Lambern Posted 5 March 2010

I'm trying to help a friend fix their computer. It has been getting a lot of trojan warnings, and I have scanned with Malwarebytes and ComboFix. The computer was running F-Secure antivirus and Windows Defender. F-Secure found nothing, but Malwarebytes found about 8 trojans, which I deleted. I have now installed Avira AntiVir Personal, which found yet another trojan; I deleted that one too. I'm not sure whether the machine is now clean of malware and need help interpreting the logs from ComboFix and MBAM. I have also run a full scan with Malwarebytes... it took about 20 hours. I've also run CCleaner, if that matters... I appreciate any help.

ComboFix log:

ComboFix 10-03-03.07 - Siv Gina 05.03.2010 21:15:34.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.47.1044.18.2038.847 [GMT 1:00]
Kjører fra: c:\users\Siv Gina\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2010-02-05 til 2010-03-05 )))))))))))))))))))))))))))))))))
.
2010-03-05 20:22 . 2010-03-05 20:22 -------- d-----w- c:\users\Siv Gina\AppData\Local\temp
2010-03-05 20:22 . 2010-03-05 20:22 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-05 20:22 . 2010-03-05 20:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-05 19:59 . 2010-03-05 19:59 -------- d-----w- c:\program files\CCleaner
2010-03-05 18:08 . 2010-03-05 18:09 -------- d-----w- c:\windows\system32\ca-ES
2010-03-05 18:08 . 2010-03-05 18:09 -------- d-----w- c:\windows\system32\eu-ES
2010-03-05 18:08 . 2010-03-05 18:09 -------- d-----w- c:\windows\system32\vi-VN
2010-03-05 17:52 . 2010-03-05 17:52 -------- d-----w- c:\windows\system32\EventProviders
2010-03-05 17:35 . 2009-04-11 05:03 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2010-03-05 17:35 . 2009-04-11 06:28 1081344 ----a-w- c:\windows\system32\SLCExt.dll
2010-03-05 17:35 . 2009-04-11 06:27 3408896 ----a-w- c:\windows\system32\SLsvc.exe
2010-03-05 17:35 . 2009-04-11 06:28 2134528 ----a-w- c:\windows\system32\FunctionDiscoveryFolder.dll
2010-03-05 17:35 . 2009-04-11 06:27 65536 ----a-w- c:\windows\system32\DevicePairingWizard.exe
2010-03-05 17:35 . 2009-04-11 05:03 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2010-03-05 17:33 . 2009-04-11 06:28 747008 ----a-w- c:\windows\system32\WsmSvc.dll
2010-03-05 17:32 . 2009-04-11 06:28 16384 ----a-w- c:\windows\system32\msisip.dll
2010-03-05 17:31 . 2009-04-11 06:28 705536 ----a-w- c:\windows\system32\SmiEngine.dll
2010-03-05 17:31 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2010-03-05 17:31 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2010-03-05 17:30 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-03-05 16:54 . 2010-03-05 16:54 -------- d-----w- c:\users\Siv Gina\AppData\Local\Opera
2010-03-05 16:31 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-03-05 16:05 . 2010-03-05 16:05 -------- d-----w- C:\PerfLogs
2010-03-05 15:32 . 2010-03-05 15:32 -------- d-----w- c:\program files\Opera
2010-03-05 15:24 . 2010-03-05 15:24 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-03-05 15:13 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-05 15:13 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-03-05 15:12 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-03-05 15:11 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-03-05 15:11 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-03-05 15:11 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-03-05 15:11 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-03-05 15:11 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-03-05 15:11 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-03-05 15:11 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-03-05 15:11 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-03-05 15:11 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-03-05 13:50 . 2010-03-05 19:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-05 13:50 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-05 13:49 . 2010-03-05 13:49 -------- d-----w- c:\programdata\Avira
2010-03-05 13:49 . 2010-03-05 13:49 -------- d-----w- c:\program files\Avira
2010-03-04 15:06 . 2010-03-04 15:06 -------- d-----w- c:\users\Siv Gina\AppData\Roaming\Malwarebytes
2010-03-04 15:06 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-04 15:06 . 2010-03-04 15:06 -------- d-----w- c:\programdata\Malwarebytes
2010-03-04 15:06 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-04 15:06 . 2010-03-04 15:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-13 20:47 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-02-13 20:47 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-02-13 20:46 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-13 20:46 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-13 20:46 . 2009-12-08 20:01 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-13 20:46 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-13 20:40 . 2009-12-04 18:29 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-13 20:40 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-13 20:40 . 2009-12-04 18:28 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-13 20:40 . 2009-12-04 18:28 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-13 20:40 . 2009-12-04 18:28 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-13 20:40 . 2009-12-04 18:28 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-13 20:40 . 2009-12-04 18:28 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-13 20:39 . 2009-12-04 18:28 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-13 20:39 . 2009-12-04 18:27 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-13 20:39 . 2009-12-04 15:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-13 20:39 . 2009-12-04 15:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 19:54 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-03-05 18:21 . 2006-11-21 05:16 76478 ----a-w- c:\windows\system32\perfc014.dat
2010-03-05 18:21 . 2006-11-21 05:16 452334 ----a-w- c:\windows\system32\perfh014.dat
2010-03-05 18:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-03-05 18:10 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-05 18:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-05 18:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-05 18:09 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-05 18:08 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-05 18:07 . 2010-03-05 18:07 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-03-05 18:06 . 2010-03-05 18:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-03-05 15:51 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-03-05 15:50 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-03-05 15:24 . 2008-01-22 16:43 83288 ----a-w- c:\users\Siv Gina\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-05 13:44 . 2008-01-22 17:34 -------- d-----w- c:\program files\F-Secure
2010-03-05 13:40 . 2008-01-22 17:35 -------- d-----w- c:\programdata\F-Secure
2010-02-24 08:16 . 2009-10-03 16:07 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-13 20:23 . 2009-09-13 16:19 -------- d-----w- c:\users\Siv Gina\AppData\Roaming\Spotify
2010-01-02 06:38 . 2010-03-05 17:07 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-03-05 17:07 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-03-05 17:07 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-03-05 17:07 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-20 09:53 . 2009-12-20 09:53 234016 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2009-12-19 04:08 . 2009-12-19 04:08 614136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-17 14:56 . 2008-12-22 01:06 680 ----a-w- c:\users\Siv Gina\AppData\Local\d3d9caps.dat
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-18 4472832]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"NDSTray.exe"="NDSTray.exe" [bU]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-04-02 577536]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-05-23 509496]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-04-26 538744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-27 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-27 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-27 133912]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-10 413696]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-03-13 33048]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Skytel"="Skytel.exe" [2007-05-25 1826816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):49,42,ae,f9,8f,bc,ca,01

