baosen
Posted 23 July 2010 (edited)

Help! I've got a virus! I followed the instructions on the forum. Here are the logs:

MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Databaseversjon: 4340

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

23.07.2010 11:13:23
mbam-log-2010-07-23 (11-13-23).txt

Skanntype: Full skann (C:\|)
Objekter skannet: 233007
Tid tilbakelagt: 45 minutt(er), 51 sekund(er)

Minneprosesser infisert: 3
Minnemoduler infisert: 1
Registernøkler infisert: 1
Registerverdier infisert: 4
Registerfiler infisert: 3
Mapper infisert: 1
Filer infisert 34

Minneprosesser infisert:
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\MSDERUN.EXE (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\asd12A.tmp.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\qtplugin.exe (Rootkit.Agent) -> Unloaded process successfully.

Minnemoduler infisert:
C:\Documents and Settings\ltran\Lokale innstillinger\Programdata\Windows Server\mttuqs.dll (Spyware.Passwords) -> Delete on reboot.

Registernøkler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

Registerverdier infisert:
HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrymonitor1 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registerfiler infisert:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\HomePage (Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

Mapper infisert:
C:\Programfiler\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

Filer infisert
C:\Documents and Settings\ltran\Lokale innstillinger\Programdata\Windows Server\mttuqs.dll (Spyware.Passwords) -> Delete on reboot.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\MSDERUN.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\asd12A.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\asd126.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\asd127.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\asd128.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\asd129.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\asd12B.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\asd12D.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\asd12E.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\asd12F.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\tbWYNrle.exe.part (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\TMP26042.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\tmp3AD7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\tmp44F9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\tmp4FF6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\tmp660E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\tmp693A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\tmp6EB9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\tmp7F64.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\tmp8417.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\tmp8DCB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\topwesitjh (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\ERDNT\ERDNTWIN.OVL (Trojan.Banker) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Skrivebord\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Skrivebord\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Skrivebord\spam001.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Skrivebord\spam003.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Skrivebord\troj000.exe (Malware.Trave) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Skrivebord\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favoritter\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qtplugin.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\7.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\ltran\Lokale innstillinger\Temp\mschrt20ex.dll (Rogue.DefenseCenter) -> Delete on reboot.

Combofix:

ComboFix 10-07-22.01 - LTran 23.07.2010 11:37:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.47.1044.18.1014.439 [GMT 2:00]
Kjører fra: c:\documents and settings\ltran\Skrivebord\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
 * Opprettet nytt gjenopprettingspunkt
.
((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\ltran\Lokale innstillinger\Programdata\Windows Server
c:\documents and settings\ltran\Lokale innstillinger\Programdata\Windows Server\flags.ini
c:\documents and settings\ltran\Lokale innstillinger\Programdata\Windows Server\uses32.dat
c:\windows\xpsp1hfm.log

