Kanstad wrote 10 June 2008 (edited)
My brother-in-law (yes, really; I mostly use a Mac myself) has caught the popular MSN virus. I have run ComboFix and the log looks like this:
ComboFix 08-06-09.7 - * * 2008-06-10 11:57:02.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.199 [GMT 2:00] Running from: C:\Documents and Settings\* *\Skrivebord\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 ))))))))))))))))))))))))))))))) . 2008-06-10 08:47 . 2008-06-10 08:47 1,156 --a------ C:\WINDOWS\mozver.dat 2008-06-10 08:13 . 2008-06-10 08:13 0 --a------ C:\WINDOWS\nsreg.dat 2008-06-09 15:08 . 2008-06-09 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com 2008-06-09 15:07 . 2008-06-09 15:07 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware 2008-06-09 15:07 . 2008-06-09 15:07 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard 2008-06-09 15:07 . 2008-06-09 15:07 <DIR> d-------- C:\Documents and Settings\* *\Programdata\SUPERAntiSpyware.com 2008-06-09 14:52 . 2008-06-09 15:33 5,894 --a------ C:\a.0at 2008-06-03 19:36 . 2008-06-03 22:39 195,072 --a------ C:\WINDOWS\39382.got 2008-06-02 16:33 . 2008-06-02 16:32 53,252 -r-hs---- C:\WINDOWS\ehSched.0xe 2008-05-28 18:08 . 2008-05-28 18:08 <DIR> d-------- C:\Documents and Settings\* *\Programdata\Leadertech 2008-05-24 20:15 . 2007-10-12 03:55 1,279,000 --a------ C:\WINDOWS\system32\drivers\LV302V32.SYS 2008-05-24 20:12 . 2007-10-12 03:57 195,096 --a------ C:\WINDOWS\system32\lvci1150.dll 2008-05-18 16:25 . 2008-05-18 16:25 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files 2008-05-18 16:22 . 2008-05-18 16:24 <DIR> d-------- C:\WINDOWS\system32\msmq 2008-05-18 16:19 . 2004-08-04 14:00 2,178,131 --a------ C:\WINDOWS\system32\dllcache\shvlres.dll . 
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-29 15:23 --------- d-----w C:\Documents and Settings\* * B *\Programdata\OpenOffice.org2 2008-05-28 13:09 --------- d-----w C:\Documents and Settings\* B *\Programdata\OpenOffice.org2 2008-05-24 18:17 --------- d-----w C:\Programfiler\Fellesfiler\LogiShrd 2008-05-24 17:59 --------- d-----w C:\Documents and Settings\All Users\Programdata\LogiShrd 2008-05-24 17:57 --------- d-----w C:\Programfiler\Logitech 2008-05-20 19:31 --------- d-----w C:\Programfiler\Microsoft Silverlight 2008-05-18 17:43 --------- d-----w C:\Documents and Settings\* *\Programdata\OpenOffice.org2 2008-04-20 17:05 --------- d-----w C:\Programfiler\Pan Vision 2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll 2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll 2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll 2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys . ((((((((((((((((((((((((((((( snapshot@2008-06-10_ 9.19.24,56 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-09 13:30:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-10 09:27:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat - 2008-06-09 13:34:50 214,432 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin + 2008-06-10 09:32:29 214,434 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360] "swg"="C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ] "WMPNSCFG"="C:\Programfiler\Windows Media Player\WMPNSCFG.exe" [2006-11-15 10:46 204288] "SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMan"="SOUNDMAN.EXE" [2005-06-20 21:42 77824 C:\WINDOWS\SOUNDMAN.EXE] "SiSPower"="SiSPower.dll" [2005-07-13 02:55 49152 C:\WINDOWS\system32\SiSPower.dll] "F-Secure Manager"="C:\Programfiler\F-Secure Internet Security\Common\FSM32.exe" [2007-05-28 11:19 183208] "F-Secure TNB"="C:\Programfiler\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-28 11:18 740208] "News Service"="C:\Programfiler\F-Secure Internet Security\FSGUI\ispnews.exe" [2005-05-31 14:45 356352] "SSBkgdUpdate"="C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648] "PaperPort PTD"="C:\Programfiler\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-18 15:03 57393] "IndexSearch"="C:\Programfiler\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-18 15:15 40960] "BrMfcWnd"="C:\Programfiler\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592] "ControlCenter3"="C:\Programfiler\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440] "Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784] "Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "MsmqIntCert"="regsvr32 /s mqrt.dll" [] "LogitechQuickCamRibbon"="C:\Programfiler\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832] 
"LogitechCommunicationsManager"="C:\Programfiler\Fellesfiler\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360] C:\Documents and Settings\* B *\Start-meny\Programmer\Oppstart\ OpenOffice.org 2.2.lnk - C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe [2007-03-22 03:53:44 393216] C:\Documents and Settings\* * B *\Start-meny\Programmer\Oppstart\ OpenOffice.org 2.2.lnk - C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe [2007-03-22 03:53:44 393216] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ Logitech Desktop Messenger.lnk - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-15 17:51:54 67128] Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2006-02-17 16:22:29 262144] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Programfiler\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= "C:\\Programfiler\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "C:\\WINDOWS\\system32\\mqsvc.exe"= "DEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~”ü"= R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-08-16 10:49] R1 F-Secure HIPS;F-Secure 
HIPS;C:\Programfiler\F-Secure Internet Security\HIPS\fshs.sys [2008-02-13 21:32] R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-10-28 10:23] R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programfiler\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-28 11:15] S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50] S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;C:\WINDOWS\system32\DRIVERS\sccmusbm.sys [2001-08-17 22:51] S4 F-Secure Filter;F-Secure File System Filter;C:\Programfiler\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-28 11:15] S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programfiler\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-28 11:15] . Contents of the 'Scheduled Tasks' folder "2008-06-10 05:58:09 C:\WINDOWS\Tasks\Scheduled scanning task.job" - C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-10 11:59:54 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-06-10 12:02:15 ComboFix-quarantined-files.txt 2008-06-10 10:02:04 ComboFix2.txt 2008-06-10 07:20:29 Pre-Run: 1,936,769,024 byte ledig Post-Run: 1,924,456,448 byte ledig 125 --- E O F --- 2008-05-28 18:45:15 ---------------------------------------
What next?
Edited 12 June 2008 by Kanstad
r2d290 wrote 10 June 2008
Run MAM, and then another round of ComboFix. See here: https://www.diskusjon.no/index.php?showtopic=962315
norbat wrote 10 June 2008
You have F-Secure as your AV program, and it seems to work well against this infection. The following files in the ComboFix log are linked to the infection:
C:\a.0at
C:\WINDOWS\ehSched.0xe
F-Secure has neutralised them by changing the file extension. You can therefore remove them manually via Explorer. At the same time you can find the following file, which you also delete:
C:\WINDOWS\39382.got
It does no harm to run an extra round of Malwarebytes Anti-Malware, as r2d290 says. Feel free to post the logs.
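As an added example (not code from the thread, ComboFix or F-Secure), here is a small Python triage script that parses ComboFix "Files Created" lines and flags the kind of entries norbat singled out above: AV-disarmed extensions, a new file in the drive root, a digit-only name in the Windows root, and hidden+system files in system folders. The regex, the heuristics and the disarmed-extension table are my assumptions; the sample lines are copied from the log posted above.

```python
"""Heuristic triage of ComboFix "Files Created" entries (added example)."""
import re
from pathlib import PureWindowsPath

# One "Files Created" line: <created> . <modified> <size|<DIR>> <attrs> <path>
# Regex is an assumption modelled on the log format seen in the thread.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +"
    r"(?P<size><DIR>|[\d,]+) +(?P<attrs>[-a-z]{9}) +(?P<path>[A-Za-z]:\\.*)$"
)

# Assumption: an AV that disarms a file by renaming it swaps the first letter
# of the extension for a digit; the thread shows a.0at and ehSched.0xe.
DISARMED_EXT = {"0xe": "exe", "0at": "bat", "0om": "com", "0cr": "scr"}

# Folders where a hidden+system file is worth a second look (assumption).
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32")


def parse_entry(line):
    """Parse one log line into a dict, or return None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["is_dir"] = entry["size"] == "<DIR>"
    return entry


def suspicious_reasons(entry):
    """Return the list of heuristic hits for one parsed entry (empty = benign)."""
    reasons = []
    if entry["is_dir"]:
        return reasons
    p = PureWindowsPath(entry["path"])
    parent = str(p.parent).lower()
    ext = p.suffix.lstrip(".").lower()
    if ext in DISARMED_EXT:
        reasons.append(f"extension .{ext} looks like a disarmed .{DISARMED_EXT[ext]}")
    if parent == "c:\\":
        reasons.append("new file directly in the drive root")
    if parent == "c:\\windows" and p.stem.isdigit():
        reasons.append("digit-only name in C:\\WINDOWS root")
    if "h" in entry["attrs"] and "s" in entry["attrs"] and parent in SYSTEM_DIRS:
        reasons.append("hidden+system file in a Windows system folder")
    return reasons


def triage(log_text):
    """Map each flagged path to its reasons, skipping lines that do not parse."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            hits[entry["path"]] = reasons
    return hits


# Sample lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
2008-06-10 08:47 . 2008-06-10 08:47 1,156 --a------ C:\WINDOWS\mozver.dat
2008-06-09 15:08 . 2008-06-09 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-06-09 14:52 . 2008-06-09 15:33 5,894 --a------ C:\a.0at
2008-06-03 19:36 . 2008-06-03 22:39 195,072 --a------ C:\WINDOWS\39382.got
2008-06-02 16:33 . 2008-06-02 16:32 53,252 -r-hs---- C:\WINDOWS\ehSched.0xe
2008-05-24 20:15 . 2007-10-12 03:55 1,279,000 --a------ C:\WINDOWS\system32\drivers\LV302V32.SYS
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

The three paths it flags are exactly the ones norbat names; the heuristics are a starting point for reading such a log, not a verdict.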
Kanstad wrote 11 June 2008 (author)
Here are the logs:
------------------------------- ComboFix 08-06-09.7 - ** ** 2008-06-11 9:41:34.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.222 [GMT 2:00] Running from: C:\Documents and Settings\** **\Skrivebord\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 ))))))))))))))))))))))))))))))) . 2008-06-11 09:23 . 2008-06-11 09:23 <DIR> d-------- C:\WINDOWS\LastGood 2008-06-10 14:09 . 2008-06-11 09:34 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware 2008-06-10 14:09 . 2008-06-10 14:09 <DIR> d-------- C:\Documents and Settings\** **\Programdata\Malwarebytes 2008-06-10 14:09 . 2008-06-10 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes 2008-06-10 14:09 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-06-10 14:09 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-06-10 08:47 . 2008-06-10 08:47 1,156 --a------ C:\WINDOWS\mozver.dat 2008-06-10 08:13 . 2008-06-10 08:13 0 --a------ C:\WINDOWS\nsreg.dat 2008-06-09 15:08 . 2008-06-09 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com 2008-06-09 15:07 . 2008-06-09 15:07 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware 2008-06-09 15:07 . 2008-06-09 15:07 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard 2008-06-09 15:07 . 2008-06-09 15:07 <DIR> d-------- C:\Documents and Settings\** **\Programdata\SUPERAntiSpyware.com 2008-06-03 19:36 . 2008-06-03 22:39 195,072 --a------ C:\WINDOWS\39382.got 2008-05-28 18:08 . 2008-05-28 18:08 <DIR> d-------- C:\Documents and Settings\** **\Programdata\Leadertech 2008-05-24 20:15 . 2007-10-12 03:55 1,279,000 --a------ C:\WINDOWS\system32\drivers\LV302V32.SYS 2008-05-24 20:12 . 
2007-10-12 03:57 195,096 --a------ C:\WINDOWS\system32\lvci1150.dll 2008-05-18 16:25 . 2008-05-18 16:25 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files 2008-05-18 16:22 . 2008-05-18 16:24 <DIR> d-------- C:\WINDOWS\system32\msmq 2008-05-18 16:19 . 2004-08-04 14:00 2,178,131 --a------ C:\WINDOWS\system32\dllcache\shvlres.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-29 15:23 --------- d-----w C:\Documents and Settings\** ** B **\Programdata\OpenOffice.org2 2008-05-28 13:09 --------- d-----w C:\Documents and Settings\** B **\Programdata\OpenOffice.org2 2008-05-24 18:17 --------- d-----w C:\Programfiler\Fellesfiler\LogiShrd 2008-05-24 17:59 --------- d-----w C:\Documents and Settings\All Users\Programdata\LogiShrd 2008-05-24 17:57 --------- d-----w C:\Programfiler\Logitech 2008-05-20 19:31 --------- d-----w C:\Programfiler\Microsoft Silverlight 2008-05-18 17:43 --------- d-----w C:\Documents and Settings\** **\Programdata\OpenOffice.org2 2008-04-20 17:05 --------- d-----w C:\Programfiler\Pan Vision 2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll 2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll 2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll 2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys . ((((((((((((((((((((((((((((( snapshot@2008-06-10_ 9.19.24,56 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-09 13:30:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-11 07:07:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat - 2008-06-09 13:34:50 214,432 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin + 2008-06-11 07:11:57 214,433 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360] "swg"="C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ] "WMPNSCFG"="C:\Programfiler\Windows Media Player\WMPNSCFG.exe" [2006-11-15 10:46 204288] "SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMan"="SOUNDMAN.EXE" [2005-06-20 21:42 77824 C:\WINDOWS\SOUNDMAN.EXE] "SiSPower"="SiSPower.dll" [2005-07-13 02:55 49152 C:\WINDOWS\system32\SiSPower.dll] "F-Secure Manager"="C:\Programfiler\F-Secure Internet Security\Common\FSM32.exe" [2007-05-28 11:19 183208] "F-Secure TNB"="C:\Programfiler\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-28 11:18 740208] "News Service"="C:\Programfiler\F-Secure Internet Security\FSGUI\ispnews.exe" [2005-05-31 14:45 356352] "SSBkgdUpdate"="C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648] "PaperPort PTD"="C:\Programfiler\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-18 15:03 57393] "IndexSearch"="C:\Programfiler\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-18 15:15 40960] "BrMfcWnd"="C:\Programfiler\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592] "ControlCenter3"="C:\Programfiler\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440] "Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784] "Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "MsmqIntCert"="regsvr32 /s 
mqrt.dll" [] "LogitechQuickCamRibbon"="C:\Programfiler\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832] "LogitechCommunicationsManager"="C:\Programfiler\Fellesfiler\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360] C:\Documents and Settings\** B **\Start-meny\Programmer\Oppstart\ OpenOffice.org 2.2.lnk - C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe [2007-03-22 03:53:44 393216] C:\Documents and Settings\** ** B **\Start-meny\Programmer\Oppstart\ OpenOffice.org 2.2.lnk - C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe [2007-03-22 03:53:44 393216] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ Logitech Desktop Messenger.lnk - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-15 17:51:54 67128] Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2006-02-17 16:22:29 262144] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Programfiler\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= "C:\\Programfiler\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "C:\\WINDOWS\\system32\\mqsvc.exe"= "DEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~”ü"= R0 
FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-08-16 10:49] R1 F-Secure HIPS;F-Secure HIPS;C:\Programfiler\F-Secure Internet Security\HIPS\fshs.sys [2008-02-13 21:32] R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-10-28 10:23] R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programfiler\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-28 11:15] S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50] S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;C:\WINDOWS\system32\DRIVERS\sccmusbm.sys [2001-08-17 22:51] S4 F-Secure Filter;F-Secure File System Filter;C:\Programfiler\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-28 11:15] S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programfiler\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-28 11:15] *Newly Created Service* - CATCHME . Contents of the 'Scheduled Tasks' folder "2008-06-11 07:09:53 C:\WINDOWS\Tasks\Scheduled scanning task.job" - C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-11 09:44:27 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
Completion time: 2008-06-11 9:46:50 ComboFix-quarantined-files.txt 2008-06-11 07:46:28 ComboFix2.txt 2008-06-10 12:21:21 ComboFix3.txt 2008-06-10 10:02:16 ComboFix4.txt 2008-06-10 07:20:29 Pre-Run: 1,859,653,632 byte ledig Post-Run: 1,848,987,648 byte ledig 132 --- E O F --- 2008-05-28 18:45:15 -------------------------------- Malwarebytes' Anti-Malware 1.17 Database versjon: 846 09:40:46 11.06.2008 mbam-log-6-11-2008 (09-40-46).txt Skann type: Rask Skann Objekter skannet: 44463 Tid tilbakelagt: 4 minute(s), 9 second(s) Minneprosesser infisert: 0 Minnemoduler infisert: 0 Registernøkler infisert: 0 Registerverdier infisert: 0 Registerfiler infisert: 0 Mapper infisert: 0 Filer infisert: 0 Minneprosesser infisert: (Ingen mistenkelige filer funnet) Minnemoduler infisert: (Ingen mistenkelige filer funnet) Registernøkler infisert: (Ingen mistenkelige filer funnet) Registerverdier infisert: (Ingen mistenkelige filer funnet) Registerfiler infisert: (Ingen mistenkelige filer funnet) Mapper infisert: (Ingen mistenkelige filer funnet) Filer infisert: (Ingen mistenkelige filer funnet) -------------------
It looks good so far. Now I was thinking of running a few rounds of CCleaner until no errors are found. BTW, the very first thing I did was to boot the machine with UBCD for Win and run Spybot S&D (updated) from there. Was there any point to that?
Kanstad wrote 12 June 2008 (author)
I would like to know whether I can declare the machine clean and hand it back to its owner. Perhaps norbat or another knowledgeable person can take a quick look at the logs?
norbat wrote 12 June 2008 (edited)
I don't know whether you tried to remove the file C:\WINDOWS\39382.got, but we can make a new attempt:
Start Malwarebytes Anti-Malware.
Click the tab: More tools.
Under the FileAssassin field, click Run tool.
Browse to and select the file in question.
Say Yes to continue.
No new logs needed. Remove the programs that were used; I am thinking first and foremost of ComboFix. You remove this program by typing combofix /u in the Run box (Start -> Run). In addition to removing ComboFix, this will reset System Restore so that you do not get reinfected by a restore later. The PC can be returned to its owner with the stamp 'Fresh fish'. Surf safely.
Edit: You ask whether it made any difference to boot with UBCD and run Spybot. With infections like this it is wise to act quickly. Perhaps it was Spybot that renamed the files linked to the infection? (It would be nice if you gave feedback on this.) But you could have got the same effect if you had run e.g. Malwarebytes A-M or that program (F-Secure or Spybot) from the normal state. There is no single right answer for this, so I think you did the only right thing.
Edited 12 June 2008 by norbat
Kanstad wrote 12 June 2008 (author)
Yes, now I managed to remove C:\WINDOWS\39382.got. I don't remember what Spybot deleted the first time round, but I do remember that F-Secure still found "dirt in the machinery" afterwards. Thanks for the help!