TBJ, posted 25 August 2008 (edited)

Hi

The kids have got a virus (or some other junk) on the computer. There is now an exclamation mark down in the system tray, and a message pops up saying that a virus has been found (I don't remember in detail what it said), but if you click on it, the machine would download an antivirus program that is guaranteed not to be what it claims to be.

I have run CCleaner, Malwarebytes' Anti-Malware (MBAM), ComboFix and finally HijackThis. I hope the "crap" has now been removed. I have not fixed anything on the list HijackThis came up with.

I'm posting the logs here, so I hope someone can help me by taking a look at them.

**************************** mbam-log-08-26-2008 (12-31-57).txt ****************************

Malwarebytes' Anti-Malware 1.25
Database versjon: 1087
Windows 5.1.2600 Service Pack 2

12:31:57 26.08.2008
mbam-log-08-26-2008 (12-31-57).txt

Skanntype: Rask Skann
Objekter skannet: 46491
Tid tilbakelagt: 1 minute(s), 25 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 0

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
(Ingen mistenkelige filer funnet)

**************************** ComboFix.txt ****************************
ComboFix 08-08-24.02 - Administrator 2008-08-26 12:32:28.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1764 [GMT 2:00]
Running from: \\TBJ\Ge$\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Start-meny\Programmer\Oppstart\findfast.exe
C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\autorun.exe
C:\Documents and Settings\Børge\Start-meny\Programmer\Oppstart\findfast.exe
C:\Documents and Settings\Pappa\Cookies\[email protected][2].txt
C:\Documents and Settings\Pappa\Cookies\pappa@clicktorrent[2].txt
C:\Documents and Settings\Pappa\Start-meny\Programmer\Oppstart\findfast.exe
C:\Documents and Settings\Simen\Cookies\simen@clicktorrent[2].txt
C:\Documents and Settings\Simen\Cookies\[email protected][1].txt
C:\Documents and Settings\Simen\Start-meny\Programmer\Oppstart\findfast.exe
C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-26 12:29 . 2008-08-26 12:29 <DIR> dr-h----- C:\Documents and Settings\Administrator\Siste
2008-08-25 00:02 . 2008-08-25 00:02 <DIR> d-------- C:\Documents and Settings\Pappa\Programdata\Malwarebytes
2008-08-24 23:48 . 2008-08-24 23:48 <DIR> d-------- C:\Programfiler\CCleaner
2008-08-24 23:35 . 2008-08-26 11:46 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-08-24 23:35 . 2008-08-24 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-08-24 23:35 . 2008-08-24 23:35 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Malwarebytes
2008-08-24 23:35 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-24 23:35 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-24 12:42 . 2008-08-24 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-08-24 12:42 . 2008-08-24 12:42 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-24 02:49 . 2008-08-24 02:59 <DIR> d-------- C:\Programfiler\Browser Hijack Recover
2008-08-24 02:49 . 2008-08-24 02:49 0 --a------ C:\WINDOWS\system32\8104297.jun
2008-08-24 02:12 . 2008-08-24 21:54 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-24 02:02 . 2008-08-24 02:02 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\ATI
2008-08-24 00:03 . 2008-08-24 00:04 <DIR> d-------- C:\Programfiler\Unlocker
2008-08-23 22:00 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-23 22:00 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-23 22:00 . 2008-08-21 23:41 87,552 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-08-23 22:00 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-23 22:00 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-23 22:00 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-23 22:00 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-23 22:00 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-23 08:14 . 2008-08-23 22:02 3,192 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-23 00:55 . 2008-08-24 02:52 <DIR> d-------- C:\Programfiler\Enigma Software Group
2008-08-17 17:35 . 2008-08-26 07:32 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-14 17:46 . 2008-08-14 17:47 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-08-12 15:18 . 2008-08-12 15:18 0 --a------ C:\Documents and Settings\Simen\jagex_runescape_preferences.dat
2008-08-11 17:17 . 2008-08-11 17:17 <DIR> d-------- C:\Documents and Settings\Pappa\Programdata\Ahead
2008-08-11 17:16 . 2008-08-11 17:16 <DIR> d-------- C:\Programfiler\Nero
2008-08-11 17:16 . 2008-08-11 17:16 <DIR> d-------- C:\Programfiler\Fellesfiler\Ahead
2008-08-03 19:46 . 2008-08-03 19:46 <DIR> d-------- C:\Documents and Settings\Simen\Programdata\Command & Conquer 3 Tiberium Wars

