PCen min er infisert med spyware/virus - hjelp

dot_ · 28. april 2006

Scan type: Auto-Protect Scan

Event: Threat Found!

Threat: Trojan Horse

File: C:\WINDOWS\system32\twain32.dll

Location: C:\WINDOWS\system32

Computer: Computername

User: Administrator

Action taken: Clean failed : Quarantine failed : Access denied

Date found: 28. april 2006 15:02:32

Kan noen være så inderlig snille og hjelpe?

zjulik · 28. april 2006

Start i safe mode og slett filen derfra, eller bruk moveonboot:

http://www.snapfiles.com/get/moveonboot.html

Du må ellers si litt mer om programvaren du beskytter deg med, andre symptomer evt og.

Scan m Housecall, post en hijackthis-logg (sig).

dot_ · 28. april 2006

Jeg skal prøve dette.

Saken er den at jeg aldri før har fått alvorlige virus/spyware. Er beskyttet med Spyware Blaster, og bruker for øvrig AdAware, AntiVirus Corp og Spyremover.

Kommer med tilbakemelding straks.

dot_ · 28. april 2006

Men før jeg gjør noe som helst; er det fullstendig trygt å slette C:\WINDOWS\system32\twain32.dll (?)

dot_ · 28. april 2006

Etter en rask omstart kom jeg noe lenger. Er dette en bekreftelse på filen er uskadeliggjort?

Action taken: Quarantine succeeded : Access denied

zjulik · 28. april 2006

Det står quarantene succeeded men access denied? snodig.

Sjekk om filen er der fremdeles. Ta et søk på den også på maskinen.

Normale systemfiler i stil med denne er:

C:\WINDOWS\twain.dll

C:\WINDOWS\twain_32.dll

Unormal fil er

C:\WINDOWS\system32\twain32.dll

Smarte virusmakere lager filer som ligner systemfiler mht navn.

Endret 28. april 2006 av zjulik

dot_ · 28. april 2006

Fila er borte, så det var én mindre trussel. PCen er derimot infisert av andre typer spyware. Systemressursene er sprengt og jeg aner ikke hva som må til.

zjulik: du nevnte noe om Housecall?

zjulik · 28. april 2006

Du finner link i min signatur. Prøv også Ccleaner derfra, og post så en logg fra Hijackthis. Alt i sig-en.

dot_ · 28. april 2006

Takker zjulik.

C:\PROGRA~1\DAMNNF~1\DAMNNF~1.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

c:\program files\mcafee.com\agent\mcdetect.exe

C:\PROGRA~1\McAfee.com\Agent\mcagent.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\vso\OasClnt.exe

c:\program files\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\PROGRA~1\McAfee.com\Agent\McDash.exe

c:\program files\mcafee.com\shared\mghtml.exe

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp3D3A.tmp (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [sbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup

O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html

O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

O16 - DPF: ImageUploader - http://www.direktefoto.no/df/Aurigma/ImageUploader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: HFolder Notifier - Unknown owner - C:\WINDOWS\hfdrsvc.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: NkPtpEnumP2 - Unknown owner - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll (file missing)

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Pozzolan · 28. april 2006

Hei,

Her har du housecall.

Slik jeg ser det er det alle oppstartsprogrammene som gjør pcen din treg.

Du kan prøve å slette litt oppstartsprogrammer ved å skrive "msconfig" i kjør/run i start menyen.

Ting du kan fjerne med hijackthis er:

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing) Unnecessarily

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp3D3A.tmp (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

09 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

O23 - Service: NkPtpEnumP2 - Unknown owner - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll (file missing)

BTW hvorfor har du 3 forskjellige antivirus programmer på en pc? Det er anbefalt å bare ha en da de kan komme i konflikt med hverandre. Når du fjerner 2 antivirusprogrammer vil du se at pcen vil jobbe MYE raskere!

dot_ · 28. april 2006

Nå har tilstandene blitt bedre, men jeg har fremdeles infisisert materiale, noe dette burde være et klart eksempel på:

:mad:

berxter · 29. april 2006

Vel, her er det nok noe som ikke stemmer. Du får bare koke kaffe, finne fram cognacen og gå igjennom de mangeogtjue punktene her:

http://www.wilderssecurity.com/showthread.php?t=50662

Dersom du ikke har gjort som Zjulik sa om Ccleaner, kjører du den i stedet for punkt 13.

Vi vil gjerne se loggen fra Panda og en fersk HJTlogg etterpå.

Som Stealthy sa: Ikke ha mer enn ett AV-program i autostart. Du kan godt ha flere installert og kjøre manuelle scan med dem, men bare ett i autostart. Ett unntak er Ewido, det er laget for å gå sammen med andre.

Bernt K

Pozzolan · 29. april 2006

Og en til ting. Du bør kjøre Windons Update.

dot_ · 1. mai 2006

Nå har jeg tilsynelatende fått bort det aller meste, men det fortsetter stadig å dukke opp en rar form for melding (noe som vel må være spyware/virus), se bilde:

Jeg har også fulgt punktene i guiden til wilderssecurity + tatt en omfattende windowsoppdatering.

Her følger en oppdatert HijackThis-logg:

Logfile of HijackThis v1.99.1

Scan saved at 11:45:52, on 01.05.2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\TrojanHunter 4.5\THGuard.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\Rainlendar\Rainlendar.exe

C:\Program Files\eMule\emule.exe

C:\WINDOWS\System32\atmclk.exe

C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe

C:\Program Files\Mozilla Firefox\firefox.exe

F:\0DAY\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [sbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe