Gresselsker, posted 9 June 2009

Hi, I have the same problem as this topic: https://www.diskusjon.no/index.php?showtopic=1115650
I have changed my password and run the guide in this thread: https://www.diskusjon.no/index.php?showtopic=691246
I need someone to look at the logs from MBAM and ComboFix.

MBAM log:

Malwarebytes' Anti-Malware 1.37
Databaseversjon: 2253
Windows 5.1.2600 Service Pack 3

09.06.2009 16:31:47
mbam-log-2009-06-09 (16-31-47).txt

Skanntype: Rask Skann
Objekter skannet: 100696
Tid tilbakelagt: 4 minute(s), 33 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 1
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 1

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0088ddc (Trojan.Vundo) -> Quarantined and deleted successfully.

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\WINDOWS\system32\ (Trojan.Vundo) -> Delete on reboot.

I rebooted as it required.

ComboFix log:

ComboFix 09-06-08.05 - BE12129104 09.06.2009 16:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.47.1044.18.894.378 [GMT 2:00]
Kjører fra: c:\documents and settings\BE12129104\Skrivebord\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {F66B188C-5BAE-4BE6-93E0-73C3C3AC661E}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users.WINDOWS\Programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Programdata\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Mulige infiserte sider -----

hxxp://BFK-KOVS-SCCM01.SKOLE.BFK.NO:80
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2009-05-09 til 2009-06-09 )))))))))))))))))))))))))))))))))
.
2009-06-09 14:25 . 2009-06-09 14:25 -------- d-----w- c:\documents and settings\BE12129104\Programdata\Malwarebytes
2009-06-09 14:25 . 2009-05-26 11:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 14:25 . 2009-06-09 14:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Programdata\Malwarebytes
2009-06-09 14:25 . 2009-05-26 11:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 13:46 . 2009-06-09 14:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Programdata\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-08 08:13 . 2009-04-20 19:17 -------- d-----w- c:\documents and settings\BE12129104\Programdata\Spotify
2009-04-22 10:53 . 2007-09-11 06:52 118792 ----a-w- c:\documents and settings\BE12129104\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2009-04-17 23:00 . 2006-08-30 06:36 80438 ----a-w- c:\windows\system32\perfc014.dat
2009-04-17 23:00 . 2006-08-30 06:36 445536 ----a-w- c:\windows\system32\perfh014.dat
2009-03-31 15:58 . 2007-10-24 08:09 76688 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-03-18 18:19 . 2009-03-18 18:19 561 ----a-w- c:\windows\eReg.dat
2009-01-01 13:12 . 2007-06-26 06:59 66408 ----a-w- c:\programfiler\mozilla firefox\components\jar50.dll
2009-01-01 13:12 . 2007-06-26 06:59 54112 ----a-w- c:\programfiler\mozilla firefox\components\jsd3250.dll
2009-01-01 13:12 . 2007-06-26 06:59 34688 ----a-w- c:\programfiler\mozilla firefox\components\myspell.dll
2009-01-01 13:12 . 2007-06-26 06:59 46456 ----a-w- c:\programfiler\mozilla firefox\components\spellchk.dll
2009-01-01 13:12 . 2007-06-26 06:59 171880 ----a-w- c:\programfiler\mozilla firefox\components\xpinstal.dll
2008-08-19 12:44 . 2008-08-18 16:58 56 --sh--r- c:\windows\system32\1C4E1210C2.sys
2008-08-19 16:04 . 2008-08-18 16:58 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\programfiler\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Rainlendar2"="d:\rainlendar2\Rainlendar2.exe" [2007-07-24 1298432]
"QuickTime Task"="c:\programfiler\VistaCodecPack\QT\QTTask.exe" [2007-12-11 286720]
"Google Update"="c:\documents and settings\BE12129104\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe" [2009-03-29 133104]
"SpybotSD TeaTimer"="d:\spybot - search & destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programfiler\Java\jre6\bin\jusched.exe" [2009-03-10 136600]
"Adobe Reader Speed Launcher"="c:\programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"imekrmig7.0"="c:\programfiler\Fellesfiler\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2007-04-19 25440]
"IMSCMig"="c:\progra~1\FELLES~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE" [2007-04-02 17248]
"CJIMETIPSYNC"="c:\programfiler\Fellesfiler\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"PHIMETIPSYNC"="c:\programfiler\Fellesfiler\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"IMJPMIG9.0"="c:\progra~1\FELLES~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE" [2007-04-19 125792]
"NGClient"="c:\programfiler\Symantec\Ghost\ngctw32.exe" [2005-11-28 440000]
"OfficeScanNT Monitor"="c:\programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-03-31 718120]
"QuickTime Task"="c:\programfiler\VistaCodecPack\QT\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="d:\mine dokumenter\Itunes\iTunesHelper.exe" [2007-12-11 267048]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"shv"="c:\program files\MicPhone\antit.exe" [2009-06-09 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

c:\documents and settings\All Users.WINDOWS\Start-meny\Programmer\Oppstart\
Microsoft Firewall Client Management.lnk - c:\programfiler\Microsoft Firewall Client 2004\FwcMgmt.exe [2006-5-29 117592]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programfiler\\Symantec\\Ghost\\ngctw32.exe"=
"d:\\Mine Dokumenter\\Itunes\\iTunes.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\spotify\\spotify.exe"=

R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [28.11.2005 17:35 6560]
R0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [28.11.2005 17:36 199264]
R2 FwcAgent;Firewall Client Agent;c:\programfiler\Microsoft Firewall Client 2004\FwcAgent.exe [29.05.2006 22:10 128856]
R2 NGClient;Symantec Ghost Win32 Client Agent;c:\programfiler\Symantec\Ghost\ngctw32.exe [28.11.2005 18:26 440000]
R2 TmFilter;Trend Micro Filter;c:\programfiler\Trend Micro\OfficeScan Client\TmXpflt.sys [24.10.2007 10:09 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\programfiler\Trend Micro\OfficeScan Client\TmPreflt.sys [24.10.2007 10:09 36368]
R2 wmcmgc;Windows Management Configuration;c:\windows\System32\svchost.exe -k netsvcs [30.08.2006 08:37 14336]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [24.10.2007 10:09 314896]
R3 TmProxy;OfficeScan NT Proxy Service;c:\programfiler\Trend Micro\OfficeScan Client\TmProxy.exe [24.10.2007 10:09 652552]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [28.11.2005 17:36 199264]
S3 TmPfw;OfficeScan NT Firewall;c:\programfiler\Trend Micro\OfficeScan Client\TmPfw.exe [24.10.2007 10:09 488768]
S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [13.12.2007 23:47 30464]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wmcmgc
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2009-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programfiler\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-06-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-261903793-725345543-95614.job
- c:\documents and settings\BE12129104\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe [2009-03-29 14:56]
.
- - - - TOMME PEKERE FJERNET - - - -

SafeBoot-procexp90.Sys
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.vg.no/
uInternet Settings,ProxyOverride = <local>
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\programfiler\Microsoft Firewall Client 2004\FwcWsp.dll
DPF: DirectEdit - hxxps://www.itslearning.com/file/DirectEdit.CAB
FF - ProfilePath - c:\documents and settings\BE12129104\Programdata\Mozilla\Firefox\Profiles\0cgmgq2x.default\
FF - prefs.js: browser.startup.homepage - hxxp://no.msn.com
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?mkt=nb-no&FORM=MICYE2&q=
FF - component: c:\programfiler\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 16:52
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...
skanner skjulte autostart-oppføringer ...
skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\COMRes.dll
.
Tidspunkt ferdig: 2009-06-09 16:54
ComboFix-quarantined-files.txt 2009-06-09 14:54

Pre-Run: 1 684 676 608 byte ledig
Post-Run: 2 393 407 488 byte ledig

WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

146 --- E O F --- 2009-05-26 16:42

Thanks in advance for all the help!
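As an added triage helper (not part of the original post, and not code from ComboFix or any other tool named in the thread), the following Python parses the registry autostart section of a ComboFix log in the layout shown above and lists the entries whose executable was written within a few days of the scan date, which is where a manual review of such a log usually starts. The sample input is constructed from lines in the log, and the seven-day age threshold is an assumption.

```python
import re
from datetime import date, timedelta

# Constructed sample in the layout ComboFix uses for its registry autostart
# section (copied in shape from the log above; illustrative input only).
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\programfiler\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"SpybotSD TeaTimer"="d:\spybot - search & destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"shv"="c:\program files\MicPhone\antit.exe" [2009-06-09 221184]
'''

HIVE_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# name, value, optional resolved path after " - ", then [YYYY-MM-DD size]
ENTRY_RE = re.compile(
    r'^"([^"]+)"="([^"]+)"(?: - (.+?))?\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')

def parse_autostart(text):
    """Return (hive, name, path, file_date, size) for each Run entry."""
    entries, hive = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HIVE_RE.match(line)
        if m:
            hive = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and hive:
            name, value, resolved, ymd, size = m.groups()
            path = resolved or value   # prefer the path ComboFix resolved
            entries.append((hive, name, path, date.fromisoformat(ymd), int(size)))
    return entries

def recent_entry_names(text, scan_ymd, max_age_days=7):
    """Names of entries whose file was written within max_age_days of the scan.
    A fresh file under a Run key proves nothing by itself; it is simply the
    first thing to cross-check by hand against the rest of the log."""
    cutoff = date.fromisoformat(scan_ymd) - timedelta(days=max_age_days)
    return [name for _, name, _, d, _ in parse_autostart(text) if d >= cutoff]

if __name__ == "__main__":
    flagged = recent_entry_names(SAMPLE, "2009-06-09")
    for hive, name, path, d, size in parse_autostart(SAMPLE):
        tag = "REVIEW" if name in flagged else "ok    "
        print(f"{tag} {name!r:24} {path} ({d}, {size} bytes) [{hive}]")
```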
snippsat, posted 9 June 2009

Looks good. You can remove ComboFix by typing combofix /u from the Run window. This command deletes the quarantined files and backups, resets the System Restore folder, etc. Remember to change the password on your MSN account. The MSN problems that have been going around lately do not install anything that runs locally on the victim's PC. It is often botnets controlled from IRC. Changing the password usually solves this problem.
Gresselsker (author), posted 10 June 2009

OK, yes, I have changed the password. Thanks for the help. It seems I have not sent any links since I ran the tools; I was logged on to MSN all night. So I think it is solved. Thanks again.