Trojan på Temporary Internet Files

Crowley_ · 28. mars 2008

Hei, jeg har en trojan i Temporary Internet Files på Firefox.

AVG klarer å heale alle, unntatt en, men de kommer alltid tilbake igjen.

Går ikke å slette filene heller. De bare kommer tilbake.

Grunnen til viruset var at tenkte på å skaffe meg et virusprogram (Tenkte selvfølgelig ikke på AVG da), og lasta ned en etter et søk på google. Jeg kom til der jeg skulle velge om jeg ville kjøre eller lagre filen. Jeg kjørte, og dermed skjedde det ikke mer. Så fikk jeg opp noen popups, som kommer når de selv vil, samt Security Alert osv.

Lasta ned CCleaner også, men etter at jeg har analysert, og skal kjøre den, så får jeg en blå feilmelding, og pc-en restartes. Noen tips til hva jeg burde gjøre?

norbat · 28. mars 2008

Hei, Doppe

Hent Combofix, og legg det på skrivebordet

Kjør combofix.exe, og følg veiledningen.

Du må ikke klikke på vinduet mens programmet kjører.

Post loggfilen fra combofix (c:\combofix.txt)

Crowley_ · 28. mars 2008

ComboFix 08-03-27.1 - Roar 2008-03-28 20:05:23.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.262 [GMT 1:00]

Running from: C:\Documents and Settings\Roar\Skrivebord\ComboFix.exe

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Programfiler\Helper

.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))

.

2008-03-28 19:42 . 2008-03-28 19:42 <DIR> d-------- C:\Programfiler\Windows Media Connect 2

2008-03-28 19:42 . 2006-10-04 15:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb

2008-03-28 19:42 . 2006-10-04 15:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb

2008-03-28 19:42 . 2006-10-04 15:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb

2008-03-28 19:41 . 2008-03-28 19:41 3,461 --a------ C:\WINDOWS\system32\spupdsvc.inf

2008-03-28 19:40 . 2008-03-28 19:41 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

2008-03-28 19:40 . 2008-03-28 19:40 <DIR> d-------- C:\WINDOWS\LastGood

2008-03-28 16:54 . 2008-03-28 17:00 <DIR> d-------- C:\Programfiler\Everest Poker

2008-03-27 22:59 . 2008-03-27 22:59 <DIR> d-------- C:\Programfiler\CCleaner

2008-03-26 15:50 . 2008-03-28 15:21 <DIR> d-------- C:\Programfiler\MalwareWar 7.3

2008-03-26 15:50 . 2008-03-28 15:21 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP

2008-03-26 00:00 . 2008-03-28 14:42 <DIR> d-------- C:\Programfiler\NetProject

2008-03-25 22:19 . 2008-03-26 16:48 <DIR> d-------- C:\Programfiler\WinVorbis

2008-03-23 19:57 . 2008-03-23 19:57 <DIR> d-------- C:\Documents and Settings\Roar\Programdata\Leadertech

2008-03-22 00:36 . 2008-03-22 00:36 0 --a------ C:\WINDOWS\nsreg.dat

2008-03-16 17:09 . 2008-03-28 14:11 <DIR> d-------- C:\Documents and Settings\Roar\Programdata\AVG7

2008-03-16 17:09 . 2008-03-16 17:09 <DIR> d-------- C:\Documents and Settings\LocalService\Programdata\AVG7

2008-03-16 17:09 . 2008-03-16 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Grisoft

2008-03-16 17:09 . 2008-03-17 01:20 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\avg7

2008-03-16 15:04 . 2008-03-16 15:17 <DIR> d-------- C:\Documents and Settings\Roar\Programdata\fretsonfire

2008-03-15 22:11 . 2008-03-25 23:02 <DIR> d-------- C:\Programfiler\Conduit

2008-03-15 21:11 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll

2008-03-15 02:49 . 2008-03-15 02:57 61,257 --a------ C:\WINDOWS\War3Unin.dat

2008-03-15 02:48 . 2008-03-15 02:53 139,264 --a------ C:\WINDOWS\War3Unin.exe

2008-03-15 02:48 . 2008-03-15 02:53 2,829 --a------ C:\WINDOWS\War3Unin.pif

2008-03-14 17:02 . 2008-03-14 17:02 <DIR> d-------- C:\Programfiler\Fellesfiler\PocketSoft

