Solution: Virtumonde trojan, Wixawin popups, antivirusXP 2008...



You can check these in order of priority:

1. It may be the firewall that is blocking. Are you using Norton? Try turning the firewall off temporarily.

2. Click: Start->Run

Type: cmd

From the command prompt, type: ipconfig

What does it show as IP address and gateway?

From the command prompt, type: ping www.vg.no

Do you get a reply, or does it say something about not being able to reach the host etc.?

3. Download Winsockfix and transfer it to the PC that can't get online. Run the program.

4. Telenor as your ISP? Do other PCs get online? If not, run the 'Telenor CD' again, where you enter the username and password once more.

Link to comment

AntivirXP08 "blocks" browsers that try to go online; a lot of people are getting it at the moment. Got it removed from startup with hjt :)

 

 

OK, thanks a lot, I'll go home and test this tonight.

But PepsiCo, what is hjt?

Link to comment

Results from the Malware program!

 

Malwarebytes' Anti-Malware 1.28

Database version: 1172

Windows 5.1.2600 Service Pack 2

19.09.2008 13:23:23

mbam-log-2008-09-19 (13-23-23).txt

Scan type: Quick Scan

Objects scanned: 47180

Time elapsed: 2 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0055854 (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f3795f42.exe (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

 

Results from Combofix

 

ComboFix 08-09-16.05 - Jørn Cato 2008-09-19 13:25:00.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.1581 [GMT 2:00]

Running from: C:\Documents and Settings\Jørn Cato\Skrivebord\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\xcrashdump.dat

 

.

((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))

.

 

2008-09-19 13:18 . 2008-09-19 13:18 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-09-19 13:18 . 2008-09-19 13:18 <DIR> d-------- C:\Documents and Settings\Jørn Cato\Programdata\Malwarebytes

2008-09-19 13:18 . 2008-09-19 13:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Programdata\Malwarebytes

2008-09-19 13:18 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-19 13:18 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-18 23:34 . 2008-09-19 13:23 <DIR> dr-h----- C:\Documents and Settings\Jørn Cato\Siste

2008-09-18 23:34 . 2008-09-19 13:23 <DIR> dr-h----- C:\Documents and Settings\Jørn Cato\Siste

2008-08-28 23:13 . 2008-08-28 23:13 57 --a------ C:\WINDOWS\sierra.ini

2008-08-23 21:12 . 2008-08-23 22:49 <DIR> d-------- C:\Programfiler\Cheat Engine

2008-08-20 06:02 . 2008-08-20 06:03 <DIR> d-------- C:\Programfiler\LimeWire

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-18 21:37 --------- d-----w C:\Programfiler\Sony

2008-09-18 21:30 --------- d-----w C:\Programfiler\Fellesfiler\Adobe

2008-09-14 05:30 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Programdata\TEMP

2008-09-13 20:11 --------- d-----w C:\Documents and Settings\Jørn Cato\Programdata\LimeWire

2008-09-13 18:04 --------- d-----w C:\Documents and Settings\Jørn Cato\Programdata\.ABC

2008-08-28 21:40 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys

2008-08-12 18:28 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll

2008-08-12 18:28 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll

2008-08-12 18:28 --------- d-----w C:\Programfiler\Fellesfiler\xing shared

2008-08-12 18:28 --------- d-----w C:\Programfiler\Fellesfiler\Real

2008-08-10 02:59 --------- d-----w C:\Programfiler\Fellesfiler\Adobe AIR

2008-08-02 21:54 --------- d-----w C:\Programfiler\Teamspeak2_RC2

2008-08-02 21:54 --------- d-----w C:\Documents and Settings\Jørn Cato\Programdata\teamspeak2

2008-07-31 12:12 --------- d-----w C:\Programfiler\Fellesfiler\Blizzard Entertainment

2008-07-30 13:36 --------- d-----w C:\Programfiler\CCleaner

2008-07-21 18:27 --------- d-----w C:\Documents and Settings\Jørn Cato\Programdata\dvdcss

2008-07-21 02:52 --------- d-----w C:\Programfiler\Red Kawa

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-07-05 16:37 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll

2008-07-04 03:48 9,490,432 ----a-w C:\WINDOWS\system32\atioglx2.dll

2008-07-04 03:25 421,888 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll

2008-07-04 03:23 309,248 ----a-w C:\WINDOWS\system32\ati2dvag.dll

2008-07-04 03:14 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe

2008-07-04 03:14 184,320 ----a-w C:\WINDOWS\system32\atipdlxx.dll

2008-07-04 03:14 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll

2008-07-04 03:13 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll

2008-07-04 03:13 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll

2008-07-04 03:12 561,152 ----a-w C:\WINDOWS\system32\ati2evxx.exe

2008-07-04 03:10 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL

2008-07-04 03:06 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll

2008-07-04 03:00 3,786,144 ----a-w C:\WINDOWS\system32\ati3duag.dll

2008-07-04 02:55 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll

2008-07-04 02:49 2,140,672 ----a-w C:\WINDOWS\system32\ativvaxx.dll

2008-07-04 02:34 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll

2008-07-04 02:30 348,160 ----a-w C:\WINDOWS\system32\atikvmag.dll

2008-07-04 02:29 32,768 ----a-w C:\WINDOWS\system32\atiadlxx.dll

2008-07-04 02:28 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll

2008-07-04 02:25 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll

2008-07-04 02:22 565,248 ----a-w C:\WINDOWS\system32\ati2cqag.dll

2008-07-03 19:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe

2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-24 16:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll

2008-06-23 15:41 658,944 ----a-w C:\WINDOWS\system32\wininet.dll

2008-06-21 12:45 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 1694208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="C:\Programfiler\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]

"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-28 1235736]

"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2008-08-12 185896]

"SoundMan"="SOUNDMAN.EXE" [2005-07-22 C:\WINDOWS\SOUNDMAN.EXE]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

C:\Documents and Settings\All Users.WINDOWS\Start-meny\Programmer\Oppstart\

Ralink Wireless Utility.lnk - C:\WINDOWS\RaUI.exe [2008-01-26 598016]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\AVG\\AVG8\\avgemc.exe"=

"C:\\Programfiler\\AVG\\AVG8\\avgupd.exe"=

"D:\\steamapps\\paradoxo94\\counter-strike source\\hl2.exe"=

"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"D:\\steamapps\\paradoxo94\\counter-strike\\hl.exe"=

"D:\\steamapps\\paradoxo94\\opposing force\\hl.exe"=

"D:\\The Lord of the Rings Online\\The Lord of the Rings Online\\lotroclient.exe"=

"D:\\steamapps\\paradoxo94\\team fortress classic\\hl.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

 

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-28 97928]

R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]

R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]

R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 76040]

S3 DBKDRVR54;DBKDRVR54;C:\Programfiler\Cheat Engine\dbk32.sys [ ]

S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys [ ]

S3 XDva136;XDva136;C:\WINDOWS\system32\XDva136.sys [ ]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c69fcd3-cbb6-11dc-8ea2-806d6172696f}]

\Shell\AutoRun\command - E:\Setup.exe

 

*Newly Created Service* - PROCEXP90

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-ProxyFirewall - C:\Programfiler\ProxyFirewall\ProxyFirewall.exe

HKCU-Run-Vidalia - C:\Programfiler\Vidalia Bundle\Vidalia\vidalia.exe

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Jørn Cato\Programdata\Mozilla\Firefox\Profiles\602w4oym.default\

FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll

FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll

FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-19 13:25:48

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ProxyFirewall = C:\Programfiler\ProxyFirewall\ProxyFirewall.exe [followed in the log by a long run of non-printable bytes, rendered as '?']

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-09-19 13:26:21

ComboFix-quarantined-files.txt 2008-09-19 11:26:17

 

Pre-Run: 12,028,690,432 bytes free

Post-Run: 12,019,220,480 bytes free

 

153 --- E O F --- 2008-09-16 13:08:33

 

 

 

 

Hope it's all gone now :)

Edited by Paradoxo
Link to comment

The Combofix log looks fine.

There shouldn't be any more malware on the PC.

If AVG flags one of the files that belong to the MBAM program itself, that is to be regarded as a false positive.

There may, however, be some files in MBAM's quarantine that AVG picks up. You can remove the quarantined files (start MBAM, choose Quarantine, delete the entries).

Then tidy up a bit by typing combofix /u in the Run box (Start->Run).

This removes Combofix and resets System Restore, so that you don't get reinfected by a restore later on.

Then run a scan with AVG again and see whether it still finds anything of interest.

Link to comment
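The "Reg Loading Points" part of the ComboFix log above is what a helper reads by hand: the Run values, the AppInit_DLLs value, drivers that are registered but have no file on disk ("[ ]"), the AutoRun command Explorer cached for a removable volume, and the orphaned autostarts ComboFix removed. As an added example (not code from this thread and not part of ComboFix), the following Python script parses an excerpt of that section, copied from the log above and used here as constructed test input, and lists the lines a reviewer would want to look at. The finding categories, the "trusted roots" list and the wording of each note are this example's own assumptions, not anything ComboFix itself reports.

```python
import re

# Excerpt of the "Reg Loading Points" section from the ComboFix log posted above,
# embedded here as constructed test input for this example.
SAMPLE_LOADING_POINTS = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-28 1235736]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-28 97928]
S3 DBKDRVR54;DBKDRVR54;C:\Programfiler\Cheat Engine\dbk32.sys [ ]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys [ ]
S3 XDva136;XDva136;C:\WINDOWS\system32\XDva136.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c69fcd3-cbb6-11dc-8ea2-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe

- - - - ORPHANS REMOVED - - - -

HKCU-Run-ProxyFirewall - C:\Programfiler\ProxyFirewall\ProxyFirewall.exe
HKCU-Run-Vidalia - C:\Programfiler\Vidalia Bundle\Vidalia\vidalia.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<meta>[^\]]*)\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>.+)$')
# ComboFix service lines: "<start type> <name>;<display name>;<binary> [<date size>]"; "[ ]" = file missing.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) \[(?P<meta>[^\]]*)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
ORPHAN_RE = re.compile(r"^(?P<entry>HK\w+-\w+-\S+) - (?P<path>.+)$")

# Assumed "normal" locations for an autostart binary on this XP system (Norwegian "Programfiler").
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\programfiler\\", "c:\\progra~1\\")


def review_loading_points(text):
    """Return (kind, detail, note) tuples for the lines a reviewer should look at."""
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that loads user32.dll; always confirm the owner.
            findings.append(("appinit_dlls", m.group("dlls"), "loaded into every user32 process; confirm the publisher"))
            continue
        m = RUN_VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            path = m.group("path")
            if "\\" not in path:
                # A bare filename is resolved through the search path, so a planted copy earlier in the path wins.
                findings.append(("run_unqualified_path", f"{m.group('name')} -> {path}", "bare filename, resolved via search path"))
            elif not path.lower().startswith(TRUSTED_ROOTS):
                findings.append(("run_unusual_location", f"{m.group('name')} -> {path}", "autostart outside Windows/Program Files"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m.group("meta").strip() == "":
                findings.append(("service_missing_binary", f"{m.group('name')} -> {m.group('path')}", "registered, but the file is gone"))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            # Explorer cached an autorun.inf command for a volume; this is what runs when it is inserted.
            findings.append(("autorun_cached", m.group("cmd"), "cached autorun.inf command for a removable volume"))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(("orphan_removed", f"{m.group('entry')} -> {m.group('path')}", "autostart whose file no longer existed; ComboFix removed it"))
    return findings


if __name__ == "__main__":
    for kind, detail, note in review_loading_points(SAMPLE_LOADING_POINTS):
        print(f"[{kind}] {detail}\n    {note}")
```

For the excerpt this yields eight findings. None of them is a verdict by itself: the log's AVG entries account for avgrsstx.dll, and ComboFix resolved SOUNDMAN.EXE to C:\WINDOWS. The value of the pass is that these are exactly the places where a re-created Vundo loading point, a driver left behind by a rogue, or an autorun from a USB stick would show up on the next log.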

After loading Winsockfix via a USB stick and running the program, the internet works again!

Many thanks norbat for all the help - absolutely superb!

Link to comment
  • 3 months later...

THANK YOU so much for the help. I had a big pop-up problem that seemed to be multiplying. But as far as I know it's gone now. The log that came up once the program had killed off the junk looked like this:

 

Malwarebytes' Anti-Malware 1.33

Database version: 1659

Windows 6.0.6000

17.01.2009 02:17:00

mbam-log-2009-01-17 (02-17-00).txt

Scan type: Quick Scan

Objects scanned: 48788

Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 13

Registry Values Infected: 6

Registry Data Items Infected: 2

Folders Infected: 14

Files Infected: 32

 

Memory Processes Infected:

C:\Users\Larsa\AppData\Local\Temp\~tmpa.exe (Trojan.FakeAlert) -> Unloaded process successfully.

 

Memory Modules Infected:

C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Delete on reboot.

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\codecbho.codecplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\codecbho.codecplugin.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{098716a9-0310-4cbe-bd64-b790a9761158} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc7gbj0e1a4 (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\rhc7gbj0e1a4 (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\CodecBHO.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\host process (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc3gbj0e1a4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFox (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected:

C:\Program Files\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Program Files\rhc7gbj0e1a4 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Roaming\rhc7gbj0e1a4 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Roaming\rhc7gbj0e1a4\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Roaming\rhc7gbj0e1a4\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Roaming\rhc7gbj0e1a4\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Roaming\rhc7gbj0e1a4\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Roaming\rhc7gbj0e1a4\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Roaming\rhc7gbj0e1a4\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Roaming\rhc7gbj0e1a4\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Roaming\rhc7gbj0e1a4\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Roaming\rhc7gbj0e1a4\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Roaming\rhc7gbj0e1a4\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

 

Files Infected:

C:\Users\Larsa\AppData\Local\Temp\~tmpa.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Delete on reboot.

C:\Windows\System32\msqpdxxcjehjoo.dll (Trojan.TDSS) -> Delete on reboot.

C:\Users\Larsa\AppData\Local\Temp\ioybmdls.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\psylijom.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\suogctrc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\byXQHbBu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\wojsdhvj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\tmp0000c4f3 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\tmp0000f3d0 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\tmp0000ff16 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\tmp000125a8 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\tmp0001270f (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\tmp004aa20a (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\mapwpjpk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\tmp0401f77c (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Program Files\rhc7gbj0e1a4\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7gbj0e1a4\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7gbj0e1a4\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7gbj0e1a4\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7gbj0e1a4\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7gbj0e1a4\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7gbj0e1a4\rhc7gbj0e1a4.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7gbj0e1a4\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Windows\System32\drivers\msqpdxqmqdcuxd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\System32\lphc3gbj0e1a4.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Windows\System32\RichVideoCodec.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Larsa\AppData\Local\Temp\yyy19003.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\Users\Larsa\AppData\Local\Temp\matrix32717.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Larsa\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Link to comment

Hi bazic, and welcome to the forum.

When MBAM finds that much strange stuff, I'd say there is a high probability that remnants are left on the machine. I therefore recommend that you go through the whole guide (at the top of my signature) and post the logs in a NEW THREAD (don't continue in this one). Someone will then come along and look at your logs :)

Link to comment
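Both Malwarebytes logs in this thread share one format: a block of counts, then one section per object type, each line reading "item (family) -> action". The reply above makes the practical point that a scan with this many hits rarely gets everything in one pass; what decides whether a second pass is needed is which lines ended in "Delete on reboot" and which objects were caught while live in memory. As an added example (not part of the thread and not Malwarebytes code), this Python script parses that format, using a constructed excerpt modelled on the two logs above, and pulls out what to act on: items still pending a reboot, items that were running, and detections at autostart locations. The persistence markers and the "reboot and rescan" rule are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed excerpt in the Malwarebytes 1.x log format, modelled on the two logs posted in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 6.0.6000

Scan type: Quick Scan
Objects scanned: 48788

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\Users\Larsa\AppData\Local\Temp\~tmpa.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0055854 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\host process (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc3gbj0e1a4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\msqpdxxcjehjoo.dll (Trojan.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\msqpdxqmqdcuxd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Larsa\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

# Section headers end in "Infected:" with no count; the summary lines above them carry a number.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9_.]+)\) -> (?P<rest>.+)$")

# Assumed autostart locations worth a second look even after "deleted successfully" (lower-case substrings).
PERSISTENCE_MARKERS = (
    "\\currentversion\\run\\",
    "\\winlogon\\notify\\",
    "\\policies\\system\\",
    "\\browser helper objects\\",
    "\\system32\\drivers\\",
)


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, family, action."""
    section = None
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = DETECTION_RE.match(line)
        if not (section and m):
            continue
        # Data-item lines read "Bad: (1) Good: (0) -> <action>"; the action is always the last arrow segment.
        action = m.group("rest").split(" -> ")[-1].rstrip(".")
        detections.append({"section": section, "item": m.group("item"),
                           "family": m.group("family"), "action": action})
    return detections


def triage(detections):
    """Summarise what still needs attention after the scan."""
    pending = [d["item"] for d in detections if d["action"] == "Delete on reboot"]
    in_memory = [d["item"] for d in detections if d["section"].startswith("Memory")]
    persistence = [d["item"] for d in detections
                   if any(marker in d["item"].lower() for marker in PERSISTENCE_MARKERS)]
    return {
        "by_family": Counter(d["family"] for d in detections),
        "pending_reboot": pending,
        "in_memory": in_memory,
        "persistence": persistence,
        # Anything that was live, or is only scheduled for deletion, means: reboot, then scan again.
        "needs_rescan": bool(pending or in_memory),
    }


if __name__ == "__main__":
    result = triage(parse_mbam_log(SAMPLE_LOG))
    for family, count in result["by_family"].most_common():
        print(f"{count:3d}  {family}")
    for key in ("pending_reboot", "in_memory", "persistence"):
        print(f"\n{key}:")
        for item in result[key]:
            print("   ", item)
    print("\nreboot and rescan:", result["needs_rescan"])
```

On the excerpt the script reports two items pending a reboot, two that were live in memory and five at autostart locations, so the verdict is "reboot and rescan", which matches the advice given in the reply above: the first log is clean after a reboot and a second tool, the second one is not yet.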
