cfx86, posted 13 May 2008
NOD32 says lsass.exe is a virus. When I remove it I eventually get an error message from the system, so I have restored it now and everything runs as smoothly as it did before.
13.05.2008 16:02:28 Startup scanner file C:\WINDOWS\Config\lsass.exe probably unknown NewHeur_PE virus
System: WinXP SP3, NOD32 3.0.650 with the latest updates.
norbat, posted 13 May 2008
Get ComboFix and put it on the desktop. Run combofix.exe and follow the instructions.
Download HijackThis. Put it in its own folder on the desktop. Start the program and choose "Do a system scan and save a logfile". Copy the log file and post it together with the log from ComboFix (c:\combofix.txt).
cfx86, posted 13 May 2008 (thread author)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:56:58, on 13.05.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
(HijackThis log body not reproduced)
ComboFix 08-05-12.1 - Christoffer 2008-05-13 17:51:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1044.18.1525 [GMT 2:00]
Running from: C:\Documents and Settings\Christoffer\Skrivebord\ComboFix.exe
(ComboFix log body not reproduced)
norbat, posted 13 May 2008
The logs look fine. Is NOD still reporting anything about C:\WINDOWS\Config\lsass.exe?
cfx86, posted 13 May 2008 (thread author, edited)
Yes, unfortunately. Why are there two lsass.exe files, one in System32 and one in Config? When I right-click lsass.exe in C:\WINDOWS\Config, choose Properties and open the Version tab, it says:
File version: 1.0.0.0
Internal name: whatever
Original filename: whatever.exe
Product name: fgdfgdfg
Product version: 1.00
Language: English (United States)
Hmm, that doesn't look very trustworthy.
Edited 13 May 2008 by cfx86
norbat, posted 13 May 2008 (edited)
OK, continue with the following:
Download the free version of SAS and run a full scan. Whatever it finds, it should delete. The program will ask for a restart.
Report back on what it found and whether config/lsass.exe is still present. If it is, delete the file and restart the PC. In that case, say whether you get any error messages and, if so, what they say.
The real lsass.exe should be in the system32 folder. Any other location is, as a rule, associated with malware.
Edit: and the error message you get is probably because there are some references to this file in the registry. But we will find those too.
Edited 13 May 2008 by norbat
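A defender's check that applies the rule from the post above (an added example, not code from the thread or its posters): enumerate every lsass.exe on the system drive, flag copies outside System32 or whose version resource does not match the real binary, and show which copy is actually running. It assumes PowerShell 3 or later; the helper name Test-LsassCopy is my own.

```powershell
# Added example: audit every file named lsass.exe on the system drive.
# The only legitimate copy lives in %SystemRoot%\System32; the suspect in this
# thread sat in C:\WINDOWS\Config with junk version info ("whatever.exe", "fgdfgdfg").

$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

function Test-LsassCopy {
    param([System.IO.FileInfo]$File)

    $vi  = $File.VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName

    # Collect reasons this copy looks wrong; an empty list means it is consistent
    # with the genuine binary. String comparisons in PowerShell are case-insensitive,
    # so C:\WINDOWS\system32 and C:\WINDOWS\System32 compare equal.
    $reasons = @()
    if ($File.FullName -ne $expected) {
        $reasons += "outside System32 ($($File.FullName))"
    }
    if ($vi.OriginalFilename -ne 'lsass.exe') {
        $reasons += "OriginalFilename is '$($vi.OriginalFilename)'"
    }
    if ($vi.CompanyName -notlike 'Microsoft*') {
        $reasons += "CompanyName is '$($vi.CompanyName)'"
    }
    # Windows system files are usually catalog-signed rather than embedded-signed, so
    # 'NotSigned' alone is not decisive here; an explicitly bad status is.
    if ($sig.Status -notin @('Valid', 'NotSigned')) {
        $reasons += "Authenticode status $($sig.Status)"
    }

    [pscustomobject]@{
        Path       = $File.FullName
        Size       = $File.Length
        Company    = $vi.CompanyName
        OrigName   = $vi.OriginalFilename
        Product    = $vi.ProductName
        Signature  = $sig.Status
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Enumerate every lsass.exe on the system drive, hidden files included.
$drive  = Split-Path -Qualifier $env:SystemRoot
$copies = Get-ChildItem -Path "$drive\" -Filter 'lsass.exe' -Recurse -Force -File `
                        -ErrorAction SilentlyContinue

$report = $copies | ForEach-Object { Test-LsassCopy -File $_ }
$report | Format-Table Path, Company, OrigName, Signature, Suspicious, Reasons -AutoSize -Wrap

# Second view: which lsass.exe is actually running, and from where? Exactly one
# should exist, loaded from System32. Reading the image path needs an elevated shell.
Get-Process -Name lsass -ErrorAction SilentlyContinue |
    Select-Object Id, @{ n = 'Path'; e = {
        try { $_.MainModule.FileName } catch { '<access denied; run elevated>' } } } |
    Format-Table -AutoSize
```

A copy that reports Suspicious = True for the path or version-resource reasons is the one to quarantine and check for registry run keys referencing it.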
cfx86, posted 14 May 2008 (thread author)
As expected, SAS found lsass.exe and deleted it. Now it is just a matter of waiting to see whether any error messages turn up. Thank you, norbat.