2008-03-14 17:02 . 2001-04-12 18:00 182,272 --a------ C:\WINDOWS\patchw32.dll

2008-03-14 17:01 . 2008-03-14 17:02 <DIR> d-------- C:\Programfiler\Ubi Soft Games

2008-03-10 01:06 . 2008-03-10 01:06 25 --a------ C:\WINDOWS\cdplayer.ini

2008-03-10 01:05 . 2008-03-10 01:05 <DIR> d-------- C:\Programfiler\Fellesfiler\xing shared

2008-03-10 01:05 . 2008-03-10 01:05 <DIR> d-------- C:\Programfiler\Fellesfiler\Real

2008-03-10 01:05 . 2008-03-10 01:05 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll

2008-03-07 15:06 . 2008-03-07 15:12 <DIR> d-------- C:\Documents and Settings\Roar\Programdata\Pro Cycling Manager 2007

2008-03-06 20:43 . 2008-03-06 21:28 <DIR> d-------- C:\Programfiler\Metin2_UK

2008-03-05 18:38 . 2008-03-05 18:38 <DIR> d-------- C:\Programfiler\directx

2008-03-05 18:37 . 2008-03-05 18:37 <DIR> d-------- C:\Programfiler\Rockstar Games

2008-03-05 17:00 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe

2008-03-05 00:37 . 2008-03-07 23:44 <DIR> d-------- C:\Documents and Settings\Roar\Programdata\BearShare

2008-03-05 00:37 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx

2008-03-03 23:03 . 2008-03-15 03:47 <DIR> d-------- C:\Soldat

2008-03-03 16:26 . 2008-03-03 16:26 <DIR> d-------- C:\Programfiler\Fellesfiler\Macrovision Shared

2008-03-03 00:38 . 2008-03-03 00:38 0 --a------ C:\WINDOWS\PowerReg.dat

2008-03-03 00:36 . 2008-03-03 00:36 <DIR> d-------- C:\Programfiler\Infogrames Interactive

2008-03-02 02:06 . 2008-03-02 02:06 <DIR> d-------- C:\Documents and Settings\Roar\WINDOWS

2008-02-29 23:48 . 2008-03-18 22:55 <DIR> d-------- C:\Documents and Settings\Roar\Programdata\dvdcss

2008-02-29 21:02 . 2001-08-18 06:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll

2008-02-29 21:02 . 2001-08-18 06:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll

2008-02-29 21:02 . 2001-08-17 22:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll

2008-02-29 21:02 . 2001-08-17 22:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll

2008-02-29 21:02 . 2001-08-17 22:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll

2008-02-29 21:02 . 2001-08-17 22:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll

2008-02-29 21:02 . 2001-08-17 22:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll

2008-02-29 21:02 . 2001-08-17 22:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll

2008-02-28 18:52 . 2008-02-28 18:52 <DIR> d-------- C:\Programfiler\iTunes

2008-02-28 18:52 . 2008-02-28 18:52 <DIR> d-------- C:\Programfiler\iPod

2008-02-28 18:52 . 2008-03-28 14:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-02-28 18:52 . 2008-02-28 18:52 1,409 --a------ C:\WINDOWS\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-28 14:20 --------- d-----w C:\Programfiler\BitLord

2008-03-28 13:10 5 ----a-w C:\NPF_USER.DAT

2008-03-28 13:08 --------- d-----w C:\Programfiler\Norman

2008-03-25 20:04 --------- d-----w C:\Documents and Settings\Roar\Programdata\LimeWire

2008-03-21 18:48 13,312 --s-a-w C:\WINDOWS\system32\sozctue.dll

2008-03-21 18:45 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2008-03-15 20:32 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2008-03-15 04:20 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-03-15 03:08 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll

2008-03-10 00:05 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll

2008-03-03 19:42 --------- d-----w C:\Programfiler\Google

2008-03-03 15:35 --------- d-----w C:\Programfiler\Fellesfiler\Adobe

2008-03-02 16:40 --------- d-----w C:\Documents and Settings\Roar\Programdata\My Battle for Middle-earth II Files

2008-03-02 15:25 --------- d-----w C:\Programfiler\DAEMON Tools

2008-02-23 17:24 --------- d-----w C:\Documents and Settings\Roar\Programdata\vlc