----- BITS: Mulige infiserte sider -----

hxxp://siosysop

c:\windows\system32\kernel32.dll . . . er infisert!!
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2010-06-23 til 2010-07-23 )))))))))))))))))))))))))))))))))
.
2010-07-23 08:19 . 2010-07-23 08:19 -------- d-----w- c:\documents and settings\ltran\Programdata\Malwarebytes
2010-07-23 08:19 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-23 08:19 . 2010-07-23 08:19 -------- d-----w- c:\documents and settings\All Users\Programdata\Malwarebytes
2010-07-23 08:19 . 2010-07-23 08:19 -------- d-----w- c:\programfiler\Malwarebytes' Anti-Malware
2010-07-23 08:19 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 06:05 . 2007-05-30 17:33 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-06-06 12:43 . 2008-07-25 14:57 58640 ----a-w- c:\documents and settings\ltran\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2010-06-06 12:43 . 2010-06-06 12:42 -------- d-----w- c:\programfiler\Songr
2010-05-22 07:25 . 2010-05-22 07:25 503808 ----a-w- c:\documents and settings\ltran\Programdata\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5899a5b9-n\msvcp71.dll
2010-05-22 07:25 . 2010-05-22 07:25 499712 ----a-w- c:\documents and settings\ltran\Programdata\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5899a5b9-n\jmc.dll
2010-05-22 07:25 . 2010-05-22 07:25 348160 ----a-w- c:\documents and settings\ltran\Programdata\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5899a5b9-n\msvcr71.dll
2007-06-26 11:31 . 2007-06-26 11:31 318 ------w- c:\programfiler\Snarvei til Preload ©.lnk
2009-08-31 19:07 . 2009-03-29 08:36 23864 ------w- c:\programfiler\mozilla firefox\components\Scriptff.dll
2008-04-25 12:32 . 2008-04-25 12:32 5817064 ------w- c:\programfiler\mozilla firefox\plugins\ScorchPDFWrapper.dll
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 208896]
"SynTPLpr"="c:\programfiler\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\programfiler\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 237568]
"TPKMAPHELPER"="c:\programfiler\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 856064]
"TpShocks"="TpShocks.exe" [2006-03-15 106496]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"TP4EX"="tp4ex.exe" [2005-10-16 65536]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-04 110592]
"AMSG"="c:\progra~1\THINKV~2\AMSG\amsg.exe" [2005-11-14 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AwaySch"="c:\programfiler\Lenovo\AwayTask\AwaySch.EXE" [2006-08-16 69632]
"TVT Scheduler Proxy"="c:\programfiler\Fellesfiler\Lenovo\Scheduler\scheduler_proxy.exe" [2006-07-14 503808]
"DiskeeperSystray"="c:\programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"ACWLIcon"="c:\programfiler\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-02-19 110592]
"cssauth"="c:\programfiler\Lenovo\Client Security Solution\cssauth.exe" [2006-07-14 2341632]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
"USBKeypadMs"="c:\progra~1\USBKEY~1\USBKPad.EXE" [2004-02-23 65536]
"USBKeypad USBKPDrv"="c:\progra~1\USBKEY~1\KPDRV4XP.EXE" [2001-10-25 32768]
"SSBkgdUpdate"="c:\programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\programfiler\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-31 57393]
"IndexSearch"="c:\programfiler\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-31 40960]
"ControlCenter2.0"="c:\programfiler\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 864256]
"Adobe Reader Speed Launcher"="c:\programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SoundMAXPnP"="c:\programfiler\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"ShStatEXE"="c:\programfiler\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-08-31 124240]
"QuickTime Task"="c:\programfiler\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\programfiler\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"McAfeeUpdaterUI"="c:\programfiler\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
BTTray.lnk - c:\programfiler\ThinkPad\Bluetooth Software\BTTray.exe [2006-5-31 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-5-30 24576]
VPN Client.lnk - c:\windows\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2009-2-8 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\programfiler\Lenovo\AwayTask\AwayNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-25 17:20 40448 ------w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\Danware Data\\NetOp Remote Control\\HOST\\Nhstw32.exe"=
"c:\\Programfiler\\Bonjour\\mDNSResponder.exe"=
"c:\\Programfiler\\iTunes\\iTunes.exe"=
"c:\\Programfiler\\McAfee\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R1 NHostNT1;NetOp Driver 1 ver. 8.00 (2005048);c:\windows\system32\drivers\NHOSTNT1.SYS [19.05.2008 10:26 65808]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\programfiler\McAfee\SiteAdvisor Enterprise\McSACore.exe [06.08.2009 17:53 222528]
R2 McAfeeEngineService;McAfee Engine Service;c:\programfiler\McAfee\VirusScan Enterprise\EngineServer.exe [31.08.2009 21:07 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [29.03.2009 10:36 70728]
R2 NetOp Host for NT Service;NetOp Helper ver. 8.00 (2005048);c:\programfiler\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE [19.05.2008 10:26 1184016]
R2 smi2;smi2;c:\programfiler\SMI2\smi2.sys [14.07.2006 15:55 3968]
R2 smihlp;SMI helper driver;c:\programfiler\ThinkVantage Fingerprint Software\smihlp.sys [25.04.2006 19:00 3456]
R2 USBKBFlt;Dritek USB Keypad Filter;c:\windows\system32\drivers\USBKBFLT.SYS [22.08.2001 08:58 31632]
R3 NHOSTNT3;NetOp Driver 3 ver. 8.00 (2005048) (NHOSTNT3);c:\windows\system32\drivers\NHOSTNT3.SYS [19.05.2008 10:26 3216]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [04.09.2008 21:53 33920]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [03.09.2008 20:50 10752]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [29.03.2009 10:36 65448]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25.02.2006 15:00 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2010-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programfiler\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-06-06 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]

2010-07-23 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]

2010-07-23 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-05-30 16:13]
.
.
------- Tilleggsskanning -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {0CDC8A43-059E-47CD-A3D0-FA46E01F6496} - hxxp://tellus.lawson.com/Tellus/Misc/TellusExportAx.CAB
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://vpn.sio.no/vdesk/terminal/f5opswati.cab#Version=6500,2009,1118,1405
DPF: {1C7CF466-F149-478F-B232-BC6F72638D28} - hxxp://tellus.lawson.com/Tellus/Misc/TellusList.CAB
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - hxxps://vpn.sio.no/vdesk/terminal/f5opswati.cab#Version=6500,2009,1118,1405
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - hxxps://vpn.sio.no/vdesk/terminal/f5opswati.cab#Version=6500,2009,1118,1405
DPF: {B8C681FD-D629-4CCE-90CD-89493F1F2799} - hxxp://wp2.sio-net.no/mwp/ieui/IEMod.cab
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - hxxps://vpn.sio.no/vdesk/terminal/f5opswati.cab#Version=6500,2009,1118,1405
FF - ProfilePath - c:\documents and settings\ltran\Programdata\Mozilla\Firefox\Profiles\3g92zqwf.default\
FF - component: c:\programfiler\Mozilla Firefox\components\Scriptff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
.
- - - - TOMME PEKERE FJERNET - - - -

