StD Skrevet 10. mars 2009 Rapporter Del Skrevet 10. mars 2009 Jeg har fått en prosess som heter wsctf.exe, som jeg ikke blir kvitt. Maskinen min har tullet litt i det siste, så jeg har kjørt virusscan og opptil flere malware og adwarescannere, men det blir ikke bra. Siden i går startet windows med to my documents-vinduer åpne. Kjørte malwarebytes i dag tidlig, og den fant en trojan som jeg slettet. Nå starter maskinen uten my documents-vinduer, men den er fortsatt veldig treg å surfe med, og så er det denne prosessen i task manager da.. Hadde satt veldig pris på om noen vet noe man kan gjøre med dette. Har lite lyst til å kjøre format c: ... Har hatt denne installasjonen i to år nå, uten noe tull. Jeg har flere maskiner hjemme, kan det være at andre maskiner også er blitt infisert, og burde jeg sjekke usbdisker også? Malwarebyte logg: Malwarebytes' Anti-Malware 1.34 Database version: 1760 Windows 5.1.2600 Service Pack 2 10.03.2009 12:00:12 mbam-log-2009-03-10 (12-00-12).txt Scan type: Quick Scan Objects scanned: 66348 Time elapsed: 4 minute(s), 34 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ComboFix logg: ComboFix 09-03-06.02 - General Strand 2009-03-10 12:17:20.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1619 [GMT 1:00] Running from: d:\download\ComboFix.exe AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated) * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\General Strand\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat . ((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 ))))))))))))))))))))))))))))))) . 2009-03-10 12:15 . 2009-03-10 12:16 <DIR> d-------- C:\32788R22FWJFW 2009-03-08 14:07 . 2009-03-08 14:07 <DIR> d-------- c:\program files\Avira 2009-03-08 14:07 . 2009-03-08 14:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira 2009-02-27 12:28 . 2009-02-27 12:28 <DIR> d-------- c:\windows\system32\AGEIA 2009-02-27 12:28 . 2009-02-27 12:28 <DIR> d-------- c:\program files\AGEIA Technologies 2009-02-13 23:19 . 2009-02-13 23:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-13 23:19 . 2009-02-13 23:19 <DIR> d-------- c:\documents and settings\General Strand\Application Data\Malwarebytes 2009-02-13 23:19 . 2009-02-13 23:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-02-13 23:19 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-02-13 23:19 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-03-10 11:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-03-10 02:29 --------- d-----w c:\documents and settings\General Strand\Application Data\Skype 2009-03-09 22:39 --------- d-----w c:\documents and settings\General Strand\Application Data\skypePM 2009-03-09 13:19 --------- d-----w c:\documents and settings\General Strand\Application Data\uTorrent 2009-03-09 10:25 --------- d-----w c:\program files\Fraps 2009-03-08 18:19 --------- d-----w c:\program files\Steam 2009-02-27 11:28 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-02-26 16:49 --------- d-----w c:\program files\Opera 2009-02-05 09:54 453,152 ----a-w c:\windows\system32\NVUNINST.EXE 2009-01-24 16:29 --------- d-----w c:\program files\Analog Devices 2009-01-16 17:24 70,936 ----a-w c:\windows\system32\PhysXLoader.dll 2008-12-19 15:39 81,920 ----a-w c:\windows\system32\frapsvid.dll 2008-12-11 19:18 410,984 ----a-w c:\windows\system32\deploytk.dll 2008-04-26 08:33 22,328 ----a-w c:\documents and settings\General Strand\Application Data\PnkBstrK.sys 2008-04-06 14:10 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat 2005-04-07 09:33 22,040 ---h--w c:\documents and settings\General Strand\Application Data\user.dat . ------- Sigcheck ------- 2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB884020$\tcpip.sys 2004-08-13 23:50 359040 4092c56967175f009dc8458dc434358e c:\windows\$NtUninstallKB889527$\tcpip.sys 2005-05-25 20:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$NtUninstallKB917953$\tcpip.sys 2008-08-25 20:14 360576 e7dfcffa380749b8626ad71e8f367dcb c:\windows\system32\dllcache\TCPIP.SYS 2008-08-25 20:14 360576 e7dfcffa380749b8626ad71e8f367dcb c:\windows\system32\drivers\TCPIP.SYS . