objeCt, posted 8 December 2008 (edited)

Here is my report from Malwarebytes. Does it look OK?

Malwarebytes' Anti-Malware 1.31
Databaseversjon: 1475
Windows 5.1.2600 Service Pack 3

08.12.2008 20:14:11
mbam-log-2008-12-08 (20-14-11).txt

Skanntype: Rask Skann
Objekter skannet: 41734
Tid tilbakelagt: 2 minute(s), 9 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 1
Registernøkler infisert: 1
Registerverdier infisert: 0
Registerfiler infisert: 2
Mapper infisert: 1
Filer infisert: 2

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
C:\WINDOWS\system32\prio.dll (Spyware.OnlineGames) -> Delete on reboot.

Registernøkler infisert:
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Mapper infisert:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Filer infisert:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prio.dll (Spyware.OnlineGames) -> Delete on reboot.

Here is the ComboFix report:

d:\resycled\boot.com
.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.
2008-12-08 20:09 . 2008-12-08 20:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 20:09 . 2008-12-08 20:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-08 20:09 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 20:09 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-08 19:59 . 2008-11-13 16:20 203,540 --a------ c:\windows\system32\nvapps.nvb
2008-12-08 19:55 . 2008-07-29 13:33 446,464 --a------ c:\windows\system32\nvunrm.exe
2008-12-08 19:55 . 2008-07-29 13:30 6,045 --a------ c:\windows\system32\nvnrm.nvu
2008-12-08 19:24 . 2008-12-08 19:24 <DIR> d-------- c:\program files\ffdshow
2008-12-08 19:24 . 2007-11-29 12:52 60,273 --a------ c:\windows\system32\pthreadGC2.dll
2008-12-08 19:24 . 2007-12-24 13:47 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-12-08 19:24 . 2007-11-29 12:52 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-12-08 19:23 . 2008-12-08 19:24 <DIR> d-------- c:\program files\TVersity Codec Pack
2008-12-08 19:22 . 2008-12-08 19:22 <DIR> d-------- c:\program files\TVersity
2008-12-08 18:33 . 2008-12-08 18:54 202,040 --a------ c:\windows\system32\PnkBstrB.exe
2008-12-08 18:33 . 2008-12-08 18:54 137,688 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2008-12-08 18:32 . 2008-12-08 18:32 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2008-12-08 18:22 . 2008-12-08 18:22 <DIR> d-------- c:\program files\VideoLAN
2008-12-08 18:05 . 2007-07-30 19:19 1,712,984 --a------ c:\windows\system32\wuaueng.dll
2008-12-08 18:05 . 2007-07-30 19:19 549,720 --a------ c:\windows\system32\wuapi.dll
2008-12-08 18:05 . 2007-07-30 19:19 325,976 --a------ c:\windows\system32\wucltui.dll
2008-12-08 18:05 . 2007-07-30 19:19 216,408 --a------ c:\windows\system32\wuaucpl.cpl
2008-12-08 18:05 . 2007-07-30 19:19 203,096 --a------ c:\windows\system32\wuweb.dll
2008-12-08 18:05 . 2007-07-30 19:19 92,504 --a------ c:\windows\system32\cdm.dll
2008-12-08 18:05 . 2007-07-30 19:19 53,080 --a------ c:\windows\system32\wuauclt.exe
2008-12-08 18:05 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2008-12-08 18:05 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
2008-12-08 18:03 . 2006-09-11 17:27 356,352 --------- c:\windows\system32\nvuide.exe
2008-12-08 18:03 . 2008-07-10 04:07 7,143 --a------ c:\windows\system32\nvide.nvu
2008-12-08 18:02 . 2008-08-20 18:35 453,152 --a------ c:\windows\system32\nvusmb.exe
2008-12-08 18:02 . 2008-08-19 11:41 2,344 --a------ c:\windows\system32\nvsmb.nvu
2008-12-08 18:01 . 2008-12-08 18:01 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-12-08 18:01 . 2008-12-08 17:39 <DIR> d-------- C:\NVIDIA
2008-12-08 18:01 . 2008-11-12 13:45 453,152 --a------ c:\windows\system32\NVUNINST.EXE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 20:01 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 20:01 --------- d-----w c:\program files\NVIDIA Corporation
2008-12-08 19:42 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2008-12-08 18:28 --------- d-----w c:\documents and settings\Administrator\Application Data\Ventrilo
2008-12-08 17:52 --------- d-----w c:\program files\Windows Live
2008-12-08 17:51 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-08 17:51 --------- d-----w c:\program files\Microsoft
2008-12-08 17:49 62,633 ----a-w c:\windows\prio197uninstall.exe
2008-12-08 17:49 --------- d-----w c:\program files\uTorrent
2008-12-08 17:47 --------- d-----w c:\program files\Common Files\Windows Live
2008-12-08 17:43 315,392 ----a-w c:\windows\HideWin.exe
2008-12-08 17:43 --------- d-----w c:\program files\Realtek
2008-12-08 17:34 --------- d-----w c:\program files\Xfire
2008-12-08 17:34 --------- d-----w c:\documents and settings\Administrator\Application Data\Xfire
2008-12-08 17:33 --------- d-----w c:\program files\Ventrilo
2008-12-08 17:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-08 17:29 --------- d-----w c:\program files\AGEIA Technologies
2008-12-08 17:28 --------- d-----w c:\program files\Opera
2008-12-08 17:15 --------- d-----w c:\program files\Alwil Software
2008-11-20 20:45 42,320 ----a-w c:\windows\system32\xfcodec.dll
2008-10-13 09:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-09-09 00:03 51,712 ----a-w c:\windows\system32\sirenacm.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-05-03 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-09 3513344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-31 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-17 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-08-13 c:\windows\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=prio.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Spill\\Call Of Duty 4\\iw3mp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/8/2008 5:15:10 PM 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [12/8/2008 5:15:10 PM 20560]
R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [12/8/2008 8:09:55 PM 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AutorunPlayer.exe RightAutorunPro.dat

*Newly Created Service* - CATCHME
*Newly Created Service* - MBAMSWISSARMY
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SR
*Newly Created Service* - SRSERVICE
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\43uyhxff.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 20:22:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-08 20:23:02
ComboFix-quarantined-files.txt 2008-12-08 20:22:53

Pre-Run: 37 318 930 432 bytes free
Post-Run: 37,355,167,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

165

Here is the Trend Micro thing:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:26:53, on 08.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Desktop\New Folder\halla.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: prio.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3402 bytes

How does this look? Thanks for the nice guide, Nobat.

Edited 8 December 2008 by objeCt
raWrz, posted 9 December 2008

Go to http://virusscan.jotti.org , click Browse, and upload the following file for analysis:

C:\Documents and Settings\All Users\Desktop\New Folder\halla.exe

Then click Submit. Accept that the file is scanned. Finally, copy the result and paste it into your next post so I can look at it and decide what needs to be done next.