2008-02-23 17:23 --------- d-----w C:\Programfiler\VideoLAN

2008-02-23 09:14 --------- d-----w C:\Documents and Settings\Roar\Programdata\Xfire

2008-02-23 09:13 --------- d-s---w C:\Programfiler\Xfire

2008-02-22 12:26 --------- d-----w C:\Programfiler\Bethesda Softworks

2008-02-21 00:47 --------- d-----w C:\Documents and Settings\Roar\Programdata\Apple Computer

2008-02-21 00:46 --------- d-----w C:\Programfiler\QuickTime

2008-02-21 00:46 --------- d-----w C:\Programfiler\Bonjour

2008-02-21 00:46 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple Computer

2008-02-21 00:45 --------- d-----w C:\Programfiler\Apple Software Update

2008-02-21 00:44 --------- d-----w C:\Programfiler\Fellesfiler\Apple

2008-02-21 00:44 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple

2008-02-20 22:17 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe

2008-02-18 16:39 --------- d-----w C:\Programfiler\Windows Live

2008-02-18 16:38 --------- dcsh--w C:\Programfiler\Fellesfiler\WindowsLiveInstaller

2008-02-18 16:34 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller

2008-02-18 14:07 --------- d-----w C:\Documents and Settings\Roar\Programdata\Sports Interactive

2008-02-18 14:01 22,328 ----a-w C:\Documents and Settings\Roar\Programdata\PnkBstrK.sys

2008-02-18 13:46 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2008-02-18 13:46 --------- d--h--r C:\Documents and Settings\Roar\Programdata\SecuROM

2008-02-18 13:45 --------- d--h--w C:\Programfiler\Zero G Registry

2008-02-18 13:44 --------- d-----w C:\Programfiler\Sports Interactive

2008-02-18 13:26 0 ----a-r C:\logwmemory.bin

2008-02-18 12:26 --------- d-----w C:\Documents and Settings\Roar\Programdata\ATI

2008-02-18 12:23 --------- d-----w C:\Programfiler\ATI Technologies

2008-02-18 12:10 --------- d-----w C:\Programfiler\Realtek

2008-02-18 12:07 --------- d-----w C:\Programfiler\Launch Manager

2008-02-18 12:02 --------- d-----w C:\Programfiler\Intel

2008-02-18 11:32 --------- d-----w C:\Programfiler\DIFX

2008-02-18 11:31 557,056 ----a-w C:\WINDOWS\system32\Netw2c32.dll

2008-02-18 11:31 2,732,032 ----a-w C:\WINDOWS\system32\Netw2r32.dll

2008-02-18 10:56 --------- d-----w C:\Programfiler\Fellesfiler\InstallShield

2008-02-18 08:37 --------- d-----w C:\Documents and Settings\All Users\Programdata\PC Drivers HeadQuarters

2008-02-16 23:22 --------- d-----w C:\Documents and Settings\Roar\Programdata\Norman

2008-02-16 21:53 --------- d-----w C:\Documents and Settings\Roar\Programdata\InstallShield

2008-02-16 21:19 --------- d-----w C:\Programfiler\Java

2008-02-16 21:19 --------- d-----w C:\Programfiler\Fellesfiler\Java

2008-02-16 20:04 --------- d-----w C:\Programfiler\D-Link

2008-02-16 20:04 --------- d-----w C:\Programfiler\ANI

2008-02-16 16:23 --------- d-----w C:\Programfiler\microsoft frontpage

2008-02-16 16:22 --------- d-----w C:\Programfiler\Elektroniske tjenester

2008-02-16 16:21 --------- d-----w C:\Programfiler\Fellesfiler\Tjenester

2008-02-11 13:56 19,512 ----a-w C:\WINDOWS\system32\drivers\nvcw32mf.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6860A44B-5D3E-433D-A7B5-D517F810D0E7}]

C:\Programfiler\NetProject\sbmdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}"= "C:\Programfiler\NetProject\wamdl.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{db9fba9d-ab1b-4cc6-9745-f3b549d64e40}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}"= C:\Programfiler\NetProject\wamdl.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{db9fba9d-ab1b-4cc6-9745-f3b549d64e40}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03 15360]

"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

"DAEMON Tools"="C:\Programfiler\DAEMON Tools\daemon.exe" [2007-04-03 23:29 165784]

"AlcoholAutomount"="D:\Programfiler\Alcohol Soft\Alcohol 120\axcmd.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"D-Link AirPlus G"="C:\Programfiler\D-Link\AirPlus G\AirGCFG.exe" [2004-07-09 15:07 1249280]

