Posts written by komodovaran
I'd greatly appreciate it if someone could guide me to getting rid of malware on my machine.
Logs from mbam and dds are attached. I have followed the procedure that is explained in several places on this site.
I have run mbam and put the files in quarantine. But whether I got rid of everything, I don't know.
After restarting the PC, http was suddenly blocked. Luckily I got onto diskusjon.no via https, but then without being able to log in.
I found out that I was connected to a proxy under LAN settings in Windows 7 (64-bit), so I turned it off and now have http access again. The proxy was, by the way, 127.0.0.1 via port 50370, if that is of any help.
Here is the log from mbam:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Databaseversjon: 4872
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
18.10.2010 17:39:30
mbam-log-2010-10-18 (17-39-30).txt
Skanntype: Hurtigsøk
Objekter skannet: 151489
Tid tilbakelagt: 3 minutt(er), 24 sekund(er)
Minneprosesser infisert: 2
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 2
Registerfiler infisert: 2
Mapper infisert: 0
Filer infisert: 6
Minneprosesser infisert:
C:\Users\Mats\AppData\Roaming\Microsoft\svchost.exe (Trojan.Agent) -> No action taken.
C:\Users\Mats\AppData\Roaming\Microsoft\Windows\shell.exe (Trojan.Shell) -> No action taken.
Minnemoduler infisert:
(Ingen skadelige objekter funnet)
Registernøkler infisert:
(Ingen skadelige objekter funnet)
Registerverdier infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> No action taken.
Registerfiler infisert:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Users\Mats\AppData\Roaming\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> No action taken.
Mapper infisert:
(Ingen skadelige objekter funnet)
Filer infisert:
C:\Users\Mats\AppData\Roaming\Microsoft\svchost.exe (Trojan.Agent) -> No action taken.
C:\Users\Mats\AppData\Local\Temp\0.9209774918282296.exe (Trojan.Agent) -> No action taken.
C:\Windows\fileextract.exe (Worm.Palevo) -> No action taken.
C:\Windows\run_setup.exe (Adware.Agent) -> No action taken.
C:\Users\Mats\AppData\Roaming\Microsoft\Windows\shell.exe (Trojan.Shell) -> No action taken.
C:\Users\Mats\AppData\Local\Temp\0.48505556644572023.exe (Trojan.Dropper) -> No action taken.
DDS log:
DDS (Ver_10-10-10.03) - NTFS_AMD64
Run by Mats at 17:55:21,27 on 18.10.2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.47.1033.18.3071.1864 [GMT 2:00]
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Voddler\service\voddler.exe
C:\Program Files (x86)\Xobni\XobniService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Users\Mats\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Users\Mats\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLiteShellHlp.exe
C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Zune\ZuneNss.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Mats\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
M:\Trommer\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Påloggingshjelp for Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
uRun: [Google Update] "C:\Users\Mats\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
StartupFolder: C:\Users\Mats\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Mats\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: E&ksporter til Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
TB-X64: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll
============= SERVICES / DRIVERS ===============
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-11-16 202752]
R2 PenCommService;Livescribe Pulse Smartpen Service;C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe [2009-11-17 265728]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
R2 VoddlerNet;VoddlerNet;C:\Program Files (x86)\Voddler\service\voddler.exe [2010-4-29 870096]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-18 497856]
R2 XobniService;XobniService;C:\Program Files (x86)\Xobni\XobniService.exe [2010-3-16 55016]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-8-20 239616]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-16 135664]
S3 DrvAgent64;DrvAgent64;C:\Windows\SysWOW64\drivers\DrvAgent64.SYS [2010-4-26 21712]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;C:\Windows\System32\drivers\PulseUsb.sys [2009-11-17 24576]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-8 1255736]
=============== Created Last 30 ================
2010-10-18 15:29:01 -------- d-----w- C:\Users\Mats\AppData\Roaming\Malwarebytes
2010-10-18 15:28:55 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-10-18 15:28:54 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-10-18 15:28:54 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-10-18 15:28:54 -------- d-----w- C:\PROGRA~3\Malwarebytes
2010-10-15 12:58:55 7935824 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{BC837D1E-10AE-4C98-BAA8-BDEE41859443}\mpengine.dll
2010-10-14 03:37:10 148992 ----a-w- C:\Windows\System32\t2embed.dll
2010-10-14 03:37:10 109056 ----a-w- C:\Windows\SysWow64\t2embed.dll
2010-10-14 03:37:09 4582912 ----a-w- C:\Program Files\Windows NT\Accessories\wordpad.exe
2010-10-14 03:37:09 4247040 ----a-w- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
2010-10-14 03:37:09 2085376 ----a-w- C:\Windows\System32\ole32.dll
2010-10-14 03:37:09 1413632 ----a-w- C:\Windows\SysWow64\ole32.dll
2010-10-14 03:36:55 483840 ----a-w- C:\Windows\System32\StructuredQuery.dll
2010-10-14 03:36:55 363520 ----a-w- C:\Windows\SysWow64\StructuredQuery.dll
2010-10-14 03:34:05 340992 ----a-w- C:\Windows\System32\schannel.dll
2010-10-14 03:34:05 224256 ----a-w- C:\Windows\SysWow64\schannel.dll
2010-10-14 03:34:03 633856 ----a-w- C:\Windows\System32\comctl32.dll
2010-10-14 03:34:03 530432 ----a-w- C:\Windows\SysWow64\comctl32.dll
2010-10-14 03:33:02 738816 ----a-w- C:\Windows\SysWow64\wmpmde.dll
2010-10-14 03:33:02 1024512 ----a-w- C:\Windows\System32\wmpmde.dll
2010-10-14 03:31:25 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
2010-10-14 03:31:25 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll
2010-10-14 03:29:59 167424 ----a-w- C:\Program Files\Windows Media Player\wmplayer.exe
2010-10-14 03:29:59 164864 ----a-w- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
2010-10-14 03:29:59 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2010-10-14 03:29:59 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2010-10-14 03:29:27 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
2010-10-14 03:29:27 463360 ----a-w- C:\Windows\System32\drivers\srv.sys
2010-10-14 03:29:27 402944 ----a-w- C:\Windows\System32\drivers\srv2.sys
2010-10-14 03:29:27 236032 ----a-w- C:\Windows\System32\srvsvc.dll
2010-10-14 03:29:27 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2010-10-14 03:29:18 3123712 ----a-w- C:\Windows\System32\win32k.sys
2010-10-06 16:41:47 -------- d-----w- C:\Program Files\Defraggler
2010-10-06 16:38:40 -------- d-----w- C:\Windows\pss
2010-10-06 16:34:13 -------- d-----w- C:\Program Files (x86)\CCleaner
2010-10-06 16:27:22 -------- d-----w- C:\Program Files\Speccy
2010-09-30 01:00:29 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2010-09-29 11:31:50 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-09-29 11:31:50 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-09-29 11:31:47 13312 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2010-09-29 11:31:47 13312 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2010-09-27 00:52:54 9216 ----a-w- C:\Windows\System32\RdCi1027.dll
2010-09-27 00:52:54 81920 ----a-w- C:\Windows\System32\drivers\Rdwm1027.sys
2010-09-27 00:52:54 56832 ----a-w- C:\Windows\System32\RDCP1027.CPL
2010-09-27 00:52:54 410624 ----a-w- C:\Windows\System32\RDDP1027.DAT
2010-09-27 00:52:54 -------- d-----w- C:\Program Files\RdDrv001
2010-09-25 20:46:16 -------- d-----w- C:\Windows\WindowsMobile
2010-09-22 21:27:33 -------- d--h--w- C:\CanoScan
2010-09-18 23:15:54 -------- d-----r- C:\Users\Mats\Podcasts
2010-09-18 22:53:24 -------- d-----w- C:\Windows\System32\drivers\UMDF\it-IT
2010-09-18 22:53:23 -------- d-----w- C:\Windows\System32\drivers\UMDF\de-DE
2010-09-18 22:53:22 -------- d-----w- C:\Windows\System32\drivers\UMDF\fr-FR
2010-09-18 22:53:21 -------- d-----w- C:\Windows\System32\drivers\UMDF\es-ES
2010-09-18 22:51:49 758272 ----a-w- C:\Windows\System32\PortableDeviceApi.dll
2010-09-18 22:51:49 547840 ----a-w- C:\Windows\SysWow64\PortableDeviceApi.dll
==================== Find3M ====================
2010-09-08 05:36:17 1192960 ----a-w- C:\Windows\System32\wininet.dll
2010-09-08 05:34:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-09-08 04:30:04 978432 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-09-08 04:16:38 482816 ----a-w- C:\Windows\System32\html.iec
2010-09-08 03:35:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-09-08 03:22:31 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-09-08 02:48:16 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-08-21 06:29:47 558592 ----a-w- C:\Windows\System32\spoolsv.exe
2010-07-29 06:30:34 82944 ----a-w- C:\Windows\SysWow64\iccvid.dll
============= FINISH: 17:55:51,56 ===============
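As an added example (not part of komodovaran's post or of the MBAM/DDS logs themselves), here is a small Python triage script that reads pasted log lines and flags the three artifacts this thread shows: a loopback proxy in the user's Internet Settings (the LAN-settings proxy at 127.0.0.1:50370), a Winlogon Shell value that launches something besides explorer.exe, and a file named after a core Windows binary (svchost.exe) that lives outside C:\Windows. It assumes C:\Windows is the system root, as in the DDS log; the sample input is constructed from lines taken from the logs above.

```python
import re

# Core Windows binaries that should only ever run from %SystemRoot%. Assumed
# SystemRoot for this check: C:\Windows, as shown in the DDS log.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "explorer.exe", "services.exe", "wininit.exe", "smss.exe"}

# DDS prints the current user's proxy as "uInternet Settings,ProxyServer = ..."
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(\S.*)$", re.I)
# MBAM reports a Winlogon\Shell hijack as "... -> Bad: (<value>) Good: (Explorer.exe)"
SHELL_RE = re.compile(r"Winlogon\\Shell\b.*?Bad:\s*\((?P<bad>[^)]*)\)", re.I)
# Any "X:\...\name.exe" path, ending at whitespace, quotes or list punctuation
PATH_RE = re.compile(r'[A-Za-z]:\\.+?\.exe(?=[\s(),;"]|$)', re.I)


def loopback_proxies(value):
    """Split a ProxyServer value ("host:port" or "http=host:port;https=host:port")
    and return the entries that point back at this machine."""
    hits = []
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1].strip()
        if not hostport:
            continue
        host = hostport.rsplit(":", 1)[0].strip("[]").lower()
        if host.startswith("127.") or host in ("localhost", "::1"):
            hits.append(hostport)
    return hits


def system_binary_outside_windows(path):
    """True when the file name is a core Windows binary but the file is not under C:\\Windows."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_BINARIES and not path.lower().startswith("c:\\windows\\")


def triage(log_text):
    """Walk MBAM/DDS log lines and return (category, detail) findings in log order."""
    findings = []
    seen = set()
    for line in log_text.splitlines():
        m = PROXY_RE.match(line.strip())
        if m:
            for hostport in loopback_proxies(m.group(1)):
                findings.append(("loopback-proxy", hostport))
        m = SHELL_RE.search(line)
        if m:
            # Anything besides explorer.exe in the Shell value is a hijack
            for entry in m.group("bad").split(","):
                entry = entry.strip()
                if entry and entry.lower() != "explorer.exe":
                    findings.append(("winlogon-shell-hijack", entry))
        for path in PATH_RE.findall(line):
            key = path.lower()
            if key not in seen and system_binary_outside_windows(path):
                seen.add(key)  # report each suspicious path once, not per log section
                findings.append(("system-binary-outside-windows", path))
    return findings


# Constructed sample: a handful of lines copied from the thread's MBAM and DDS logs.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Explorer.EXE
C:\Users\Mats\AppData\Roaming\Microsoft\svchost.exe (Trojan.Agent) -> No action taken.
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Users\Mats\AppData\Roaming\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> No action taken.
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32} {detail}")
```

Run it as a script to print the findings, or call triage() on a whole pasted log. A loopback proxy on a high port next to a user-writable svchost.exe is the usual shape of a local interception proxy: the browser is pointed at a listener that the malware itself provides, which is why http died as soon as the listener was quarantined. After the binaries are gone, also confirm that ProxyEnable under the user's Internet Settings is cleared, so the browser stops trying to reach the dead listener.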
You write a lot of articles about Wind these days, but they aren't sold anywhere in Norway yet, are they?
Need help getting rid of malware on the machine, see log
in IKT-drift og sikkerhet
Posted
Neither MBAM nor BitDefender finds anything now, so I'll have to hope I managed to finish off the swine