objeCt
Posted 8 December 2008 (edited)

Here is my report from Malwarebytes. Does it look OK?

Malwarebytes' Anti-Malware 1.31
Database version: 1475
Windows 5.1.2600 Service Pack 3

08.12.2008 20:14:11
mbam-log-2008-12-08 (20-14-11).txt

Scan type: Quick Scan
Objects scanned: 41734
Time elapsed: 2 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\prio.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prio.dll (Spyware.OnlineGames) -> Delete on reboot.

Here is the ComboFix report:

d:\resycled\boot.com
.
(((((((((((((((((((((((((  Files Created from 2008-11-08 to 2008-12-08  )))))))))))))))))))))))))))))))
.
2008-12-08 20:09 . 2008-12-08 20:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 20:09 . 2008-12-08 20:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-08 20:09 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 20:09 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-08 19:59 . 2008-11-13 16:20 203,540 --a------ c:\windows\system32\nvapps.nvb
2008-12-08 19:55 . 2008-07-29 13:33 446,464 --a------ c:\windows\system32\nvunrm.exe
2008-12-08 19:55 . 2008-07-29 13:30 6,045 --a------ c:\windows\system32\nvnrm.nvu
2008-12-08 19:24 . 2008-12-08 19:24 <DIR> d-------- c:\program files\ffdshow
2008-12-08 19:24 . 2007-11-29 12:52 60,273 --a------ c:\windows\system32\pthreadGC2.dll
2008-12-08 19:24 . 2007-12-24 13:47 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-12-08 19:24 . 2007-11-29 12:52 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-12-08 19:23 . 2008-12-08 19:24 <DIR> d-------- c:\program files\TVersity Codec Pack
2008-12-08 19:22 . 2008-12-08 19:22 <DIR> d-------- c:\program files\TVersity
2008-12-08 18:33 . 2008-12-08 18:54 202,040 --a------ c:\windows\system32\PnkBstrB.exe
2008-12-08 18:33 . 2008-12-08 18:54 137,688 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2008-12-08 18:32 . 2008-12-08 18:32 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2008-12-08 18:22 . 2008-12-08 18:22 <DIR> d-------- c:\program files\VideoLAN
2008-12-08 18:05 . 2007-07-30 19:19 1,712,984 --a------ c:\windows\system32\wuaueng.dll
2008-12-08 18:05 . 2007-07-30 19:19 549,720 --a------ c:\windows\system32\wuapi.dll
2008-12-08 18:05 . 2007-07-30 19:19 325,976 --a------ c:\windows\system32\wucltui.dll
2008-12-08 18:05 . 2007-07-30 19:19 216,408 --a------ c:\windows\system32\wuaucpl.cpl
2008-12-08 18:05 . 2007-07-30 19:19 203,096 --a------ c:\windows\system32\wuweb.dll
2008-12-08 18:05 . 2007-07-30 19:19 92,504 --a------ c:\windows\system32\cdm.dll
2008-12-08 18:05 . 2007-07-30 19:19 53,080 --a------ c:\windows\system32\wuauclt.exe
2008-12-08 18:05 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2008-12-08 18:05 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
2008-12-08 18:03 . 2006-09-11 17:27 356,352 --------- c:\windows\system32\nvuide.exe
2008-12-08 18:03 . 2008-07-10 04:07 7,143 --a------ c:\windows\system32\nvide.nvu
2008-12-08 18:02 . 2008-08-20 18:35 453,152 --a------ c:\windows\system32\nvusmb.exe
2008-12-08 18:02 . 2008-08-19 11:41 2,344 --a------ c:\windows\system32\nvsmb.nvu
2008-12-08 18:01 . 2008-12-08 18:01 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-12-08 18:01 . 2008-12-08 17:39 <DIR> d-------- C:\NVIDIA
2008-12-08 18:01 . 2008-11-12 13:45 453,152 --a------ c:\windows\system32\NVUNINST.EXE
.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 20:01 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 20:01 --------- d-----w c:\program files\NVIDIA Corporation
2008-12-08 19:42 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2008-12-08 18:28 --------- d-----w c:\documents and settings\Administrator\Application Data\Ventrilo
2008-12-08 17:52 --------- d-----w c:\program files\Windows Live
2008-12-08 17:51 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-08 17:51 --------- d-----w c:\program files\Microsoft
2008-12-08 17:49 62,633 ----a-w c:\windows\prio197uninstall.exe
2008-12-08 17:49 --------- d-----w c:\program files\uTorrent
2008-12-08 17:47 --------- d-----w c:\program files\Common Files\Windows Live
2008-12-08 17:43 315,392 ----a-w c:\windows\HideWin.exe
2008-12-08 17:43 --------- d-----w c:\program files\Realtek
2008-12-08 17:34 --------- d-----w c:\program files\Xfire
2008-12-08 17:34 --------- d-----w c:\documents and settings\Administrator\Application Data\Xfire
2008-12-08 17:33 --------- d-----w c:\program files\Ventrilo
2008-12-08 17:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-08 17:29 --------- d-----w c:\program files\AGEIA Technologies
2008-12-08 17:28 --------- d-----w c:\program files\Opera
2008-12-08 17:15 --------- d-----w c:\program files\Alwil Software
2008-11-20 20:45 42,320 ----a-w c:\windows\system32\xfcodec.dll
2008-10-13 09:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-09-09 00:03 51,712 ----a-w c:\windows\system32\sirenacm.dll
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-05-03 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-09 3513344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-31 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-17 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-08-13 c:\windows\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=prio.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Spill\\Call Of Duty 4\\iw3mp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/8/2008 5:15:10 PM 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [12/8/2008 5:15:10 PM 20560]
R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [12/8/2008 8:09:55 PM 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AutorunPlayer.exe RightAutorunPro.dat

*Newly Created Service* - CATCHME
*Newly Created Service* - MBAMSWISSARMY
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SR
*Newly Created Service* - SRSERVICE
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\43uyhxff.default\
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 20:22:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-08 20:23:02
ComboFix-quarantined-files.txt 2008-12-08 20:22:53

Pre-Run: 37 318 930 432 bytes free
Post-Run: 37,355,167,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

165

Here is the Trend Micro thing:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:26:53, on 08.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Desktop\New Folder\halla.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: prio.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3402 bytes

How does this look? Thanks for the nice guide, Nobat

Edited 8 December 2008 by objeCt
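The logs in the post above carry four indicators that a helper normally picks out by eye: a DLL in AppInit_DLLs (prio.dll, which Malwarebytes could only mark "Delete on reboot" because it is loaded into every process that maps user32.dll), Security Center override and DisableNotify values set to 1 (which silence the antivirus, firewall and update warnings), an AutoRun command under mountpoints2 for a removable drive, and a running process outside the Windows and Program Files trees (halla.exe on the shared desktop). The script below is an added example, not a tool that either poster used and not part of the thread: it applies those four checks to HijackThis and ComboFix "Reg Loading Points" text. The sample log is constructed from lines quoted in the post; the rule names and the list of trusted process directories are my own choices, and the AppInit_DLLs check is the one to re-run on a fresh log after the reboot, since the value must read empty once the DLL is gone.

```python
"""Triage HijackThis / ComboFix log text for the persistence and
self-defence indicators seen in the thread above.

Added example; the sample log is constructed from lines quoted in the post.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: HijackThis and ComboFix lines lifted from the post above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\All Users\Desktop\New Folder\halla.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: prio.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AutorunPlayer.exe RightAutorunPro.dat
"""

# Directories a legitimately installed process normally runs from (my choice,
# matched case-insensitively against the HijackThis "Running processes" list).
TRUSTED_PROCESS_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Security Center values that, when non-zero, suppress the AV/firewall/update warnings.
SECURITY_CENTER_OVERRIDES = {
    "antivirusoverride", "firewalloverride",
    "antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
}


@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule name, chosen for this example
    evidence: str  # the log fragment that triggered it


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking which REGEDIT4 key and which HijackThis
    section we are in, and emit a Finding per matching indicator."""
    findings: list[Finding] = []
    in_processes = in_security_center = in_mountpoints = False

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.startswith("["):          # REGEDIT4 key header from ComboFix
            key = line.strip("[]").lower()
            in_security_center = key.endswith("\\security center")
            in_mountpoints = "\\explorer\\mountpoints2\\" in key
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line.lower().startswith(TRUSTED_PROCESS_DIRS):
                findings.append(Finding("process-outside-trusted-dirs", line))
            continue

        # HijackThis O20: any DLL listed here is injected into every GUI process.
        m = re.match(r"O20 - AppInit_DLLs:\s*(\S.*)$", line)
        if m:
            findings.append(Finding("appinit-dll", m.group(1)))
            continue

        # ComboFix dword values under the Security Center key.
        m = re.match(r'"(\w+)"=dword:0*([0-9a-f]+)$', line, re.IGNORECASE)
        if (m and in_security_center
                and m.group(1).lower() in SECURITY_CENTER_OVERRIDES
                and int(m.group(2), 16) != 0):
            findings.append(Finding("security-center-override", m.group(1)))
            continue

        # Per-volume AutoRun handler recorded under MountPoints2.
        if in_mountpoints and "\\autorun\\command" in line.lower():
            findings.append(Finding("removable-media-autorun", line))

    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick read of what the log contains."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.evidence}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the constructed sample it reports one AppInit DLL, four Security Center overrides, one AutoRun handler and one process outside the trusted directories; a clean post-reboot log should produce an empty list for the first three rules.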
raWrz
Posted 9 December 2008

Go to http://virusscan.jotti.org , click Browse, and upload the following file for analysis:

C:\Documents and Settings\All Users\Desktop\New Folder\halla.exe

Then click Submit. Accept that the file is scanned. Finally, copy the result and paste it into your next post so I can look at it and decide what needs to be done next.