SteinarN (posted 19 June 2009, edited):

I have AVG installed. Today a message came up about two infected EXE files that I had evidently downloaded. One seemed to be deleted by AVG, but the other one AVG could not find, and I couldn't find it either when I looked for it manually. Both files were a trojan horse of some kind. I'm wondering whether these files were deleted or whether something may still be on the machine. Log attached. I have not restarted the machine since this happened, in case that matters.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33:22, on 19.06.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\Analog Devices\Core\smax4pnp.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programfiler\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Windows Live\Messenger\msnmsgr.exe
C:\Programfiler\WIDCOMM\Bluetooth-programvare\BTTray.exe
C:\Programfiler\Logitech\SetPoint\SetPoint.exe
C:\Programfiler\WinZip\WZQKPICK.EXE
C:\Programfiler\Fellesfiler\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programfiler\WIDCOMM\Bluetooth-programvare\bin\btwdins.exe
C:\PROGRA~1\Borland\INTERB~1\Bin\ibguard.exe
C:\Programfiler\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programfiler\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Programfiler\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Windows Live\Contacts\wlcomm.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programfiler\Malwarebytes' Anti-Malware\mbam.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programfiler\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programfiler\AVG\AVG8\avgtoolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programfiler\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: rncsys32.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programfiler\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programfiler\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553515000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programfiler\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Programfiler\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programfiler\WIDCOMM\Bluetooth-programvare\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programfiler\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
O23 - Service: MCT10 Service - Unknown owner - C:\Programfiler\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

-- End of file - 8983 bytes

Edited 19 June 2009 by SteinarN
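A HijackThis log like the one above is normally read by eye, looking for the handful of O4/O23 entries that don't belong. The following Python script is an added example (not part of the thread and not a HijackThis feature) that applies the usual first-pass rules mechanically: an executable sitting directly in the per-user Startup folder (the rncsys32.exe entry above), a Run entry that launches from a temp directory, a bare filename that gets resolved by a PATH search, a shortcut HijackThis could not resolve, and a service with no vendor string. The sample lines are copied from the log above, except the "wpv" Run entry, which is constructed only to exercise the temp-directory rule; the severities and rules are the example's own assumptions, not anything decided in the thread.

```python
import re

# Constructed excerpt: lines copied from the HijackThis log in the post above,
# plus ONE constructed line (the [wpv] Run entry) that is NOT in that log and
# exists only to exercise the temp-directory rule.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [wpv] C:\WINDOWS\temp\wpv581243627542.exe
O4 - Startup: rncsys32.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programfiler\Logitech\SetPoint\SetPoint.exe
O23 - Service: MCT10 Service - Unknown owner - C:\Programfiler\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# HijackThis 2.x line shapes for registry Run keys, Startup folders and services.
RUN_LINE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
STARTUP_LINE = re.compile(r'^O4 - (?P<scope>Global Startup|Startup): (?P<target>.+)$')
SERVICE_LINE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# First quoted-or-unquoted token ending in an executable extension (arguments dropped).
IMAGE = re.compile(r'^"?(?P<img>.*?\.(?:exe|dll|com|scr|bat))"?', re.I)
TEMP_DIR = re.compile(r'\\temp\\', re.I)       # ...\WINDOWS\temp\ or ...\Temp\ anywhere in the path
EXEC_EXT = ('.exe', '.com', '.scr', '.bat', '.pif')


def image_path(cmd):
    """'"C:\\a b\\x.exe" /bg' -> 'C:\\a b\\x.exe'; leaves unrecognised commands as-is."""
    m = IMAGE.match(cmd.strip())
    return m.group('img') if m else cmd.strip()


def triage_hjt(log_text):
    """Return (severity, reason, line) for O4/O23 lines that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            img = image_path(m.group('cmd'))
            if TEMP_DIR.search(img):
                findings.append(('high', 'Run entry launches from a temp directory', line))
            elif '\\' not in img and not img.startswith('%'):
                findings.append(('review', 'bare filename resolved by PATH search; confirm which copy runs', line))
            continue
        m = STARTUP_LINE.match(line)
        if m:
            target = m.group('target').strip()
            if m.group('scope') == 'Startup' and target.lower().endswith(EXEC_EXT):
                # A real program drops a .lnk here; a raw .exe in the per-user
                # Startup folder is the classic dropper persistence.
                findings.append(('high', 'executable placed directly in the per-user Startup folder', line))
            elif target.endswith('= ?'):
                findings.append(('review', 'HijackThis could not resolve the shortcut target', line))
            continue
        m = SERVICE_LINE.match(line)
        if m and m.group('owner') == 'Unknown owner':
            findings.append(('review', 'service has no vendor string; verify the binary', line))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {'high': 0, 'review': 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == '__main__':
    for sev, reason, line in triage_hjt(SAMPLE_HJT):
        print(f'[{sev:6}] {reason}\n         {line}')
```

The script only narrows the list; a "review" hit such as AGRSMMSG.exe or the Danfoss service is benign here, and the point of the bare-filename rule is that a second copy of that name earlier on PATH would run instead of the vendor's.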
raWrz (posted 19 June 2009):

Hi, run through the guide linked at the top of my signature.
SteinarN (thread author, posted 19 June 2009):

That was a lightning-fast reply. I have read the guide. I have Malwarebytes but can't get it updated. Old version. I don't have ComboFix. Do I have to run it, or is HijackThis also OK?
raWrz (posted 19 June 2009):

ComboFix covers most of what HijackThis finds, plus we get much more information and can do much more with ComboFix.

Download ComboFix (by sUBs) and save it to the Desktop. Run combofix.exe and follow the instructions. While ComboFix starts up you will be advised to install the Recovery Console (if you don't already have it installed). Say yes to that. Do not click in the window while the program is running. That can cause the program to freeze.

What ComboFix does:
- ComboFix is a multi-fix tool designed to remove a whole range of known infections, and it produces a log/report showing the files/processes/registry entries present on the PC. The log can determine whether there is still something on the PC that should be removed. That requires someone with experience to read the log and say how to proceed.

PS: Among other things, ComboFix will list every file created in the last month, and in some cases it may also reveal full names and other information that could be considered sensitive. For that reason you should go through the log, check whether it contains information you don't want to share with everyone, and censor it.

Post the log file from ComboFix (c:\combofix.txt)
SteinarN (thread author, posted 19 June 2009):

Malwarebytes

Malwarebytes' Anti-Malware 1.38
Database version: 2308
Windows 5.1.2600 Service Pack 2

19.06.2009 15:43:38
mbam-log-2009-06-19 (15-43-38).txt

Scan type: Quick Scan
Objects scanned: 81359
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\temp\wpv581243627542.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Administrator\Programdata\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

ComboFix

ComboFix 09-06-18.02 - Administrator 19.06.2009 16:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.47.1044.18.1015.474 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Skrivebord\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Programdata\wiaserva.log
c:\documents and settings\Administrator\Start-meny\Programmer\Oppstart\rncsys32.exe
E:\Desktop.ini
.
((((((((((((((((((((((((((( Files Created From 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))))
.
2009-06-19 13:47 . 2009-06-19 13:47 2 ----a-w- c:\windows\010112010146118114.dat
2009-06-19 13:47 . 2009-06-19 13:47 14848 ---h--w- c:\windows\ld10.exe
2009-06-19 12:26 . 2009-06-19 13:36 3561743 ----a-w- c:\documents and settings\All Users\Programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 13:25 . 2009-06-17 13:25 -------- d-----w- c:\documents and settings\Administrator\Programdata\dvdcss
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 13:36 . 2009-01-08 16:30 -------- d-----w- c:\programfiler\Malwarebytes' Anti-Malware
2009-06-17 19:38 . 2008-08-06 21:18 -------- d-----w- c:\documents and settings\Administrator\Programdata\OpenOffice.org2
2009-06-17 19:37 . 2008-08-06 21:19 1 ----a-w- c:\documents and settings\Administrator\Programdata\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-06-17 09:27 . 2009-01-08 16:30 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 09:27 . 2009-01-08 16:30 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 08:20 . 2007-12-02 18:26 -------- d-----w- c:\documents and settings\Administrator\Programdata\LimeWire
2009-05-23 17:32 . 2007-04-18 20:14 28560 ----a-w- c:\documents and settings\Administrator\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2009-05-17 07:07 . 2008-08-13 19:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-17 07:07 . 2008-08-13 19:54 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-17 07:07 . 2008-08-13 19:54 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-17 07:07 . 2008-08-13 19:54 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:44 . 2004-08-04 08:00 344576 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 07:30 . 2009-04-13 10:53 -------- d-----w- c:\programfiler\MachScreen
2009-05-02 17:51 . 2009-05-02 17:51 -------- d-----w- c:\programfiler\DeskEngrave
2009-04-29 04:50 . 2004-08-04 08:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:49 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-19 20:12 . 2004-08-04 08:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-17 01:15 . 2004-09-20 06:16 63848 ----a-w- c:\windows\system32\perfc014.dat
2009-04-17 01:15 . 2004-09-20 06:16 395274 ----a-w- c:\windows\system32\perfh014.dat
2009-04-15 15:31 . 2004-08-04 08:00 583168 ----a-w- c:\windows\system32\rpcrt4.dll
.
(((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\programfiler\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\programfiler\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SynTPEnh"="c:\programfiler\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"QlbCtrl"="c:\programfiler\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 131072]
"Cpqset"="c:\programfiler\HPQ\Default Settings\cpqset.exe" [2006-01-26 172094]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-09 806912]
"LVCOMS"="c:\programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-17 1947928]
"Adobe Photo Downloader"="c:\programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2007-07-06 177152]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-01-30 88203]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-05-20 28160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
BTTray.lnk - c:\programfiler\WIDCOMM\Bluetooth-programvare\BTTray.exe [2006-1-18 581693]
Logitech Desktop Messenger.lnk - c:\programfiler\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-11-24 169472]
Logitech SetPoint.lnk - c:\programfiler\Logitech\SetPoint\SetPoint.exe [2007-3-28 450560]
WinZip Quick Pick.lnk - c:\programfiler\WinZip\WZQKPICK.EXE [2009-1-14 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 07:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start-meny^Programmer^Oppstart^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Administrator\Start-meny\Programmer\Oppstart\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^DataDECT.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\DataDECT.lnk
backup=c:\windows\pss\DataDECT.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programfiler\\Messenger\\msmsgs.exe"=
"c:\\Programfiler\\LimeWire\\LimeWire.exe"=
"c:\\Programfiler\\Mozilla Firefox\\firefox.exe"=
"c:\\Programfiler\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programfiler\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programfiler\\Java\\jre1.6.0_07\\bin\\javaws.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13.08.2008 21:54 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13.08.2008 21:54 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [20.02.2009 09:44 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [20.02.2009 09:44 298776]
R2 MCT10 Service;MCT10 Service;c:\programfiler\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe [09.05.2008 00:23 192512]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [28.02.2006 19:05 87808]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21.10.2005 13:19 36352]
S3 DFSTR2K;DATAFAB based USB Mass Storage Driver;c:\windows\system32\drivers\DfStor2K.sys [06.08.2008 16:48 37972]
S3 PcCGoCls;PcCGoCls;c:\windows\system32\drivers\pccgocls.sys [26.10.2004 15:54 33510]
.
Contents of the 'Scheduled Tasks' folder

2009-06-19 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-23 20:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.startsiden.no/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 16:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\programfiler\HPQ\Default Settings\cpqset.exe??????\????p?n??|?????? ??4B??????????????hB??????\?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-19 16:05
ComboFix-quarantined-files.txt 2009-06-19 14:05

Pre-Run: 15 699 017 728 bytes free
Post-Run: 15 842 131 968 bytes free

134 --- E O F --- 2009-06-11 01:03

When I restarted the machine after running Malwarebytes, AVG found 5 infected files. AVG only managed to delete 3 of them. On the next boot I get no warning from AVG. Maybe everything is gone now?
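The "Files Created" section of the ComboFix log above is where the remaining file stands out: c:\windows\ld10.exe is the only entry with the hidden attribute, it is an executable dropped straight into the Windows directory, and a tiny .dat file was created in the same minute. The following Python script is an added example (not part of the thread and not a ComboFix feature) that parses that section and applies exactly those three observations as rules. The sample is the section copied from the log above; treating the first timestamp as the creation time and the severity labels are the example's own assumptions.

```python
import re

# Constructed excerpt of the "Files Created" section from the ComboFix log in the
# post above (entries copied verbatim; the banner and '.' separators are kept to
# show what the parser has to skip).
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((( Files Created From 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))))
.
2009-06-19 13:47 . 2009-06-19 13:47 2 ----a-w- c:\windows\010112010146118114.dat
2009-06-19 13:47 . 2009-06-19 13:47 14848 ---h--w- c:\windows\ld10.exe
2009-06-19 12:26 . 2009-06-19 13:36 3561743 ----a-w- c:\documents and settings\All Users\Programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 13:25 . 2009-06-17 13:25 -------- d-----w- c:\documents and settings\Administrator\Programdata\dvdcss
.
"""

# One entry: "<created> . <modified> <size|--------> <attrs> <path>".
# Assumption: the first timestamp is the creation time (the section is ordered by it).
ENTRY = re.compile(
    r'^(?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) \. '
    r'(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) '
    r'(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$')
EXEC_EXT = ('.exe', '.dll', '.sys', '.scr', '.com')
# Directories where a freshly created executable is unexpected outside an update.
SYSTEM_DIRS = ('c:\\windows', 'c:\\windows\\system32')


def parse_created(text):
    """Parse the section into dicts; banner lines and '.' separators are skipped."""
    records = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d['is_dir'] = d['attrs'].startswith('d')
        d['hidden'] = 'h' in d['attrs']          # ComboFix prints 'h' for the hidden attribute
        d['size'] = None if d['is_dir'] else int(d['size'])
        d['path'] = d['path'].lower()
        records.append(d)
    return records


def triage_created(text):
    """Return (severity, reason, path) for entries worth submitting to a scanner."""
    records = parse_created(text)
    findings = {}                                 # path -> (severity, reason, ctime)
    # Pass 1: properties of the file itself.
    for r in records:
        if r['is_dir']:
            continue
        reasons = []
        if r['hidden']:
            reasons.append('hidden attribute set')
        parent = r['path'].rsplit('\\', 1)[0]
        if r['path'].endswith(EXEC_EXT) and parent in SYSTEM_DIRS:
            reasons.append('new executable directly in a Windows system directory')
        if reasons:
            findings[r['path']] = ('high', '; '.join(reasons), r['ctime'])
    # Pass 2: anything else written in the same minute as a flagged file is
    # probably the same dropper's work (config, marker or log file).
    flagged_minutes = {v[2] for v in findings.values()}
    for r in records:
        if r['is_dir'] or r['path'] in findings:
            continue
        if r['ctime'] in flagged_minutes:
            findings[r['path']] = ('review', 'created in the same minute as a flagged file', r['ctime'])
    return [(sev, reason, path) for path, (sev, reason, _) in findings.items()]


if __name__ == '__main__':
    for sev, reason, path in triage_created(SAMPLE_COMBOFIX):
        print(f'[{sev:6}] {path}: {reason}')
```

On this input the script singles out ld10.exe as "high" and the .dat file as "review", and leaves the Malwarebytes installer and the dvdcss directory alone, which matches the file the helper asked to have uploaded.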
raWrz (posted 19 June 2009):

Go to http://virusscan.jotti.org , click Browse, and upload the following file for analysis:

c:\windows\ld10.exe

Then click Submit. Accept that the file is scanned. Finally, copy the result and paste it into your next post so I can look at it and assess what needs to be done next.
SteinarN (thread author, posted 19 June 2009):

Got this:

[ArcaVir] 2009-06-19 Found nothing
[F-Secure Anti-Virus] 2009-06-18 Found nothing
[Emsisoft A-squared] 2009-06-19 Found nothing
[ikarus] 2009-06-19 Worm.Win32.Koobface
[Avast! antivirus] 2009-06-18 Win32:Koobface-L
[Kaspersky Anti-Virus] 2009-06-19 Found nothing
[Grisoft AVG Anti-Virus] 2009-06-19 Found nothing
[ESET NOD32] 2009-06-19 Win32/Koobface.NBQ worm
[Avira AntiVir] 2009-06-19 TR/Downloader.Gen
[Norman Virus Control] 2009-06-03 Found nothing
[softwin BitDefender] 2009-06-19 Found nothing
[Panda Antivirus] 2009-06-19 Found nothing
[ClamAV] 2009-06-19 Found nothing
[Quick Heal] 2009-06-19 Win32.Backdoor.Phdet.gen!A.3
[CPsecure] 2009-06-19 Found nothing
[sophos] 2009-06-19 W32/Koobfa-Gen
[Dr.Web] 2009-06-19 Found nothing
[VirusBlokAda VBA32] 2009-06-18 Found nothing
[Frisk F-Prot Antivirus] 2009-06-19 Found nothing
[VirusBuster] 2009-06-18 Found nothing
raWrz (posted 19 June 2009):

Click Start - All Programs - Accessories - Notepad. Copy and paste the text in the code box below into Notepad:

File::
c:\windows\ld10.exe

Save it as CFScript on the Desktop. Drag CFScript onto ComboFix.exe on the Desktop, as the animation below shows. This will start ComboFix again. If the machine asks for a restart, let it do so right away. Post the contents of ComboFix.txt in your next reply on the forum.
SteinarN (thread author, posted 19 June 2009):

Here is the new ComboFix. I couldn't stop or uninstall AVG. Got a warning that AVG was running when I ran ComboFix.

ComboFix 09-06-18.02 - Administrator 19.06.2009 19:15.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.47.1044.18.1015.617 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Skrivebord\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Skrivebord\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\ld10.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\ld10.exe
.
((((((((((((((((((((((((((( Files Created From 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))))
.
2009-06-19 13:47 . 2009-06-19 13:47 2 ----a-w- c:\windows\010112010146118114.dat
2009-06-19 12:26 . 2009-06-19 13:36 3561743 ----a-w- c:\documents and settings\All Users\Programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 13:25 . 2009-06-17 13:25 -------- d-----w- c:\documents and settings\Administrator\Programdata\dvdcss
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 17:10 . 2008-08-13 19:54 -------- d-----w- c:\documents and settings\All Users\Programdata\avg8
2009-06-19 13:36 . 2009-01-08 16:30 -------- d-----w- c:\programfiler\Malwarebytes' Anti-Malware
2009-06-17 19:38 . 2008-08-06 21:18 -------- d-----w- c:\documents and settings\Administrator\Programdata\OpenOffice.org2
2009-06-17 19:37 . 2008-08-06 21:19 1 ----a-w- c:\documents and settings\Administrator\Programdata\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-06-17 09:27 . 2009-01-08 16:30 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 09:27 . 2009-01-08 16:30 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 08:20 . 2007-12-02 18:26 -------- d-----w- c:\documents and settings\Administrator\Programdata\LimeWire
2009-05-23 17:32 . 2007-04-18 20:14 28560 ----a-w- c:\documents and settings\Administrator\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2009-05-17 07:07 . 2008-08-13 19:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-17 07:07 . 2008-08-13 19:54 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-17 07:07 . 2008-08-13 19:54 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-17 07:07 . 2008-08-13 19:54 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:44 . 2004-08-04 08:00 344576 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 07:30 . 2009-04-13 10:53 -------- d-----w- c:\programfiler\MachScreen
2009-05-02 17:51 . 2009-05-02 17:51 -------- d-----w- c:\programfiler\DeskEngrave
2009-04-29 04:50 . 2004-08-04 08:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:49 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-19 20:12 . 2004-08-04 08:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-17 01:15 . 2004-09-20 06:16 63848 ----a-w- c:\windows\system32\perfc014.dat
2009-04-17 01:15 . 2004-09-20 06:16 395274 ----a-w- c:\windows\system32\perfh014.dat
2009-04-15 15:31 . 2004-08-04 08:00 583168 ----a-w- c:\windows\system32\rpcrt4.dll
.
(((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\programfiler\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SynTPEnh"="c:\programfiler\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"QlbCtrl"="c:\programfiler\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 131072]
"Cpqset"="c:\programfiler\HPQ\Default Settings\cpqset.exe" [2006-01-26 172094]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-09 806912]
"LVCOMS"="c:\programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2007-07-06 177152]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-05-20 28160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
BTTray.lnk - c:\programfiler\WIDCOMM\Bluetooth-programvare\BTTray.exe [2006-1-18 581693]
Logitech Desktop Messenger.lnk - c:\programfiler\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-11-24 169472]
Logitech SetPoint.lnk - c:\programfiler\Logitech\SetPoint\SetPoint.exe [2007-3-28 450560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 07:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start-meny^Programmer^Oppstart^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Administrator\Start-meny\Programmer\Oppstart\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^DataDECT.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\DataDECT.lnk
backup=c:\windows\pss\DataDECT.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programfiler\\Messenger\\msmsgs.exe"=
"c:\\Programfiler\\LimeWire\\LimeWire.exe"=
"c:\\Programfiler\\Mozilla Firefox\\firefox.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programfiler\\Java\\jre1.6.0_07\\bin\\javaws.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13.08.2008 21:54 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13.08.2008 21:54 108552]
R2 MCT10 Service;MCT10 Service;c:\programfiler\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe [09.05.2008 00:23 192512]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [28.02.2006 19:05 87808]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21.10.2005 13:19 36352]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 DFSTR2K;DATAFAB based USB Mass Storage Driver;c:\windows\system32\drivers\DfStor2K.sys [06.08.2008 16:48 37972]
S3 PcCGoCls;PcCGoCls;c:\windows\system32\drivers\pccgocls.sys [26.10.2004 15:54 33510]
.
Contents of the 'Scheduled Tasks' folder

2009-06-19 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-23 20:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.startsiden.no/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 19:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\programfiler\HPQ\Default Settings\cpqset.exe??????\????m?n??|?????? ??4B??????????????hB??????\?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-19 19:20
ComboFix-quarantined-files.txt 2009-06-19 17:20
ComboFix2.txt 2009-06-19 14:05

Pre-Run: 15 841 255 424 bytes free
Post-Run: 15 829 716 992 bytes free

132 --- E O F --- 2009-06-11 01:03
snippsat (posted 20 June 2009):

Yes, I'm helping out since I see [the other helper] is offline. The ComboFix log looks good.

Download and run CCleaner. 'Options' -> 'Advanced'. Uncheck: "Only delete files in Windows Temp folders older than 48 hours". Run the registry cleaner, answer yes to repair, and yes to backup when asked. Run the registry cleaner a couple more times until all errors are gone.

Update AVG and run a scan. If it's fine, report back and then we'll wrap up.
SteinarN (thread author, posted 21 June 2009):

Thanks a thousand times for all the help! Have run CCleaner. It found 76 registry entries, which were deleted. Now waiting for AVG to finish scanning.
SteinarN (thread author, posted 21 June 2009):

AVG found 3 files in :\System Volume Information\_restore, etc. I assume those are System Restore files. All were Trojan Horse SHeur2.AMIT. They were deleted. Otherwise everything OK. I assume the PC is healthy now.
snippsat (posted 21 June 2009):

> AVG found 3 files in :\System Volume Information\_restore

The System Restore folders are also reset when ComboFix is removed. You can remove ComboFix by typing combofix /u in the Run dialog. This command deletes quarantined files and backups, resets the System Restore folder, etc.

Check whether your software is up to date with Secunia. Surf safely.
SteinarN (thread author, posted 21 June 2009):

I don't want the System Restore folder to be deleted. Does ComboFix have to be uninstalled, or is it possible to do it without deleting the System Restore points?

Ran Secunia. Looked fine on the whole. The only thing was that I got something like 5 old versions of Sun Java. It can't be possible that there are a bunch of active, older versions of this? Or? In any case I updated to the latest version via the link on Secunia, even though I may have had it already. After this I still get told there are 5 old, insecure versions. Downloaded Adobe Flash Player via the link on Secunia. Still get told there's an old, insecure version here too.