Notify-ACNotify - ACNotify.dll
Notify-NavLogon - (no file)
AddRemove-Install AccountMatch 9.8 - g:\akaoek\bankavstemming\setup\setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-23 11:49
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...
skanner skjulte autostart-oppføringer ...
skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'winlogon.exe'(284)
c:\windows\system32\CSGina.dll
c:\windows\system32\vrlogon.dll
c:\programfiler\ThinkPad\ConnectUtilities\ACNotify.dll
c:\programfiler\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\programfiler\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\programfiler\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\programfiler\ThinkVantage Fingerprint Software\infra.dll
c:\programfiler\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\programfiler\ThinkVantage Fingerprint Software\homepass.dll
c:\programfiler\ThinkVantage Fingerprint Software\bio.dll
c:\programfiler\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\programfiler\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(340)
c:\windows\system32\psqlpwd.dll
c:\programfiler\ThinkVantage Fingerprint Software\infra.dll
c:\programfiler\ThinkVantage Fingerprint Software\homefus2.dll

- - - - - - - > 'explorer.exe'(5804)
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andre Kjørende Prosesser ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\programfiler\Intel\Wireless\Bin\EvtEng.exe
c:\programfiler\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\programfiler\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programfiler\Bonjour\mDNSResponder.exe
c:\programfiler\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\programfiler\Cisco Systems\VPN Client\cvpnd.exe
c:\programfiler\Diskeeper Corporation\Diskeeper\DkService.exe
c:\programfiler\McAfee\Common Framework\FrameworkService.exe
c:\programfiler\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programfiler\Intel\Wireless\Bin\RegSrvc.exe
c:\programfiler\McAfee\Common Framework\naPrdMgr.exe
c:\programfiler\lenovo\system update\suservice.exe
c:\programfiler\Fellesfiler\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\programfiler\Lenovo\Client Security Solution\tvttcsd.exe
c:\programfiler\Lenovo\Rescue and Recovery\rrservice.exe
c:\programfiler\Fellesfiler\Lenovo\Scheduler\tvtsched.exe
c:\programfiler\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\programfiler\McAfee\VirusScan Enterprise\Mcshield.exe
c:\programfiler\ThinkPad\ConnectUtilities\AcSvc.exe
c:\programfiler\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programfiler\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\programfiler\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\programfiler\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\programfiler\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\ICO.EXE
c:\windows\system32\igfxsrvc.exe
c:\progra~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
c:\programfiler\iPod\bin\iPodService.exe
c:\programfiler\McAfee\Common Framework\McTray.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2010-07-23 11:55:22 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2010-07-23 09:55

Pre-Run: 38 092 062 720 byte ledig
Post-Run: 38 627 147 776 byte ledig

WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 14BE4804A711402C6AEDB4CAFEF73360

Thanks for the help!

Attachments: mbam-log-2010-07-23 (11-13-23).txt, ComboFix.txt

Edited 23 July 2010 by baosen
snippsat
Posted 23 July 2010

c:\windows\system32\kernel32.dll

Scan this file here: virustotal.

Search for kernel32.dll. You may have a copy here:
C:\WINDOWS\SoftwareDistribution\Download\....
If you find kernel32.dll in that folder, scan it at virustotal as well.
baosen (author)
Posted 23 July 2010

kernel32.dll was only in the system32 folder.

c:\windows\system32\kernel32.dll

File kernel32.dll received on 2010.07.23 20:03:54 (UTC)
Result: 0/42 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2010.07.23.01 2010.07.23 -
AntiVir 8.2.4.26 2010.07.23 -
Antiy-AVL 2.0.3.7 2010.07.23 -
Authentium 5.2.0.5 2010.07.23 -
Avast 4.8.1351.0 2010.07.23 -
Avast5 5.0.332.0 2010.07.23 -
AVG 9.0.0.851 2010.07.23 -
BitDefender 7.2 2010.07.23 -
CAT-QuickHeal 11.00 2010.07.23 -
ClamAV 0.96.0.3-git 2010.07.23 -
Comodo 5521 2010.07.23 -
DrWeb 5.0.2.03300 2010.07.23 -
Emsisoft 5.0.0.34 2010.07.23 -
eSafe 7.0.17.0 2010.07.22 -
eTrust-Vet 36.1.7732 2010.07.23 -
F-Prot 4.6.1.107 2010.07.23 -
F-Secure 9.0.15370.0 2010.07.23 -
Fortinet 4.1.143.0 2010.07.23 -
GData 21 2010.07.23 -
Ikarus T3.1.1.84.0 2010.07.23 -
Jiangmin 13.0.900 2010.07.23 -
Kaspersky 7.0.0.125 2010.07.23 -
McAfee 5.400.0.1158 2010.07.23 -
McAfee-GW-Edition 2010.1 2010.07.23 -
Microsoft 1.6004 2010.07.23 -
NOD32 5306 2010.07.23 -
Norman 6.05.11 2010.07.23 -
nProtect 2010-07-23.02 2010.07.23 -
Panda 10.0.2.7 2010.07.23 -
PCTools 7.0.3.5 2010.07.23 -
Prevx 3.0 2010.07.23 -
Rising 22.57.03.08 2010.07.23 -
Sophos 4.55.0 2010.07.23 -
Sunbelt 6627 2010.07.23 -
SUPERAntiSpyware 4.40.0.1006 2010.07.23 -
Symantec 20101.1.1.7 2010.07.23 -
TheHacker 6.5.2.1.324 2010.07.23 -
TrendMicro 9.120.0.1004 2010.07.23 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.23 -
VBA32 3.12.12.6 2010.07.23 -
ViRobot 2010.7.23.3956 2010.07.23 -
VirusBuster 5.0.27.0 2010.07.23 -

