T.O.E, posted 19 September 2010

Hi! I have 10 infected objects that Malwarebytes cannot remove. I have a feeling those 10 are what messes things up for me every now and then. It would be great if someone could help me. The log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4507

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19.09.2010 17:14:32
mbam-log-2010-09-19 (17-14-32).txt

Scan type: Quick scan
Objects scanned: 139555
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer (Disable.MCProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\ConnectionsTab (Hijack.ConnectionControl) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
PerB, posted 19 September 2010

What is it that it can't remove?
Delete on reboot = this one is removed when the PC restarts.
Quarantined and deleted successfully = these have been quarantined and deleted.
norbat, posted 19 September 2010

Is this a work/school PC?
T.O.E (thread author), posted 19 September 2010 (edited)

> What is it that it can't remove?
> Delete on reboot = this one is removed when the PC restarts.
> Quarantined and deleted successfully = these have been quarantined and deleted.

I wondered about that before I posted. I have scanned several times and rebooted, as it says I should. But the files are still there when I scan again.

> Is this a work/school PC?

Yes, this is a school PC. But I usually have administrator rights.

EDIT: Lovely... now a fake antivirus program called "Antivirus Support" is rummaging around on my PC and trying to delete my other antivirus programs. I tried to attach a screenshot, but the virus even blocks me from opening Paint... It has at least put several links to porn sites on my desktop. Happening right now, so quick help would be great. I get redirected to dangerous sites on the web if I don't do it right. It has only been like this since today, so I don't have a full overview of the problems, but I had trouble opening anything at all earlier today.

Edited 19 September 2010 by T.O.E
T.O.E (thread author), posted 19 September 2010

New scan, new viruses. Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Databaseversjon: 4507

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/19/2010 6:46:47 PM
mbam-log-2010-09-19 (18-46-47).txt

Skanntype: Hurtigsøk
Objekter skannet: 188826
Tid tilbakelagt: 7 minutt(er), 12 sekund(er)

Minneprosesser infisert: 2
Minnemoduler infisert: 1
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 1
Filer infisert 26

Minneprosesser infisert:
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\dfrgsnapnt.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\wscsvc32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Minnemoduler infisert:
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\eapp32hst.dll (Trojan.FakeAV) -> Delete on reboot.

Registernøkler infisert:
(Ingen skadelige objekter funnet)

Registerverdier infisert:
(Ingen skadelige objekter funnet)

Registerfiler infisert:
(Ingen skadelige objekter funnet)

Mapper infisert:
C:\Documents and Settings\1505hvmo\Start-meny\Programmer\AnVi (Rogue.AntiVirus) -> Quarantined and deleted successfully.

Filer infisert
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\eapp32hst.dll (Trojan.FakeAV) -> Delete on reboot.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\dfrgsnapnt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\PRAGMAbf50.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\PRAGMAc914.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\tmp4F4F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\tmpE599.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\tmpE5E7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\topwesitjh (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Start-meny\Programmer\AnVi\About.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Start-meny\Programmer\AnVi\Activate.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Start-meny\Programmer\AnVi\Antivirus Support.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Start-meny\Programmer\AnVi\Antivirus.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Start-meny\Programmer\AnVi\Buy.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Start-meny\Programmer\AnVi\Scan.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Start-meny\Programmer\AnVi\Settings.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Start-meny\Programmer\AnVi\Update.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Programdata\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\0.11031340768040454.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\0.3741187118227066.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\dhdhtrdhdrtr5y (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\1505hvmo\Lokale innstillinger\temp\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
norbat, posted 19 September 2010

Post a ComboFix log or a DDS log (see the guide).
T.O.E (thread author), posted 19 September 2010 (edited)

I get this error message when I run ComboFix: "Prøvde du å kjøre CFScript? Navnet CFScript ser ut til å være stavet feil" [the dialog text, in Norwegian: "Did you try to run CFScript? The name CFScript appears to be misspelled"]

Edit: It is possible to extract the ComboFix file, if that helps at all...

Edited 19 September 2010 by T.O.E
T.O.E (thread author), posted 19 September 2010

DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by 1505hvmo at 19:31:12,60 on 19.09.2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.47.1044.18.1976.1314 [GMT 2:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {C24317C3-EF42-4BD3-B9F6-926FE54E7D8D}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {2045E3EF-E5E7-488B-AC43-2B179BB14050}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Fellesfiler\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\DataStudio\PASPortal.exe
svchost.exe
svchost.exe
svchost.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Programfiler\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\1505hvmo\Skrivebord\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/calendar/render?gsessionid=B78NsKokGpoQtiMDF4UFsA
uWindow Title = Windows Internet Explorer provided by IKT avd. ved Sandefjord VGS
uDefault_Page_URL = hxxp://svgs.vfk.no
mStart Page = hxxp://svgs.vfk.no
uInternet Settings,ProxyOverride = <local>
mWinlogon: System=c:\programfiler\novell\zenworks\bin\preboot\ZISWIN.exe
BHO: lsk_WebBlk Class: {1935e690-1ac1-4aa5-ba23-3d9d0ceb3a00} - c:\windows\system32\Lsk_iBlk.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\programfiler\microsoft office\office12\GrooveShellExtensions.dll
BHO: Påloggingshjelp for Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programfiler\fellesfiler\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\programfiler\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programfiler\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: ClueIEAddin: {c14aa221-bae1-45f6-b0b3-90c23f2daa7d} - c:\programfiler\clue\adxloader.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programfiler\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programfiler\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [LightScribe Control Panel] c:\programfiler\fellesfiler\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "e:\windows live\messenger\msnmsgr.exe" /background
uRun: [skype] "c:\documents and settings\1505hvmo\lokale innstillinger\programdata\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [QuickTime Task] "c:\programfiler\quicktime\QTTask.exe" -atboottime
uRun: [MSMSGS] "c:\programfiler\messenger\msmsgs.exe" /background
uRun: [ASH24SXZ9S] c:\docume~1\1505hvmo\lokale~1\temp\Eqx.exe
uRun: [Wgaruy] rundll32.exe "c:\documents and settings\1505hvmo\lokale innstillinger\programdata\wsxMPr.dll",Startup
uRun: [dfrgsnapnt.exe] c:\docume~1\1505hvmo\lokale~1\temp\dfrgsnapnt.exe
uRun: [Antivirus] "c:\documents and settings\1505hvmo\programdata\anvi\avt.exe" -noscan
mRun: [OfficeScanNT Monitor] "c:\programfiler\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [WatchDog] c:\programfiler\intervideo\dvd check\DVDCheck.exe
mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\programfiler\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\dvdche~1.lnk - c:\programfiler\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\paspor~1.lnk - c:\windows\installer\{7ac82557-3e93-4896-83e0-6bcc1a869f98}\NewShortcut1.exe
uPolicies-explorer: NoToolbarCustomize = 1 (0x1)
uPolicies-explorer: NoBandCustomize = 1 (0x1)
uPolicies-explorer: NoNetConnectDisconnect = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoRun = 1 (0x1)
uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoChangeStartMenu = 1 (0x1)
uPolicies-explorer: NoSetTaskbar = 1 (0x1)
uPolicies-explorer: NoTaskGrouping = 1 (0x1)
uPolicies-explorer: NoToolbarsOnTaskbar = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: ForceActiveDesktopOn = 1 (0x1)
uPolicies-explorer: NoPropertiesMyDocuments = 1 (0x1)
uPolicies-explorer: NoPropertiesMyComputer = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoCloseDragDropBands = 1 (0x1)
uPolicies-explorer: NoMovingBands = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoPublishingWizard = 1 (0x1)
uPolicies-explorer: NoWebServices = 1 (0x1)
uPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: RestrictCpl = 1 (0x1)
uPolicies-system: NoDispBackgroundPage = 1 (0x1)
uPolicies-system: NoDispAppearancePage = 1 (0x1)
uPolicies-system: Wallpaper = c:\windows\svgsbakgrunn.bmp
uPolicies-system: WallpaperStyle = 2
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programfiler\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\programfiler\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: DirectEdit - hxxps://vfk.itslearning.com/file/DirectEdit.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263469359906
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263469353156
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\programfiler\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\programfiler\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\docume~1\1505hvmo\lokale~1\progra~1\skype\shared\SKYPE4~1.DLL
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\programfiler\actividentity\activclient\acunlock.dll
Notify: igfxcui - igfxdev.dll
Notify: LCredMgr - c:\programfiler\novell\casa\bin\lcredmgr.dll
Notify: nzrNotifier - nzrNotifier.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\programfiler\microsoft office\office12\GrooveShellExtensions.dll
SEH: ZENworks Adaptive Agent: {763370c4-268e-4308-a60c-d8da0342be32} - c:\programfiler\novell\zenworks\bin\NalShell.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\programfiler\fellesfiler\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\1505hvmo\progra~1\mozilla\firefox\profiles\lztw8yf6.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\programfiler\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\programfiler\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\programfiler\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\programfiler\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\programfiler\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\programfiler\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programfiler\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programfiler\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programfiler\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programfiler\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\programfiler\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programfiler\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programfiler\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programfiler\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programfiler\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-8-18 24064]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-8-3 10880]
R2 accoca;ActivClient Middleware Service;c:\programfiler\actividentity\activclient\accoca.exe [2007-5-15 182576]
R2 LanSchoolStudent;LanSchool Student Service;c:\programfiler\lanschool\student.exe [2010-7-6 1054000]
R2 Novell Identity Store;Novell Identity Store;c:\programfiler\novell\casa\bin\micasad.exe [2009-6-24 245760]
R2 Novell ZENworks Agent Service;Novell ZENworks Agent Service;c:\programfiler\novell\zenworks\bin\ZenworksWindowsService.exe [2009-11-26 28672]
R2 nzwinvnc;Novell ZENworks Remote Management powered by VNC;c:\programfiler\novell\zenworks\bin\nzrwinvnc.exe -service --> c:\programfiler\novell\zenworks\bin\nzrWinVNC.exe -service [?]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-8-17 50192]
R2 TmFilter;Trend Micro Filter;c:\programfiler\trend micro\officescan client\TmXPFlt.sys [2009-5-22 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\programfiler\trend micro\officescan client\tmpreflt.sys [2009-5-22 36368]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-8-13 9176]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-4-7 31896]
R3 tmcfw;tmcfw;c:\windows\system32\drivers\TM_CFW.sys [2009-2-23 338960]
R3 TmPfw;OfficeScan NT Firewall;c:\programfiler\trend micro\officescan client\TmPfw.exe [2009-2-23 488768]
S2 gupdate1c9ec307e332d60;Googles oppdateringstjeneste (gupdate1c9ec307e332d60);c:\programfiler\google\update\GoogleUpdate.exe [2009-6-13 133104]
S3 Com4QLBEx;Com4QLBEx;c:\programfiler\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-8-18 193840]
S3 RoxMediaDB10;RoxMediaDB10;c:\programfiler\fellesfiler\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-8 1112560]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2007-6-21 56448]
S3 TmProxy;OfficeScan NT Proxy Service;c:\programfiler\trend micro\officescan client\TmProxy.exe [2009-2-23 652552]
S3 ZENPreAgent;Novell ZENworks Pre Agent;c:\windows\novell\zenworks\bin\ZENPreAgent.exe [2009-8-13 188416]

=============== Created Last 30 ================

2010-09-19 17:16:02 77312 ----a-w- c:\windows\MBR.exe
2010-09-19 17:16:00 256512 ----a-w- c:\windows\PEV.exe
2010-09-19 17:16:00 161792 ----a-w- c:\windows\SWREG.exe
2010-09-19 17:15:59 98816 ----a-w- c:\windows\sed.exe
2010-09-19 16:22:30 0 d-----w- c:\docume~1\1505hvmo\progra~1\AnVi
2010-09-19 13:09:25 664576 ----a-w- c:\docume~1\1505hvmo\progra~1\hotfix.exe
2010-09-05 16:28:06 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
2010-09-05 16:28:02 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-08-25 11:51:55 0 d-----w- c:\docume~1\1505hvmo\progra~1\Malwarebytes
2010-08-21 22:34:43 0 d-----w- c:\windows\system32\Fonts
2010-08-21 17:39:17 0 d-sha-r- C:\cmdcons
2010-08-21 13:26:26 0 d-----w- c:\docume~1\alluse~1\progra~1\Spybot - Search & Destroy
2010-08-21 08:08:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-21 08:07:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-21 08:07:59 0 d-----w- c:\docume~1\alluse~1\progra~1\Malwarebytes
2010-08-21 08:07:58 0 d-----w- c:\programfiler\Malwarebytes' Anti-Malware
2010-08-20 21:54:09 175 ----a-w- c:\documents and settings\1505hvmo\.com.zerog.registry.xml
2010-08-20 21:53:38 0 d--h--w- c:\documents and settings\1505hvmo\InstallAnywhere
2010-08-20 21:50:17 0 d-----w- c:\docume~1\1505hvmo\progra~1\BitTorrent
2010-08-20 19:52:08 0 d-----w- c:\windows\system32\wbem\Repository
2010-08-20 19:28:02 5 ----a-w- C:\zrpt.xml

==================== Find3M ====================

2010-09-15 20:14:24 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-08-20 19:27:52 210816 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-07-27 11:04:58 84518 ----a-w- c:\windows\system32\perfc014.dat
2010-07-27 11:04:58 457746 ----a-w- c:\windows\system32\perfh014.dat
2010-07-06 09:04:14 61232 ----a-w- c:\windows\system32\lskhook64.dll
2010-07-06 09:04:12 75056 ----a-w- c:\windows\system32\lskhook.dll
2009-06-01 17:19:08 6253 ----a-w- c:\programfiler\eula.rtf

============= FINISH: 19:31:33,53 ===============

Added the second log as well, as was recommended.
Attach.txt
norbat, posted 19 September 2010

Update mbam and run a new quick scan. See if you can run ComboFix afterwards.
T.O.E (thread author), posted 19 September 2010 (edited)

Got mbam updated, but ComboFix gives the same message. I can't run it in safe mode either, since this user can't be logged on in safe mode. This is the log right after the reboot.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4652

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19.09.2010 21:03:42
mbam-log-2010-09-19 (21-03-42).txt

Scan type: Quick scan
Objects scanned: 142602
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 6
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ASH24SXZ9S (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\OTGV1DNWQQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ash24sxz9s (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfrgsnapnt.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer (Disable.MCProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\ConnectionsTab (Hijack.ConnectionControl) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\1505hvmo\Programdata\AnVi\avt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

EDIT: adding new DDS logs, just in case.
DDS.txt
Attach.txt

Edited 19 September 2010 by T.O.E
norbat posted 19 September 2010:
Check these files on virscan.org:
c:\documents and settings\1505hvmo\lokale innstillinger\programdata\wsxMPr.dll
c:\windows\system32\drivers\sptd.sys
c:\windows\system32\drivers\ndis.sys
---
Check whether the AnVi folder is empty. If it is, delete it. If not, tell me which files are in it. You can delete zrpt.xml as well.
c:\docume~1\1505hvmo\progra~1\AnVi
C:\zrpt.xml
Some of the entries that mbam finds are related to policies and were most likely set by the IT department at the school. I think these should be left alone:
uPolicies-explorer: NoToolbarCustomize = 1 (0x1)
uPolicies-explorer: NoBandCustomize = 1 (0x1)
uPolicies-explorer: NoNetConnectDisconnect = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoRun = 1 (0x1)
uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoChangeStartMenu = 1 (0x1)
uPolicies-explorer: NoSetTaskbar = 1 (0x1)
uPolicies-explorer: NoTaskGrouping = 1 (0x1)
uPolicies-explorer: NoToolbarsOnTaskbar = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: ForceActiveDesktopOn = 1 (0x1)
uPolicies-explorer: NoPropertiesMyDocuments = 1 (0x1)
uPolicies-explorer: NoPropertiesMyComputer = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoCloseDragDropBands = 1 (0x1)
uPolicies-explorer: NoMovingBands = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoPublishingWizard = 1 (0x1)
uPolicies-explorer: NoWebServices = 1 (0x1)
uPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: RestrictCpl = 1 (0x1)
uPolicies-system: NoDispBackgroundPage = 1 (0x1)
uPolicies-system: NoDispAppearancePage = 1 (0x1)
uPolicies-system: Wallpaper = c:\windows\svgsbakgrunn.bmp
uPolicies-system: WallpaperStyle = 2
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
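As an added illustration of the point norbat makes above (example code, not from this thread or any of the tools named in it): a small Python triage that reads MBAM detection lines and DDS uPolicies lines in the formats posted here, and separates malware traces from policy hits that the DDS baseline already lists (likely admin-set) and policy hits that still need a look. The sample lines are constructed from the formats above, and the mapping from DDS section names (explorer, system) to registry keys, as well as treating the Hijack./Disable. families as policy tweaks, are assumptions.

```python
import re

# Constructed sample lines in the formats of the MBAM and DDS logs in this thread (not the full logs).
MBAM_SAMPLE = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\ConnectionsTab (Hijack.ConnectionControl) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""
DDS_SAMPLE = r"""
uPolicies-explorer: NoRun = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
"""

# "<registry path> (<family>) -> <action>"; the path may contain spaces.
MBAM_RE = re.compile(r"^(?P<path>HKEY_\S.*?) \((?P<family>[\w.]+)\) -> (?P<action>.+)$")
# "uPolicies-explorer: Name = value" (u = per-user HKCU, m = per-machine HKLM).
DDS_RE = re.compile(r"^(?P<scope>[um])Policies-(?P<hive>\w+): (?P<name>\w+) = (?P<value>.+)$")
# Assumed mapping from the DDS section name to the registry key it reports on.
POLICY_KEYS = {
    "explorer": "\\currentversion\\policies\\explorer",
    "system": "\\currentversion\\policies\\system",
}
# Families MBAM uses for policy/restriction tweaks rather than malware files or traces (assumption).
POLICY_FAMILIES = ("Hijack.", "Disable.")

def parse_mbam(text):
    """Return (path, family, action) tuples for each MBAM detection line."""
    return [m.group("path", "family", "action")
            for m in map(MBAM_RE.match, (l.strip() for l in text.splitlines())) if m]

def parse_dds_policies(text):
    """Return the set of (scope, hive, name), lowercased, from DDS policy lines."""
    return {(m["scope"], m["hive"].lower(), m["name"].lower())
            for m in map(DDS_RE.match, (l.strip() for l in text.splitlines())) if m}

def triage(mbam_text, dds_text):
    """Bucket MBAM hits into malware traces, policies the DDS baseline already lists
    (likely admin-set), and policy hits that need manual review."""
    baseline = parse_dds_policies(dds_text)
    report = {"malware": [], "policy_in_baseline": [], "policy_review": []}
    for path, family, _action in parse_mbam(mbam_text):
        if not family.startswith(POLICY_FAMILIES):
            report["malware"].append(path)
            continue
        low = path.lower()
        scope = "u" if low.startswith("hkey_current_user") else "m"
        key, _, name = low.rpartition("\\")   # key = containing registry key, name = value name
        hive = next((h for h, suffix in POLICY_KEYS.items() if key.endswith(suffix)), None)
        bucket = "policy_in_baseline" if (scope, hive, name) in baseline else "policy_review"
        report[bucket].append(path)
    return report

if __name__ == "__main__":
    for bucket, paths in triage(MBAM_SAMPLE, DDS_SAMPLE).items():
        print(bucket, *paths, sep="\n  ")
```

On the sample, the ConnectionsTab hit lands in policy_review because its key is not one the DDS policy sections cover, which is exactly the kind of entry to check by hand rather than restore or delete blindly.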
T.O.E (author) posted 19 September 2010:
> c:\documents and settings\1505hvmo\lokale innstillinger\programdata\wsxMPr.dll
That location doesn't exist. The closest I get is:
C:\Documents and Settings\1505hvmo
or
C:\Documents and Settings\Dau469642-1885\Lokale Innstillinger\Programdata
C:\Documents and Settings\Dau321909-4634\Lokale Innstillinger\Programdata
C:\Documents and Settings\Dau507276-9541\Lokale Innstillinger\Programdata
But beyond Programdata there are no files; I just end up in empty folders such as:
C:\Documents and Settings\Dau469642-1885\Lokale Innstillinger\Programdata\Microsoft\Office\Groove\System
c:\docume~1\1505hvmo\progra~1\AnVi doesn't exist either.
The file c:\windows\system32\drivers\sptd.sys had no malware according to virscan.
The file c:\windows\system32\drivers\ndis.sys they couldn't find.
Heh, not much to go on here...
norbat posted 19 September 2010:
Maybe they will show up if you turn on "Show hidden files and folders" and also show protected operating system files?
Run an online scan.
T.O.E (author) posted 19 September 2010:
> Maybe they will show up if you turn on "Show hidden files and folders" and also show protected operating system files?
Don't know how to do either of those?
> Run an online scan.
There were a few places where it said "Could not access", but this is the log at any rate:

QuickScan Beta 32-bit v0.9.9.38
-------------------------------
Scan date: Sun Sep 19 22:23:30 2010
Machine ID: 9474383F
C:\Programfiler\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe - could not be accessed
Found 2 infected files!
-----------------------
C:\WINDOWS\explorer.exe --> Win32.Loader.O
--> HKCR\folder\shell\open\command\(default)
--> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell"
--> Process explorer.exe (2016)
C:\WINDOWS\system32\drivers\NDIS.sys --> Rootkit.Kobcka.Patched.Gen
--> HKLM\System\ControlSet001\services\NDIS
Processes
---------
Firefox 2896 C:\Programfiler\Mozilla Firefox\firefox.exe
Firefox 4460 C:\Programfiler\Mozilla Firefox\plugin-container.exe
LightScribe 4204 C:\Programfiler\Fellesfiler\LightScribe\LightScribeControlPanel.exe
Microsoft® Windows® Operating System 2592 C:\WINDOWS\system32\ctfmon.exe
Operativsystemet Microsoft® Windows® 2016 C:\WINDOWS\explorer.exe
PASPortal 4952 C:\Programfiler\DataStudio\PASPortal.exe
Skype 4712 C:\Documents and Settings\1505hvmo\Lokale innstillinger\Programdata\Skype\Phone\Skype.exe
Skype Extras Manager 5584 C:\Documents and Settings\1505hvmo\Lokale innstillinger\Programdata\Skype\Plugin Manager\skypePM.exe
Spotify 5636 C:\Documents and Settings\1505hvmo\Skrivebord\Spotify\spotify.exe
Synaptics Pointing Device Driver 2288 C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
Trend Micro OfficeScan 2636 C:\Programfiler\Trend Micro\OfficeScan Client\PccNTMon.exe
Network activity
----------------
Process Skype.exe (4712) listens on ports: 80 (HTTP), 443 (HTTP over SSL), 7430
Process spotify.exe (5636) listens on ports: 54373
Autoruns and critical files
---------------------------
ActivClient C:\Programfiler\ActivIdentity\ActivClient\acunlock.dll
ActivClient Services C:\WINDOWS\system32\ackpbsc.dll
DVDCheck Application C:\Programfiler\InterVideo\DVD Check\DVDCheck.exe
GrooveShellExtensions Module C:\Programfiler\Microsoft Office\Office12\GrooveShellExtensions.dll
Intel® Common User Interface C:\WINDOWS\system32\igfxdev.dll
lcredmgr.dll C:\Programfiler\Novell\CASA\bin\lcredmgr.dll
LightScribe C:\Programfiler\Fellesfiler\LightScribe\LightScribeControlPanel.exe
Malwarebytes' Anti-Malware C:\Programfiler\Malwarebytes' Anti-Malware\mbam.exe
Messenger C:\Programfiler\Messenger\msmsgs.exe
Microsoft Synkroniseringsbehandling C:\WINDOWS\system32\mobsync.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe
Microsoft® Windows® Operating System C:\WINDOWS\System32\dimsntfy.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
Operativsystemet Microsoft® Windows® C:\WINDOWS\system32\browseui.dll
Operativsystemet Microsoft® Windows® C:\WINDOWS\system32\crypt32.dll
Operativsystemet Microsoft® Windows® C:\WINDOWS\system32\cscdll.dll
Operativsystemet Microsoft® Windows® C:\WINDOWS\system32\logonui.exe
Operativsystemet Microsoft® Windows® C:\WINDOWS\system32\sclgntfy.dll
Operativsystemet Microsoft® Windows® C:\WINDOWS\system32\shell32.dll
Operativsystemet Microsoft® Windows® C:\WINDOWS\system32\stobject.dll
Operativsystemet Microsoft® Windows® c:\windows\system32\userinit.exe
Operativsystemet Microsoft® Windows® C:\WINDOWS\system32\wlnotify.dll
QuickTime C:\Programfiler\QuickTime\QTTask.exe
Skype C:\Documents and Settings\1505hvmo\Lokale innstillinger\Programdata\Skype\\Phone\Skype.exe
Synaptics Pointing Device Driver C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
Trend Micro OfficeScan C:\Programfiler\Trend Micro\OfficeScan Client\PccNTMon.exe
Windows Genuine Advantage C:\WINDOWS\system32\WgaLogon.dll
Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll
ZENworks C:\Programfiler\Novell\ZENworks\bin\NalShell.dll
ZENworks 10 Configuration Management C:\WINDOWS\system32\nzrNotifier.dll
Browser plugins
---------------
Add-in Express .NET c:\programfiler\clue\adxloader.dll
BitDefender QuickScan C:\Documents and Settings\1505hvmo\Programdata\Mozilla\Firefox\Profiles\lztw8yf6.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
BitDefender QuickScan C:\Documents and Settings\1505hvmo\Programdata\Mozilla\Firefox\Profiles\lztw8yf6.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
DirectEdit.dll C:\WINDOWS\Downloaded Program Files\CONFLICT.1\DirectEdit.dll
DirectEdit.dll C:\WINDOWS\Downloaded Program Files\DirectEdit.dll
Google Earth Plugin C:\Programfiler\Google\Google Earth\plugin\npgeplugin.dll
Google Update C:\Programfiler\Google\Update\1.2.183.29\npGoogleOneClick8.dll
Google Updater C:\Programfiler\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
GoogleToolbarNotifier c:\programfiler\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
GrooveShellExtensions Module C:\Programfiler\Microsoft Office\Office12\GrooveShellExtensions.dll
Java Platform SE 6 U18 c:\programfiler\java\jre6\bin\jp2ssv.dll
Java Platform SE 6 U18 c:\programfiler\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
LanSchool C:\WINDOWS\system32\lsk_iblk.dll
Messenger C:\Programfiler\Messenger\msmsgs.exe
Microsoft® Windows Live Login Helper c:\programfiler\fellesfiler\microsoft shared\windows live\windowslivelogin.dll
Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
Mozilla Default Plug-in C:\Programfiler\Mozilla Firefox\plugins\npnul32.dll
NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
Operativsystemet Microsoft® Windows® C:\WINDOWS\system32\mswsock.dll
Operativsystemet Microsoft® Windows® C:\WINDOWS\System32\nwprovau.dll
Shockwave for Director C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
Silverlight Plug-In c:\Programfiler\Microsoft Silverlight\4.0.50524.0\npctrl.dll
Skype Toolbars c:\programfiler\skype\toolbars\internet explorer\skypeieplugin.dll
Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll
Missing files
-------------
File not found: C:\ComboFix\catchme.sys --> HKLM\System\ControlSet001\services\catchme\"ImagePath"
File not found: C:\Documents and Settings\1505hvmo\Lokale innstillinger\Programdata\wsxMPr.dll --> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"Wgaruy"
File not found: E:\Windows Live\Messenger\msnmsgr.exe --> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"msnmsgr"
Scan
----
The following file(s) must be uploaded for server-side scanning:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\mobsync.dll
C:\Programfiler\DataStudio\Languages\nor\PASPortal_nor.dll
Upload started - 3 file(s)
explorer.exe (1033728)
PASPortal_nor.dll (94208)
mobsync.dll (207360)
Upload speed - 75 KB/s
Upload finished - 3 uploaded, 0 failed
Scan finished - communication took 18 sec
Total traffic - 1.34 MB sent, 1.98 KB recvd
Scanned 847 files and modules - 46 seconds
==============================================================================
norbat posted 19 September 2010:
Do you have this folder: c:\windows\ServicePackFiles\i386
You have a couple of files that need to be replaced with clean copies.
T.O.E (author) posted 20 September 2010:
Hmm, no. Not when I searched the C: folder either.
T.O.E (author) posted 21 September 2010:
The virus is still wreaking havoc. I can't always use the browser properly, since it switches to porn sites or something when I change web page. The 10 viruses that I posted in the first log are still there.
norbat posted 26 September 2010:
Download a new combofix, save it to the desktop as combo-fix.exe. See if you can run the program.
cocopara posted 29 September 2010:
Norbat, you apparently know nothing about IT security. Fake antivirus programs are basically easy to remove; download Hitmanpro.nl (it's in English, though). It will remove any rogue whatsoever; it's like MBAM, but it uses 5-6 different anti-malware engines, including G-Data and Eset plus a couple of others, Ikarus included I think. By the way, use Task Manager to end the rogue's process if it hasn't blocked Task Manager. Don't do overly complicated tasks like the ones these "pros" recommend. It takes much longer than what I recommend, which does just as good a job.