komodovaran, posted 18 October 2010

I would really appreciate it if someone could guide me through getting rid of malware on my machine. Logs from mbam and dds are attached. I have followed the procedure that is explained in several places on these pages. I ran mbam and put the files in quarantine, but whether I got rid of everything, I don't know. After a restart of the PC, http was suddenly blocked. Luckily I got onto diskusjon.no via https, but then without being able to log in. I found out that I was connected to a proxy under LAN settings in Windows 7 (64-bit), so I turned it off and now have http access again. The proxy was, by the way, 127.0.0.1 via port 50370, if that is of any help.

Here is the log from mbam:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Databaseversjon: 4872

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

18.10.2010 17:39:30
mbam-log-2010-10-18 (17-39-30).txt

Skanntype: Hurtigsøk
Objekter skannet: 151489
Tid tilbakelagt: 3 minutt(er), 24 sekund(er)

Minneprosesser infisert: 2
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 2
Registerfiler infisert: 2
Mapper infisert: 0
Filer infisert 6

Minneprosesser infisert:
C:\Users\Mats\AppData\Roaming\Microsoft\svchost.exe (Trojan.Agent) -> No action taken.
C:\Users\Mats\AppData\Roaming\Microsoft\Windows\shell.exe (Trojan.Shell) -> No action taken.

Minnemoduler infisert:
(Ingen skadelige objekter funnet)

Registernøkler infisert:
(Ingen skadelige objekter funnet)

Registerverdier infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> No action taken.

Registerfiler infisert:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Users\Mats\AppData\Roaming\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> No action taken.

Mapper infisert:
(Ingen skadelige objekter funnet)

Filer infisert
C:\Users\Mats\AppData\Roaming\Microsoft\svchost.exe (Trojan.Agent) -> No action taken.
C:\Users\Mats\AppData\Local\Temp\0.9209774918282296.exe (Trojan.Agent) -> No action taken.
C:\Windows\fileextract.exe (Worm.Palevo) -> No action taken.
C:\Windows\run_setup.exe (Adware.Agent) -> No action taken.
C:\Users\Mats\AppData\Roaming\Microsoft\Windows\shell.exe (Trojan.Shell) -> No action taken.
C:\Users\Mats\AppData\Local\Temp\0.48505556644572023.exe (Trojan.Dropper) -> No action taken.

DDS log:

DDS (Ver_10-10-10.03) - NTFS_AMD64
Run by Mats at 17:55:21,27 on 18.10.2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.47.1033.18.3071.1864 [GMT 2:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Voddler\service\voddler.exe
C:\Program Files (x86)\Xobni\XobniService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Users\Mats\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Users\Mats\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLiteShellHlp.exe
C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Zune\ZuneNss.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Mats\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
M:\Trommer\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Påloggingshjelp for Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
uRun: [Google Update] "C:\Users\Mats\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
StartupFolder: C:\Users\Mats\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Mats\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: E&ksporter til Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
TB-X64: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll

============= SERVICES / DRIVERS ===============

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-11-16 202752]
R2 PenCommService;Livescribe Pulse Smartpen Service;C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe [2009-11-17 265728]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
R2 VoddlerNet;VoddlerNet;C:\Program Files (x86)\Voddler\service\voddler.exe [2010-4-29 870096]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-18 497856]
R2 XobniService;XobniService;C:\Program Files (x86)\Xobni\XobniService.exe [2010-3-16 55016]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-8-20 239616]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-16 135664]
S3 DrvAgent64;DrvAgent64;C:\Windows\SysWOW64\drivers\DrvAgent64.SYS [2010-4-26 21712]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;C:\Windows\System32\drivers\PulseUsb.sys [2009-11-17 24576]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-8 1255736]

=============== Created Last 30 ================

2010-10-18 15:29:01 -------- d-----w- C:\Users\Mats\AppData\Roaming\Malwarebytes
2010-10-18 15:28:55 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-10-18 15:28:54 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-10-18 15:28:54 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-10-18 15:28:54 -------- d-----w- C:\PROGRA~3\Malwarebytes
2010-10-15 12:58:55 7935824 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{BC837D1E-10AE-4C98-BAA8-BDEE41859443}\mpengine.dll
2010-10-14 03:37:10 148992 ----a-w- C:\Windows\System32\t2embed.dll
2010-10-14 03:37:10 109056 ----a-w- C:\Windows\SysWow64\t2embed.dll
2010-10-14 03:37:09 4582912 ----a-w- C:\Program Files\Windows NT\Accessories\wordpad.exe
2010-10-14 03:37:09 4247040 ----a-w- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
2010-10-14 03:37:09 2085376 ----a-w- C:\Windows\System32\ole32.dll
2010-10-14 03:37:09 1413632 ----a-w- C:\Windows\SysWow64\ole32.dll
2010-10-14 03:36:55 483840 ----a-w- C:\Windows\System32\StructuredQuery.dll
2010-10-14 03:36:55 363520 ----a-w- C:\Windows\SysWow64\StructuredQuery.dll
2010-10-14 03:34:05 340992 ----a-w- C:\Windows\System32\schannel.dll
2010-10-14 03:34:05 224256 ----a-w- C:\Windows\SysWow64\schannel.dll
2010-10-14 03:34:03 633856 ----a-w- C:\Windows\System32\comctl32.dll
2010-10-14 03:34:03 530432 ----a-w- C:\Windows\SysWow64\comctl32.dll
2010-10-14 03:33:02 738816 ----a-w- C:\Windows\SysWow64\wmpmde.dll
2010-10-14 03:33:02 1024512 ----a-w- C:\Windows\System32\wmpmde.dll
2010-10-14 03:31:25 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
2010-10-14 03:31:25 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll
2010-10-14 03:29:59 167424 ----a-w- C:\Program Files\Windows Media Player\wmplayer.exe
2010-10-14 03:29:59 164864 ----a-w- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
2010-10-14 03:29:59 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2010-10-14 03:29:59 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2010-10-14 03:29:27 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
2010-10-14 03:29:27 463360 ----a-w- C:\Windows\System32\drivers\srv.sys
2010-10-14 03:29:27 402944 ----a-w- C:\Windows\System32\drivers\srv2.sys
2010-10-14 03:29:27 236032 ----a-w- C:\Windows\System32\srvsvc.dll
2010-10-14 03:29:27 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2010-10-14 03:29:18 3123712 ----a-w- C:\Windows\System32\win32k.sys
2010-10-06 16:41:47 -------- d-----w- C:\Program Files\Defraggler
2010-10-06 16:38:40 -------- d-----w- C:\Windows\pss
2010-10-06 16:34:13 -------- d-----w- C:\Program Files (x86)\CCleaner
2010-10-06 16:27:22 -------- d-----w- C:\Program Files\Speccy
2010-09-30 01:00:29 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2010-09-29 11:31:50 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-09-29 11:31:50 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-09-29 11:31:47 13312 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2010-09-29 11:31:47 13312 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2010-09-27 00:52:54 9216 ----a-w- C:\Windows\System32\RdCi1027.dll
2010-09-27 00:52:54 81920 ----a-w- C:\Windows\System32\drivers\Rdwm1027.sys
2010-09-27 00:52:54 56832 ----a-w- C:\Windows\System32\RDCP1027.CPL
2010-09-27 00:52:54 410624 ----a-w- C:\Windows\System32\RDDP1027.DAT
2010-09-27 00:52:54 -------- d-----w- C:\Program Files\RdDrv001
2010-09-25 20:46:16 -------- d-----w- C:\Windows\WindowsMobile
2010-09-22 21:27:33 -------- d--h--w- C:\CanoScan
2010-09-18 23:15:54 -------- d-----r- C:\Users\Mats\Podcasts
2010-09-18 22:53:24 -------- d-----w- C:\Windows\System32\drivers\UMDF\it-IT
2010-09-18 22:53:23 -------- d-----w- C:\Windows\System32\drivers\UMDF\de-DE
2010-09-18 22:53:22 -------- d-----w- C:\Windows\System32\drivers\UMDF\fr-FR
2010-09-18 22:53:21 -------- d-----w- C:\Windows\System32\drivers\UMDF\es-ES
2010-09-18 22:51:49 758272 ----a-w- C:\Windows\System32\PortableDeviceApi.dll
2010-09-18 22:51:49 547840 ----a-w- C:\Windows\SysWow64\PortableDeviceApi.dll

==================== Find3M ====================

2010-09-08 05:36:17 1192960 ----a-w- C:\Windows\System32\wininet.dll
2010-09-08 05:34:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-09-08 04:30:04 978432 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-09-08 04:16:38 482816 ----a-w- C:\Windows\System32\html.iec
2010-09-08 03:35:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-09-08 03:22:31 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-09-08 02:48:16 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-08-21 06:29:47 558592 ----a-w- C:\Windows\System32\spoolsv.exe
2010-07-29 06:30:34 82944 ----a-w- C:\Windows\SysWow64\iccvid.dll

============= FINISH: 17:55:51,56 ===============
norbat, posted 18 October 2010

It is not unusual for malware like this to set a proxy. The dds log looks fine. No malware, but do the following anyway:

1. Update MBAM and run a new quick scan
2. Run an online scan, e.g. BitDefender

Report back on whether anything was found.
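The loopback proxy that komodovaran found under LAN settings (and that norbat notes such malware commonly sets), together with the Winlogon\Shell hijack and the "No action taken" results in the MBAM log, are the three things a responder would pull out of these logs mechanically rather than by eye. The Python below is an added example, not code from the thread, from Malwarebytes or from the DDS tool. It runs over a constructed sample built from a handful of lines of the logs above (one "Quarantined and deleted successfully" result is constructed so the filter has something to exclude), and it assumes the line shapes seen in those logs: MBAM detections as "item (Family) -> result" and the DDS proxy line as "ProxyServer = ...".

```python
import re

# Constructed sample: a few MBAM lines from the post above, plus one line with a
# constructed "Quarantined" result to show that resolved items are filtered out.
MBAM_SAMPLE = r"""
Minneprosesser infisert:
C:\Users\Mats\AppData\Roaming\Microsoft\svchost.exe (Trojan.Agent) -> No action taken.
C:\Users\Mats\AppData\Roaming\Microsoft\Windows\shell.exe (Trojan.Shell) -> No action taken.

Registerfiler infisert:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Users\Mats\AppData\Roaming\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> No action taken.

Filer infisert
C:\Windows\fileextract.exe (Worm.Palevo) -> Quarantined and deleted successfully.
"""

# Constructed sample from the DDS "Pseudo HJT Report" section of the post above.
DDS_SAMPLE = r"""
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
"""

# "item (Family) -> result"; the result may itself contain a second "->" (Bad/Good lines).
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<result>.+)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<value>.+)$")
SHELL_BAD_RE = re.compile(
    r"Winlogon\\Shell \(Hijack\.Shell\) -> Bad: \((?P<bad>.+?)\) Good: \((?P<good>.+?)\)"
)
LOOPBACK_HOSTS = ("127.0.0.1", "localhost")


def parse_detections(log_text):
    """Return (item, family, result) for every detection line in an MBAM log."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m["item"], m["family"], m["result"]))
    return hits


def unresolved(log_text):
    """Detections the scan only reported: 'No action taken' means nothing was quarantined yet."""
    return [h for h in parse_detections(log_text) if h[2].endswith("No action taken.")]


def loopback_proxies(dds_text):
    """Proxy targets in the DDS pseudo-HJT section that point back at the local machine."""
    found = []
    for line in dds_text.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        # Value forms seen in practice: "host:port", "http=host:port", or ";"-separated list.
        for entry in m["value"].split(";"):
            target = entry.split("=", 1)[-1].strip()
            host = target.rsplit(":", 1)[0] if ":" in target else target
            if host.lower() in LOOPBACK_HOSTS:
                found.append(target)
    return found


def extra_shell_entries(log_text):
    """Entries MBAM saw in Winlogon\\Shell beyond the legitimate value it lists as Good."""
    extras = []
    for line in log_text.splitlines():
        m = SHELL_BAD_RE.search(line)
        if not m:
            continue
        good = {x.strip().lower() for x in m["good"].split(",")}
        extras.extend(e.strip() for e in m["bad"].split(",") if e.strip().lower() not in good)
    return extras


def report(mbam_text, dds_text):
    """Summarise the three indicators a responder wants from these two logs."""
    return {
        "unresolved": [item for item, _, _ in unresolved(mbam_text)],
        "loopback_proxy": loopback_proxies(dds_text),
        "shell_extras": extra_shell_entries(mbam_text),
    }


if __name__ == "__main__":
    for key, values in report(MBAM_SAMPLE, DDS_SAMPLE).items():
        print(key)
        for v in values:
            print("   ", v)
```

Running it on the sample lists the two still-unresolved trojans plus the Shell hijack under "unresolved", "127.0.0.1:50370" under "loopback_proxy", and the shell.exe path under "shell_extras". The last two are worth checking again after cleanup: a proxy that comes back after a reboot, or a Winlogon\Shell value with anything besides explorer.exe, means a persistence mechanism survived the scan.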
komodovaran (author), posted 18 October 2010

Neither MBAM nor BitDefender finds anything now, so I'll hope I managed to finish off the swine.
norbat, posted 19 October 2010

You did. Surf safely!