Additional information
File size: 990720 bytes
MD5...: d023175566b0bcdc4935f3f6e5f70377
SHA1..: c52729de8e3b46d5e97284c5eca9649f9031c37c
SHA256: e37c2898503f11774a4fc7380789f25837bca3b0a845340e62c8e70f4998f191
ssdeep: 12288:uwLw6PKp1IgSq1cNfxVNLww0I7OM4mQRQdlafOiS:OpWHfnNLxwaQRQfaf OR
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xb64e
timedatestamp.....: 0x49c4f536 (Sat Mar 21 14:09:58 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x831e9 0x83200 6.66 20e7d84df75e06dfbc481e20c3e7f8d2
.data 0x85000 0x4460 0x2600 0.59 dd0a1d702ba641dd9a3e4aa8d1896aec
.rsrc 0x8a000 0x66268 0x66400 3.40 6134bd51301991f0281613a31e256536
.reloc 0xf1000 0x5c84 0x5e00 6.62 55b85ac969f28a4d4dff5820d55ffa12
CreateDirectoryExA, CreateDirectoryExW, CreateDirectoryW, CreateEventA, CreateEventW, CreateFiber, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateFileMappingW, CreateFileW, CreateHardLinkA, CreateHardLinkW, CreateIoCompletionPort, CreateJobObjectA, CreateJobObjectW, CreateJobSet, CreateMailslotA, CreateMailslotW, CreateMemoryResourceNotification, CreateMutexA, CreateMutexW, CreateNamedPipeA, CreateNamedPipeW, CreateNlsSecurityDescriptor, CreatePipe, CreateProcessA, CreateProcessInternalA, CreateProcessInternalW, CreateProcessInternalWSecure, CreateProcessW, CreateRemoteThread, CreateSemaphoreA, CreateSemaphoreW, CreateSocketHandle, CreateTapePartition, CreateThread, CreateTimerQueue, CreateTimerQueueTimer, CreateToolhelp32Snapshot, CreateVirtualBuffer, CreateWaitableTimerA, CreateWaitableTimerW, DeactivateActCtx, DebugActiveProcess, DebugActiveProcessStop, DebugBreak, DebugBreakProcess, DebugSetProcessKillOnExit, DecodePointer, DecodeSystemPointer, DefineDosDeviceA, DefineDosDeviceW, DelayLoadFailureHook, DeleteAtom, DeleteCriticalSection, DeleteFiber, DeleteFileA, DeleteFileW, DeleteTimerQueue, DeleteTimerQueueEx, DeleteTimerQueueTimer, DeleteVolumeMountPointA, DeleteVolumeMountPointW, DeviceIoControl, DisableThreadLibraryCalls, DisconnectNamedPipe, DnsHostnameToComputerNameA, DnsHostnameToComputerNameW, DosDateTimeToFileTime, DosPathToSessionPathA, DosPathToSessionPathW, DuplicateConsoleHandle, DuplicateHandle, EncodePointer, EncodeSystemPointer, EndUpdateResourceA, EndUpdateResourceW, EnterCriticalSection, EnumCalendarInfoA, EnumCalendarInfoExA, EnumCalendarInfoExW, EnumCalendarInfoW, EnumDateFormatsA, EnumDateFormatsExA, EnumDateFormatsExW, EnumDateFormatsW, EnumLanguageGroupLocalesA, EnumLanguageGroupLocalesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceNamesA, EnumResourceNamesW, EnumResourceTypesA, EnumResourceTypesW, EnumSystemCodePagesA, EnumSystemCodePagesW, EnumSystemGeoID, EnumSystemLanguageGroupsA, EnumSystemLanguageGroupsW, 
EnumSystemLocalesA, EnumSystemLocalesW, EnumTimeFormatsA, EnumTimeFormatsW, EnumUILanguagesA, EnumUILanguagesW, EnumerateLocalComputerNamesA, EnumerateLocalComputerNamesW, EraseTape, EscapeCommFunction, ExitProcess, ExitThread, ExitVDM, ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, ExpungeConsoleCommandHistoryA, ExpungeConsoleCommandHistoryW, ExtendVirtualBuffer, FatalAppExitA, FatalAppExitW, FatalExit, FileTimeToDosDateTime, FileTimeToLocalFileTime, FileTimeToSystemTime, FillConsoleOutputAttribute, FillConsoleOutputCharacterA, FillConsoleOutputCharacterW, FindActCtxSectionGuid, FindActCtxSectionStringA, FindActCtxSectionStringW, FindAtomA, FindAtomW, FindClose, FindCloseChangeNotification, FindFirstChangeNotificationA, FindFirstChangeNotificationW, FindFirstFileA, FindFirstFileExA, FindFirstFileExW, FindFirstFileW, FindFirstVolumeA, FindFirstVolumeMountPointA, FindFirstVolumeMountPointW, FindFirstVolumeW, FindNextChangeNotification, FindNextFileA, FindNextFileW, FindNextVolumeA, FindNextVolumeMountPointA, FindNextVolumeMountPointW, FindNextVolumeW, FindResourceA, FindResourceExA, FindResourceExW, FindResourceW, FindVolumeClose, FindVolumeMountPointClose, FlushConsoleInputBuffer, FlushFileBuffers, FlushInstructionCache, FlushViewOfFile, FoldStringA, FoldStringW, FormatMessageA, FormatMessageW, FreeConsole, FreeEnvironmentStringsA, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeResource, FreeUserPhysicalPages, FreeVirtualBuffer, GenerateConsoleCtrlEvent, GetACP, GetAtomNameA, GetAtomNameW, GetBinaryType, GetBinaryTypeA, GetBinaryTypeW, GetCPFileNameFromRegistry, GetCPInfo, GetCPInfoExA, GetCPInfoExW, GetCalendarInfoA, GetCalendarInfoW, GetComPlusPackageInstallStatus, GetCommConfig, GetCommMask, GetCommModemStatus, GetCommProperties, GetCommState, GetCommTimeouts, GetCommandLineA, GetCommandLineW, GetCompressedFileSizeA, GetCompressedFileSizeW, GetComputerNameA, GetComputerNameExA, GetComputerNameExW, GetComputerNameW, GetConsoleAliasA, 
GetConsoleAliasExesA, GetConsoleAliasExesLengthA, GetConsoleAliasExesLengthW, GetConsoleAliasExesW, GetConsoleAliasW, GetConsoleAliasesA, GetConsoleAliasesLengthA, GetConsoleAliasesLengthW, GetConsoleAliasesW, GetConsoleCP, GetConsoleCharType, GetConsoleCommandHistoryA, GetConsoleCommandHistoryLengthA, GetConsoleCommandHistoryLengthW, GetConsoleCommandHistoryW, GetConsoleCursorInfo, GetConsoleCursorMode, GetConsoleDisplayMode, GetConsoleFontInfo, GetConsoleFontSize, GetConsoleHardwareState, GetConsoleInputExeNameA, GetConsoleInputExeNameW, GetConsoleInputWaitHandle, GetConsoleKeyboardLayoutNameA, GetConsoleKeyboardLayoutNameW, GetConsoleMode, GetConsoleNlsMode, GetConsoleOutputCP, GetConsoleProcessList, GetConsoleScreenBufferInfo, GetConsoleSelectionInfo, GetConsoleTitleA, GetConsoleTitleW, GetConsoleWindow, GetCurrencyFormatA, GetCurrencyFormatW, GetCurrentActCtx, GetCurrentConsoleFont, GetCurrentDirectoryA, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDateFormatA, GetDateFormatW, GetDefaultCommConfigA, GetDefaultCommConfigW, GetDefaultSortkeySize, GetDevicePowerState, GetDiskFreeSpaceA, GetDiskFreeSpaceExA, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetDllDirectoryA, GetDllDirectoryW, GetDriveTypeA, GetDriveTypeW, GetEnvironmentStrings, GetEnvironmentStringsA, GetEnvironmentStringsW, GetEnvironmentVariableA, GetEnvironmentVariableW, GetExitCodeProcess, GetExitCodeThread, GetExpandedNameA, GetExpandedNameW, GetFileAttributesA, GetFileAttributesExA, GetFileAttributesExW, GetFileAttributesW, GetFileInformationByHandle, GetFileSize, GetFileSizeEx, GetFileTime, GetFileType, GetFirmwareEnvironmentVariableA, GetFirmwareEnvironmentVariableW, GetFullPathNameA, GetFullPathNameW, GetGeoInfoA, GetGeoInfoW, GetHandleContext, GetHandleInformation, GetLargestConsoleWindowSize, GetLastError, GetLinguistLangSize, GetLocalTime, GetLocaleInfoA, GetLocaleInfoW, GetLogicalDriveStringsA, GetLogicalDriveStringsW, GetLogicalDrives, 
GetLogicalProcessorInformation, GetLongPathNameA, GetLongPathNameW, GetMailslotInfo, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExA, GetModuleHandleExW, GetModuleHandleW, GetNamedPipeHandleStateA, GetNamedPipeHandleStateW, GetNamedPipeInfo, GetNativeSystemInfo, GetNextVDMCommand, GetNlsSectionName, GetNumaAvailableMemory, GetNumaAvailableMemoryNode, GetNumaHighestNodeNumber, GetNumaNodeProcessorMask, GetNumaProcessorMap, GetNumaProcessorNode, GetNumberFormatA, GetNumberFormatW, GetNumberOfConsoleFonts, GetNumberOfConsoleInputEvents, GetNumberOfConsoleMouseButtons, GetOEMCP, GetOverlappedResult, GetPriorityClass, GetPrivateProfileIntA, GetPrivateProfileIntW, GetPrivateProfileSectionA, GetPrivateProfileSectionNamesA, GetPrivateProfileSectionNamesW, GetPrivateProfileSectionW, GetPrivateProfileStringA, GetPrivateProfileStringW, GetPrivateProfileStructA, GetPrivateProfileStructW, GetProcAddress, GetProcessAffinityMask, GetProcessDEPPolicy, GetProcessHandleCount, GetProcessHeap, GetProcessHeaps, GetProcessId, GetProcessIoCounters, GetProcessPriorityBoost, GetProcessShutdownParameters, GetProcessTimes, GetProcessVersion, GetProcessWorkingSetSize, GetProfileIntA, GetProfileIntW, GetProfileSectionA, GetProfileSectionW, GetProfileStringA, GetProfileStringW, GetQueuedCompletionStatus, GetShortPathNameA, GetShortPathNameW, GetStartupInfoA, GetStartupInfoW, GetStdHandle, GetStringTypeA, GetStringTypeExA, GetStringTypeExW, GetStringTypeW, GetSystemDEPPolicy, GetSystemDefaultLCID, GetSystemDefaultLangID, GetSystemDefaultUILanguage, GetSystemDirectoryA, GetSystemDirectoryW, GetSystemInfo, GetSystemPowerStatus, GetSystemRegistryQuota, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetSystemTimes, GetSystemWindowsDirectoryA, GetSystemWindowsDirectoryW, GetSystemWow64DirectoryA, GetSystemWow64DirectoryW, GetTapeParameters, GetTapePosition, GetTapeStatus, GetTempFileNameA, GetTempFileNameW, GetTempPathA, GetTempPathW, GetThreadContext, 
GetThreadIOPendingFlag, GetThreadLocale, GetThreadPriority, GetThreadPriorityBoost, GetThreadSelectorEntry, GetThreadTimes, GetTickCount, GetTimeFormatA, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultLangID, GetUserDefaultUILanguage, GetUserGeoID, GetVDMCurrentDirectories, GetVersion, GetVersionExA, GetVersionExW, GetVolumeInformationA, GetVolumeInformationW, GetVolumeNameForVolumeMountPointA, GetVolumeNameForVolumeMountPointW, GetVolumePathNameA, GetVolumePathNameW, GetVolumePathNamesForVolumeNameA, GetVolumePathNamesForVolumeNameW, GetWindowsDirectoryA, GetWindowsDirectoryW, GetWriteWatch, GlobalAddAtomA, GlobalAddAtomW, GlobalAlloc, GlobalCompact, GlobalDeleteAtom, GlobalFindAtomA, GlobalFindAtomW, GlobalFix, GlobalFlags, GlobalFree, GlobalGetAtomNameA, GlobalGetAtomNameW, GlobalHandle, GlobalLock, GlobalMemoryStatus, GlobalMemoryStatusEx, GlobalReAlloc, GlobalSize, GlobalUnWire, GlobalUnfix, GlobalUnlock, GlobalWire, Heap32First, Heap32ListFirst, Heap32ListNext, Heap32Next, HeapAlloc, HeapCompact, HeapCreate, HeapCreateTagsW, HeapDestroy, HeapExtend, HeapFree, HeapLock, HeapQueryInformation, HeapQueryTagW, HeapReAlloc, HeapSetInformation, HeapSize, HeapSummary, HeapUnlock, HeapUsage, HeapValidate, HeapWalk, InitAtomTable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSListHead, InterlockedCompareExchange, InterlockedDecrement, InterlockedExchange, InterlockedExchangeAdd, InterlockedFlushSList, InterlockedIncrement, InterlockedPopEntrySList, InterlockedPushEntrySList, InvalidateConsoleDIBits, IsBadCodePtr, IsBadHugeReadPtr, IsBadHugeWritePtr, IsBadReadPtr, IsBadStringPtrA, IsBadStringPtrW, IsBadWritePtr, IsDBCSLeadByte, IsDBCSLeadByteEx, IsDebuggerPresent, IsProcessInJob, IsProcessorFeaturePresent, IsSystemResumeAutomatic, IsValidCodePage, IsValidLanguageGroup, IsValidLocale, IsValidUILanguage, IsWow64Process, LCMapStringA, LCMapStringW, LZClose, LZCloseFile, LZCopy, LZCreateFileW, LZDone, LZInit, 
LZOpenFileA, LZOpenFileW, LZRead, LZSeek, LZStart, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LoadModule, LoadResource, LocalAlloc, LocalCompact, LocalFileTimeToFileTime, LocalFlags, LocalFree, LocalHandle, LocalLock, LocalReAlloc, LocalShrink, LocalSize, LocalUnlock, LockFile, LockFileEx, LockResource, MapUserPhysicalPages, MapUserPhysicalPagesScatter, MapViewOfFile, MapViewOfFileEx, Module32First, Module32FirstW, Module32Next, Module32NextW, MoveFileA, MoveFileExA, MoveFileExW, MoveFileW, MoveFileWithProgressA, MoveFileWithProgressW, MulDiv, MultiByteToWideChar, NlsConvertIntegerToString, NlsGetCacheUpdateCount, NlsResetProcessLocale, NumaVirtualQueryNode, OpenConsoleW, OpenDataFile, OpenEventA, OpenEventW, OpenFile