"ANIWZCS2Service"="C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-04-14 11:54 45056]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"Norman ZANDA"="C:\Programfiler\Norman\Npm\bin\ZLH.exe" [2007-04-27 14:02 183352]

"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]

"LaunchAp"="C:\Programfiler\Launch Manager\LaunchAp.exe" [2005-07-25 13:36 32768]

"HotkeyApp"="C:\Programfiler\Launch Manager\HotkeyApp.exe" [2005-08-17 10:05 61440]

"CtrlVol"="C:\Programfiler\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]

"LMgrOSD"="C:\Programfiler\Launch Manager\OSD.exe" [2005-03-16 13:52 204800]

"Wbutton"="C:\Programfiler\Launch Manager\Wbutton.exe" [2005-09-02 15:14 81920]

"RTHDCPL"="RTHDCPL.EXE" [2005-10-24 09:52 14820864 C:\WINDOWS\RTHDCPL.EXE]

"AzMixerSel"="C:\Programfiler\Realtek\InstallShield\AzMixerSel.exe" [2005-10-24 09:52 53248]

"ATICCC"="C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" [2005-08-31 00:40 57344]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2008-01-31 23:13 385024]

"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2008-03-10 01:05 185896]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-17 01:20 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:03 15360]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-17 01:20 219136]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

ATI CATALYST-systemstatusfelt.lnk - C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe [2005-08-31 00:40:36 57344]

PowerReg Scheduler.exe [2008-03-14 17:02:46 256000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"some"= C:\Programfiler\NetProject\scit.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Sports Interactive\\Football Manager 2008\\fm.exe"=

"C:\\WINDOWS\\system32\\PnkBstrA.exe"=

"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=

"D:\\Programfiler\\Electronic Arts\\The Battle for Middle-earth II\\game.dat"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\Programfiler\\iTunes\\iTunes.exe"=

"D:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\Grisoft\\AVG7\\avginet.exe"=

"C:\\Programfiler\\Grisoft\\AVG7\\avgamsvr.exe"=

"C:\\Programfiler\\Grisoft\\AVG7\\avgcc.exe"=

"C:\\Programfiler\\Grisoft\\AVG7\\avgemc.exe"=

R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2004-12-06 10:18]

R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]

R1 TDI_RD;Firewall Engine Type-R;C:\WINDOWS\system32\drivers\tdi_rd.sys [2004-10-13 22:01]

R2 Ndiskio;Ndiskio;C:\Programfiler\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 09:55]

R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 14:56]

R3 nvcoas;Norman Virus Control on-access component;C:\Programfiler\Norman\Nvc\bin\nvcoas.exe [2007-12-12 11:45]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE [2007-03-15 11:48]

S1 tdidrv32.sys;tdidrv32.sys;C:\WINDOWS\system32\tdidrv32.sys []

S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []

*Newly Created Service* - UPNPHOST

.

Contents of the 'Scheduled Tasks' folder

"2008-03-27 18:39:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-28 20:09:24

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-03-28 20:10:32

ComboFix-quarantined-files.txt 2008-03-28 19:10:26

Pre-Run: 7,437,094,912 byte ledig

Post-Run: 7,430,324,224 byte ledig

.

2008-03-12 13:02:32 --- E O F ---

There u go :thumbup:

Endret 28. mars 2008 av Doppe

norbat · 28. mars 2008

Se om du får avinstallert fra legg til / fjern programmer:

MalwareWar 7.3

BearShare

Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript.txt.

Dra deretter fila over Combofix-iconet. Combofix vil starte igjen.

File::

C:\WINDOWS\system32\actskn45.ocx

C:\WINDOWS\system32\sozctue.dll

Folder::

C:\Programfiler\MalwareWar 7.3

C:\Programfiler\NetProject

C:\Documents and Settings\Roar\Programdata\BearShare

Driver::

tdidrv32.sys

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6860A44B-5D3E-433D-A7B5-D517F810D0E7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}"=-

[-HKEY_CLASSES_ROOT\clsid\{db9fba9d-ab1b-4cc6-9745-f3b549d64e40}]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

[-HKEY_CLASSES_ROOT\clsid\{db9fba9d-ab1b-4cc6-9745-f3b549d64e40}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"some"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]

Kjør deretter en quick scan med SAS (gratisversjonen).

