zonko (posted 20 March 2009)

My brother's and parents' machine has been visited by that nasty Security Center. I thought I got rid of it last time, but apparently they got some popups later anyway. Here are the logs; are all traces gone?

mbam:

Malwarebytes' Anti-Malware 1.34
Databaseversjon: 1802
Windows 5.1.2600 Service Pack 3

20.03.2009 20:40:37
mbam-log-2009-03-20 (20-40-37).txt

Skanntype: Rask Skann
Objekter skannet: 68263
Tid tilbakelagt: 7 minute(s), 33 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 1
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 1

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\WINDOWS\system32\i41onkFc.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

ComboFix:

ComboFix 09-03-19.02 - martin 2009-03-20 20:48:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1044.18.1022.591 [GMT 1:00]
Kjører fra: c:\documents and settings\martin\Skrivebord\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
 * Opprettet nytt gjenopprettingspunkt
ADVARSEL -DENNE MASKINEN HAR IKKE GJENOPPRETTINGSKONSOLLEN INSTALLERT !!
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ss.sys

.
((((((((((((((((((((((((((( Filer Opprettet Fra 2009-02-20 til 2009-03-20 )))))))))))))))))))))))))))))))))
.

2009-03-20 20:22 . 2009-03-20 20:22 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-16 09:24 . 2009-03-20 20:33 1,374 --a------ c:\windows\imsins.BAK
2009-03-08 18:37 . 2009-03-16 09:24 <DIR> dr-h----- c:\documents and settings\martin\Siste
2009-02-25 20:10 . 2009-02-25 20:10 <DIR> d-------- c:\programfiler\Malwarebytes' Anti-Malware
2009-02-25 20:10 . 2009-02-25 20:10 <DIR> d-------- c:\documents and settings\martin\Programdata\Malwarebytes
2009-02-25 20:10 . 2009-02-25 20:10 <DIR> d-------- c:\documents and settings\All Users\Programdata\Malwarebytes
2009-02-25 20:10 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 20:10 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-25 19:49 . 2009-02-25 19:49 <DIR> d-------- c:\documents and settings\All Users\Programdata\SUPERAntiSpyware.com
2009-02-25 19:48 . 2009-02-25 19:48 <DIR> d-------- c:\programfiler\SUPERAntiSpyware
2009-02-25 19:48 . 2009-02-25 19:48 <DIR> d-------- c:\documents and settings\martin\Programdata\SUPERAntiSpyware.com
2009-02-25 19:00 . 2009-02-25 19:00 <DIR> dr------- c:\documents and settings\NetworkService\Favoritter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 19:21 --------- d-----w c:\programfiler\Java
2009-03-01 16:18 --------- d-----w c:\documents and settings\All Users\Programdata\CanonIJPLM
2009-02-25 18:47 --------- d-----w c:\programfiler\Fellesfiler\Wise Installation Wizard
2009-02-16 17:04 --------- d-----w c:\programfiler\Microsoft CAPICOM 2.1.0.2
2009-02-15 18:24 --------- d-----w c:\programfiler\Windows Live
2009-02-15 18:21 --------- d-----w c:\programfiler\CCleaner
2009-02-15 17:41 --------- d-----w c:\programfiler\Microsoft
2009-02-15 17:40 --------- d-----w c:\programfiler\Windows Live SkyDrive
2009-02-15 17:29 --------- d-----w c:\programfiler\Fellesfiler\Windows Live
2009-02-15 17:10 --------- d-----w c:\documents and settings\martin\Programdata\Thunderbird
2009-02-09 14:08 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 14:08 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-06 17:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-02 17:10 --------- d-----w c:\programfiler\LimeWire
2009-01-31 14:03 --------- d-----w c:\programfiler\Avira
2009-01-31 14:03 --------- d-----w c:\documents and settings\All Users\Programdata\Avira
2009-01-31 14:02 --------- d-----w c:\programfiler\F-Secure
2009-01-31 14:01 --------- d-----w c:\documents and settings\All Users\Programdata\F-Secure
2009-01-31 13:48 --------- d-----w c:\documents and settings\martin\Programdata\Canon
2009-01-31 13:48 --------- d-----w c:\documents and settings\All Users\Programdata\CanonIJ
2009-01-31 13:47 --------- d--h--w c:\documents and settings\All Users\Programdata\CanonIJMyPrinter
2009-01-31 13:47 --------- d-----w c:\programfiler\Canon
2009-01-31 12:25 --------- d-----w c:\programfiler\Fellesfiler\CANON
2009-01-31 12:24 --------- d--h--w c:\documents and settings\All Users\Programdata\CanonBJ
2009-01-31 12:23 --------- d--h--w c:\programfiler\CanonBJ
2009-01-31 12:09 --------- d-----w c:\programfiler\Opera
2009-01-30 20:00 --------- d-----w c:\programfiler\NOS
2009-01-30 20:00 --------- d-----w c:\documents and settings\All Users\Programdata\NOS
2009-01-30 19:06 --------- d-----w c:\programfiler\Fellesfiler\Adobe
2009-01-30 18:53 --------- d-----w c:\programfiler\Microsoft.NET
2009-01-16 20:31 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-31 16:04 691,560 ----a-w c:\windows\system32\OGACheckControl.dll
2008-12-31 16:04 528,744 ----a-w c:\windows\system32\OGAVerify.exe
2008-12-31 16:04 502,120 ----a-w c:\windows\system32\OGAAddin.dll

.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programfiler\Java\jre6\bin\jusched.exe" [2009-03-20 136600]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"CTSysVol"="c:\programfiler\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"avgnt"="c:\programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=WIKI.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\programfiler\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2008-03-17 17:06 1848648 c:\programfiler\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 c:\programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F5D9050]
--a------ 2006-07-20 06:55 1617920 c:\programfiler\Belkin\F5D9050\Belkinwcui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScanUtility]
--a------ 2007-05-21 00:37 124512 c:\programfiler\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 21:12 221184 c:\programfiler\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 17:23 1695232 c:\programfiler\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2009-02-06 18:52 3885400 c:\programfiler\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Programfiler\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Programfiler\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Programfiler\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\programfiler\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\programfiler\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2008-12-23 476416]
R3 SASENUM;SASENUM;c:\programfiler\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2009-02-25 c:\windows\Tasks\At1.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At10.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At11.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At12.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At13.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At14.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At15.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At16.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At17.job - c:\windows\system32\i41onkFc.exe []
2009-03-20 c:\windows\Tasks\At18.job - c:\windows\system32\i41onkFc.exe []
2009-03-20 c:\windows\Tasks\At19.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At2.job - c:\windows\system32\i41onkFc.exe []
2009-03-19 c:\windows\Tasks\At20.job - c:\windows\system32\i41onkFc.exe []
2009-03-04 c:\windows\Tasks\At21.job - c:\windows\system32\i41onkFc.exe []
2009-03-15 c:\windows\Tasks\At22.job - c:\windows\system32\i41onkFc.exe []
2009-03-02 c:\windows\Tasks\At23.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At24.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At3.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At4.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At5.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At6.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At7.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At8.job - c:\windows\system32\i41onkFc.exe []
2009-02-25 c:\windows\Tasks\At9.job - c:\windows\system32\i41onkFc.exe []
.
- - - - TOMME PEKERE FJERNET - - - -

MSConfigStartUp-ATIPTA - c:\programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
MSConfigStartUp-DMXLauncher - c:\programfiler\Dell\Media Experience\DMXLauncher.exe

.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.startsiden.no/
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: {54C0FF26-4D4C-469A-9859-0CED4524C9F7} = 10.0.0.138
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 20:50:17
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\programfiler\SUPERAntiSpyware\SASWINLO.dll
.
Tidspunkt ferdig: 2009-03-20 20:51:40
ComboFix-quarantined-files.txt 2009-03-20 19:51:38

Pre-Run: 117 579 845 632 byte ledig
Post-Run: 117,615,198,208 byte ledig

219 --- E O F --- 2009-03-20 19:39:03
norbat (posted 20 March 2009)

Go to the following folder: c:\windows\Tasks and delete all the At*.job entries.

Search for the file wiki.dll and upload it to Virustotal for a check (if you find it).

Update Malwarebytes and run a new quick scan. Post the log IF it finds anything.
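As an added example (not code from the thread), a small Python triage script that pulls out of a ComboFix log the three things norbat's reply reacts to: a cluster of At*.job tasks that all launch the same executable, a non-empty AppInit_DLLs value, and the Security Center override flags. The log excerpt is constructed to resemble the one posted above; the regexes assume ComboFix's line layout as shown there.

```python
import re
from collections import defaultdict
# Constructed excerpt shaped like the ComboFix log posted in the thread (not the real file).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=WIKI.DLL
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
2009-02-25 c:\\windows\\Tasks\\At1.job - c:\\windows\\system32\\i41onkFc.exe []
2009-02-25 c:\\windows\\Tasks\\At2.job - c:\\windows\\system32\\i41onkFc.exe []
2009-03-20 c:\\windows\\Tasks\\At18.job - c:\\windows\\system32\\i41onkFc.exe []
2009-02-25 c:\\windows\\Tasks\\Backup.job - c:\\windows\\system32\\ntbackup.exe []
"""

# "<date> c:\windows\Tasks\AtN.job - <target> []" lines from the Scheduled Tasks section
AT_JOB_RE = re.compile(r"^\S+\s+c:\\windows\\tasks\\(at\d+\.job)\s+-\s+(\S+)", re.I | re.M)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$', re.M)
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$', re.M)

def at_jobs_by_target(log):
    """Map each program launched by an At*.job task to the jobs that launch it."""
    jobs = defaultdict(list)
    for job, target in AT_JOB_RE.findall(log):
        jobs[target.lower()].append(job)
    return dict(jobs)

def appinit_dlls(log):
    """Return the AppInit_DLLs value, or None when it is absent or empty."""
    m = APPINIT_RE.search(log)
    value = m.group(1).strip() if m else ""
    return value or None

def security_center_overrides(log):
    """Names of Security Center overrides that are switched on (dword 1)."""
    return OVERRIDE_RE.findall(log)

def triage(log):
    """One finding per indicator; At*.job tasks count only when several share a target."""
    findings = []
    dll = appinit_dlls(log)
    if dll:
        findings.append(f"AppInit_DLLs loads {dll} into every process that uses user32.dll")
    for name in security_center_overrides(log):
        findings.append(f"{name}=1 silences Security Center warnings")
    for target, jobs in at_jobs_by_target(log).items():
        if len(jobs) > 1:
            findings.append(f"{len(jobs)} At*.job tasks all launch {target}")
    return findings
```

Running triage() over the sample yields four findings; a single legitimate At-job or an empty AppInit_DLLs value produces none.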
zonko (thread author, posted 20 March 2009)

Clean and tidy. Many thanks, norbat; what would this forum be without resources like you.
r2d290 (posted 21 March 2009)

So you have deleted all the .job entries, checked wiki.dll with the result that it is clean, and got 0 infected files with MBAM? Great.

ComboFix must be uninstalled. Go to Start > Run and type the following in the box:

ComboFix /u

PS: note the space between X and /u. You should now have something like the picture below. Press Enter.

This command will:

- Remove the following: ComboFix and its associated files and folders; VundoFix backups, if they exist; the folder C:\Deckard, if it exists; the folder C:\OtMoveIt, if it exists.
- Reset the clock settings.
- Hide file extensions if necessary.
- Hide System/Hidden files and folders if necessary.
- Reset the system restore points.

Also make sure that Java, Flash Player and Adobe Reader are up to date, in addition to Windows.

-Surf safely-