, OpenFileMappingA, OpenFileMappingW, OpenJobObjectA, OpenJobObjectW, OpenMutexA, OpenMutexW, OpenProcess, OpenProfileUserMapping, OpenSemaphoreA, OpenSemaphoreW, OpenThread, OpenWaitableTimerA, OpenWaitableTimerW, OutputDebugStringA, OutputDebugStringW, PeekConsoleInputA, PeekConsoleInputW, PeekNamedPipe, PostQueuedCompletionStatus, PrepareTape, PrivCopyFileExW, PrivMoveFileIdentityW, Process32First, Process32FirstW, Process32Next, Process32NextW, ProcessIdToSessionId, PulseEvent, PurgeComm, QueryActCtxW, QueryDepthSList, QueryDosDeviceA, QueryDosDeviceW, QueryInformationJobObject, QueryMemoryResourceNotification, QueryPerformanceCounter, QueryPerformanceFrequency, QueryWin31IniFilesMappedToRegistry, QueueUserAPC, QueueUserWorkItem, RaiseException, ReadConsoleA, ReadConsoleInputA, ReadConsoleInputExA, ReadConsoleInputExW, ReadConsoleInputW, ReadConsoleOutputA, ReadConsoleOutputAttribute, ReadConsoleOutputCharacterA, ReadConsoleOutputCharacterW, ReadConsoleOutputW, ReadConsoleW, ReadDirectoryChangesW, ReadFile, ReadFileEx, ReadFileScatter, ReadProcessMemory, RegisterConsoleIME, RegisterConsoleOS2, RegisterConsoleVDM, RegisterWaitForInputIdle, RegisterWaitForSingleObject, RegisterWaitForSingleObjectEx, 
RegisterWowBaseHandlers, RegisterWowExec, ReleaseActCtx, ReleaseMutex, ReleaseSemaphore, RemoveDirectoryA, RemoveDirectoryW, RemoveLocalAlternateComputerNameA, RemoveLocalAlternateComputerNameW, RemoveVectoredExceptionHandler, ReplaceFile, ReplaceFileA, ReplaceFileW, RequestDeviceWakeup, RequestWakeupLatency, ResetEvent, ResetWriteWatch, RestoreLastError, ResumeThread, RtlCaptureContext, RtlCaptureStackBackTrace, RtlFillMemory, RtlMoveMemory, RtlUnwind, RtlZeroMemory, ScrollConsoleScreenBufferA, ScrollConsoleScreenBufferW, SearchPathA, SearchPathW, SetCPGlobal, SetCalendarInfoA, SetCalendarInfoW, SetClientTimeZoneInformation, SetComPlusPackageInstallStatus, SetCommBreak, SetCommConfig, SetCommMask, SetCommState, SetCommTimeouts, SetComputerNameA, SetComputerNameExA, SetComputerNameExW, SetComputerNameW, SetConsoleActiveScreenBuffer, SetConsoleCP, SetConsoleCommandHistoryMode, SetConsoleCtrlHandler, SetConsoleCursor, SetConsoleCursorInfo, SetConsoleCursorMode, SetConsoleCursorPosition, SetConsoleDisplayMode, SetConsoleFont, SetConsoleHardwareState, SetConsoleIcon, SetConsoleInputExeNameA, SetConsoleInputExeNameW, SetConsoleKeyShortcuts, SetConsoleLocalEUDC, SetConsoleMaximumWindowSize, SetConsoleMenuClose, SetConsoleMode, SetConsoleNlsMode, SetConsoleNumberOfCommandsA, SetConsoleNumberOfCommandsW, SetConsoleOS2OemFormat, SetConsoleOutputCP, SetConsolePalette, SetConsoleScreenBufferSize, SetConsoleTextAttribute, SetConsoleTitleA, SetConsoleTitleW, SetConsoleWindowInfo, SetCriticalSectionSpinCount, SetCurrentDirectoryA, SetCurrentDirectoryW, SetDefaultCommConfigA, SetDefaultCommConfigW, SetDllDirectoryA, SetDllDirectoryW, SetEndOfFile, SetEnvironmentVariableA, SetEnvironmentVariableW, SetErrorMode, SetEvent, SetFileApisToANSI, SetFileApisToOEM, SetFileAttributesA, SetFileAttributesW, SetFilePointer, SetFilePointerEx, SetFileShortNameA, SetFileShortNameW, SetFileTime, SetFileValidData, SetFirmwareEnvironmentVariableA, SetFirmwareEnvironmentVariableW, SetHandleContext, 