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-22 19:52 --------- d-----w C:\Programfiler\Bonjour
2008-08-21 18:41 --------- d-----w C:\Programfiler\Java
2008-08-14 15:46 --------- d-----w C:\Programfiler\Google
2007-11-24 17:52 22,328 ----a-w C:\Documents and Settings\Pappa\Programdata\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programfiler\Analog Devices\Core\smax4pnp.exe" [2006-12-18 15:34 868352]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Start WingMan Profiler"="C:\Programfiler\Logitech\Gaming Software\LWEMon.exe" [2007-09-25 16:03 93208]
"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"nod32kui"="C:\Programfiler\Eset\nod32kui.exe" [2007-09-24 00:04 949376]
"Malwarebytes Anti-Malware (reboot)"="C:\Programfiler\Malwarebytes' Anti-Malware\mbam.exe" [2008-08-17 15:01 1195640]
"Resume copy"="copyfstq.exe" [2002-03-24 12:54 46080 C:\WINDOWS\COPYFSTQ.EXE]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start-meny^Programmer^Oppstart^findfast.exe]
path=C:\Documents and Settings\Administrator\Start-meny\Programmer\Oppstart\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^autorun.exe]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Simen^Start-meny^Programmer^Oppstart^findfast.exe]
path=C:\Documents and Settings\Simen\Start-meny\Programmer\Oppstart\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"G:\\Spill\\Battlefield 2\\BF2.exe"=
"G:\\Spill\\Call of Duty 2\\CoD2MP_s.exe"=
"G:\\Spill\\Worms 4 Mayhem\\WORMS 4 MAYHEM.EXE"=
"G:\\Spill\\Star Wars Battlefront\\GameData\\Battlefront.exe"=
"G:\\Spill\\Star Wars Battlefront II\\GameData\\battlefrontII.exe"=
"G:\\Spill\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"G:\\Spill\\TrackMania United\\TmUnited.exe"=
"G:\\Spill\\FlatOut2\\FlatOut2.exe"=
"C:\\Programfiler\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"G:\\Spill\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"G:\\Spill\\Aliens versus Predator 2 - Primal Hunt\\lithtech.exe"=
"G:\\Spill\\Crysis\\Bin32\\Crysis.exe"=
"G:\\Spill\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"G:\\Spill\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=
"C:\\Programfiler\\iTunes\\iTunes.exe"=
"G:\\Spill\\Battlefield Vietnam\\bfvietnam.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=
"G:\\Spill\\Steam\\steamapps\\simenbj\\garrysmod\\hl2.exe"=
"G:\\Spill\\Steam\\steamapps\\simenbj\\team fortress 2\\hl2.exe"=
"G:\\Spill\\SWAT 4\\Content\\System\\Swat4.exe"=
"G:\\Spill\\Half-Life.2.PROPER-EMPORiO\\hl2.exe"=
"G:\\Spill\\Steam\\steamapps\\simenbj\\counter-strike source\\hl2.exe"=
"G:\\Spill\\Steam\\steamapps\\simenbj\\day of defeat source\\hl2.exe"=
"G:\\Spill\\ArmA\\arma.exe"=
"G:\\Spill\\Aliens vs. Predator 2\\lithtech.exe"=
"G:\\Spill\\Steam\\steamapps\\borgebj\\garrysmod\\hl2.exe"=
"G:\\Spill\\Steam\\steamapps\\borgebj\\counter-strike source\\hl2.exe"=
"G:\\Spill\\Steam\\steamapps\\simenbj\\day of defeat source beta\\hl2.exe"=
"G:\\Spill\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"G:\\Spill\\Steam\\steamapps\\simenbj\\source sdk base\\hl2.exe"=
"G:\\Spill\\Dawn Of War\\W40k.exe"=
"C:\\Documents and Settings\\Pappa\\Programdata\\syscleaner"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\V]
\Shell\AutoRun\command - V:\AutoPlay.exe

.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 13:17:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-26 13:18:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 11:18:48

Pre-Run: 12,687,638,528 byte ledig
Post-Run: 12,703,924,224 byte ledig

154 --- E O F --- 2008-08-15 18:08:29

**************************** hijackthis.log ****************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:46:52, on 26.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [start WingMan Profiler] C:\Programfiler\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programfiler\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190598614796
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 4047 bytes

*********** long post...

Edited 27 August 2008 by TBJ
r2d290, posted 25 August 2008

Stick to one forum! It's the same people helping you here and on itpro.no, so you won't get help any faster either way. Decide which forum you want to continue in, and report your thread in the other forum (and ask a moderator to close it). (This of course applies to both posts you have put up (for yourself and for your neighbour).)
TBJ, posted 25 August 2008 (thread author)

> Stick to one forum! It's the same people helping you here and on itpro.no, so you won't get help any faster either way. Decide which forum you want to continue in, and report your thread in the other forum (and ask a moderator to close it). (This of course applies to both posts you have put up (for yourself and for your neighbour).)

Sorry. Deleted from itpro.no. Sticking to diskusjon.no.

********************

"Moving" a post from XGirl, posted today at 17:44 on the itpro.no forum:

***

Hi! I've had a look at your HijackThis log. The others, such as MBAM or CF, I unfortunately can't...!

It's possible that the cause of the problem is IDriverT.exe in O23, which is partly "nasty". Perhaps you see this one in the system tray? But don't remove it yet... because this service should not affect the performance of the PC and should be inactive 99.5% of the time. It is activated when you install or uninstall software packaged with Macrovision InstallShield.

Have you or your children recently installed any multimedia components or software, or perhaps connected a TV?

******

No, the kids haven't installed anything special in the way of multimedia components or software recently. Nor is the machine connected to a TV, but they watch a lot on www.youtube.com (although that may have nothing to do with the matter). The only thing I know they have done recently is download mods for Garry's Mod.