eirikJO Posted 30 June 2009

Avast gave me some messages about a Win32:Trojan-gen {Other} in the form of an rncsys32.exe file in the startup folder. Followed Norbat's "Guide: Help with getting malware removed".

Combofix:

ComboFix 09-06-29.07 - User 30.06.2009 22:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.47.1033.18.2047.1603 [GMT 2:00]
Kjører fra: c:\documents and settings\User\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090630-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
ADVARSEL -DENNE MASKINEN HAR IKKE GJENOPPRETTINGSKONSOLLEN INSTALLERT !!
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2009-05-28 til 2009-06-30 )))))))))))))))))))))))))))))))))
.
2009-06-30 20:08 . 2009-06-30 20:08 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-06-30 20:08 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 20:08 . 2009-06-30 20:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 20:08 . 2009-06-30 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-30 20:08 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-30 12:04 . 2009-06-30 12:05 -------- d-----w- c:\program files\AlterWind Log Analyzer Professional
2009-06-30 08:28 . 2009-06-30 08:32 -------- d-----w- C:\winxp
2009-06-30 08:21 . 2009-06-30 08:22 -------- d-----w- C:\exchange2003
2009-06-29 20:16 . 2001-08-08 00:39 49152 ----a-r- c:\windows\system32\pscVSWIA.dll
2009-06-29 20:16 . 2000-12-15 03:27 40960 ----a-r- c:\windows\system32\pscN104U.exe
2009-06-29 20:16 . 2001-08-10 05:42 339968 ----a-r- c:\windows\system32\pscU104U.dll
2009-06-29 20:16 . 2001-08-03 05:43 94208 ----a-r- c:\windows\system32\PSCL104U.dll
2009-06-28 20:47 . 2009-06-28 20:47 -------- d-----w- c:\documents and settings\User\.GalleryRemote
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 20:25 . 2008-12-26 16:54 -------- d-----w- c:\documents and settings\User\Application Data\VMware
2009-06-30 20:25 . 2008-12-26 16:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-06-30 20:25 . 2008-12-26 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-06-30 18:26 . 2008-12-29 08:41 -------- d-----w- c:\documents and settings\User2\Application Data\VMware
2009-06-30 10:03 . 2008-12-19 11:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-28 18:41 . 2009-03-09 09:38 -------- d-----w- c:\program files\Notepad++
2009-06-14 01:09 . 2008-12-19 14:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-13 01:04 . 2008-12-19 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-07 15:32 . 2008-04-14 03:41 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2008-04-14 03:42 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2008-04-14 03:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-20 15:38 . 2009-04-20 15:38 71632 ----a-w- c:\documents and settings\User2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 12:26 . 2008-04-13 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-14 03:42 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-01 21:41 . 2008-12-18 22:01 71632 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 72240]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 55856]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-09 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
Trusted 1fae

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\TunnelServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18.12.2008 23:41 114768]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [19.12.2008 11:38 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18.12.2008 23:41 20560]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [31.10.2008 23:22 33408]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [27.01.2009 13:48 10752]
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)
.
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.google.no/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: {6E718D87-6909-4FCE-92D4-EDCB2F725727} - hxxp://www.navigram.com/engine/v911/Navigram.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\k7mnqzyf.default\
FF - prefs.js: browser.startup.homepage - hxxp://twohundredsitups.com/complete.html|http://www.finn.no/finn/job/object?finnkode=16732746
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\myVRnpapi\npmyvr.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 22:37
Windows 5.1.2600 Service Pack 3 NTFS
skanner skjulte prosesser ...
skanner skjulte autostart-oppføringer ...
skanner skjulte filer ...
skanning vellykket
skjulte filer: 0
**************************************************************************
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------
- - - - - - - > 'explorer.exe'(3060)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Tidspunkt ferdig: 2009-06-30 22:38
ComboFix-quarantined-files.txt 2009-06-30 20:38
Pre-Run: 198 505 766 912 bytes free
Post-Run: 199 126 519 808 bytes free
136 --- E O F --- 2009-06-13 01:04

Malwarebytes log:

Malwarebytes' Anti-Malware 1.38
Database version: 2356
Windows 5.1.2600 Service Pack 3
30.06.2009 22:21:26
mbam-log-2009-06-30 (22-21-26).txt
Scan type: Quick Scan
Objects scanned: 119148
Time elapsed: 11 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\glaide32 (Rootkit.Rustok) -> Quarantined and deleted successfully.
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected:
c:\documents and settings\User\local settings\temp\~TM662.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv751243627542.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\User\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

Do I still have any spyware on my PC? Thanks in advance for the help.
norbat Posted 30 June 2009

The logs look fine. Are you still getting any messages from Avast? If not, uninstall ComboFix by typing combofix /u in the Run box (Start -> Run).
eirikJO (author) Posted 1 July 2009

No, I'm not getting any more messages from Avast. Thank you.