SetHandleCount, SetHandleInformation, SetInformationJobObject, SetLastConsoleEventActive, SetLastError, SetLocalPrimaryComputerNameA, SetLocalPrimaryComputerNameW, SetLocalTime, SetLocaleInfoA, SetLocaleInfoW, SetMailslotInfo, SetMessageWaitingIndicator, SetNamedPipeHandleState, SetPriorityClass, SetProcessAffinityMask, SetProcessDEPPolicy, SetProcessPriorityBoost, SetProcessShutdownParameters, SetProcessWorkingSetSize, SetSearchPathMode, SetStdHandle, SetSystemPowerState, SetSystemTime, SetSystemTimeAdjustment, SetTapeParameters, SetTapePosition, SetTermsrvAppInstallMode, SetThreadAffinityMask, SetThreadContext, SetThreadExecutionState, SetThreadIdealProcessor, SetThreadLocale, SetThreadPriority, SetThreadPriorityBoost, SetThreadUILanguage, SetTimeZoneInformation, SetTimerQueueTimer, SetUnhandledExceptionFilter, SetUserGeoID, SetVDMCurrentDirectories, SetVolumeLabelA, SetVolumeLabelW, SetVolumeMountPointA, SetVolumeMountPointW, SetWaitableTimer, SetupComm, ShowConsoleCursor, SignalObjectAndWait, SizeofResource, Sleep, SleepEx, SuspendThread, SwitchToFiber, SwitchToThread, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, TerminateJobObject, TerminateProcess, TerminateThread, TermsrvAppInstallMode, Thread32First, Thread32Next, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, Toolhelp32ReadProcessMemory, TransactNamedPipe, TransmitCommChar, TrimVirtualBuffer, TryEnterCriticalSection, TzSpecificLocalTimeToSystemTime, UTRegister, UTUnRegister, UnhandledExceptionFilter, UnlockFile, UnlockFileEx, UnmapViewOfFile, UnregisterConsoleIME, UnregisterWait, UnregisterWaitEx, UpdateResourceA, UpdateResourceW, VDMConsoleOperation, VDMOperationStarted, ValidateLCType, ValidateLocale, VerLanguageNameA, VerLanguageNameW, VerSetConditionMask, VerifyConsoleIoHandle, VerifyVersionInfoA, VerifyVersionInfoW, VirtualAlloc, VirtualAllocEx, VirtualBufferExceptionHandler, VirtualFree, VirtualFreeEx, VirtualLock, VirtualProtect, VirtualProtectEx, VirtualQuery, VirtualQueryEx, VirtualUnlock, 
WTSGetActiveConsoleSessionId, WaitCommEvent, WaitForDebugEvent, WaitForMultipleObjects, WaitForMultipleObjectsEx, WaitForSingleObject, WaitForSingleObjectEx, WaitNamedPipeA, WaitNamedPipeW, WideCharToMultiByte, WinExec, WriteConsoleA, WriteConsoleInputA, WriteConsoleInputVDMA, WriteConsoleInputVDMW, WriteConsoleInputW, WriteConsoleOutputA, WriteConsoleOutputAttribute, WriteConsoleOutputCharacterA, WriteConsoleOutputCharacterW, WriteConsoleOutputW, WriteConsoleW, WriteFile, WriteFileEx, WriteFileGather, WritePrivateProfileSectionA, WritePrivateProfileSectionW, WritePrivateProfileStringA, WritePrivateProfileStringW, WritePrivateProfileStructA, WritePrivateProfileStructW, WriteProcessMemory, WriteProfileSectionA, WriteProfileSectionW, WriteProfileStringA, WriteProfileStringW, WriteTapemark, ZombifyActCtx, _hread, _hwrite, _lclose, _lcreat, _llseek, _lopen, _lread, _lwrite, lstrcat, lstrcatA, lstrcatW, lstrcmp, lstrcmpA, lstrcmpW, lstrcmpi, lstrcmpiA, lstrcmpiW, lstrcpy, lstrcpyA, lstrcpyW, lstrcpyn, lstrcpynA, lstrcpynW, lstrlen, lstrlenA, lstrlenW
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Win64 Executable Generic (42.6%)
Win32 EXE PECompact compressed (generic) (20.7%)
Win32 Executable MS Visual C++ (generic) (18.8%)
Win 9x/ME Control Panel applet (7.7%)
Win32 Executable Generic (4.2%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. Med enerett.
product......: Operativsystemet Microsoft_ Windows_
description..: DLL-fil for Windows NT BASE API-klient
original name: kernel32
internal name: kernel32
file version.: 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
snippsat Posted 24 July 2010
Quoting: "There was only kernel32.dll in the system32 folder."
Yes, in the system32 folder there is only one; search the whole PC for kernel32.dll. Run ComboFix again and post the log. It could be a false alarm from ComboFix; if not, you will have to replace kernel32.dll with a new file.
baosen (thread author) Posted 1 August 2010 (edited)
Sorry for the late reply. I ran a ComboFix scan again. No log appeared this time. I ran a VirusTotal scan on all the kernel32.dll files I found. No virus there either. The computer is working quite well now. I have not noticed any sign of virus infection. Everything seems to be gone.
Edited 1 August 2010 by baosen