Programvare, posted 27 April 2010 (edited)

Hi! It looks like I've picked up some junk on my laptop one way or another. I've done antivirus and removal work before, but I notice I've lost my touch a bit. I tried updating and running mbam several times, but the crap just comes straight back after the reboot. I've heard Combofix isn't good for Windows 7, so I haven't dared to use it. I also tried booting into safe mode and removing the junk that auto-started in autoruns, to no avail. When I look through the processes I see some that keep recurring: bqqk.exe, w.exe, wuaucldt.exe, plus a registry value called syncman and one called vaxvsj. I'm running Windows 7 x86.

mbam log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4043

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

28.04.2010 02:00:52
mbam-log-2010-04-28 (02-00-52).txt

Scan type: Quick scan
Objects scanned: 104875
Time elapsed: 9 minute(s), 24 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\Windows\Temp\bqqk.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\Windows\Temp\bqqk.exe (Backdoor.Bot) -> Unloaded process successfully.
c:\Windows\System32\wuaucldt.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syncman (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhnn (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syncman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\wuaucldt.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Windows\Temp\bqqk.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\Temp\VRT13AE.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\wuaucldt.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HJT log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:46:42, on 28.04.2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\MDM.EXE
C:\Program Files\Pidgin\pidgin.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Opera\opera.exe
C:\Users\Chris\AppData\Local\Opera\Opera\temporary_downloads\HiJackThis.exe
C:\Windows\system32\msconfig.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ClueIEAddin - {c14aa221-bae1-45f6-b0b3-90c23f2daa7d} - C:\Clue\adxloader.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotkeyService] AsusSender.exe C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
O4 - HKLM\..\Run: [HotKeyMon] AsusSender.exe C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
O4 - HKLM\..\Run: [synAsusAcpi] %ProgramFiles%\Synaptics\SynTP\SynAsusAcpi.exe
O4 - HKLM\..\Run: [sgtvzy] RUNDLL32.EXE C:\Windows\system32\mskwivhb.dll,w
O4 - HKLM\..\Run: [bqfjns] RUNDLL32.EXE C:\Windows\system32\msghfrmi.dll,w
O4 - HKLM\..\Policies\Explorer\Run: [u5gl] C:\Windows\TEMP\rfki.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O23 - Service: Asus Launcher Service (AsusService) - Unknown owner - C:\Windows\System32\AsusService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 3453 bytes

DDS log

DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 23:53:58,18 on 28.04.2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.47.1033.18.1015.433 [GMT 2:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\System32\AsusService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\MDM.EXE
C:\Windows\TEMP\rfki.exe
C:\Windows\TEMP\rfki.exe
C:\Windows\system32\Rundll32.exe
C:\Windows\system32\Rundll32.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Opera\opera.exe
C:\Windows\system32\AUDIODG.EXE
C:\Users\Chris\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Påloggingshjelp for Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ClueIEAddin: {c14aa221-bae1-45f6-b0b3-90c23f2daa7d} - c:\clue\adxloader.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [HotkeyService] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotkeyService.exe
mRun: [HotKeyMon] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotKeyMon.exe
mRun: [synAsusAcpi] %ProgramFiles%\Synaptics\SynTP\SynAsusAcpi.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

============= SERVICES / DRIVERS ===============

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AsusService;Asus Launcher Service;c:\windows\system32\AsusService.exe [2010-3-28 227840]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-26 303952]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-26 20824]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2009-6-10 50688]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-4-20 27192]

=============== Created Last 30 ================

2010-04-28 13:44:41    36865   ----a-w-  c:\windows\system32\msghfrmi.dll
2010-04-28 13:43:50    36865   ----a-w-  c:\windows\system32\mskwivhb.dll
2010-04-28 13:43:39    83968   ----a-w-  c:\windows\system32\w.exe
2010-04-28 13:43:39    44544   ----a-w-  c:\windows\system32\ms.bin
2010-04-28 13:43:39    36864   ----a-w-  c:\windows\system32\d.bin
2010-04-28 13:43:39    34304   ----a-w-  c:\windows\system32\so.bin
2010-04-28 09:26:52    0       d-----w-  c:\users\chris\appdata\roaming\Clue
2010-04-28 09:26:52    0       d-----w-  C:\Clue
2010-04-28 08:39:06    99176   ----a-w-  c:\windows\system32\PresentationHostProxy.dll
2010-04-28 08:39:06    49472   ----a-w-  c:\windows\system32\netfxperf.dll
2010-04-28 08:39:06    295264  ----a-w-  c:\windows\system32\PresentationHost.exe
2010-04-28 08:39:04    297808  ----a-w-  c:\windows\system32\mscoree.dll
2010-04-28 08:39:04    1130824 ----a-w-  c:\windows\system32\dfshim.dll
2010-04-28 08:19:51    0       d-----w-  c:\windows\system32\DotNetFx35ClientSetup
2010-04-27 23:38:48    36865   ----a-w-  c:\windows\system32\msfwbiul.dll
2010-04-27 23:05:21    670072  ----a-w-  C:\autoruns.exe
2010-04-27 22:49:30    0       d-----w-  c:\program files\CCleaner
2010-04-27 12:33:04    0       d-sh--w-  c:\windows\system32\%APPDATA%
2010-04-26 21:25:42    0       d-----w-  c:\users\chris\appdata\roaming\Malwarebytes
2010-04-26 21:25:30    38224   ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-26 21:25:27    20824   ----a-w-  c:\windows\system32\drivers\mbam.sys
2010-04-26 21:25:27    0       d-----w-  c:\programdata\Malwarebytes
2010-04-26 21:25:27    0       d-----w-  c:\program files\Malwarebytes' Anti-Malware
2010-04-26 20:52:25    0       d-----w-  c:\programdata\FLEXnet
2010-04-26 20:51:49    0       d-----w-  c:\users\chris\AdobeLicensingFilesBackup
2010-04-26 18:27:17    218     ----a-w-  c:\users\chris\.recently-used.xbel
2010-04-20 09:02:55    27192   ----a-w-  c:\windows\system32\drivers\revoflt.sys
2010-04-20 09:02:50    0       d-----w-  c:\program files\VS Revo Group
2010-04-18 15:53:03    0       d-----w-  c:\program files\Microsoft
2010-04-18 15:52:22    0       d-----w-  c:\windows\PCHEALTH
2010-04-18 15:49:49    0       d-----w-  c:\program files\common files\Windows Live
2010-04-16 06:20:01    0       d-----w-  C:\PFiles
2010-04-15 14:01:27    0       d-----w-  C:\lol
2010-04-14 10:25:26    0       d-----w-  c:\programdata\Ultralingua7
2010-04-14 10:24:59    0       d-----w-  c:\program files\Ultralingua
2010-04-13 11:11:52    0       d-----w-  c:\windows\system32\BestPractices
2010-04-13 10:18:20    0       d-----w-  c:\program files\Snapshot Viewer
2010-04-13 10:17:01    0       d-----w-  c:\program files\Fellesfiler
2010-04-13 10:17:00    0       d-----w-  c:\users\chris\Programdata
2010-04-13 10:17:00    0       d-----w-  c:\users\chris\Lokale innstillinger
2010-04-13 10:16:42    0       d-----w-  c:\programdata\Symantec
2010-04-12 21:55:36    65536   --sha-w-  c:\users\chris\ntuser.dat{1e4c32b7-467b-11df-a761-8435334c7734}.TM.blf
2010-04-12 21:55:36    524288  --sha-w-  c:\users\chris\ntuser.dat{1e4c32b7-467b-11df-a761-8435334c7734}.TMContainer00000000000000000002.regtrans-ms
2010-04-12 21:55:36    524288  --sha-w-  c:\users\chris\ntuser.dat{1e4c32b7-467b-11df-a761-8435334c7734}.TMContainer00000000000000000001.regtrans-ms
2010-04-11 10:24:36    0       d-----w-  c:\program files\Age Of Empires 2 & The Conquerors Expansion - Full Game
2010-04-08 07:59:52    0       d-----w-  c:\programdata\Adobe
2010-04-08 07:50:56    0       d-----w-  c:\program files\common files\Macrovision Shared
2010-04-06 09:19:43    0       d-----w-  C:\inetpub
2010-04-03 01:36:07    53248   ----a-w-  c:\windows\system32\vp7dec_settings.cpl
2010-04-03 01:36:06    630784  ----a-w-  c:\windows\system32\vp7vfw.dll
2010-04-03 01:36:06    237568  ----a-w-  c:\windows\system32\vp7dec.ax

==================== Find3M ====================

2010-04-28 08:50:11    527564  ----a-w-  c:\windows\system32\perfh014.dat
2010-04-28 08:50:11    103294  ----a-w-  c:\windows\system32\perfc014.dat
2010-03-28 20:21:37    0       ---ha-w-  c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2010-03-28 19:55:34    36156   ----a-w-  c:\windows\system32\perfd014.dat
2010-03-28 19:55:34    36156   ----a-w-  c:\windows\inf\perflib\0414\perfd.dat
2010-03-28 19:55:34    36156   ----a-w-  c:\windows\inf\perflib\0414\perfc.dat
2010-03-28 19:55:34    298300  ----a-w-  c:\windows\system32\perfi014.dat
2010-03-28 19:55:34    298300  ----a-w-  c:\windows\inf\perflib\0414\perfi.dat
2010-03-28 19:55:34    298300  ----a-w-  c:\windows\inf\perflib\0414\perfh.dat
2010-03-28 19:35:51    411368  ----a-w-  c:\windows\system32\deploytk.dll
2010-03-28 19:15:02    0       ---ha-w-  c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-03-18 14:47:22    17760   ----a-w-  c:\windows\system32\aspnet_counters.dll
2010-03-18 11:16:28    771424  ----a-w-  c:\windows\system32\msvcr100_clr0400.dll
2009-07-14 04:56:42    31548   ----a-w-  c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42    31548   ----a-w-  c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42    291294  ----a-w-  c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42    291294  ----a-w-  c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57    174     --sha-w-  c:\program files\desktop.ini
2009-07-14 00:34:40    291294  ----a-w-  c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40    291294  ----a-w-  c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38    31548   ----a-w-  c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38    31548   ----a-w-  c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35    9633792 --sha-r-  c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45    396800  --sha-w-  c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 23:55:19,99 ===============

According to DDS I should add attach.txt as an attachment to my post, so I, umm, just did that here.

Attach.txt

Thanks, thanks. I think I managed to wash away everything after many rounds with various antimalware, anti-rootkit tools and so on. By the way, I used MSE, which I was very sceptical of, but it managed to clean just about everything. I'm marking the thread as solved, since I figured it out.

Edited 29 April 2010 by Programvare
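The HJT and DDS logs above contain the persistence the poster was fighting: two HKLM Run values that call RUNDLL32 on DLLs with random names dropped into system32 minutes before the scan (mskwivhb.dll, msghfrmi.dll), a Policies\Explorer\Run value pointing at C:\Windows\TEMP\rfki.exe, and an mPolicies-system block with EnableLUA = 0, meaning UAC was switched off, so if the account is an administrator every process it starts already holds the full token. The script below is an added example, not code from the thread or from HijackThis, DDS or Malwarebytes. It parses O4 and mPolicies-system lines in their log format and scores each autorun with heuristics of my own (Policies\Explorer\Run key, image under a Temp directory, rundll32 on a DLL with a random-looking name, random-looking value name). The sample lines are copied from the logs above; the scoring weights and the threshold are assumptions for a first triage pass, not vendor detection logic.

```python
"""Triage HijackThis-style O4 autorun lines and DDS mPolicies-system lines.

Added example, not code from the forum thread or from any of the tools
mentioned in it. Scoring weights and the vowel-ratio heuristic are my own
assumptions for a first pass; they are not a substitute for a scanner.
"""
import re
from dataclasses import dataclass

# Sample input: O4 and mPolicies-system lines copied from the logs posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotkeyService] AsusSender.exe C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
O4 - HKLM\..\Run: [sgtvzy] RUNDLL32.EXE C:\Windows\system32\mskwivhb.dll,w
O4 - HKLM\..\Run: [bqfjns] RUNDLL32.EXE C:\Windows\system32\msghfrmi.dll,w
O4 - HKLM\..\Policies\Explorer\Run: [u5gl] C:\Windows\TEMP\rfki.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""

# "O4 - <key>: [<value name>] <command line>"  (HijackThis format)
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# "mPolicies-system: <name> = <decimal> (<hex>)"  (DDS format)
POLICY_RE = re.compile(r"^mPolicies-system: (?P<name>\w+) = (?P<value>\d+)")
# rundll32 <path\to.dll>,<export>  -> capture the DLL path up to the comma
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+(?P<dll>[^,\s]+)", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)

# UAC policy values that, when 0, weaken or disable elevation prompting.
WEAK_UAC = {
    "EnableLUA": "UAC disabled; an admin user's processes run with the full token",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, no consent prompt",
    "PromptOnSecureDesktop": "elevation prompts are not shown on the secure desktop",
}


def looks_random(token: str) -> bool:
    """Crude heuristic: a name of 4+ letters with almost no vowels is rarely a product name."""
    letters = [c for c in token.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


@dataclass
class Finding:
    key: str
    name: str
    command: str
    score: int
    reasons: list


def score_entry(key: str, name: str, cmd: str):
    """Return (score, reasons) for one autorun entry; higher means more suspicious."""
    score, reasons = 0, []
    if "policies\\explorer\\run" in key.lower():
        score += 3
        reasons.append("Policies\\Explorer\\Run key (rarely used by legitimate software)")
    if TEMP_DIR_RE.search(cmd):
        score += 3
        reasons.append("image runs from a Temp directory")
    m = RUNDLL_RE.search(cmd)
    if m:
        dll = m.group("dll").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(dll):
            score += 2
            reasons.append(f"rundll32 loads a DLL with a random-looking name ({dll})")
    if looks_random(name):
        score += 1
        reasons.append("random-looking value name")
    return score, reasons


def triage(log_text: str, threshold: int = 2):
    """Parse the log; return (suspicious autoruns sorted by score, weak UAC policy notes)."""
    autoruns, uac = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            score, reasons = score_entry(m["key"], m["name"], m["cmd"])
            if score >= threshold:
                autoruns.append(Finding(m["key"], m["name"], m["cmd"], score, reasons))
            continue
        p = POLICY_RE.match(line)
        if p and p["name"] in WEAK_UAC and p["value"] == "0":
            uac.append(f"{p['name']} = 0: {WEAK_UAC[p['name']]}")
    autoruns.sort(key=lambda f: f.score, reverse=True)
    return autoruns, uac


if __name__ == "__main__":
    hits, uac_notes = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[score {f.score}] {f.key} [{f.name}] {f.command}")
        for r in f.reasons:
            print("    -", r)
    for note in uac_notes:
        print("UAC:", note)
```

On the sample above this flags u5gl (Policies key plus Temp path), sgtvzy and bqfjns (rundll32 on a random-looking DLL plus a random-looking value name) and leaves the Synaptics, ASUS and Sidebar entries alone. The vowel heuristic is deliberately a weak signal: the MBAM log's syncman value would score only 1 here and stay under the threshold, which is why a pass like this narrows the list for a human rather than replacing the scanner.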
Gavekort, posted 28 April 2010

Can you attach HiJackThis?