Post den ny combofix-loggen + loggen fra SAS (preferences->statistics/logs).

Endret 28. mars 2008 av norbat

Crowley_ · 28. mars 2008

Se om du får avinstallert fra legg til / fjern programmer:
MalwareWar 7.3

BearShare

Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript.txt.

Dra deretter fila over Combofix-iconet. Combofix vil starte igjen.

File::

C:\WINDOWS\system32\actskn45.ocx

C:\WINDOWS\system32\sozctue.dll

Folder::

C:\Programfiler\MalwareWar 7.3

C:\Programfiler\NetProject

C:\Documents and Settings\Roar\Programdata\BearShare

Driver::

tdidrv32.sys

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6860A44B-5D3E-433D-A7B5-D517F810D0E7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}"=-

[-HKEY_CLASSES_ROOT\clsid\{db9fba9d-ab1b-4cc6-9745-f3b549d64e40}]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

[-HKEY_CLASSES_ROOT\clsid\{db9fba9d-ab1b-4cc6-9745-f3b549d64e40}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"some"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]

Kjør deretter en quick scan med SAS (gratisversjonen).

Post den ny combofix-loggen + loggen fra SAS (preferences->statistics/logs).

Combofix:

ComboFix 08-03-27.1 - Roar 2008-03-28 20:56:51.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.113 [GMT 1:00]

Running from: C:\Documents and Settings\Roar\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Roar\Skrivebord\CFScript.txt

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

C:\WINDOWS\system32\actskn45.ocx

C:\WINDOWS\system32\sozctue.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Roar\Programdata\BearShare

C:\Documents and Settings\Roar\Programdata\BearShare\Creatives.xml

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\10.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1040.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1043.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1044.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1050.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1054.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1055.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1057.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1058.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1060.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1062.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1063.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\1070.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\11.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\12.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\13.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\14.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\15.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\16.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\17.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\18.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\19.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\2.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\20.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\21.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\22.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\23.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\24.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\25.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\26.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\27.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\28.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\29.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\3.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\30.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\31.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\32.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\33.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\34.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\35.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\36.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\37.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\38.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\4.gif

C:\Documents and Settings\Roar\Programdata\BearShare\CreativesFiles\5.gif

SAS:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 03/28/2008 at 09:20 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412

Trace Rules Database Version: 1404

Scan type : Quick Scan

Total Scan Time : 00:09:15

Memory items scanned : 654

Memory threats detected : 0

Registry items scanned : 339

Registry threats detected : 3

File items scanned : 4499

File threats detected : 16

Trojan.Smitfraud Variant/IE Anti-Spyware

HKLM\Software\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}

Adware.Tracking Cookie

C:\Documents and Settings\Roar\Cookies\roar@doubleclick[1].txt

C:\Documents and Settings\Roar\Cookies\[email protected][2].txt

C:\Documents and Settings\Roar\Cookies\roar@statcounter[1].txt

C:\Documents and Settings\Roar\Cookies\roar@imrworldwide[1].txt

C:\Documents and Settings\Roar\Cookies\[email protected][1].txt

C:\Documents and Settings\Roar\Cookies\roar@advancedcleaner[1].txt

C:\Documents and Settings\Roar\Cookies\roar@atdmt[2].txt

C:\Documents and Settings\Roar\Cookies\[email protected][2].txt

C:\Documents and Settings\Roar\Cookies\[email protected][1].txt

C:\Documents and Settings\Roar\Cookies\roar@antispykit[1].txt

C:\Documents and Settings\Roar\Cookies\[email protected][2].txt

C:\Documents and Settings\Roar\Cookies\roar@advertising[2].txt

C:\Documents and Settings\Roar\Cookies\roar@tradedoubler[2].txt

C:\Documents and Settings\Roar\Cookies\roar@adtech[1].txt

Trojan.Security Toolbar

C:\Documents and Settings\All Users\Start-meny\Online Security Guide.url

C:\Documents and Settings\All Users\Start-meny\Security Troubleshooting.url

Trojan.Media-Codec/V4

HKCR\videoPl.chl

HKCR\videoPl.chl\CLSID

Virker som det er borte nå.

norbat · 28. mars 2008

Tror ikke hele combofix-loggen ble med. Kunne du lagt ut hele loggen?

Crowley_ · 28. mars 2008