Hi!

So, I have a problem now. I thought I'd go through the PC to check whether there was anything odd. I ran an anti-virus scan / spyware scan (I have F-Secure Anti-Virus Client Security, which I got from school). Fair enough, even though it found nothing. But when I ran "rootchk", F-Secure found Trojan.Win32.Inject.ph.

 

I can't find the file myself in the Temp folder where it supposedly sits. F-Secure gives me two options (delete or disinfect). When I try to delete it I'm told it is in use by another program, and when I try to disinfect it the whole program crashes and I get an error message saying the program will close.

 

File name: DOROEPXJ.DLL

Location: C:\DOCUMENTS AND SETTINGS\<user name>\LOCAL SETTINGS\TEMP

 

Attaching a HijackThis log
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:50:08, on 20.03.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Acer\Empowering Technology\admtray.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

C:\PROGRA~1\LAUNCH~1\LManager.exe

C:\Acer\Empowering Technology\eRecovery\Monitor.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Acer\OrbiCam\CameraAssistant.exe

C:\WINDOWS\system32\ElkCtrl.exe

C:\Program Files\F-Secure\Common\FSM32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Arnt\My Documents\Random st00f\ProcessExplorer\procexp.exe

C:\Acer\Empowering Technology\admServ.exe

C:\DOCUME~1\Arnt\LOCALS~1\Temp\RtkBtMnt.exe

C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe

C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE

C:\Program Files\F-Secure\Common\FSMA32.EXE

C:\Program Files\F-Secure\Common\FSMB32.EXE

C:\Program Files\F-Secure\Anti-Virus\fssm32.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\F-Secure\Common\FCH32.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\F-Secure\Common\FAMEH32.EXE

C:\Program Files\F-Secure\Anti-Virus\fsqh.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\F-Secure\Anti-Virus\fsrw.exe

C:\Program Files\F-Secure\Anti-Virus\fsav32.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\F-Secure\Common\FNRB32.EXE

C:\Program Files\F-Secure\Common\FIH32.EXE

C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe

C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\F-Secure\FSGUI\fsguidll.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot

O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe /idle

O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe

O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect

O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Snarvei til procexp.lnk = C:\Documents and Settings\Arnt\My Documents\Random st00f\ProcessExplorer\procexp.exe

O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll

O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DD5769A6-C869-4021-8FA2-4CA9491D2C18}: NameServer = 78.26.26.26,78.26.26.27

O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe

O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

 

--

End of file - 10591 bytes

 

Anyway, how do I go about getting rid of this? F-Secure has no way to quarantine the file that I can find, and there is no way to start F-Secure in Safe Mode either (what a piece of crap (sorry for the language, but it's ridiculous)).

 

Thanks in advance.

ledNar

Edited by Lednar

The log looks fine.

 

You may need to enable "show hidden files"

Explorer -> Tools -> Folder Options -> View ->

Tick "Show hidden files and folders"

Untick "Hide protected operating system files"

 

You should now see all files on the PC.

 

You may as well run ComboFix; it runs a rootkit scan too.

Download ComboFix and put it on the desktop.

Don't click in the window while the program is running.

Post the log C:\combofix.txt

 

This one deletes temp files.

Download and run CCleaner

Go to 'Options' -> 'Advanced'. Untick "Only delete temporary files older than xx".

Run the registry cleaner too.

 

If you have problems deleting files, use this.

http://www.softpedia.com/get/System/Boot-M...oveOnBoot.shtml

Edited by SNIPPSAT
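The reply above says the HijackThis log looks fine. As an added example (not from the thread, not part of HijackThis), here is a small Python triage script for logs in that format: it flags running processes and O4 autostart entries located under a Temp directory (the log above does have C:\DOCUME~1\Arnt\LOCALS~1\Temp\RtkBtMnt.exe running), O23 services with an unknown owner, orphaned O9 entries, and the O17 DNS servers for confirmation. The sample log inside is constructed; flagged entries are things to verify, not verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 format. The entry shapes mirror the log in the
# thread; the user name, the GUID on the O17 line, the DNS addresses and the
# "Updater"/EXAMPLE.DLL entry are made up for this example.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\User\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Updater] rundll32.exe C:\Documents and Settings\User\Local Settings\Temp\EXAMPLE.DLL,Start
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.1,192.0.2.2
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
""".strip()

# A "Temp" path component, in both the long and the 8.3 (LOCALS~1\Temp) form.
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
ENTRY = re.compile(r"^(O\d+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # "process" or the HijackThis section id (O4, O9, O17, O23)
    reason: str
    line: str


def triage(log_text: str) -> list:
    """Return the log entries a responder should look at first, in log order."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if WIN_PATH.match(line):
                if TEMP_DIR.search(line):
                    findings.append(Finding("process", "running from a Temp directory", line))
                continue
            in_processes = False  # first non-path line ends the process list
        m = ENTRY.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "O4" and TEMP_DIR.search(rest):
            findings.append(Finding("O4", "autostart entry points into a Temp directory", line))
        elif kind == "O9" and rest.endswith("(no file)"):
            findings.append(Finding("O9", "orphaned entry; its target file is missing", line))
        elif kind == "O17" and "NameServer = " in rest:
            servers = rest.split("NameServer = ", 1)[1]
            findings.append(Finding("O17", f"DNS servers set to {servers}; confirm they are your ISP's", line))
        elif kind == "O23" and rest.startswith("Service: "):
            # Split from the right: service names may themselves contain " - ".
            parts = rest[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                name, owner, path = parts
                if owner == "Unknown owner":
                    findings.append(Finding("O23", f"service '{name}' has no publisher recorded", line))
                if TEMP_DIR.search(path):
                    findings.append(Finding("O23", f"service '{name}' runs from a Temp directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

To use it on a real log, pass the file contents to triage() instead of SAMPLE_LOG; each flagged path should then be checked on disk (with hidden and protected files shown, as the reply above describes) before anything is removed.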

1) I already have this set as standard.

2) Will run ComboFix after I'm done. Running BitDefender Online Scanner right now. The log will be posted here.
ComboFix 08-03-18.1 - Arnt 2008-03-20 17:22:12.2 - FAT32x86

Running from: C:\Documents and Settings\Arnt\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))

.

 

2008-03-20 15:54 . 2008-03-20 15:54 <DIR> d-------- C:\WINDOWS\LastGood

2008-03-20 15:54 . 2008-03-20 15:54 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2008-03-20 13:04 . 2008-03-20 13:04 <DIR> d-------- C:\fsaua.data

2008-03-19 22:36 . 2008-03-19 22:36 <DIR> d-------- C:\Program Files\Teamspeak2_RC2

2008-03-19 22:36 . 2008-03-19 22:36 <DIR> d-------- C:\Documents and Settings\Arnt\Application Data\teamspeak2

2008-03-19 22:36 . 2008-03-19 22:36 34,064 --a------ C:\WINDOWS\system32\lhacm.acm

2008-03-17 19:34 . 2008-03-17 19:34 <DIR> d-------- C:\Documents and Settings\Arnt\Application Data\LimeWire

2008-03-17 19:33 . 2008-03-17 19:33 <DIR> d-------- C:\Program Files\LimeWire

2008-03-11 13:22 . 2008-03-11 13:22 <DIR> d-------- C:\WINDOWS\system32\autorun

2008-03-06 17:00 . 2008-03-06 17:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet

2008-03-03 19:31 . 2008-03-03 19:31 <DIR> d-------- C:\Program Files\Bonjour

2008-03-03 19:22 . 2008-03-03 19:22 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

2008-03-01 18:51 . 2007-01-01 20:03 40,960 -ra------ C:\WINDOWS\system32\psfind.dll

2008-02-25 10:21 . 2008-02-25 10:21 <DIR> d-------- C:\Program Files\Riva

2008-02-25 10:21 . 2008-02-25 10:21 <DIR> d-------- C:\Program Files\Common Files\SWF Studio

2008-02-25 10:20 . 2008-02-25 10:20 <DIR> d-------- C:\Program Files\FLVPlayer

2008-02-21 02:57 . 2008-02-21 02:57 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-19 03:48 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-02-19 03:46 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2008-02-19 00:46 22,328 ----a-w C:\Documents and Settings\Arnt\Application Data\PnkBstrK.sys

2008-02-19 00:45 674,600 ----a-w C:\WINDOWS\system32\pbsvc.exe

2008-02-19 00:45 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe

2008-02-18 07:34 --------- d-----w C:\Program Files\Vstplugins

2008-02-18 07:34 --------- d-----w C:\Program Files\Sony

2008-02-18 07:34 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony

2008-02-17 12:19 --------- d-----w C:\Program Files\Alcohol Soft

2008-02-17 12:07 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2008-02-11 17:08 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment

2008-02-08 12:00 --------- d-----w C:\Program Files\GIMP-2.0

2008-02-07 12:11 --------- d-----w C:\Program Files\Parallax Inc

2008-02-07 12:11 --------- d-----w C:\Program Files\DIFX

2008-02-07 09:46 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire

2008-02-07 09:07 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Xfire

2008-02-06 18:39 --------- d-----w C:\Documents and Settings\Arnt\Application Data\Ventrilo

2008-02-06 18:38 --------- d-----w C:\Program Files\Ventrilo

2008-02-06 18:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-01-30 11:44 --------- d-----w C:\Program Files\Xfire

2008-01-30 11:44 --------- d-----w C:\Documents and Settings\Arnt\Application Data\Xfire

2008-01-29 07:25 --------- d-----w C:\Program Files\Futuremark

2008-01-29 07:25 --------- d-----w C:\Documents and Settings\Arnt\Application Data\InstallShield

2008-01-24 08:33 --------- d-----w C:\Program Files\Project64 1.6

2008-01-22 11:23 --------- d-----w C:\Program Files\EA GAMES

2008-01-21 09:01 --------- d-----w C:\Program Files\Common Files\Real

2008-01-21 08:42 --------- d-----w C:\Program Files\Pinnacle

2008-01-20 17:28 --------- d-----w C:\Documents and Settings\Arnt\Application Data\AdobeUM

2008-01-14 11:10 118,842 ------r C:\WINDOWS\bwUnin-6.3.2.116-7681197L.exe

2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll

2008-01-09 14:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe

2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2008-01-04 21:58 129,784 ------w C:\WINDOWS\system32\pxafs.dll

2008-01-04 21:58 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe

2008-01-04 21:58 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe

2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll

2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-03-20_15.31.23.64 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-03-20 14:54:46 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll

+ 2008-03-20 14:54:46 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll

+ 2008-03-20 14:54:46 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll

+ 2008-03-20 14:54:48 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll

+ 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll

+ 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll

+ 2008-03-20 14:54:50 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll

+ 2008-03-20 14:54:46 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll

+ 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll

+ 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 12:17 118784]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]

"LaunchApp"="Alaunch" []

"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 16248320 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]

"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 15:02 53248]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 13:07 761946]

"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 11:15 45056]

"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208]

"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 15:50 69632]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00 208952]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00 59392]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 05:58 86016]

"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 19:29 352256]

"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 12:54 3080704]

"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-07-20 22:15 593920]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-06-23 10:39 225280]

"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-09-23 13:08 61440]

"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 15:47 331776]

"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 15:55 73728]

"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 18:22 262144]

"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [2005-10-26 02:51 122929]

"F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 09:57 684032]

"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00 397312]

"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-12-04 12:34 406016]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 05:58 7581696]

 

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\

Snarvei til procexp.lnk - C:\Documents and Settings\Arnt\My Documents\Random st00f\ProcessExplorer\procexp.exe [2008-02-12 09:38:56 3564584]

F-Secure Automatic Update.lnk - C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2008-01-14 12:10:27 32807]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

"RunStartupScriptSync"= 0 (0x0)

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableChangePassword"= 0 (0x0)

"DisableLockWorkStation"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"= 1 (0x1)

"MemCheckBoxInRunDlg"= 0 (0x0)

"NoAutoTrayNotify"= 0 (0x0)

"NoResolveTrack"= 0 (0x0)

"NoResolveSearch"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

"NoRecentDocsNetHood"= 1 (0x1)

"NoDesktopCleanupWizard"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Net Tools\\nettools5.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Program Files\\Xfire\\xfire.exe"=

"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"C:\\WINDOWS\\System32\\PnkBstrA.exe"=

"C:\\WINDOWS\\System32\\PnkBstrB.exe"=

"C:\\Program Files\\EA GAMES\\Battlefield 2\\pb\\PnkBstrB.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

 

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-10-31 11:01]

R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]

R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2008-01-14 12:10]

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2006-01-23 12:41]

R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2006-01-23 12:41]

R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2005-08-19 14:37]

R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-10-06 15:30]

R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2005-08-19 14:37]

R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]

R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]

R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]

R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-19 12:20]

R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2006-06-23 10:40]

R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]

S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-07-25 12:52]

S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-07-25 12:53]

S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-07-25 12:53]

S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-07-25 12:54]

S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-07-25 12:51]

S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-07-25 12:54]

S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-07-25 12:51]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - D:\Autorun.exe

 

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-20 17:25:13

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

"LogitechCameraAssistant"="C:\\Program Files\\Acer\\OrbiCam\\CameraAssistant.exe"

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NPF]

"ImagePath"="system32\drivers\npf.sys"

.

Completion time: 2008-03-20 17:25:53

ComboFix-quarantined-files.txt 2008-03-20 16:25:48

.

2008-03-12 07:12:42 --- E O F ---

3) There. Ran cleaning of both the registry and temp files.

 

EDIT: ComboFix log added.

Edited by Lednar

No, just that I haven't used LimeWire in a looooong time. I don't have iTunes either and don't get the fancy effects he gets :p But true enough, I get an error message when I try to disinfect it.

F-Secure finds nothing. I've tried a couple of times now.

Going to try SAS Free.

 

EDIT: SAS found absolutely nothing.

EDITEDIT: Tried to disinfect; got no error message this time, but the file could not be disinfected...

EDITEDITEDIT: rootchk/F-Secure found nothing now. Hmm :hmm: I'm only getting more and more confused. Anything I can do for one final check?

Well, edit again: there it found it again. Talk about confusing me >_<

Edited by Lednar

Is it this file, "DOROEPXJ.DLL"?

It was in the temp folder; if you have deleted everything there, it is gone.

 

ComboFix also runs a rootkit scan, and it found nothing.

 

CCleaner should delete the temp folder.

 

Manually:

START -> RUN, type %temp%, delete everything.

If you have problems, use this.

http://www.softpedia.com/get/System/Boot-M...oveOnBoot.shtml

 

rootchk/F-Secure finds it?

You need to say what it finds.

Edited by SNIPPSAT

Even though everything there is deleted, it still finds the file, which I can't find in Explorer. I suspect this file is pretty well hidden, in that case >_<

 

I start rootchk, and when Gmer's Catchme starts, F-Secure pops up with "virus/spyware protection has detected Trojan.Win32.Inject.ph". I get the option to delete it or disinfect it. But neither works.

 

Attaching the message I get from F-Secure.

 

Going to boot into Linux and see if I can find the file there.

EDIT: Nope, can't find it there either. Starting to suspect a false alarm from F-Secure for some reason. It could also be that I can't find the file because the program isn't active. Or...?

[Attachment: Uten_navn.bmp]

Edited by Lednar

OK, done. Renamed the folder to something new from Linux, switched over, and a new folder with the old name appeared. Searched through both folders but found nothing. There was, however, one file that was not searched.

C:\DOCUME~1\Arnt\LOCALS~1\Temp\Perflib_Perfdata_74c.dat

It belongs to Process Explorer anyway, so I'd say it's pretty safe.

 

Will check the file online when I'm in Windows and Linux. I notice that when I type the file name in the address bar, it disappears completely for no reason =/ That is, "C:\Documents and Settings\Arnt\Local Settings\Temp\<trying to type the file name>", and then all the text, or what I've typed, disappears. I usually get as far as \doro and then it vanishes.. Hmmm :hmm: Normally it disappears after a while, once I've finished typing, not halfway through.

 

EDIT: Nope, doesn't work.

 

But I've deleted the Temp folder from Linux now. I log into Windows and get exactly the same message when I run Rootchk (it finds nothing, but F-Secure finds the trojan). There's no sense in it.

Edited by Lednar