Eon83 Posted 1 July 2008

Hi. I'm having some trouble with popups and missing .dll files when I start the machine. I ran Ad-Aware and "removed" it, ran a new scan and then it was back. When I rebooted, none of the .dll file errors appeared. Can someone read through the logs and see whether I'm rid of it, and if not, what I need to do to get rid of it? Thanks

Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:43:50, on 01.07.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\LSUpdateManager.exe
C:\Users\Administrator\Desktop\vundo\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/HardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\bYOigGyv.dll,#1
O4 - HKLM\..\Run: [f02caab0] rundll32.exe "C:\Windows\system32\mksktdso.dll",b
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [bMf31f992c] Rundll32.exe "C:\Windows\system32\dwlditlr.dll",s
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O13 - Gopher Prefix: 
O15 - ESC Trusted Zone: http://a248.e.akamai.net
O15 - ESC Trusted Zone: http://*.cetrk.com
O15 - ESC Trusted Zone: http://i.i.com.com
O15 - ESC Trusted Zone: http://bwp.download.com
O15 - ESC Trusted Zone: http://www.download.com
O15 - ESC Trusted Zone: http://www.google-analytics.com
O15 - ESC Trusted Zone: http://www.google.no
O15 - ESC Trusted Zone: http://free.grisoft.com
O15 - ESC Trusted Zone: http://counter.hitslink.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://ssl-hints.netflame.cc
O15 - ESC Trusted Zone: http://opera.nsc.no
O15 - ESC Trusted Zone: http://www.opera.com
O15 - ESC Trusted Zone: http://*.utorrent.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2B377CF-1097-4025-85D6-F0C5CBF34563}: NameServer = 10.0.0.138
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4052 bytes

Combo

ComboFix 08-06-30.2 - Administrator 2008-07-01 22:44:53.1 - NTFSx86
Microsoft® Windows Server® 2008 Enterprise 6.0.6001.1.1252.1.1033.18.1154 [GMT 2:00]
Running from: C:\Users\Administrator\Desktop\vundo\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\anvxsd.dll
C:\Windows\system32\bnbwhvpg.dll
C:\Windows\system32\bYOigGyv.dll
C:\Windows\system32\clinocwe.dll
C:\Windows\system32\dwlditlr.dll
C:\Windows\system32\fydwtahx.ini
C:\Windows\system32\hkohieng.ini
C:\Windows\system32\hPVxbbIi.ini
C:\Windows\System32\hPVxbbIi.ini2
C:\Windows\system32\iIbbxVPh.dll
C:\Windows\System32\IjPonnmp.ini
C:\Windows\System32\IjPonnmp.ini2
C:\Windows\System32\IPqAJPVw.ini
C:\Windows\System32\IPqAJPVw.ini2
C:\Windows\system32\mpokhwyn.dll
C:\Windows\System32\NXIRYyay.ini
C:\Windows\System32\NXIRYyay.ini2
C:\Windows\system32\osdtkskm.ini
C:\Windows\system32\QqAGOqss.ini
C:\Windows\System32\QqAGOqss.ini2
C:\Windows\system32\rwcznj.dll
C:\Windows\system32\ssqOGAqQ.dll
C:\Windows\system32\uhclwjda.dll
C:\Windows\system32\vnugdclo.dll
C:\Windows\system32\wVPJAqPI.dll
C:\Windows\system32\yayYRIXN.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-07-01 21:48 . 2008-07-01 21:55 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-07-01 21:48 . 2008-07-01 21:55 <DIR> d-------- C:\ProgramData\Lavasoft
2008-07-01 21:48 . 2008-07-01 21:48 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-01 21:48 . 2008-07-01 21:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-29 18:39 . 2008-06-29 18:40 <DIR> d-------- C:\php
2008-06-29 16:21 . 2008-06-29 16:21 <DIR> d-------- C:\Users\All Users\Symantec
2008-06-29 16:21 . 2008-06-29 16:21 <DIR> d-------- C:\ProgramData\Symantec
2008-06-29 16:21 . 2008-06-29 16:21 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-06-29 16:21 . 2008-06-29 16:21 <DIR> d-------- C:\Program Files\Symantec
2008-06-29 16:21 . 2008-06-29 16:21 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-29 16:21 . 2008-06-29 16:21 109,744 --a------ C:\Windows\System32\drivers\SYMEVENT.SYS
2008-06-29 16:21 . 2008-06-29 16:21 8,014 --a------ C:\Windows\System32\drivers\SYMEVENT.CAT
2008-06-29 16:21 . 2008-06-29 16:21 805 --a------ C:\Windows\System32\drivers\SYMEVENT.INF
2008-06-29 13:07 . 2008-06-29 13:07 <DIR> d-------- C:\kav
2008-06-29 12:08 . 2008-06-29 12:08 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-29 12:08 . 2003-03-18 21:20 1,060,864 --a------ C:\Windows\System32\MFC71.dll
2008-06-29 12:08 . 2003-03-18 20:14 499,712 --a------ C:\Windows\System32\MSVCP71.dll
2008-06-29 12:08 . 2003-02-21 04:42 348,160 --a------ C:\Windows\System32\MSVCR71.dll
2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Videos
2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Searches
2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Saved Games
2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Pictures
2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Music
2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Links
2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Downloads
2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Documents
2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Contacts
2008-06-29 11:41 . 2008-06-29 11:41 <DIR> d--h----- C:\Users\ftp\AppData
2008-06-29 11:41 . 2008-06-29 11:41 <DIR> d-------- C:\Users\ftp
2008-06-28 23:38 . 2008-06-28 23:40 <DIR> d-------- C:\Users\Jostein\AppData\Roaming\uTorrent
2008-06-28 13:19 . 2008-07-01 22:46 <DIR> d-------- C:\Users\Administrator\AppData\Roaming\uTorrent
2008-06-28 13:19 . 2008-06-28 13:19 <DIR> d-------- C:\Program Files\uTorrent
2008-06-28 13:19 . 2008-06-28 13:19 <DIR> d-------- C:\Program Files\Opera
2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Videos
2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Searches
2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Saved Games
2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Pictures
2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Music
2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Links
2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Downloads
2008-06-24 20:31 . 2008-06-24 20:32 <DIR> dr------- C:\Users\Jostein\Documents
2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Contacts
2008-06-24 20:31 . 2008-06-24 20:31 <DIR> d--h----- C:\Users\Jostein\AppData
2008-06-24 20:31 . 2008-06-25 22:07 <DIR> d-------- C:\Users\Jostein
2008-06-24 19:32 . 2008-04-26 10:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-24 19:30 . 2008-06-24 19:30 <DIR> d-------- C:\inetpub
2008-06-24 19:10 . 2008-06-24 19:10 0 --a------ C:\Windows\ativpsrm.bin
2008-06-24 19:09 . 2008-07-01 21:54 <DIR> d--hs---- C:\Windows\Installer
2008-06-24 19:09 . 2008-06-24 19:09 <DIR> d-------- C:\Program Files\ATI
2008-06-24 19:09 . 2007-12-21 04:33 3,107,788 --a------ C:\Windows\System32\atiumdva.dat
2008-06-24 19:09 . 2007-12-21 05:02 368,640 --a------ C:\Windows\System32\ATIDEMGX.dll
2008-06-24 19:09 . 2006-08-24 00:26 328,162 --a------ C:\Windows\System32\drivers\ativcaxx.cpa
2008-06-24 19:09 . 2007-09-09 05:37 52,400 --a------ C:\Windows\System32\drivers\ativvpxx.vp
2008-06-24 19:09 . 2007-11-20 10:23 11,874 --a------ C:\Windows\atiogl.xml
2008-06-24 19:09 . 2007-05-30 18:37 2,096 --a------ C:\Windows\System32\drivers\ativpkxx.vp
2008-06-24 19:09 . 2007-05-30 18:37 2,096 --a------ C:\Windows\System32\drivers\ativokxx.vp
2008-06-24 19:09 . 2007-04-18 15:19 2,096 --a------ C:\Windows\System32\drivers\ativdkxx.vp
2008-06-24 19:09 . 2006-08-24 00:26 929 --a------ C:\Windows\System32\drivers\ativcaxx.vp
2008-06-24 19:08 . 2008-06-24 19:08 <DIR> d-------- C:\Program Files\ATI Technologies
2008-06-24 19:01 . 2008-06-24 19:02 <DIR> d-------- C:\Repository
2008-06-24 18:55 . 2008-02-29 06:21 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-06-24 18:55 . 2008-04-25 04:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-24 18:55 . 2008-04-25 06:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-24 18:55 . 2008-02-22 06:57 295,936 --a------ C:\Windows\System32\gdi32.dll
2008-06-24 18:55 . 2008-05-10 03:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 09:58 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-01-19 11:41 174 --sha-w C:\Program Files\desktop.ini

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-06-28 13:19 266544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 17:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 06:34 134808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"DisableStatefulFTP"= 1 (0x1)
"DisableStatefulPPTP"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7720B70E-5C70-4D12-8842-4C168A45A2FA}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{9CFC3F98-966A-43EC-B49A-2515337AA3E7}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{6CAE79C5-A9FE-406A-8377-D651BBA22AA6}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{416D7A4E-CEB0-4560-BA9E-09D6BA78BD58}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{39B13D74-2ED0-4851-8E18-54DDA1BD0ED9}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{243F04DA-BDEA-44AA-98D5-C96BE08DF246}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DisableNotifications"= 1 (0x1)

R0 storflt;Disk VMBUS Acceleration Filter Driver;C:\Windows\system32\drivers\storflt.sys [2008-01-19 13:23]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-12-21 05:55]
S0 sacdrv;sacdrv;C:\Windows\system32\DRIVERS\sacdrv.sys [2008-01-19 13:23]
S3 FCRegSvc;Microsoft Fibre Channel Platform Registration Service;C:\Windows\system32\svchost.exe [2008-01-19 09:33]
S3 RSoPProv;Resultant Set of Policy Provider;C:\Windows\system32\RSoPProv.exe [2008-01-19 13:24]
S3 sacsvr;Special Administration Console Helper;C:\Windows\System32\svchost.exe [2008-01-19 09:33]
S4 b06bdrv;Broadcom NetXtreme II VBD;C:\Windows\system32\drivers\bxvbdx.sys [2008-01-19 13:23]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-19 07:32]
S4 ioatdma;Intel® QuickData Technology Device;C:\Windows\system32\drivers\qd26032.sys [2008-01-19 13:23]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-19 09:43]
S4 s3cap;Microsoft Emulated S3 Device Cap Driver;C:\Windows\system32\drivers\s3cap.sys [2008-01-19 13:23]
S4 storvsc;storvsc;C:\Windows\system32\drivers\storvsc.sys [2008-01-19 13:23]
S4 UMPass;Microsoft UMPass Driver;C:\Windows\system32\drivers\umpass.sys [2008-01-19 07:53]
S4 vmbus;VMBus;C:\Windows\system32\drivers\vmbus.sys [2008-01-19 13:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
TapiSrv REG_MULTI_SZ TapiSrv
GPSvcGroup REG_MULTI_SZ GPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sacsvr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
FCRegSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec08d918-bf12-11db-88aa-806e6f6e6963}]
\shell\AutoRun\command - D:\Launch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%systemroot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%systemroot%\system32\rundll32.exe iesetup.dll,IEHardenUser

.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-f02caab0 - C:\Windows\system32\mksktdso.dll
HKLM-Run-BMf31f992c - C:\Windows\system32\dwlditlr.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 22:50:47
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\LogonUI.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\System32\inetsrv\inetinfo.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\msdtc.exe
C:\Windows\System32\rdpclip.exe
C:\Windows\System32\conime.exe
.
**************************************************************************
.
Completion time: 2008-07-01 22:51:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 20:51:53

Pre-Run: 28,380,368,896 bytes free
Post-Run: 28,287,692,800 bytes free

201 --- E O F --- 2008-06-24 17:32:42
norbat Posted 1 July 2008

Start HJT, choose "Do a system scan only", tick the following lines and click Fix checked:

O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\bYOigGyv.dll,#1
O4 - HKLM\..\Run: [f02caab0] rundll32.exe "C:\Windows\system32\mksktdso.dll",b
O4 - HKLM\..\Run: [bMf31f992c] Rundll32.exe "C:\Windows\system32\dwlditlr.dll",s

Run a quick scan with the free version of SAS. If anything other than cookies is found, post the log (Preferences -> Statistics/Logs).
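The triage norbat did by eye, written out as an added Python example (this is not code from the thread, from HijackThis or from ComboFix): it parses the O4 autostart lines of an HJT log and scores every rundll32-hosted DLL on the traits that stand out in the log above, namely a DLL dropped straight into system32, an eight-letter random-looking file name, a hex-looking Run value name, and an anonymous export such as #1 or a single letter. The sample input is constructed from the O4 lines in the posted log plus one made-up benign NvCplDaemon entry to show that an ordinary rundll32 autostart is not flagged; the heuristics, the threshold and the Finding class are assumptions of this example, not HijackThis rules.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the O4 entries from the HijackThis log posted in
# this thread, plus one made-up benign rundll32 entry (NvCplDaemon) and one
# non-O4 line so the parser has something to skip.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\bYOigGyv.dll,#1
O4 - HKLM\..\Run: [f02caab0] rundll32.exe "C:\Windows\system32\mksktdso.dll",b
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [bMf31f992c] Rundll32.exe "C:\Windows\system32\dwlditlr.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# HJT O4 line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# rundll32 command: optional quotes around exe and DLL, optional ",<entrypoint>"
RUNDLL_RE = re.compile(
    r'^"?(?P<exe>[^"\s]*rundll32\.exe)"?\s+"?(?P<dll>[^",]+)"?(?:,(?P<entry>\S*))?', re.I)


@dataclass
class Finding:
    line: str          # the exact HJT line, ready to tick under "Fix checked"
    name: str          # Run value name
    dll: str           # DLL path loaded by rundll32
    score: int         # number of suspicious traits matched
    reasons: list = field(default_factory=list)


def parse_o4(log_text):
    """Yield (line, hive, key, name, cmd) for every O4 entry in an HJT log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            yield line, m['hive'], m['key'], m['name'], m['cmd']


def looks_random(stem):
    """Assumed heuristic: 8 letters with few vowels or scrambled casing."""
    if not stem.isalpha() or len(stem) != 8:
        return False
    vowels = sum(c in 'aeiouAEIOU' for c in stem)
    scrambled_case = not (stem.islower() or stem.isupper() or stem.istitle())
    return vowels / len(stem) <= 0.3 or scrambled_case


def triage(log_text, threshold=2):
    """Score each rundll32-hosted O4 entry; return those at or above threshold."""
    findings = []
    for line, hive, key, name, cmd in parse_o4(log_text):
        m = RUNDLL_RE.match(cmd)
        if not m:
            continue  # only DLLs hosted by rundll32 are scored here
        dll = m['dll']
        entry = m['entry'] or ''
        stem = dll.replace('/', '\\').rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        reasons = []
        if '\\system32\\' in dll.lower():
            reasons.append('DLL placed directly in system32')
        if looks_random(stem):
            reasons.append(f'random-looking DLL name {stem!r}')
        if re.search(r'[0-9a-f]{8}', name, re.I):
            reasons.append(f'hex-looking value name {name!r}')
        if entry.startswith('#') or len(entry) == 1:
            reasons.append(f'anonymous export {entry!r}')
        if len(reasons) >= threshold:
            findings.append(Finding(line, name, dll, len(reasons), reasons))
    return findings


def fix_lines(log_text):
    """The HJT lines a helper would ask the poster to tick, in log order."""
    return [f.line for f in triage(log_text)]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.score}] {f.name}: {f.dll}')
        for r in f.reasons:
            print('     -', r)
```

Run against the sample, it reports exactly the three entries norbat listed (MSServer, f02caab0, bMf31f992c) and leaves ccApp, vptray, uTorrent and the benign NvCplDaemon line alone. The scoring is deliberately conservative: a single trait such as "lives in system32" is true of plenty of legitimate rundll32 autostarts, so an entry has to combine at least two of the traits before it is reported.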