billywillie, posted 1 December 2010: I think I have picked up a trojan. I have run ComboFix in Safe Mode and MB in normal mode. Posting the logs here.
norbat, posted 1 December 2010: Update MBAM and run a new quick scan. Post the log if it finds anything. Why do you suspect a trojan?
billywillie (author), posted 1 December 2010: Because nothing works on the machine. (It runs normally, but 10 minutes after startup I cannot start any programs and cannot get online either.) I tried running ComboFix in normal mode, but that did not work. Norman antivirus pops up with a warning that it has found a trojan, which it removes, but right afterwards a new message appears. Running a new scan now, so we will see.
Lednar, posted 2 December 2010: Remember to disable the antivirus software before you run ComboFix. AVs can interfere with ComboFix while it is working, and thereby do even more damage.
billywillie (author), posted 2 December 2010: I have now run another round of ComboFix, and it looks like things are back in order. The machine is behaving completely normally now.