poinnbrok - Posted 11 February 2009

Hi! Thanks for the welcome, and sorry for posting in the wrong place. My machine was just about going under here until I followed norbat's guide - VirusTotal, Malwarebytes and ComboFix. It has gotten a lot better now, but I suspect there is still some junk left in the system. Posting the log files from these:

ComboFix:

ComboFix 09-02-10.01 - Wiggo 2009-02-10 20:11:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.47.1044.18.1023.681 [GMT 1:00]
Running from: c:\documents and settings\Wiggo\Skrivebord\ComboFix.exe
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\CMMGR32.EXE
c:\windows\system32\tdsspopup1.url
c:\windows\system32\tdsspopup2.url
c:\windows\system32\tdsspopup3.url
c:\windows\system32\windows_update.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV
-------\Service_TDSSserv

((((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))))
.
2009-02-10 19:43 . 2009-02-10 19:43 61,440 --a------ c:\windows\system32\drivers\cxabhol.sys
2009-02-10 19:35 . 2009-02-10 19:35 <DIR> d-------- c:\programfiler\Malwarebytes' Anti-Malware
2009-02-10 19:35 . 2009-02-10 19:35 <DIR> d-------- c:\documents and settings\Wiggo\Programdata\Malwarebytes
2009-02-10 19:35 . 2009-02-10 19:35 <DIR> d-------- c:\documents and settings\All Users\Programdata\Malwarebytes
2009-02-10 19:35 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 19:35 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-08 17:42 . 2009-02-08 17:42 <DIR> dr-h----- c:\documents and settings\Wiggo\Siste
2009-01-24 19:39 . 2009-02-04 18:05 <DIR> dr-h----- c:\documents and settings\Stian Evensen\Siste
2009-01-22 14:12 . 2009-01-22 14:12 60,968 --a------ c:\documents and settings\Stian Evensen\GoToAssistDownloadHelper.exe
2009-01-21 19:08 . 2009-01-21 19:08 <DIR> d-------- c:\programfiler\Microsoft Silverlight
2009-01-18 17:18 . 2009-01-18 17:18 <DIR> d-------- c:\programfiler\Trend Micro
2009-01-15 21:28 . 2009-01-15 21:28 <DIR> d-------- c:\programfiler\Spotify
2009-01-15 21:28 . 2009-02-05 14:34 <DIR> d-------- c:\documents and settings\Stian Evensen\Programdata\Spotify
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
28977-01-30 03:25 --------- d-----w c:\programfiler\Windows Journal Viewer
28977-01-30 03:25 --------- d-----w c:\programfiler\microsoft frontpage
28977-01-30 03:25 --------- d-----w c:\programfiler\HighMAT CD Writing Wizard
28977-01-30 03:25 --------- d-----w c:\programfiler\Fellesfiler\Tjenester
2009-02-09 22:27 --------- d-----w c:\documents and settings\Stian Evensen\Programdata\Skype
2009-02-04 17:06 --------- d-----w c:\documents and settings\Stian Evensen\Programdata\Azureus
2009-01-28 12:07 --------- d-----w c:\documents and settings\Wiggo\Programdata\Winamp
2009-01-22 12:59 90,112 ----a-w c:\windows\DUMP6baa.tmp
2009-01-22 12:52 --------- d-----w c:\programfiler\Spybot - Search & Destroy
2009-01-22 12:52 --------- d-----w c:\documents and settings\All Users\Programdata\Spybot - Search & Destroy
2009-01-22 12:51 --------- d-----w c:\programfiler\SUPERAntiSpyware
2009-01-22 12:51 --------- d-----w c:\programfiler\Fellesfiler\Wise Installation Wizard
2009-01-22 12:51 --------- d-----w c:\documents and settings\Stian Evensen\Programdata\SUPERAntiSpyware.com
2009-01-22 12:50 --------- d-----w c:\programfiler\iTunes
2009-01-22 12:50 --------- d-----w c:\programfiler\iPod
2009-01-22 12:48 --------- d-----w c:\programfiler\Lavasoft
2009-01-21 16:36 --------- d-----w c:\programfiler\Safari
2009-01-16 13:53 --------- d-----w c:\programfiler\NCH Software
2009-01-16 13:53 --------- d-----w c:\documents and settings\All Users\Programdata\NCH Software
2009-01-07 19:46 17 -c--a-w c:\programfiler\stinger.opt
2009-01-07 18:06 --------- d-----w c:\programfiler\Mozilla Firefox 3 Beta 5
2009-01-07 18:05 --------- d-----w c:\programfiler\Bonjour
2008-12-31 15:50 --------- d-----w c:\programfiler\CCleaner
2008-12-31 15:44 --------- d-----w c:\programfiler\Fellesfiler\Adobe
2008-12-31 14:47 --------- d-----w c:\documents and settings\Wiggo\Programdata\vlc
2008-12-30 13:38 --------- d-----w c:\documents and settings\All Users\Programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-30 13:33 --------- d-----w c:\programfiler\QuickTime
2008-12-30 13:31 --------- d-----w c:\programfiler\Fellesfiler\Apple
2008-12-15 21:06 --------- d-----w c:\documents and settings\Stian Evensen\Programdata\NCH Software
2008-12-15 20:45 --------- d-----w c:\programfiler\WinAVI Video Converter
2008-12-15 20:35 --------- d-----w c:\programfiler\AVI MPEG Video Converter
2008-12-11 20:30 --------- d-----w c:\programfiler\NCH Swift Sound
2008-12-11 20:30 --------- d-----w c:\documents and settings\Stian Evensen\Programdata\NCH Swift Sound
2008-12-11 20:30 --------- d-----w c:\documents and settings\All Users\Programdata\NCH Swift Sound
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2008-12-10 14:26 --------- d-----w c:\documents and settings\Wiggo\Programdata\Apple Computer
2008-12-09 18:25 133 ---ha-w c:\documents and settings\Stian Evensen\Programdata\lakerda1967.sys
2008-12-09 18:24 360,580 ----a-w c:\windows\eSellerateEngine.dll
2006-10-23 14:41 1,886 ----a-w c:\documents and settings\Stian Evensen\speed.exe
2006-06-26 22:12 17 -c--a-w c:\programfiler\stng260.opt
2006-04-19 10:23 1,144,839 -c--a-w c:\programfiler\stng260.exe
2005-03-01 21:47 53,760 ----a-w c:\programfiler\DRTCP021.exe
2005-01-31 12:30 980,487 -c--a-w c:\programfiler\stinger.exe
2004-08-18 11:27 509,440 ----a-w c:\programfiler\dt346.exe
2005-02-02 21:34 56 --sh--r c:\windows\system32\0E952814AF.sys
.
(((((((((((((((((((((((((((((((( Startup Points in the Registry )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & valid default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\programfiler\Messenger\MSMSGS.EXE" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="c:\programfiler\D-Tools\daemon.exe" [2004-03-12 81920]
"StartupMonitor"="c:\programfiler\SNP Software\StartupMonitor\StartupMonitor.exe" [2005-11-09 181760]
"SunJavaUpdateSched"="c:\programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PWRISOVM.EXE"="c:\programfiler\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"HP Software Update"="c:\programfiler\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"AppleSyncNotifier"="c:\programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"Norman ZANDA"="c:\norman\NVC\BIN\ZLH.EXE" [2003-06-13 90112]
"QuickTime Task"="c:\programfiler\QuickTime\QTTask.exe" [2008-11-04 413696]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\Stian Evensen\Start-meny\Programmer\Oppstart\
MagicDisc.lnk - c:\programfiler\MagicDisc\MagicDisc.exe [2008-01-11 557568]

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
HP Digital Imaging Monitor.lnk - c:\programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Hurtigstart.lnk - c:\programfiler\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Hurtigstart for Adobe Reader.lnk - c:\programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.X264"= x264vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^GStartup.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\GStartup.lnk
backup=c:\windows\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Hurtigstart for Adobe Reader.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\Hurtigstart for Adobe Reader.lnk
backup=c:\windows\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2005-08-12 14:43 45056 c:\programfiler\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2003-11-25 20:10 335872 c:\programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--------- 2004-08-04 09:03 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2005-04-12 10:15 1383936 c:\programfiler\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\programfiler\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2002-02-04 21:32 53248 c:\programfiler\REGSHAVE\Regshave.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-12-18 17:32 25365032 c:\programfiler\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2005-08-27 18:50 1249280 c:\programfiler\Valve\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 c:\programfiler\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-28 21:47 185896 c:\programfiler\Fellesfiler\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 19:49 36352 c:\programfiler\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-02-26 14:53 65024 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"InCDsrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programfiler\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Stian Evensen\\Lokale innstillinger\\Programdata\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Stian Evensen\\Lokale innstillinger\\Programdata\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Programfiler\\Vuze\\Azureus.exe"=
"c:\\Programfiler\\Bonjour\\mDNSResponder.exe"=
"c:\\Programfiler\\iTunes\\iTunes.exe"=
"c:\\Programfiler\\Spotify\\spotify.exe"=
"c:\\Programfiler\\Skype\\Phone\\Skype.exe"=

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2004-08-18 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2004-08-18 5248]
S2 WinDefend;Windows Defender;"c:\programfiler\Windows Defender\MsMpEng.exe" --> c:\programfiler\Windows Defender\MsMpEng.exe [?]
S3 FVNETusbXP;Belkin 11Mbps Wireless USB Network Adapter®;c:\windows\system32\DRIVERS\bkusbxp.sys --> c:\windows\system32\DRIVERS\bkusbxp.sys [?]
S3 jfdcd;jfdcd;\??\c:\docume~1\STIANE~1\LOKALE~1\Temp\jfdcd.sys --> c:\docume~1\STIANE~1\LOKALE~1\Temp\jfdcd.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [2007-11-16 30464]
.
Contents of the 'Scheduled Tasks' folder
2009-01-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programfiler\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4118616476-2326668858-2435834782-1007.job
- c:\documents and settings\Stian Evensen\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe [2008-11-17 18:26]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-AceGain LiveUpdate - c:\programfiler\AceGain\LiveUpdate\LiveUpdate.exe
MSConfigStartUp-iTunesHelper - c:\programfiler\iTunes\iTunesHelper.exe
MSConfigStartUp-Yahoo! Pager - c:\programfiler\Yahoo!\Messenger\ypager.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl
MSConfigStartUp-SSP - SSPSupport.exe
.
------- Supplementary Scan -------
.
mStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
uInternet Settings,ProxyServer = 192.168.30.30:8080
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} - hxxp://www.euchannels.net/update/KooPlayer.ocx
FF - ProfilePath - c:\documents and settings\Wiggo\Programdata\Mozilla\Firefox\Profiles\xdu6pa4w.default\
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programfiler\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\programfiler\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\programfiler\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\programfiler\Mozilla Firefox\plugins\npsabffx.dll
FF - plugin: c:\windows\system32\SuperAdBlocker.com\npsabffx.dll

---- FIREFOX POLICIES ----
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 20:18:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\programfiler\Bonjour\mDNSResponder.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\norman\NVC\BIN\Zanda.exe
c:\windows\system32\rundll32.exe
c:\programfiler\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-02-10 20:21:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-10 19:21:57
ComboFix2.txt 2006-10-23 19:39:34

Pre-Run: 1 130 401 792 bytes free
Post-Run: 1,610,457,088 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
244 --- E O F --- 2009-01-19 18:17:25

Malwarebytes:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

10.02.2009 19:42:55
mbam-log-2009-02-10 (19-42-55).txt

Scan type: Quick Scan
Objects scanned: 52769
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No suspicious files found)

Memory Modules Infected:
(No suspicious files found)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\ToolbarInst.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No suspicious files found)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Trace) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Trace) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No suspicious files found)

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf1.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\ (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSerrors.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsspopup.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.TDSS) -> Delete on reboot.

VirusTotal:

Antivirus | Version | Last Update | Result
a-squared | - | - | Hoax.Win32.Agent.fu!A2
AhnLab-V3 | - | - | Win-Trojan/Avenger.61440
AntiVir | - | - | -
Authentium | - | - | -
Avast | - | - | -
AVG | - | - | -
BitDefender | - | - | -
CAT-QuickHeal | - | - | -
ClamAV | - | - | -
Comodo | - | - | -
DrWeb | - | - | -
eSafe | - | - | Hoax.Win32.Agent.fu
eTrust-Vet | - | - | -
F-Prot | - | - | -
F-Secure | - | - | -
Fortinet | - | - | PossibleThreat
GData | - | - | -
Ikarus | - | - | -
K7AntiVirus | - | - | Trojan.Win32.Malware.2
Kaspersky | - | - | -
McAfee | - | - | -
McAfee+Artemis | - | - | -
Microsoft | - | - | -
NOD32 | - | - | -
Norman | - | - | W32/Agent.HHSF
nProtect | - | - | -
Panda | - | - | -
PCTools | - | - | Trojan-PWS.Bancos.PWN
Prevx1 | - | - | Malicious Software
Rising | - | - | -
SecureWeb-Gateway | - | - | -
Sophos | - | - | -
Sunbelt | - | - | -
Symantec | - | - | -
TheHacker | - | - | -
TrendMicro | - | - | -
VBA32 | - | - | -
ViRobot | - | - | Hoax..Agent.61440
VirusBuster | - | - | -
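The triage a helper does by hand on a log like the one above can be scripted: flag drivers that load from a Temp or user-profile directory (the jfdcd entry), entries whose image file ComboFix could not examine (the `[?]` suffix, which is either an orphaned service or a hidden file), service names with the TDSS prefix, and anything appended to the Winlogon Userinit value (the Malware.Trace items in the MBAM log). The following is an added example written for this page; it is not part of the thread, of ComboFix or of Malwarebytes. The service lines are copied from the ComboFix log above, the TDSSserv line and the two Userinit values are constructed from what the logs report, and the regular expression assumes ComboFix's `Rn/Sn name;display;path [date size]` line layout.

```python
"""Triage helper for ComboFix driver/service lines and the Winlogon Userinit value.
Added example: not part of the forum thread, ComboFix or Malwarebytes."""
import re
from dataclasses import dataclass

# ComboFix lists services as  R0 name;display name;image path [date size]
# and appends " --> resolved path [?]" when it could not read the file.
# (Assumed layout, taken from the lines in the log above.)
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

# A kernel driver living under a user profile or a Temp directory is a red flag:
# legitimate drivers are installed under %SystemRoot%\system32\drivers.
SUSPICIOUS_DIRS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\",
                   "\\programdata\\", "\\application data\\")

# Stock Winlogon Userinit on Windows XP. Malware appends itself here, comma
# separated, to run at every logon; the MBAM log above shows that trace.
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"


@dataclass
class Finding:
    item: str
    reason: str


def _image_path(rest: str) -> str:
    """Return the on-disk path from the tail of a service line."""
    if "-->" in rest:                      # prefer the path ComboFix resolved
        rest = rest.split("-->", 1)[1]
    rest = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest)   # drop "[date size]" / "[?]"
    return rest.strip().strip('"')


def triage_services(lines):
    """Flag driver/service entries a malware-removal helper would look at first."""
    findings = []
    for raw in lines:
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        name, rest = m.group("name"), m.group("rest")
        path = _image_path(rest).lower()
        if name.lower().startswith("tdss"):
            findings.append(Finding(name, "service name matches the TDSS rootkit naming"))
        if any(d in path for d in SUSPICIOUS_DIRS):
            findings.append(Finding(name, "driver loads from a user-writable directory: " + path))
        if rest.rstrip().endswith("[?]"):
            findings.append(Finding(name, "image file missing or unreadable: " + path))
    return findings


def check_userinit(value: str):
    """Return every entry in a Winlogon\\Userinit value that is not the stock userinit.exe."""
    entries = [e.strip().strip('"').lower() for e in value.split(",")]
    return [e for e in entries if e and e not in (DEFAULT_USERINIT, "userinit.exe")]


# Sample input: service lines copied from the ComboFix log above, plus one
# constructed TDSSserv line built from the service ComboFix reported deleting.
SAMPLE_SERVICE_LINES = [
    r"R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2004-08-18 156800]",
    r'S2 WinDefend;Windows Defender;"c:\programfiler\Windows Defender\MsMpEng.exe" --> c:\programfiler\Windows Defender\MsMpEng.exe [?]',
    r"S3 jfdcd;jfdcd;\??\c:\docume~1\STIANE~1\LOKALE~1\Temp\jfdcd.sys --> c:\docume~1\STIANE~1\LOKALE~1\Temp\jfdcd.sys [?]",
    r"S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]",
    r"S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [2007-11-16 30464]",
    r"S1 TDSSserv;TDSSserv;c:\windows\system32\drivers\tdssserv.sys [?]",   # constructed
]

# Constructed Userinit values: the clean default and one with a trailing entry,
# modelled on the Malware.Trace data items in the MBAM log above.
SAMPLE_USERINIT_CLEAN = "C:\\WINDOWS\\system32\\userinit.exe,"
SAMPLE_USERINIT_DIRTY = "C:\\WINDOWS\\system32\\userinit.exe,c:\\windows\\system32\\"

if __name__ == "__main__":
    for f in triage_services(SAMPLE_SERVICE_LINES):
        print(f"{f.item:14} {f.reason}")
    print("Userinit extras:", check_userinit(SAMPLE_USERINIT_DIRTY))
```

Run against the sample, it reports jfdcd twice (user-writable path and unreadable image), WinDefend and SetupNTGLM7X once as unreadable (the former is a leftover service entry for an uninstalled product, the latter points at a removable drive), and TDSSserv on its name; d346bus and USBAAPL, which live under system32\drivers with a readable file, produce nothing. A `[?]` on its own is not proof of malware, which is why the path heuristic and the name check are kept separate.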
norbat - Posted 11 February 2009

Open Notepad and paste in what is shown in bold below, then save the file on the desktop as CFScript.txt. Then drag the file onto the ComboFix icon. ComboFix will start again.

File::
c:\windows\system32\drivers\cxabhol.sys
c:\windows\DUMP6baa.tmp

Driver::
jfdcd

You should also check these files on VirusTotal:

c:\documents and settings\your username\speed.exe
c:\programfiler\dt346.exe
c:\windows\system32\0E952814AF.sys

Post the new ComboFix log and report back on whether anything was found on the three files.
poinnbrok (thread author) - Posted 19 February 2009

New ComboFix log:

ComboFix 09-02-18.01 - Stian Evensen 2009-02-19 18:35:15.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.47.1044.18.1023.570 [GMT 1:00]
Running from: c:\documents and settings\Wiggo\Skrivebord\ComboFix.exe
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\d3d8caps.dat
.
((((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))))
.
2009-02-17 17:31 . 2009-02-17 17:31 <DIR> d-------- c:\documents and settings\All Users\Programdata\HP Product Assistant
2009-02-12 22:44 . 2009-02-12 23:23 <DIR> d-------- c:\documents and settings\Wiggo\Programdata\Spotify
2009-02-11 19:29 . 2009-02-11 19:29 <DIR> d-------- c:\documents and settings\Stian Evensen\Programdata\Malwarebytes
2009-02-10 22:02 . 2009-02-10 22:02 <DIR> d-------- c:\documents and settings\Wiggo\Programdata\AdobeUM
2009-02-10 20:48 . 2009-02-10 20:39 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-10 20:41 . 2009-02-10 20:39 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-10 20:39 . 2009-02-10 20:39 <DIR> d--h-c--- c:\documents and settings\All Users\Programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-10 19:35 . 2009-02-10 19:35 <DIR> d-------- c:\programfiler\Malwarebytes' Anti-Malware
2009-02-10 19:35 . 2009-02-10 19:35 <DIR> d-------- c:\documents and settings\Wiggo\Programdata\Malwarebytes
2009-02-10 19:35 . 2009-02-10 19:35 <DIR> d-------- c:\documents and settings\All Users\Programdata\Malwarebytes
2009-02-10 19:35 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 19:35 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-08 17:42 . 2009-02-12 23:43 <DIR> dr-h----- c:\documents and settings\Wiggo\Siste
2009-01-24 19:39 . 2009-02-18 21:32 <DIR> dr-h----- c:\documents and settings\Stian Evensen\Siste
2009-01-22 14:12 . 2009-01-22 14:12 60,968 --a------ c:\documents and settings\Stian Evensen\GoToAssistDownloadHelper.exe
2009-01-21 19:08 . 2009-01-21 19:08 <DIR> d-------- c:\programfiler\Microsoft Silverlight
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
28977-01-30 03:25 --------- d-----w c:\programfiler\Windows Journal Viewer
28977-01-30 03:25 --------- d-----w c:\programfiler\microsoft frontpage
28977-01-30 03:25 --------- d-----w c:\programfiler\HighMAT CD Writing Wizard
28977-01-30 03:25 --------- d-----w c:\programfiler\Fellesfiler\Tjenester
2009-02-19 17:33 --------- d-----w c:\documents and settings\Stian Evensen\Programdata\Skype
2009-02-18 21:33 --------- d-----w c:\documents and settings\Stian Evensen\Programdata\Spotify
2009-02-10 19:38 --------- d-----w c:\programfiler\Lavasoft
2009-02-04 17:06 --------- d-----w c:\documents and settings\Stian Evensen\Programdata\Azureus
2009-01-28 12:07 --------- d-----w c:\documents and settings\Wiggo\Programdata\Winamp
2009-01-22 12:52 --------- d-----w c:\programfiler\Spybot - Search & Destroy
2009-01-22 12:52 --------- d-----w c:\documents and settings\All Users\Programdata\Spybot - Search & Destroy
2009-01-22 12:51 --------- d-----w c:\programfiler\SUPERAntiSpyware
2009-01-22 12:51 --------- d-----w c:\programfiler\Fellesfiler\Wise Installation Wizard
2009-01-22 12:51 --------- d-----w c:\documents and settings\Stian Evensen\Programdata\SUPERAntiSpyware.com
2009-01-22 12:50 --------- d-----w c:\programfiler\iTunes
2009-01-22 12:50 --------- d-----w c:\programfiler\iPod
2009-01-21 16:36 --------- d-----w c:\programfiler\Safari
2009-01-18 16:18 --------- d-----w c:\programfiler\Trend Micro
2009-01-16 13:53 --------- d-----w c:\programfiler\NCH Software
2009-01-16 13:53 --------- d-----w c:\documents and settings\All Users\Programdata\NCH Software
2009-01-15 20:28 --------- d-----w c:\programfiler\Spotify
2009-01-07 19:46 17 -c--a-w c:\programfiler\stinger.opt
2009-01-07 18:06 --------- d-----w c:\programfiler\Mozilla Firefox 3 Beta 5
2009-01-07 18:05 --------- d-----w c:\programfiler\Bonjour
2008-12-31 15:50 --------- d-----w c:\programfiler\CCleaner
2008-12-31 15:44 --------- d-----w c:\programfiler\Fellesfiler\Adobe
2008-12-31 14:47 --------- d-----w c:\documents and settings\Wiggo\Programdata\vlc
2008-12-30 13:38 --------- d-----w c:\documents and settings\All Users\Programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-30 13:33 --------- d-----w c:\programfiler\QuickTime
2008-12-30 13:31 --------- d-----w c:\programfiler\Fellesfiler\Apple
2008-12-15 20:50 86,016 ----a-w c:\windows\system32\OpenAL32.dll
2008-12-15 20:50 262,144 ----a-w c:\windows\system32\wrap_oal.dll
2008-12-12 10:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 10:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-09 18:25 133 ---ha-w c:\documents and settings\Stian Evensen\Programdata\lakerda1967.sys
2008-12-09 18:24 360,580 ----a-w c:\windows\eSellerateEngine.dll
2006-10-23 14:41 1,886 ----a-w c:\documents and settings\Stian Evensen\speed.exe
2006-06-26 22:12 17 -c--a-w c:\programfiler\stng260.opt
2006-04-19 10:23 1,144,839 -c--a-w c:\programfiler\stng260.exe
2005-03-01 21:47 53,760 ----a-w c:\programfiler\DRTCP021.exe
2005-01-31 12:30 980,487 -c--a-w c:\programfiler\stinger.exe
2004-08-18 11:27 509,440 ----a-w c:\programfiler\dt346.exe
2005-02-02 21:34 56 --sh--r c:\windows\system32\0E952814AF.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-02-11_21.13.39.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-11 20:05:26 4,132 ----a-w c:\windows\bthservsdp.dat
+ 2009-02-18 21:33:44 4,132 ----a-w c:\windows\bthservsdp.dat
+ 2009-02-17 16:31:58 10,134 ----a-r c:\windows\Installer\{36FDBE6E-6684-462B-AE98-9A39A1B200CC}\ARPPRODUCTICON.exe
- 2007-11-30 12:39:50 17,784 ------w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:44:41 17,784 ------w c:\windows\system32\spmsg.dll
+ 2006-03-23 10:15:32 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_6e85597b\ATL80.dll
+ 2006-03-23 10:14:36 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\msvcm80.dll
+ 2006-03-23 10:14:36 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\msvcp80.dll
+ 2006-03-23 10:14:36 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\msvcr80.dll
+ 2006-03-23 11:44:12 1,093,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_decbdf0c\mfc80.dll
+ 2006-03-23 11:44:16 1,079,808 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_decbdf0c\mfc80u.dll
+ 2006-03-23 11:44:20 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_decbdf0c\mfcm80.dll
+ 2006-03-23 11:44:20 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_decbdf0c\mfcm80u.dll
.
(((((((((((((((((((((((((((((((( Startup Points in the Registry )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & valid default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programfiler\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Skype"="c:\programfiler\Skype\Phone\Skype.exe" [2006-12-18 25365032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="c:\programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\Stian Evensen\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe" [2008-11-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="c:\programfiler\D-Tools\daemon.exe" [2004-03-12 81920]
"StartupMonitor"="c:\programfiler\SNP Software\StartupMonitor\StartupMonitor.exe" [2005-11-09 181760]
"SunJavaUpdateSched"="c:\programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PWRISOVM.EXE"="c:\programfiler\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"HP Software Update"="c:\programfiler\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"AppleSyncNotifier"="c:\programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"Norman ZANDA"="c:\norman\NVC\BIN\ZLH.EXE" [2003-06-13 90112]
"QuickTime Task"="c:\programfiler\QuickTime\QTTask.exe" [2008-11-04 413696]
"Ad-Watch"="c:\programfiler\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-10 509784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\Stian Evensen\Start-meny\Programmer\Oppstart\
MagicDisc.lnk - c:\programfiler\MagicDisc\MagicDisc.exe [2008-01-11 557568]

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
HP Digital Imaging Monitor.lnk - c:\programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Hurtigstart.lnk - c:\programfiler\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Hurtigstart for Adobe Reader.lnk - c:\programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.X264"= x264vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^GStartup.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\GStartup.lnk
backup=c:\windows\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Hurtigstart for Adobe Reader.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\Hurtigstart for Adobe Reader.lnk
backup=c:\windows\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2005-08-12 14:43 45056 c:\programfiler\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2003-11-25 20:10 335872 c:\programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--------- 2004-08-04 09:03 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2005-04-12 10:15 1383936 c:\programfiler\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\programfiler\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2002-02-04 21:32 53248 c:\programfiler\REGSHAVE\Regshave.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-12-18 17:32 25365032 c:\programfiler\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2005-08-27 18:50 1249280 c:\programfiler\Valve\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 c:\programfiler\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-28 21:47 185896 c:\programfiler\Fellesfiler\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 19:49 36352 c:\programfiler\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-02-26 14:53 65024 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"InCDsrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programfiler\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Stian Evensen\\Lokale innstillinger\\Programdata\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Stian Evensen\\Lokale innstillinger\\Programdata\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Programfiler\\Vuze\\Azureus.exe"=
"c:\\Programfiler\\Bonjour\\mDNSResponder.exe"=
"c:\\Programfiler\\iTunes\\iTunes.exe"=
"c:\\Programfiler\\Spotify\\spotify.exe"=
"c:\\Programfiler\\Skype\\Phone\\Skype.exe"=

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2004-08-18 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2004-08-18 5248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-10 64160]
S2 WinDefend;Windows Defender;"c:\programfiler\Windows Defender\MsMpEng.exe" --> c:\programfiler\Windows Defender\MsMpEng.exe [?]
S3 FVNETusbXP;Belkin 11Mbps Wireless USB Network Adapter®;c:\windows\system32\DRIVERS\bkusbxp.sys --> c:\windows\system32\DRIVERS\bkusbxp.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [2007-11-16 30464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26e1b516-beed-11dc-9adc-000c76965cad}]
\Shell\AutoRun\command - P:\autorun.exe
\Shell\directx\command - p:\directx9\dxsetup.exe
\Shell\setup\command - P:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26e1b519-beed-11dc-9adc-000c76965cad}]
\Shell\AutoRun\command - Q:\CDCheck.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26e1b51a-beed-11dc-9adc-000c76965cad}]
\Shell\AutoRun\command - R:\CDCheck.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5c39c88-c079-11dc-9add-000ea1339d59}]
\Shell\AutoRun\command - S:\autorun.exe
\Shell\setup\command - S:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programfiler\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-10 20:39]
2009-01-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programfiler\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4118616476-2326668858-2435834782-1007.job
- c:\documents and settings\Stian Evensen\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe [2008-11-17 18:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.startsiden.no/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com uInternet Settings,ProxyServer = 192.168.30.30:8080 uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/keyword/%s DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} - hxxp://www.euchannels.net/update/KooPlayer.ocx FF - ProfilePath - c:\documents and settings\Stian Evensen\Programdata\Mozilla\Firefox\Profiles\79fjv870.Standardbruker\ FF - prefs.js: browser.startup.homepage - hxxp://www.startsiden.no/ FF - prefs.js: network.proxy.type - 4 FF - plugin: c:\documents and settings\Stian Evensen\Lokale innstillinger\Programdata\Google\Update\1.2.141.5\npGoogleOneClick7.dll FF - plugin: c:\documents and settings\Stian Evensen\Programdata\Mozilla\plugins\npgoogletalk.dll FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll FF - plugin: c:\programfiler\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\programfiler\Mozilla Firefox\plugins\NPAdbESD.dll FF - plugin: c:\programfiler\Mozilla Firefox\plugins\nppopcaploader.dll FF - plugin: c:\programfiler\Mozilla Firefox\plugins\npsabffx.dll FF - plugin: c:\windows\system32\SuperAdBlocker.com\npsabffx.dll ---- FIREFOX POLICIES ---- c:\programfiler\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no"); . 
************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-19 18:37:16 Windows 5.1.2600 Service Pack 2 NTFS skanner skjulte prosesser ... skanner skjulte autostart-oppføringer ... skanner skjulte filer ... skanning vellykket skjulte filer: 0 ************************************************************************** . --------------------- LÅSTE REGISTERNØKLER --------------------- [HKEY_USERS\S-1-5-21-4118616476-2326668858-2435834782-1007\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) [HKEY_USERS\S-1-5-21-4118616476-2326668858-2435834782-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] "??"=hex:29,41,92,09,27,2a,a2,aa,7b,f7,8e,89,66,42,3e,52,47,66,c9,13,ad,e4,47, 1d,11,1a,3d,73,8c,03,df,c9,b4,15,e5,cc,82,e5,84,20,af,d6,e4,64,91,60,ad,a7,\ "??"=hex:93,62,af,48,ed,dd,de,1a,9c,aa,31,37,48,d9,47,4d . Tidspunkt ferdig: 2009-02-19 18:40:01 ComboFix-quarantined-files.txt 2009-02-19 17:39:14 ComboFix2.txt 2009-02-11 20:14:47 ComboFix3.txt 2009-02-10 19:22:00 ComboFix4.txt 2006-10-23 19:39:34 Pre-Run: 2 698 850 304 byte ledig Post-Run: 2,700,910,592 byte ledig Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4 270 --- E O F --- 2009-02-12 07:08:01 Lenke til kommentar
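The parts of the log above that a reviewer still has to judge by hand are the cached autorun handlers under MountPoints2 (Explorer records the `autorun.inf` commands of every CD or USB stick it has seen, so an `autorun.exe` there ran on insert), the HKCU proxy server (a proxy the user never configured is a classic traffic-hijack sign), and the DPF (Download Program Files) ActiveX records and the hosts they came from. The script below is an added example written for this page; it is not part of the original post, of norbat's advice, or of ComboFix. It parses those three kinds of lines from a log excerpt and prints a triage list. The sample text is copied from the log above with its line breaks restored; the `DPF_ALLOWED_HOSTS` allow-list is a hypothetical placeholder, not anything the thread states.

```python
"""Triage helper for a ComboFix log: pulls out the MountPoints2 autorun
handlers, the HKCU proxy settings and the DPF (ActiveX) entries that a
reviewer should verify before declaring a machine clean."""
import re
from urllib.parse import urlparse

# Sample excerpt, copied from the ComboFix log in the post above (the page
# flattens the log onto a few long lines; this is the same content with
# line breaks restored).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.startsiden.no/
uInternet Settings,ProxyServer = 192.168.30.30:8080
uInternet Settings,ProxyOverride = *.local
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} - hxxp://www.euchannels.net/update/KooPlayer.ocx
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26e1b516-beed-11dc-9adc-000c76965cad}]
\Shell\AutoRun\command - P:\autorun.exe
\Shell\setup\command - P:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5c39c88-c079-11dc-9add-000ea1339d59}]
\Shell\AutoRun\command - S:\autorun.exe
"""

MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
SHELL_COMMAND = re.compile(r"^\\Shell\\(\w+)\\command - (.+?)\s*$")
PROXY_SETTING = re.compile(r"^uInternet Settings,(ProxyServer|ProxyOverride) = (\S+)$")
DPF_ENTRY = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)$")

# Hosts from which downloaded ActiveX controls are considered expected.
# A hypothetical allow-list for this example; build yours from what the
# machine is actually supposed to use.
DPF_ALLOWED_HOSTS = {"download.microsoft.com", "downloads.ewido.net"}


def refang(url):
    """ComboFix defangs URLs as hxxp://; restore the scheme so urlparse works."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def parse_mountpoint_autoruns(text):
    """Return (device_guid, verb, command) for every Shell\\<verb>\\command
    line under a MountPoints2 key. The verb 'AutoRun' is the handler Explorer
    invokes on media insertion; other verbs are context-menu entries."""
    current, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        key = MOUNTPOINT_KEY.match(line)
        if key:
            current = key.group(1)
            continue
        cmd = SHELL_COMMAND.match(line)
        if cmd and current:
            found.append((current, cmd.group(1), cmd.group(2)))
    return found


def parse_proxy(text):
    """Return the user's (HKCU) Internet Settings proxy values as a dict."""
    matches = (PROXY_SETTING.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def parse_dpf(text):
    """Return (clsid, host) for each Download Program Files entry with a URL."""
    out = []
    for line in text.splitlines():
        m = DPF_ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), urlparse(refang(m.group(2))).hostname))
    return out


def triage(text):
    """One finding per item a reviewer should verify. Findings are leads,
    not verdicts: a LAN proxy may be deliberate and most cached autoruns
    come from game or driver CDs."""
    findings = []
    for guid, verb, command in parse_mountpoint_autoruns(text):
        if verb.lower() == "autorun":
            findings.append(f"autorun handler {command} cached for device {guid}")
    proxy = parse_proxy(text).get("ProxyServer")
    if proxy and not proxy.startswith(("127.", "localhost")):
        findings.append(f"HKCU proxy set to {proxy}; confirm the user configured it")
    for clsid, host in parse_dpf(text):
        if host not in DPF_ALLOWED_HOSTS:
            findings.append(f"ActiveX control {clsid} downloaded from {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run against the excerpt it flags the two `autorun.exe` handlers (the `setup` verb is a context-menu entry, not an auto-start), the `192.168.30.30:8080` proxy, and the KooPlayer control from `www.euchannels.net`; the ewido scanner control passes because its host is on the placeholder allow-list. Each finding is something to confirm with the machine's owner, which is the same question norbat asks below about the three files and VirusTotal.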
norbat (posted 19 February 2009)
Did you get the 3 files checked on Virustotal?