Beges, posted 10 December 2009 (edited)
I've run a scan with MBAM; it found 10 files, which I deleted. csrss.exe is still running in the process list. Log:

Malwarebytes' Anti-Malware 1.42
Databaseversjon: 3340
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10.12.2009 20:52:35
mbam-log-2009-12-10 (20-52-32).txt

Skanntype: Rask Skann
Objekter skannet: 123261
Tid tilbakelagt: 5 minute(s), 28 second(s)

Minneprosesser infisert: 1
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 1
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 8

Minneprosesser infisert:
C:\Users\Andreas\.COMMgr\complmgr.exe (Trojan.Scar) -> No action taken.

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com+ manager (Trojan.Scar) -> No action taken.

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\Users\Andreas\.COMMgr\complmgr.exe (Trojan.Scar) -> No action taken.
C:\Users\Andreas\AppData\Local\Temp\mwosnrcaxe.exe (Trojan.Scar) -> No action taken.
C:\Users\Andreas\AppData\Local\Temp\oewmsnrxac.exe (Trojan.FakeAlert) -> No action taken.
C:\Users\Andreas\AppData\Local\Temp\tmp_1443271443.exe (Trojan.Scar) -> No action taken.
C:\Users\Andreas\AppData\Local\Temp\tmp_148986792.exe (Trojan.Scar) -> No action taken.
C:\Users\Andreas\AppData\Local\Temp\tmp_938566154.exe (Trojan.Scar) -> No action taken.
C:\Users\Andreas\AppData\Local\Temp\cxrmaensow.exe (Trojan.Dropper) -> No action taken.
C:\Users\Andreas\AppData\Local\Temp\Setup.tmp (Adware.Agent) -> No action taken.

I haven't run ComboFix yet. I get this message when I start the program:

Should I run the program anyway? I also have 7 files sitting in quarantine in NOD32 - should I leave them, or delete them from the quarantine?
Hope some kind people out there can help me once again!
Edited 10 December 2009 by Beges
norbat, posted 10 December 2009 (edited)
Use dds.scr instead of ComboFix.
Edited 10 December 2009 by norbat
Beges, posted 10 December 2009 (thread author)
Thanks for the help. DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Andreas at 21:46:15,14 on 10.12.2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.47.1033.18.2046.1049 [GMT 1:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Andreas\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [steam] "d:\program files\steam\steam.exe" -silent
uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [DevconDefaultDB] c:\windows\system32\READREG /SILENT /FAIL=1
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\andreas\appdata\roaming\mozilla\firefox\profiles\d0bjnm54.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.erepublik.com/en/region/Trondelag
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-14 176128]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-9-11 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-9-11 95896]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-22 1153368]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2009-11-8 23288]

=============== Created Last 30 ================

2009-12-10 19:43:13 0 d-----w- c:\users\andreas\appdata\roaming\Malwarebytes
2009-12-10 19:43:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-10 19:43:06 0 d-----w- c:\programdata\Malwarebytes
2009-12-10 19:43:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-10 19:43:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 01:15:27 0 d-sh--w- c:\users\andreas\.COMMgr
2009-12-08 00:14:42 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-08 00:14:00 0 d-----w- c:\users\andreas\appdata\roaming\DAEMON Tools Lite
2009-12-08 00:13:57 0 d-----w- c:\programdata\DAEMON Tools Lite
2009-12-07 22:52:32 0 d--h--w- c:\program files\Zero G Registry
2009-12-07 22:52:29 0 d--h--w- c:\users\andreas\InstallAnywhere
2009-11-25 19:01:24 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-20 20:58:11 178176 ----a-w- c:\windows\system32\unrar.dll
2009-11-20 14:41:48 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-11-20 14:41:48 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-11-20 07:46:43 336704 ----a-w- c:\windows\system32\perfi019.dat
2009-11-20 07:46:42 675698 ----a-w- c:\windows\system32\perfh019.dat
2009-11-20 07:46:42 39446 ----a-w- c:\windows\system32\perfd019.dat
2009-11-20 07:46:42 133474 ----a-w- c:\windows\system32\perfc019.dat
2009-11-20 07:45:57 0 d-----w- c:\windows\system32\drivers\ru-RU
2009-11-20 07:45:53 0 d-----w- c:\windows\system32\ru
2009-11-20 07:45:52 0 d-----w- c:\windows\system32\wbem\ru-RU
2009-11-20 07:45:37 0 d-----w- c:\windows\ru-RU

==================== Find3M ====================

2009-12-10 11:44:06 78250 ----a-w- c:\windows\system32\perfc014.dat
2009-12-10 11:44:06 456276 ----a-w- c:\windows\system32\perfh014.dat
2009-11-20 07:45:28 39446 ----a-w- c:\windows\inf\perflib419\perfd.dat
2009-11-20 07:45:28 39446 ----a-w- c:\windows\inf\perflib419\perfc.dat
2009-11-20 07:45:28 336704 ----a-w- c:\windows\inf\perflib419\perfi.dat
2009-11-20 07:45:28 336704 ----a-w- c:\windows\inf\perflib419\perfh.dat
2009-11-09 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-08 15:43:57 2892 ----a-w- c:\windows\system32\audcon.sys
2009-11-06 09:59:54 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 09:59:54 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-02 19:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-02 17:05:36 167064 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-02 17:05:34 71832 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-10-23 17:18:30 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-22 23:15:47 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-10-22 15:51:08 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-22 15:51:08 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-22 14:40:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-10-22 05:58:03 36156 ----a-w- c:\windows\system32\perfd014.dat
2009-10-22 05:58:03 36156 ----a-w- c:\windows\inf\perflib414\perfd.dat
2009-10-22 05:58:03 36156 ----a-w- c:\windows\inf\perflib414\perfc.dat
2009-10-22 05:58:03 298300 ----a-w- c:\windows\system32\perfi014.dat
2009-10-22 05:58:03 298300 ----a-w- c:\windows\inf\perflib414\perfi.dat
2009-10-22 05:58:03 298300 ----a-w- c:\windows\inf\perflib414\perfh.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 21:46:43,77 ===============
norbat, posted 10 December 2009 (edited)
Delete the folder: c:\users\andreas\.COMMgr (it is a hidden folder, so turn on the option to show hidden files and folders). Beyond that there isn't much to point a finger at in the log.
Edited 10 December 2009 by norbat
Beges, posted 10 December 2009 (thread author, edited)
So csrss.exe is supposed to keep running in the process list, then?
EDIT: I can't see the folder c:\users\andreas\.COMMgr, even though I'm showing hidden folders and files... Do you have any tips?
Edited 10 December 2009 by Beges
norbat, posted 10 December 2009
csrss.exe is a Windows file, so leave it alone. Regarding the hidden folder: make sure you also show protected operating system files.
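As an added example (not from the thread, and not part of MBAM, DDS or any other tool mentioned in it), the following read-only PowerShell script checks the four things the logs and replies above turn on: the Run-key autostart MBAM flagged, a directory with the Hidden+System attribute combination that DDS showed as d-sh--w- (the combination Explorer only reveals when "protected operating system files" are shown, which is why the folder stayed invisible), the path csrss.exe is actually running from, and executables in the user's Temp folder. It assumes Windows 7 or later with PowerShell 3.0 or later, run from an elevated prompt in the affected user's session; the variable names are the example's own.

```powershell
# Added example, not part of the thread or of MBAM/DDS: read-only triage of the
# findings discussed above. Assumptions: Windows 7 or later, PowerShell 3.0 or
# later, run from an elevated prompt in the affected user's session (the path of
# csrss.exe is only readable when elevated). Nothing here deletes or changes anything.

$profileRoot   = $env:USERPROFILE
$hiddenFlag    = [int][IO.FileAttributes]::Hidden        # 2
$systemFlag    = [int][IO.FileAttributes]::System        # 4
$reparseFlag   = [int][IO.FileAttributes]::ReparsePoint  # 1024 (junctions)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Run-key autostarts. MBAM flagged HKCU\...\Run\"com+ manager", which launched
#    c:\users\andreas\.COMMgr\complmgr.exe. Any autostart whose command lives inside
#    the user profile or a Temp folder deserves a second look.
"== Run-key entries launching from the user profile or a Temp folder =="
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }   # skip provider metadata
        $command = [string]$prop.Value
        if ($command -match [regex]::Escape($profileRoot) -or $command -match '\\Temp\\') {
            "{0}\{1} = {2}" -f $key, $prop.Name, $command
        }
    }
}

# 2. Directories flagged Hidden+System ("protected operating system files" in Explorer).
#    DDS listed c:\users\andreas\.COMMgr as d-sh--w-, exactly this combination, which is
#    why "show hidden files" alone did not reveal it. Windows 7's compatibility junctions
#    (Application Data, Local Settings, ...) carry the same attributes plus ReparsePoint,
#    so they are excluded.
"== Hidden+System directories directly under $profileRoot =="
Get-ChildItem -Path $profileRoot -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $attrs = [int]$_.Attributes
        $_.PSIsContainer -and ($attrs -band $hiddenFlag) -and ($attrs -band $systemFlag) -and
            -not ($attrs -band $reparseFlag)
    } |
    ForEach-Object { "{0}  [{1}]  created {2}" -f $_.FullName, $_.Attributes, $_.CreationTime }

# 3. csrss.exe. It is a Windows component (norbat's point) and the genuine one runs from
#    %SystemRoot%\System32. Report every instance with its path so a copy running from
#    anywhere else stands out. On older Windows, catalog-signed system files may show
#    Status NotSigned here, so the path comparison is the deciding check.
"== csrss.exe instances (expected path: $env:SystemRoot\System32\csrss.exe) =="
$expectedCsrss = Join-Path $env:SystemRoot 'System32\csrss.exe'
foreach ($proc in Get-WmiObject -Class Win32_Process -Filter "Name = 'csrss.exe'") {
    $path = $proc.ExecutablePath                       # $null when not elevated
    if (-not $path) { "PID {0}: path not readable (run elevated)" -f $proc.ProcessId; continue }
    $sig     = Get-AuthenticodeSignature -FilePath $path
    $verdict = if ($path -ieq $expectedCsrss) { 'expected location' } else { 'UNEXPECTED LOCATION' }
    "PID {0}: {1}  signature={2}  -> {3}" -f $proc.ProcessId, $path, $sig.Status, $verdict
}

# 4. Executables in the user's Temp folder. Seven of the eight files MBAM flagged sat in
#    AppData\Local\Temp; list what is there now, newest first.
"== Executables in $env:TEMP, newest first =="
Get-ChildItem -Path $env:TEMP -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 |
    ForEach-Object { "{0}  {1,10} bytes  {2}" -f $_.LastWriteTime, $_.Length, $_.Name }
```

Save it as a .ps1 file and run it from an elevated PowerShell prompt (the execution policy may need to allow local scripts). The script only reports: once the hidden directory and the Run-key entry are confirmed, removing them is still the manual step norbat describes, and the csrss.exe check is there to show why a system process of that name is expected rather than something to remove.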
Beges, posted 10 December 2009 (thread author)
Super! Thanks a lot for the help. Very kind!