
[Solved] Mbam and MSE found a trojan and spyware on the PC



I ran a full scan with Microsoft Security Essentials yesterday, and it found a trojan. I ran Malwarebytes today, and it found some spyware.

 

Does anyone know anything about these files? I see that the trojan was in two wallpapers I downloaded from www.ewallpapers.eu/ a long time ago. Is this site clearly unsafe, or is it just a false alarm from MSE? Mbam found something that possibly came from an online game or something?

 

Should I run ComboFix to be sure there is nothing left?

 

 

Malwarebytes' Anti-Malware 1.41

Databaseversjon: 3159

Windows 6.1.7600

 

13.11.2009 14:28:55

mbam-log-2009-11-13 (14-28-55).txt

 

Skanntype: Full Skann (C:\|E:\|)

Objekter skannet: 307069

Tid tilbakelagt: 1 hour(s), 9 minute(s), 43 second(s)

 

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 0

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 1

 

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

 

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

 

Registernøkler infisert:

(Ingen mistenkelige filer funnet)

 

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

 

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

 

Mapper infisert:

(Ingen mistenkelige filer funnet)

 

Filer infisert:

C:\Users\*****\AppData\Local\myVRmfcax\htmlayout.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.


I suspect a false positive too. I'm attaching the log in case you want to look through it. Thanks for the serious reply! :thumbup: Any idea what it was that Malwarebytes found?

 

 

 

 

DDS (Ver_09-10-26.01) - NTFSx86

Run by ****** at 15:59:31,48 on 13.11.2009

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Professional 6.1.7600.0.1252.47.1044.18.2047.1345 [GMT 1:00]

 

 

============== Running Processes ===============

 

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Opera\opera.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\Mathias\AppData\Local\Opera\Opera\temporary_downloads\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

 

============== Pseudo HJT Report ===============

 

uInternet Settings,ProxyOverride = *.local

BHO: Påloggingshjelp for Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

 

============= SERVICES / DRIVERS ===============

 

R1 vpcnfltr;Virtual PC Network Filter Driver;c:\windows\system32\drivers\vpcnfltr.sys [2009-10-5 55040]

R1 vpcvmm;Overvåking for virtuell maskin for Virtual PC;c:\windows\system32\drivers\vpcvmm.sys [2009-10-5 293904]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2007-4-25 32256]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42480]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]

R3 vpcbus;Busstjeneste for Virtual PC-vert;c:\windows\system32\drivers\vpchbus.sys [2009-10-5 165376]

R3 vpcusb;Koblingstjeneste for USB-virtualisering;c:\windows\system32\drivers\vpcusb.sys [2009-10-5 78336]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 StorSvc;Oppbevaringstjeneste;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]

 

=============== Created Last 30 ================

 

2009-11-04 23:27:50 0 d-----w- c:\windows\pss

2009-11-04 19:31:16 0 d-----w- c:\programdata\TVU Networks

2009-11-04 19:31:01 0 d-----w- c:\program files\TVUPlayer

2009-11-03 20:38:43 0 d-----w- c:\program files\iPod

2009-11-03 20:38:42 0 d-----w- c:\program files\iTunes

2009-11-02 19:54:50 0 d-----w- C:\286f85e057330c3332

2009-10-28 00:47:50 0 d-----w- c:\program files\Microsoft Security Essentials

2009-10-17 15:35:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf

2009-10-17 15:34:16 0 d-----w- c:\programdata\PC Suite

2009-10-17 15:33:49 0 d-----w- c:\program files\common files\PCSuite

2009-10-17 15:33:46 0 d-----w- c:\program files\common files\Nokia

2009-10-17 15:33:31 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys

2009-10-17 15:33:14 0 d-----w- c:\program files\PC Connectivity Solution

2009-10-17 15:32:54 91136 ----a-w- c:\windows\system32\nmwcdcls.dll

2009-10-17 15:32:54 0 d-----w- c:\program files\Nokia

2009-10-17 15:31:54 0 d-----w- c:\programdata\Installations

2009-10-16 21:49:37 0 d-----w- c:\program files\SystemRequirementsLab

2009-10-15 21:21:09 257024 ----a-w- c:\windows\system32\msv1_0.dll

2009-10-15 21:17:59 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2009-10-15 21:17:59 71168 ----a-w- c:\windows\system32\fontsub.dll

2009-10-15 21:17:59 507568 ----a-w- c:\windows\system32\winload.exe

2009-10-15 21:17:59 442920 ----a-w- c:\windows\system32\winresume.exe

2009-10-15 21:17:59 293888 ----a-w- c:\windows\system32\atmfd.dll

2009-10-15 21:17:59 2613248 ----a-w- c:\windows\explorer.exe

2009-10-15 21:17:59 1320960 ----a-w- c:\windows\system32\CertEnroll.dll

2009-10-15 21:17:59 108544 ----a-w- c:\windows\system32\t2embed.dll

2009-10-15 21:17:58 12625408 ----a-w- c:\windows\system32\wmploc.DLL

2009-10-15 21:17:56 34816 ----a-w- c:\windows\system32\msasn1.dll

 

==================== Find3M ====================

 

2009-11-05 18:07:06 74722 ----a-w- c:\windows\system32\perfc014.dat

2009-11-05 18:07:06 449756 ----a-w- c:\windows\system32\perfh014.dat

2009-11-02 19:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-05 17:37:32 36156 ----a-w- c:\windows\system32\perfd014.dat

2009-10-05 17:37:32 36156 ----a-w- c:\windows\inf\perflib414\perfd.dat

2009-10-05 17:37:32 36156 ----a-w- c:\windows\inf\perflib414\perfc.dat

2009-10-05 17:37:32 298300 ----a-w- c:\windows\system32\perfi014.dat

2009-10-05 17:37:32 298300 ----a-w- c:\windows\inf\perflib414\perfi.dat

2009-10-05 17:37:32 298300 ----a-w- c:\windows\inf\perflib414\perfh.dat

2009-10-05 14:31:50 1221632 ----a-w- c:\windows\system32\drivers\athr.sys

2009-10-02 09:56:14 31232 ----a-w- c:\windows\system32\maplec.dll

2009-10-02 09:56:14 212992 ----a-w- c:\windows\system32\WMIMPLEX.dll

2009-10-02 09:56:14 20480 ----a-w- c:\windows\system32\maplecompat.dll

2009-09-30 19:37:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf

2009-09-26 21:34:36 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-26 09:34:55 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-08-21 11:17:52 485920 ----a-w- c:\windows\system32\NVUNINST.EXE

2009-08-19 13:24:50 1194528 ----a-w- c:\windows\system32\nvcplui.exe

2009-08-19 13:24:18 143360 ----a-w- c:\windows\system32\nvshext.dll

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib409\perfd.dat

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib409\perfc.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib409\perfi.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib409\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

 

============= FINISH: 16:00:19,60 ===============

 

 


I have had it confirmed that the image files do not contain any form of malware. They do, however, contain an 'iframe' tag (which is common in infected files of the same type), and that is the reason the files are detected as infected. Feel free to report to MSE that it is a false positive so they can fix it in an update so that these files are no longer detected as malware.

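The reply above explains that the wallpapers were flagged because they carry an 'iframe' tag, not because they contain executable malware. The script below is an added triage example, not code from the thread or from any of the tools mentioned: it checks whether an image file contains an `<iframe` tag at all, and whether that tag sits after the image's end-of-image marker (appended data, which is the usual pattern in infected wallpapers). The sample JPEG and PNG bytes and the host name example.invalid are constructed for the demonstration; the output for a real file is only a hint for manual review, since a tag alone does not prove the file is malicious, as the thread itself shows.

```python
"""Triage helper: does an image file carry an embedded HTML <iframe> tag?

Added example for the forum thread above (not the thread's own code).
Sample bytes below are constructed; they are not real wallpapers.
"""
import re
import sys
from pathlib import Path
from typing import Optional

# Case-insensitive match for the opening of an iframe tag, as raw bytes.
IFRAME_RE = re.compile(rb"<\s*iframe\b", re.IGNORECASE)

# End-of-image markers for the formats wallpapers usually come in.
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xae\x42\x60\x82"   # IEND chunk type followed by its fixed CRC


def image_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the image's end marker, or None if unknown.

    For JPEG the *last* EOI is used, because embedded EXIF thumbnails carry
    their own EOI earlier in the file; appended HTML text will not contain
    the FF D9 byte pair, so the last occurrence is the real end of the image.
    """
    if data.startswith(JPEG_SOI):
        idx = data.rfind(JPEG_EOI)
        return None if idx < 0 else idx + len(JPEG_EOI)
    if data.startswith(PNG_SIG):
        idx = data.find(PNG_IEND)
        return None if idx < 0 else idx + len(PNG_IEND)
    return None


def analyse(data: bytes) -> dict:
    """Report iframe hits and whether any of them lie after the image data."""
    end = image_end_offset(data)
    hits = [m.start() for m in IFRAME_RE.finditer(data)]
    return {
        "format_known": end is not None,
        "trailing_bytes": None if end is None else len(data) - end,
        "iframe_offsets": hits,
        "iframe_after_image": end is not None and any(h >= end for h in hits),
    }


def analyse_file(path) -> dict:
    """Convenience wrapper for a path on disk."""
    return analyse(Path(path).read_bytes())


# Constructed samples: a minimal JPEG shell and the same file with an
# HTML fragment appended after the EOI marker.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + JPEG_EOI
TAGGED_JPEG = CLEAN_JPEG + b'<html><iframe src="http://example.invalid/"></iframe></html>'
TAGGED_PNG = PNG_SIG + b"\x00\x00\x00\x00" + PNG_IEND + b"<IFRAME src=example.invalid>"


if __name__ == "__main__":
    # With no arguments, run over the constructed samples; otherwise over files.
    if len(sys.argv) > 1:
        for name in sys.argv[1:]:
            print(name, analyse_file(name))
    else:
        for name, blob in (("clean.jpg", CLEAN_JPEG),
                           ("tagged.jpg", TAGGED_JPEG),
                           ("tagged.png", TAGGED_PNG)):
            print(name, analyse(blob))
```

A hit with `iframe_after_image` true and a non-zero `trailing_bytes` is the case the thread describes: image data that a viewer renders normally, followed by HTML that a scanner's signature keys on. Submitting such a sample to the vendor as a false positive, as the reply suggests, is the right next step when the trailing HTML is harmless.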
