posted 23 October 2008

It was strange. Before I started applying my own skills, the symptom was that something resembling a "fake" bluescreen came up, with a countdown from 30 seconds until the machine restarted. If I pressed Enter, the machine went back to normal again. This "bluescreen" popped up regularly. I tried running a scan with AVG Free to solve the problem. It found some trojans, which I deleted. (I don't remember what they were called.) After this the bluescreen stopped appearing. I thought I had removed all the junk, but the machine runs slowly considering the hardware in it. So I ran another scan with AVG, and it finds this trojan that it is unable to delete: "Trojan horse KillAV.IL". A window from AVG also pops up regularly with a message that it is infected by a trojan that it is unable to fix.

Enya
norbat, posted 23 October 2008

Where does AVG say this trojan is located?
Enya (thread author), posted 23 October 2008

It says it is in c:\windows\system32\sysrest.sys
norbat, posted 23 October 2008

sysrest.sys is a trojan that runs as a service. ComboFix removed that service. AVG has perhaps put the file itself in quarantine? ComboFix shows no such file on your system now.
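Reading logs like the ones in this thread by eye is how the diagnosis above was reached; the question is which lines to look at first. The script below is an added example, not code from this thread or from Malwarebytes, ComboFix or HijackThis. It parses HijackThis O4/O20/O23 lines and ComboFix "Drivers/Services" and firewall lines in the formats posted above, and flags what a reviewer checks first: Run values with no path (resolved by PATH search), AppInit_DLLs, services with no vendor information, service entries that ComboFix removed (here Legacy_SYSREST.SYS and Service_sysrest.sys, which should be matched against a quarantined or deleted file), and firewall ports open to any source (3389/TCP above). The sample lines are copied from the logs in this thread, except one O23 line for a hypothetical "Example Updater" service (exupd.exe), which is constructed only to exercise the unknown-vendor check.

```python
"""Triage helper for HijackThis and ComboFix log lines (added example, not part of the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread, plus one
# hypothetical 'Unknown owner' service line (exupd.exe) added only to exercise that check.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Example Updater (exupd) - Unknown owner - E:\WINDOWS\system32\exupd.exe
"""

# Constructed sample: lines copied from the ComboFix log posted in this thread.
COMBOFIX_SAMPLE = r"""
-------\Legacy_SYSREST.SYS
-------\Service_sysrest.sys
R2 avg8wd;AVG Free8 WatchDog;E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-02 231704]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""


@dataclass
class Finding:
    severity: str  # "review" (look at this first) or "info"
    item: str      # the raw log line the finding refers to
    note: str      # why it was flagged


HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
HJT_RUN = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HJT_SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

CF_DELETED = re.compile(r"^-------\\(?:Legacy_|Service_)?(?P<name>.+)$")
CF_OPENPORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')


def first_token(cmd: str) -> str:
    """Return the executable part of a Run value, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_hijackthis(text: str) -> list[Finding]:
    """Flag HijackThis O4 / O20 / O23 lines that deserve a second look."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            run = HJT_RUN.match(body)
            if run and "\\" not in first_token(run.group("cmd")):
                findings.append(Finding("review", line,
                    "Run value has no path, so the binary is located by PATH search; "
                    "a same-named file earlier in PATH would run instead"))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                findings.append(Finding("review", line,
                    f"AppInit_DLLs injects {dlls} into every process that loads user32.dll; "
                    "confirm the file belongs to the vendor it claims"))
        elif code == "O23":
            svc = HJT_SERVICE.match(body)
            if svc and svc.group("vendor").lower() == "unknown owner":
                findings.append(Finding("review", line,
                    f"service {svc.group('name')} has no vendor information: {svc.group('path')}"))
    return findings


def parse_combofix(text: str) -> list[Finding]:
    """Record service entries ComboFix deleted and firewall ports open to any source."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        deleted = CF_DELETED.match(line)
        if deleted:
            findings.append(Finding("info", line,
                f"service/driver entry {deleted.group('name')} was removed; "
                "confirm the backing file is gone or quarantined"))
            continue
        port = CF_OPENPORT.match(line)
        if port:
            findings.append(Finding("review", line,
                f"firewall exception leaves {port.group('port')}/{port.group('proto')} open to any source"))
    return findings


def triage(hjt_text: str, cf_text: str) -> list[Finding]:
    """Combine both parsers, 'review' items first (sort is stable, so log order is kept within a group)."""
    found = parse_hijackthis(hjt_text) + parse_combofix(cf_text)
    return sorted(found, key=lambda f: f.severity != "review")


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, COMBOFIX_SAMPLE):
        print(f"[{f.severity}] {f.item}\n    {f.note}")
```

On the logs above this reports SOUNDMAN.EXE (no path), avgrsstx.dll in AppInit_DLLs, the two removed SYSREST entries and the 3389/TCP exception. Those are prompts for a check, not verdicts: AVG's own files account for the AppInit_DLLs entry, and the removed service entries are consistent with the file having been quarantined, which is the point made in the reply above.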
Enya (thread author), posted 23 October 2008 (edited)

It is possible ComboFix removed it. Running a new scan with AVG now to see what it finds. Of course I should have scanned with AVG after going through the little guide here, before posting a thread.

Edit: The AVG scan has now finished, and it found nothing this time. Thanks for the quick help, norbat.

Enya

Edited 23 October 2008 by Enya