R0 iaNvStor;Intel® Turbo Memory Technology NAND Controller;c:\windows\System32\drivers\iaNvStor.sys [01.06.2007 12:51 210432]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [05.03.2010 14:50 108289]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17.11.2008 15:40 3668480]
R3 QIOMem;Generic IO & Memory Access;c:\windows\System32\drivers\QIOMem.sys [09.04.2007 15:13 8192]
S3 cmusbser;%CMUSBSER%;c:\windows\System32\drivers\cmusbser.sys [03.01.2009 17:47 87040]

--- Andre tjenester/drivere lastet i minnet ---

*NewlyCreated* - EMDMGMT
*NewlyCreated* - WERSVC
*NewlyCreated* - WSEARCH

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2010-03-05 c:\windows\Tasks\User_Feed_Synchronization-{8064116C-6F54-4844-A713-C8001FD73C21}.job
- c:\windows\system32\msfeedssync.exe [2010-03-05 04:56]
.
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.google.no/
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url2.pl?NO
IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home
.
- - - - TOMME PEKERE FJERNET - - - -

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 21:22
Windows 6.0.6002 Service Pack 2 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Tidspunkt ferdig: 2010-03-05 21:25:48
ComboFix-quarantined-files.txt 2010-03-05 20:25
ComboFix2.txt 2010-03-05 13:14

Pre-Run: 24 529 629 184 byte ledig
Post-Run: 24 409 563 136 byte ledig

- - End Of File - - C4A669D5836E237DD3E86C48A75B689D

MBAM log:

Malwarebytes' Anti-Malware 1.44
Databaseversjon: 3824

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

05.03.2010 21:38:29
mbam-log-2010-03-05 (21-38-29).txt

Skanntype: Rask Skann
Objekter skannet: 103899
Tid tilbakelagt: 6 minute(s), 16 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 0

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
(Ingen mistenkelige filer funnet)
norbat Posted 5 March 2010

The log looks fine.

Uninstall ComboFix by typing/pasting the following into the Search/Run box:

c:\users\Siv Gina\Downloads\ComboFix.exe /uninstall
raWrz Posted 5 March 2010 (edited)

is so slow today ...

Edited 5 March 2010 by Submit