
Hi, I found out that my e-mail address had been used to send advertising mail to my friends list on Hotmail/Windows Live Messenger. I ran a boot-time scan with avast and found maybe ten trojans (two different types), some of them in the Temporary Internet Files folder.

 

I threw the junk into the Virus Chest and ran ComboFix. Can anyone help me interpret the log?

 

 

ComboFix 08-05-20.1 - Bjørnar 2008-05-21 0:26:53.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1545 [GMT 2:00]

Running from: C:\Documents and Settings\Bjørnar\Desktop\Combo\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))

.

 

2008-05-21 00:25 . 2008-05-21 00:25 <DIR> d-------- C:\Program Files\Trend Micro

2008-05-10 18:33 . 2008-05-10 18:34 <DIR> d-------- C:\4d9a61929b0270ed52a04f2104ca

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-04 23:57 --------- d-----w C:\Program Files\Diskeeper Corporation

2008-04-04 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation

2008-04-04 23:54 --------- d-----w C:\Program Files\CCleaner

2008-02-21 02:05 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2008-02-21 02:05 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2008-02-21 02:04 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2008-02-21 02:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2008-02-21 02:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll

2008-02-21 02:04 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2008-02-21 02:04 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2008-02-21 02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2008-02-21 02:04 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2008-02-21 02:04 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2008-02-21 02:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-02-21 02:03 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2008-01-19 05:09 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

2008-01-19 05:09 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

2008-01-19 05:09 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008011920080120\index.dat

2008-01-19 05:09 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-03-12 18:37 5724184]

"QuickGammaLoader"="C:\Program Files\QuickGamma\QuickGammaLoader.exe" [2005-03-28 01:13 68096]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-05 18:13 141848]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-05 18:13 166424]

"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-05 18:13 137752]

"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 17:47 16860672 C:\WINDOWS\RTHDCPL.exe]

"FingerPrintSoftware"="C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" [2007-03-02 07:32 933888]

"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 17:40 89542 C:\WINDOWS\AGRSMMSG.exe]

"PMHandler"="C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe" [2007-03-16 06:26 31840]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:56 110592 C:\WINDOWS\system32\bthprops.cpl]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-30 19:22:42 692224]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]

C:\WINDOWS\system32\FpWinLogonNp.dll 2007-02-27 18:26 131072 C:\WINDOWS\system32\FpWinlogonNp.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\uTorrent\\uTorrent.exe"=

"C:\\SPILL\\wc3\\Warcraft III.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

 

R1 PMHler;PMHler;C:\WINDOWS\system32\drivers\PMHler.sys [2006-05-24 12:48]

R2 ubsbm;Unibrain 1394 SBM Driver;C:\WINDOWS\system32\DRIVERS\ubsbm.sys [2005-07-27 18:25]

R2 ubumapi;Unibrain 1394 FireAPI Driver;C:\WINDOWS\system32\DRIVERS\ubumapi.sys [2005-07-27 18:25]

R3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys [2007-08-15 08:27]

R3 ubohci;Unibrain 1394 OHCI Driver;C:\WINDOWS\system32\DRIVERS\ubohci.sys [2005-07-27 18:25]

S3 FingerprintServer;Fingerprint Server;C:\WINDOWS\system32\FpLogonServ.exe [2007-01-19 16:16]

S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [2008-02-18 12:16]

 

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

"2008-03-19 14:15:48 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-21 00:27:32

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-05-21 0:27:59

ComboFix-quarantined-files.txt 2008-05-20 22:27:56

ComboFix2.txt 2008-05-20 22:25:18

 

Pre-Run: 100,579,979,264 bytes free

Post-Run: 100,568,285,184 bytes free

 

105 --- E O F --- 2008-05-10 16:34:13

 

 

 

Btw, it never ceases to amaze me how plagued I am by this kind of junk on my XP machine compared to the Vista one, which never shows any hint of trouble, even though I always visit the same websites.

The log shows no malware.

You should change the password on the mail account/user account (MSN, Hotmail?) regardless.

If avast produces a log, it would be interesting to see it.

 

If you are interested, I can give you the contents of the Virus Chest, though it only describes the location, virus type and date found.