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Fraps"="c:\program files\FRAPS\FRAPS.EXE" [2008-12-19 2498216] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640] "JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-06-02 385024] "AsusServiceProvider"="c:\program files\ASUS\AASP\1.00.05\aaCenter.exe" [2006-08-03 591360] "Ai Nap"="c:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2006-08-22 1422848] "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016] "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497] "nwiz"="nwiz.exe" [2009-02-09 c:\windows\system32\nwiz.exe] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-21 805392] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 12:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus G+ Wireless Utility.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus G+ Wireless Utility.lnk backup=c:\windows\pss\D-Link AirPlus G+ Wireless Utility.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor] --a------ 2006-11-22 18:40 1093632 c:\program files\ASUS\SmartDoctor\SmartDoctor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] --a------ 2006-10-09 11:28 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility] --a------ 2003-01-13 14:05 69632 c:\program files\Common Files\Roxio Shared\System\EngUtil.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\uTorrent\\utorrent.exe"= "c:\\Program Files\\Steam\\Steam.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "d:\\spill\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"= "d:\\spill\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "d:\\spill\\Mass Effect\\Binaries\\MassEffect.exe"= "d:\\spill\\Mass Effect\\MassEffectLauncher.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-05-28 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-05-28 55024] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408] S3 ZD1211U(3COM Corporation);3COM OfficeConnect Wireless 11g Compact USB Adapter(3COM Corporation);c:\windows\system32\DRIVERS\zd1211u.sys --> c:\windows\system32\DRIVERS\zd1211u.sys [?] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{172d11af-f5dd-11db-890e-0018f309f1e9}] \Shell\AutoRun\command - I:\EXPLORER.EXE \Shell\explore\Command - I:\EXPLORER.EXE \Shell\open\Command - I:\EXPLORER.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74029499-4a7b-11dc-896d-0018f309f1e9}] \Shell\AutoRun\command - I:\EXPLORER.EXE \Shell\explore\Command - I:\EXPLORER.EXE \Shell\open\Command - I:\EXPLORER.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76667f53-12fd-11dd-8a16-0018f309f1e9}] \Shell\AutoRun\command - I:\EXPLORER.EXE \Shell\explore\Command - I:\EXPLORER.EXE \Shell\open\Command - I:\EXPLORER.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a6df261-ca8c-11db-88db-0018f309f1e9}] \Shell\AutoRun\command - I:\EXPLORER.EXE \Shell\explore\Command - I:\EXPLORER.EXE \Shell\open\Command - I:\EXPLORER.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b2fa4d2-fb2c-11dc-89fa-0018f309f1e9}] \Shell\AutoRun\command - I:\EXPLORER.EXE \Shell\explore\Command - I:\EXPLORER.EXE \Shell\open\Command - I:\EXPLORER.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b52c1a9-f990-11db-8911-0018f309f1e9}] \Shell\AutoRun\command - I:\EXPLORER.EXE \Shell\explore\Command - I:\EXPLORER.EXE \Shell\open\Command - I:\EXPLORER.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8da7b1c6-c3fd-11db-88d4-0018f309f1e9}] \Shell\AutoRun\command - J:\EXPLORER.EXE \Shell\explore\Command - J:\EXPLORER.EXE \Shell\open\Command - J:\EXPLORER.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ada7f210-b3bc-11db-a035-806d6172696f}] \Shell\AutoRun\command - F:\ASUSACPI.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e26c9c88-e137-11db-8900-0018f309f1e9}] \Shell\AutoRun\command - I:\EXPLORER.EXE \Shell\explore\Command - I:\EXPLORER.EXE \Shell\open\Command - I:\EXPLORER.EXE . - - - - ORPHANS REMOVED - - - - HKCU-Run-wsctf.exe - wsctf.exe MSConfigStartUp-Acrobat Assistant 7 - c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://www.dagbladet.no/ uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch uInternet Settings,ProxyOverride = *.local . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-10 12:19:32 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1004336348-789336058-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] "??"