Lednar, posted 20 March 2008 (edited)

Hi! So, I have a problem now. I thought I would go through the PC to check whether anything odd was going on. I ran an anti-virus scan/spyware scan (I have F-Secure Anti-Virus Client Security, which I got from school). Fair enough, it found nothing. But when I ran "rootchk", F-Secure found Trojan.Win32.Inject.ph. I myself can't find the file in the Temp folder where it is supposed to be. I then have two options in F-Secure (delete or disinfect). When I tried to delete it, I'm told it is in use by another program, and when I try to disinfect it the whole program crashes and I get an error message saying the program will close.

File name: DOROEPXJ.DLL
Location: C:\DOCUMENTS AND SETTINGS\<user name>\LOCAL SETTINGS\TEMP

Attaching a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:50:08, on 20.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Arnt\My Documents\Random st00f\ProcessExplorer\procexp.exe
C:\Acer\Empowering Technology\admServ.exe
C:\DOCUME~1\Arnt\LOCALS~1\Temp\RtkBtMnt.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe /idle
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Snarvei til procexp.lnk = C:\Documents and Settings\Arnt\My Documents\Random st00f\ProcessExplorer\procexp.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD5769A6-C869-4021-8FA2-4CA9491D2C18}: NameServer = 78.26.26.26,78.26.26.27
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 10591 bytes

Anyway, how do I go about getting rid of this? F-Secure has no way that I can find to put the file in quarantine, and there is no way to start F-Secure in Safe Mode either (what rubbish (sorry for the swearing, but it's ridiculous)). Thanks in advance. ledNar

Edited 20 March 2008 by Lednar
snippsat, posted 20 March 2008 (edited)

The log looks fine. You may need to turn on "show hidden files": Explorer -> Tools -> Folder Options -> View -> tick "Show hidden files and folders" and untick "Hide protected operating system files". You should now see all files on the PC.

You could also run ComboFix; it runs a rootkit scan as well. Download ComboFix and put it on the desktop. Don't click in the window while the program is running. Post the log C:\combofix.txt.

This one deletes temp files: download and run CCleaner. Go to 'Options' -> 'Advanced' and untick "Only delete temporary files older than xx". Run the registry cleaner as well.

If you have problems deleting files, use this one: http://www.softpedia.com/get/System/Boot-M...oveOnBoot.shtml

Edited 20 March 2008 by SNIPPSAT
Lednar (thread author), posted 20 March 2008 (edited)

> The log looks fine. You may need to turn on "show hidden files": Explorer -> Tools -> Folder Options -> View -> tick "Show hidden files and folders" and untick "Hide protected operating system files". You should now see all files on the PC.
> You could also run ComboFix; it runs a rootkit scan as well. Download ComboFix and put it on the desktop. Don't click in the window while the program is running. Post the log C:\combofix.txt.
> This one deletes temp files: download and run CCleaner. Go to 'Options' -> 'Advanced' and untick "Only delete temporary files older than xx". Run the registry cleaner as well.
> If you have problems deleting files, use this one: http://www.softpedia.com/get/System/Boot-M...oveOnBoot.shtml

1) I already have this turned on as standard.

2) Will run ComboFix after I'm done. I'm running BitDefender Online Scanner right now. The log will be posted here.

ComboFix 08-03-18.1 - Arnt 2008-03-20 17:22:12.2 - FAT32x86
Running from: C:\Documents and Settings\Arnt\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.
2008-03-20 15:54 . 2008-03-20 15:54 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-20 15:54 . 2008-03-20 15:54 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-20 13:04 . 2008-03-20 13:04 <DIR> d-------- C:\fsaua.data
2008-03-19 22:36 . 2008-03-19 22:36 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-03-19 22:36 . 2008-03-19 22:36 <DIR> d-------- C:\Documents and Settings\Arnt\Application Data\teamspeak2
2008-03-19 22:36 . 2008-03-19 22:36 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-03-17 19:34 . 2008-03-17 19:34 <DIR> d-------- C:\Documents and Settings\Arnt\Application Data\LimeWire
2008-03-17 19:33 . 2008-03-17 19:33 <DIR> d-------- C:\Program Files\LimeWire
2008-03-11 13:22 . 2008-03-11 13:22 <DIR> d-------- C:\WINDOWS\system32\autorun
2008-03-06 17:00 . 2008-03-06 17:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2008-03-03 19:31 . 2008-03-03 19:31 <DIR> d-------- C:\Program Files\Bonjour
2008-03-03 19:22 . 2008-03-03 19:22 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-01 18:51 . 2007-01-01 20:03 40,960 -ra------ C:\WINDOWS\system32\psfind.dll
2008-02-25 10:21 . 2008-02-25 10:21 <DIR> d-------- C:\Program Files\Riva
2008-02-25 10:21 . 2008-02-25 10:21 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-02-25 10:20 . 2008-02-25 10:20 <DIR> d-------- C:\Program Files\FLVPlayer
2008-02-21 02:57 . 2008-02-21 02:57 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 03:48 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-19 03:46 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-19 00:46 22,328 ----a-w C:\Documents and Settings\Arnt\Application Data\PnkBstrK.sys
2008-02-19 00:45 674,600 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-02-19 00:45 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-02-18 07:34 --------- d-----w C:\Program Files\Vstplugins
2008-02-18 07:34 --------- d-----w C:\Program Files\Sony
2008-02-18 07:34 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony
2008-02-17 12:19 --------- d-----w C:\Program Files\Alcohol Soft
2008-02-17 12:07 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-02-11 17:08 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-08 12:00 --------- d-----w C:\Program Files\GIMP-2.0
2008-02-07 12:11 --------- d-----w C:\Program Files\Parallax Inc
2008-02-07 12:11 --------- d-----w C:\Program Files\DIFX
2008-02-07 09:46 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-02-07 09:07 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Xfire
2008-02-06 18:39 --------- d-----w C:\Documents and Settings\Arnt\Application Data\Ventrilo
2008-02-06 18:38 --------- d-----w C:\Program Files\Ventrilo
2008-02-06 18:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-30 11:44 --------- d-----w C:\Program Files\Xfire
2008-01-30 11:44 --------- d-----w C:\Documents and Settings\Arnt\Application Data\Xfire
2008-01-29 07:25 --------- d-----w C:\Program Files\Futuremark
2008-01-29 07:25 --------- d-----w C:\Documents and Settings\Arnt\Application Data\InstallShield
2008-01-24 08:33 --------- d-----w C:\Program Files\Project64 1.6
2008-01-22 11:23 --------- d-----w C:\Program Files\EA GAMES
2008-01-21 09:01 --------- d-----w C:\Program Files\Common Files\Real
2008-01-21 08:42 --------- d-----w C:\Program Files\Pinnacle
2008-01-20 17:28 --------- d-----w C:\Documents and Settings\Arnt\Application Data\AdobeUM
2008-01-14 11:10 118,842 ------r C:\WINDOWS\bwUnin-6.3.2.116-7681197L.exe
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-09 14:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-01-04 21:58 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-01-04 21:58 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.
((((((((((((((((((((((((((((( snapshot@2008-03-20_15.31.23.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-20 14:54:46 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-03-20 14:54:46 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-03-20 14:54:46 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-03-20 14:54:48 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-03-20 14:54:50 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-03-20 14:54:46 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 12:17 118784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"LaunchApp"="Alaunch" []
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 15:02 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 13:07 761946]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 11:15 45056]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 15:50 69632]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 05:58 86016]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 19:29 352256]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 12:54 3080704]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-07-20 22:15 593920]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-06-23 10:39 225280]
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-09-23 13:08 61440]
"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 15:47 331776]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 15:55 73728]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 18:22 262144]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [2005-10-26 02:51 122929]
"F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 09:57 684032]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00 397312]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-12-04 12:34 406016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 05:58 7581696]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Snarvei til procexp.lnk - C:\Documents and Settings\Arnt\My Documents\Random st00f\ProcessExplorer\procexp.exe [2008-02-12 09:38:56 3564584]
F-Secure Automatic Update.lnk - C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2008-01-14 12:10:27 32807]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"RunStartupScriptSync"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkStation"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoAutoTrayNotify"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Net Tools\\nettools5.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\WINDOWS\\System32\\PnkBstrA.exe"=
"C:\\WINDOWS\\System32\\PnkBstrB.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\pb\\PnkBstrB.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-10-31 11:01]
R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2008-01-14 12:10]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2006-01-23 12:41]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2006-01-23 12:41]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2005-08-19 14:37]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-10-06 15:30]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2005-08-19 14:37]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-19 12:20]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2006-06-23 10:40]
R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-07-25 12:52]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-07-25 12:53]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-07-25 12:53]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-07-25 12:54]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-07-25 12:51]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-07-25 12:54]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-07-25 12:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 17:25:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"LogitechCameraAssistant"="C:\\Program Files\\Acer\\OrbiCam\\CameraAssistant.exe"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NPF]
"ImagePath"="system32\drivers\npf.sys"
.
Completion time: 2008-03-20 17:25:53
ComboFix-quarantined-files.txt 2008-03-20 16:25:48
.
2008-03-12 07:12:42 --- E O F ---

3) Done. Ran the cleaning of both the registry and the temp files.

EDIT: ComboFix log added.

Edited 20 March 2008 by Lednar
snippsat, posted 20 March 2008

Not unlike this post: https://www.diskusjon.no/index.php?showtopic=927365

ComboFix looks fine. Download, update and run a full scan with SAS free. Then CCleaner again. Scan with F-Secure and see if it finds anything now.
Lednar (thread author), posted 20 March 2008 (edited)

No, except that I haven't used LimeWire in a looong time. I don't have iTunes either, and I don't get the fancy effects he gets. But true enough, I get an error message when I try to disinfect it. F-Secure finds nothing. Have tried a couple of times now. Will try SAS Free.

EDIT: SAS found absolutely nothing.

EDITEDIT: Tried to disinfect; got no error message this time, but the file could not be disinfected...

EDITEDITEDIT: rootchk/F-Secure found nothing now. Hmm. I just get more and more confused. Anything I can do as a final check?

Well, edit again: there it found it again. Talk about confusing me >_<

Edited 21 March 2008 by Lednar
Lednar (thread author), posted 21 March 2008

Bumping this. Ok, now I've tried to delete it via cmd or something like that. Can't find the file, though. Can I be sure the file isn't there even though rootchk/F-Secure finds it?
snippsat, posted 21 March 2008 (edited)

Is it this file, "DOROEPXJ.DLL"? It was in the temp folder; if you have deleted everything there, it is gone. ComboFix also runs a rootkit scan and found nothing. CCleaner should delete the temp folder. Manually: START -> RUN, type %temp%, delete everything. If you have problems, use this one: http://www.softpedia.com/get/System/Boot-M...oveOnBoot.shtml

"rootchk/F-Secure finds it?" You have to say what it finds.

Edited 21 March 2008 by SNIPPSAT
Lednar (thread author), posted 21 March 2008 (edited)

Even though everything there is deleted, it still finds the file, which I can't find in Explorer. I suspect the file is pretty well hidden in that case >_< When I start rootchk, as soon as Gmer's Catchme starts, F-Secure pops up saying virus/spyware protection has detected Trojan.Win32.Inject.ph. I have the option to delete it or disinfect it. But neither works. Attaching the message I get from F-Secure. Will go into Linux and see if I can find the file there.

EDIT: Nope, can't find it there either. Starting to suspect a false alarm from F-Secure for some reason. Could also be that I can't find the file because the program isn't active. Or...?

Attachment: Uten_navn.bmp

Edited 21 March 2008 by Lednar
snippsat, posted 21 March 2008

Rename the temp folder, scan again. Could be a false alarm, yes.
Lednar (thread author), posted 21 March 2008

Rename? I don't have access to do that. But I scanned it again, and it still hasn't been removed, according to F-Secure.
snippsat, posted 21 March 2008

I was thinking you could do it from Linux. Or this is a good one, with full read and write access to NTFS: http://www.nu2.nu/pebuilder/
Lednar (thread author), posted 21 March 2008

So over to Linux to rename it to something random, then back to Windows to scan with?
snippsat, posted 21 March 2008 (edited)

Yep. "scan with?" You scan with F-Secure.

Edited 21 March 2008 by SNIPPSAT
Lednar (thread author), posted 22 March 2008 (edited)

Ok, that's done. Renamed the folder to something new with Linux, switched over, and a new folder with the old name appeared. Searched through both folders but found nothing. However, there was one file that wasn't searched: C:\DOCUME~1\Arnt\LOCALS~1\Temp\Perflib_Perfdata_74c.dat. It belongs to Process Explorer anyway, so I'd say it's fairly safe. Will check the file online when I'm in Windows and Linux.

I notice that when I type the file name in the address bar, it disappears completely for no reason =/ That is, "C:\Documents and Settings\Arnt\Local Settings\Temp\<trying to type the file name>", and then all the text, or what I have written, disappears. Usually I get to \doro and then it disappears.. Hmmm. Usually it disappears after a while, when I'm done typing, not halfway through.

EDIT: Nope, doesn't work. But I have deleted the Temp folder in Linux now. I log into Windows and get exactly the same message when I run rootchk (it finds nothing, but F-Secure finds the trojan). There's no sense in it.

Edited 22 March 2008 by Lednar
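The thread's puzzle is a detection in the Temp folder that fires only while rootchk runs and cannot be found in Explorer afterwards, which points to a file that exists only briefly. The following script is an added example, not code from the posts, from F-Secure or from rootchk: it polls a folder while another program runs and records the name, size, SHA-256 and hidden attribute of anything transient, so the flagged sample can be examined instead of guessed at. The target directory, the poll interval and the watch duration are assumptions.

```python
"""Record files that appear in a directory only briefly.

Added example (not from the thread, F-Secure or rootchk): poll a folder
while a scanner or other program runs and capture anything transient.
os.scandir lists hidden and system files that Explorer may hide, so a
file does not escape the snapshot just because it is not visible.
"""
import hashlib
import os
import stat
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    size: int
    sha256: str   # "unreadable" if the file was locked or vanished mid-read
    hidden: bool


def sha256_of(path, chunk=65536):
    """Hash a file in chunks; report rather than crash on a locked file."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                digest.update(block)
    except OSError:
        return "unreadable"
    return digest.hexdigest()


def is_hidden(entry, st):
    """Windows hidden attribute (when available) or the Unix dotfile convention."""
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or entry.name.startswith(".")


def snapshot(directory):
    """Map every regular file in directory (hidden ones included) to FileInfo."""
    seen = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            try:
                if not entry.is_file(follow_symlinks=False):
                    continue
                st = entry.stat(follow_symlinks=False)
            except OSError:
                continue  # removed between listing and stat; the next poll decides
            seen[entry.name] = FileInfo(st.st_size, sha256_of(entry.path),
                                        is_hidden(entry, st))
    return seen


def diff_snapshots(before, after):
    """Return sorted (created, deleted, changed) names between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    changed = sorted(n for n in set(before) & set(after) if before[n] != after[n])
    return created, deleted, changed


def watch(directory, duration_s, interval_s=0.5):
    """Poll directory for duration_s seconds.

    Returns {name: FileInfo} for every file created, modified or deleted
    during the watch, with the last details observed for it. Files that
    were present throughout and never changed are not reported.
    """
    previous = snapshot(directory)
    transient = {}
    deadline = time.monotonic() + duration_s
    while time.monotonic() < deadline:
        time.sleep(interval_s)
        current = snapshot(directory)
        created, deleted, changed = diff_snapshots(previous, current)
        for name in created + changed:
            transient[name] = current[name]
        for name in deleted:
            transient.setdefault(name, previous[name])
        previous = current
    return transient


if __name__ == "__main__":
    # Assumed usage: watch the user's Temp folder for 60 s while the scan runs.
    target = os.environ.get("TEMP", "/tmp")
    for name, info in watch(target, duration_s=60).items():
        print(f"{name}\t{info.size}\t{info.sha256}\thidden={info.hidden}")
```

Start the script, then run the scanner; any file it reports that is gone by the time the scan finishes still shows up in the output with its hash.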