Poster utskilt fra veiledningestråden

10. mai 2007

Glem det

Endret 10. mai 2007 av medlem-105082

mona14 · 10. mai 2007

Logg fra ComboFix;

Klikk for å se/fjerne innholdet nedenfor

"monapona" - 2007-05-11 0:00:55 Service Pack 2

ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\monapona\Skrivebord\"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\jkkjg.dll

C:\WINDOWS\system32\owwgnglr.dll

C:\WINDOWS\system32\gjkkj.ini

C:\WINDOWS\system32\ijllm.bak1

C:\WINDOWS\system32\ijllm.ini2

C:\WINDOWS\system32\ijllm.tmp

C:\WINDOWS\system32\rlgngwwo.ini

C:\WINDOWS\system32\mllji.dll

C:\WINDOWS\system32\ddcddaa.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 ))))))))))))))))))))))))))))))))))

2007-05-10 23:58 <DIR> dr-h----- C:\DOCUME~1\monapona\Siste

2007-05-10 23:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Yahoo! Companion

2007-05-10 23:41 <DIR> d-------- C:\Programfiler\Yahoo!

2007-05-10 23:41 <DIR> d-------- C:\Programfiler\CCleaner

2007-05-10 07:24 604,102 ---hs---- C:\WINDOWS\system32\klnmp.bak1

2007-05-09 19:15 598,077 ---hs---- C:\WINDOWS\system32\klnmp.ini2

2007-05-09 07:24 592,516 ---hs---- C:\WINDOWS\system32\klnmp.bak2

2007-05-08 21:49 595,074 ---hs---- C:\WINDOWS\system32\dgjlm.ini2

2007-05-08 21:00 596,530 ---hs---- C:\WINDOWS\system32\dgjlm.bak2

2007-05-07 21:00 591,723 ---hs---- C:\WINDOWS\system32\dgjlm.bak1

2007-05-07 01:48 592,977 ---hs---- C:\WINDOWS\system32\mlnmp.ini2

2007-05-07 00:40 212 --a------ C:\delete.bat

2007-05-07 00:10 593,625 ---hs---- C:\WINDOWS\system32\mlnmp.bak1

2007-05-06 23:29 586,586 ---hs---- C:\WINDOWS\system32\qqtwa.ini2

2007-05-06 22:50 587,976 ---hs---- C:\WINDOWS\system32\qqtwa.bak1

2007-05-06 22:41 22,313 --a------ C:\Programfiler\serial.dat

2007-05-05 15:48 31,277 --a------ C:\WINDOWS\dr.exe

2007-04-27 20:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SUPERAntiSpyware.com

2007-04-27 16:45 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2007-04-27 16:45 <DIR> d-------- C:\DOCUME~1\monapona\PROGRA~1\SUPERAntiSpyware.com

2007-04-27 16:43 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2007-04-27 00:09 <DIR> d-------- C:\NoLopBackups

2007-04-26 00:14 <DIR> d-------- C:\DOCUME~1\monapona\PROGRA~1\Opera

2007-04-26 00:11 <DIR> d-------- C:\Programfiler\Opera

2007-04-25 23:15 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2007-04-12 22:26 <DIR> d-------- C:\Programfiler\LimeWire

2007-04-11 22:52 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys

2007-04-11 22:52 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys

2007-04-11 22:52 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS

2007-04-11 22:52 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys

2007-04-11 22:52 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys

2007-04-11 22:52 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys

2007-04-11 22:52 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys

2007-04-11 22:51 91,577 --a------ C:\WINDOWS\system32\drivers\P0620Vid.sys

2007-04-11 22:51 81,920 --a------ C:\WINDOWS\CtDrvIns.exe

2007-04-11 22:51 69,632 --a------ C:\WINDOWS\system32\p0620sti.dll

2007-04-11 22:51 65,536 --a------ C:\WINDOWS\system32\CtCamMgr.dll

2007-04-11 22:51 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll

2007-04-11 22:51 40,960 --a------ C:\WINDOWS\system32\P0620Hwx.dll

2007-04-11 22:51 32,768 --a------ C:\WINDOWS\system32\P0620Pin.dll

2007-04-11 22:51 20,480 --a------ C:\WINDOWS\system32\P0620Srv.exe

2007-04-11 22:51 20,480 --a------ C:\WINDOWS\P0620Cfg.exe

2007-04-11 22:51 126,976 --a------ C:\WINDOWS\system32\P0620Vfw.dll

2007-04-11 22:51 <DIR> d-------- C:\WCamInst

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-10 20:08:12 -------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared

2007-04-17 21:33:00 -------- d-----w C:\Programfiler\MSN Messenger

2007-04-10 15:16:15 -------- d-----w C:\Programfiler\Windows Media Connect 2

2007-04-10 15:14:38 -------- d-----w C:\Programfiler\Skype

2007-04-10 15:14:20 -------- d-----w C:\DOCUME~1\monapona\PROGRA~1\Skype

2007-04-10 08:47:40 -------- d-----w C:\DOCUME~1\monapona\PROGRA~1\Screenshot Sender

2007-04-07 23:11:28 -------- d-----w C:\Programfiler\Picasa2

2007-04-03 02:35:27 -------- d-----w C:\Programfiler\Norton Internet Security

2007-04-02 20:05:04 -------- d-----w C:\Programfiler\hopecreativesecond

2007-04-02 20:04:39 -------- d-----w C:\Programfiler\Messenger Plus! Live

2007-03-28 19:54:05 71,104 ----a-w C:\WINDOWS\system32\perfc014.dat

2007-03-28 19:54:05 405,492 ----a-w C:\WINDOWS\system32\perfh014.dat

2007-03-17 13:45:38 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-14 08:51:05 -------- d-----w C:\Programfiler\Dell_HostCD

2007-03-11 20:46:18 -------- d-----w C:\DOCUME~1\monapona\PROGRA~1\AdobeUM

2007-03-11 20:16:09 -------- d-----w C:\DOCUME~1\monapona\PROGRA~1\Starware349

2007-03-11 01:13:55 69,698 ----a-w C:\WINDOWS\distro_uPlayMe_stub_973387.exe

2007-03-11 00:17:28 -------- d-----w C:\Programfiler\Starware349

2007-03-08 15:39:11 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:39:11 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:39:11 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 15:38:06 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

2007-03-07 02:01:05 -------- d-----w C:\Programfiler\MSXML 4.0

2007-03-06 23:24:29 -------- d-----w C:\DOCUME~1\monapona\PROGRA~1\Teleca

2007-03-06 23:16:58 -------- d-----w C:\Programfiler\Fellesfiler\Teleca Shared

2007-03-06 23:16:03 -------- d-----w C:\Programfiler\Sony Ericsson

2007-03-06 21:09:55 -------- d-----w C:\DOCUME~1\monapona\PROGRA~1\AdobeAUM

2007-02-05 20:19:38 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"="C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll"

"{1E8A6170-7264-4D0F-BEAE-D42A53123C75}"="C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.0\NppBho.dll"

"{2F85D76C-0569-466F-A488-493E6BD0E955}"="C:\Programfiler\Windows Desktop Search\dsWebAllow.dll"

"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll"

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll"

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"="C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"

"{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\programfiler\google\googletoolbar3.dll"

"{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"="C:\Programfiler\MSN Toolbar Suite\msntb.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"ATIPTA"="\"C:\\Programfiler\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""

"RTHDCPL"="RTHDCPL.EXE"

"SkyTel"="SkyTel.EXE"

"AGRSMMSG"="AGRSMMSG.exe"

"SynTPEnh"="C:\\Programfiler\\Synaptics\\SynTP\\SynTPEnh.exe"

"Toshiba Hotkey Utility"="\"C:\\Programfiler\\Toshiba\\Windows Utilities\\Hotkey.exe\" /lang NO"

"TPSMain"="TPSMain.exe"

"NDSTray.exe"="NDSTray.exe"

"SmoothView"="C:\\Programfiler\\TOSHIBA\\TOSHIBA zoom\\SmoothView.exe"

"PadTouch"="C:\\Programfiler\\TOSHIBA\\Touch and Launch\\PadExe.exe"

"DDWMon"="C:\\Programfiler\\TOSHIBA\\TOSHIBA Direct Disc Writer\\\\ddwmon.exe"

"ccApp"="\"C:\\Programfiler\\Fellesfiler\\Symantec Shared\\ccApp.exe\""

"osCheck"="\"C:\\Programfiler\\Norton Internet Security\\osCheck.exe\""

"SunJavaUpdateSched"="C:\\Programfiler\\Java\\jre1.5.0_07\\bin\\jusched.exe"

"Adobe Photo Downloader"="\"C:\\Programfiler\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

"Sony Ericsson PC Suite"="\"C:\\Programfiler\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"TOSCDSPD"="C:\\Programfiler\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"

"swg"="C:\\Programfiler\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

"SUPERAntiSpyware"="C:\\Programfiler\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

"msnmsgr"="\"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll"

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages msv1_0\0\0

Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages scecli\0\0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter HTTPFilter\0\0

LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService DnsCache\0\0

DcomLaunch DcomLaunch\0TermService\0\0

rpcss RpcSs\0\0

imgsvc StiSvc\0\0

termsvcs TermService\0\0

WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\At1.job

C:\WINDOWS\tasks\At2.job

C:\WINDOWS\tasks\At3.job

C:\WINDOWS\tasks\At4.job

C:\WINDOWS\tasks\At5.job

C:\WINDOWS\tasks\At6.job

C:\WINDOWS\tasks\Norton Internet Security - Kj›r fullstendig systems›k - monapona.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-11 00:09:03

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

********************************************************************

Completion time: 2007-05-11 0:14:06 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-05-11 00:14

norbat · 11. mai 2007

mona14:

Hent VBG, legg det på skrivebordet.

Lukk alle andre programmer, dobbeltklikk på VirtumundoBeGone.exe på skrivebordet,

klikk på Continue, klikk på Start.

Klikk på Yes for at kjøre fixet.

Klikk så på 'Save log'.

Det kan skje at fixet avslutter med "BSOD"(blå skjerm og frosset PC). Ta bare å restart (bruk evt. av/på-knappen på pc'n).

På skrivebordet vil det komme en tekstfil som heter VBG.TXT

Kjør deretter på ny Combofix.

Post begge loggene.

mona14 · 11. mai 2007

VBG;

Klikk for å se/fjerne innholdet nedenfor

[05/11/2007, 22:37:31] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\monapona\Skrivebord\VirtumundoBeGone.exe" )

[05/11/2007, 22:37:35] - Detected System Information:

[05/11/2007, 22:37:35] - Windows Version: 5.1.2600, Service Pack 2

[05/11/2007, 22:37:36] - Current Username: monapona (Admin)

[05/11/2007, 22:37:36] - Windows is in NORMAL mode.

[05/11/2007, 22:37:36] - Searching for Browser Helper Objects:

[05/11/2007, 22:37:36] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)

[05/11/2007, 22:37:36] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)

[05/11/2007, 22:37:36] - BHO 3: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()