=hex:89,d0,e2,88,2c,c9,d9,37,ce,a2,e7,25,1c,da,22,63,4e,df,9a,6b,d5,2a,c2, 8e,67,a0,d4,a9,c9,76,78,7a,8d,68,c7,ff,37,8e,c2,51,dc,15,ca,2e,f0,78,96,be,\ "??"=hex:d0,5e,f3,eb,8b,01,ca,62,73,9f,2f,b8,26,ae,ce,b6 [HKEY_USERS\S-1-5-21-1004336348-789336058-839522115-1003\Software\SecuROM\License information*] "datasecu"=hex:6d,b9,b5,ee,8c,00,7b,ef,12,d6,79,b9,3a,98,c1,3c,3f,db,d8,fe,5d, f0,21,f2,07,b9,58,37,e7,cf,60,08,13,03,8a,35,b8,d6,8d,cc,7c,1c,bb,27,dd,25,\ "rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7 . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(748) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\program files\common files\logitech\bluetooth\LBTWlgn.dll c:\program files\common files\logitech\bluetooth\LBTServ.dll . Completion time: 2009-03-10 12:20:45 ComboFix-quarantined-files.txt 2009-03-10 11:20:43 Pre-Run: 9 086 316 544 bytes free Post-Run: 9,832,632,320 bytes free 207 Lenke til kommentar
norbat Skrevet 10. mars 2009 Rapporter Del Skrevet 10. mars 2009 Gå til Virustotal og sjekk følgende fil: c:\windows\system32\drivers\TCPIP.SYS Åpne notisblokk og lim inn det som står under i fet tekst. Lagre fila på skrivebordet som fix.bat Dobbeltklikk på fix.bat og si ja til å legge til info. i registeret. Restart pc'n Windows Registry Editor Version 5.00 [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e26c9c88-e137-11db-8900-0018f309f1e9}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8da7b1c6-c3fd-11db-88d4-0018f309f1e9}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b52c1a9-f990-11db-8911-0018f309f1e9}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b2fa4d2-fb2c-11dc-89fa-0018f309f1e9}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a6df261-ca8c-11db-88db-0018f309f1e9}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76667f53-12fd-11dd-8a16-0018f309f1e9}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74029499-4a7b-11dc-896d-0018f309f1e9}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{172d11af-f5dd-11db-890e-0018f309f1e9}] Oppdater Malwarebytes og kjør en ny rask skann. Hvis den finner noe, post loggen. Avinstaller ett av dine av-prog (Avira eller NOD32) Oppdater det du ønsker å bruke og kjør en skann. Gi tilbakemelding på om det finner noe og hvordan det går med problemet. Har du minnepenner du benytter, sjekk disse for vir. Lenke til kommentar
StD Skrevet 10. mars 2009 Forfatter Rapporter Del Skrevet 10. mars 2009 tcpip.sys va frisk og fin. La inn i registeret, reboota, og kjørte en malwarebyte update og en scan. Den fant ikke noe. Når det gjelder antivirus har jeg bare Avira. Nod32 hadde jeg for et års tid siden, men det ligger tydeligvis noe rusk igjen i registeret. Jeg så combofixen klagde på det, og fant en removal tool som jeg prøvde, uten at det hjalp.. Kjapp googling sier at man kan fjerne noenting i registeret, men jeg vet ikke... Er dette et problem? Skal kjøre en full scan litt senere i dag, med alle disker og usbpinner tilkoblet. Maskinen virker kjappere nå, men den har hatt timer med friske perioder før, så jeg tør ikke konkludere med noe. Tusen takk ihvertfall, hva nå enn du har gjort Lenke til kommentar
StD Skrevet 10. mars 2009 Forfatter Rapporter Del Skrevet 10. mars 2009 Har kjørt full scan nå, på minnepenner og disker. Fant litt, men jeg glemte å ta ut logger.. Var et par tilfeller med autorun.inf og explorer.exe på minnepennene, men ingenting på maskinen. Jeg slettet ihvertfall det som kom opp, og maskinen har ikke tullet noe mere i dag, så dette ser bra ut Lenke til kommentar
norbat Skrevet 10. mars 2009 Rapporter Del Skrevet 10. mars 2009 Høres bra ut Du kan avinstallere combofix ved å skrive combofix /u i kjør-feltet (start-kjør) Dette vil også nullstille systemgjenopprettingen slik at du ikke blir infisert ved en evt. gjenoppretting senere. Hold forøvrig dine program oppdatert. Bruk gjerne F-secure Health Check for å sjekke dette. Surf trygt! Lenke til kommentar
Anbefalte innlegg
Opprett en konto eller logg inn for å kommentere
Du må være et medlem for å kunne skrive en kommentar
Opprett konto
Det er enkelt å melde seg inn for å starte en ny konto!
Start en kontoLogg inn
Har du allerede en konto? Logg inn her.
Logg inn nå