
ComboFix log. Have I managed to remove the junk?



Posted

Avast gave me some warnings about a Win32:Trojan-gen {Other} in the form of an rncsys32.exe file in the startup folder.

Followed Norbat's "Veiledning: Hjelp til å få fjernet malware" (Guide: Help removing malware).

ComboFix log:

 

ComboFix 09-06-29.07 - User 30.06.2009 22:31.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.47.1033.18.2047.1603 [GMT 2:00]

Kjører fra: c:\documents and settings\User\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 090630-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

 

ADVARSEL -DENNE MASKINEN HAR IKKE GJENOPPRETTINGSKONSOLLEN INSTALLERT !!

.

 

((((((((((((((((((((((((((( Filer Opprettet Fra 2009-05-28 til 2009-06-30 )))))))))))))))))))))))))))))))))

.

 

2009-06-30 20:08 . 2009-06-30 20:08 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2009-06-30 20:08 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-30 20:08 . 2009-06-30 20:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-30 20:08 . 2009-06-30 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-30 20:08 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-30 12:04 . 2009-06-30 12:05 -------- d-----w- c:\program files\AlterWind Log Analyzer Professional

2009-06-30 08:28 . 2009-06-30 08:32 -------- d-----w- C:\winxp

2009-06-30 08:21 . 2009-06-30 08:22 -------- d-----w- C:\exchange2003

2009-06-29 20:16 . 2001-08-08 00:39 49152 ----a-r- c:\windows\system32\pscVSWIA.dll

2009-06-29 20:16 . 2000-12-15 03:27 40960 ----a-r- c:\windows\system32\pscN104U.exe

2009-06-29 20:16 . 2001-08-10 05:42 339968 ----a-r- c:\windows\system32\pscU104U.dll

2009-06-29 20:16 . 2001-08-03 05:43 94208 ----a-r- c:\windows\system32\PSCL104U.dll

2009-06-28 20:47 . 2009-06-28 20:47 -------- d-----w- c:\documents and settings\User\.GalleryRemote

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-30 20:25 . 2008-12-26 16:54 -------- d-----w- c:\documents and settings\User\Application Data\VMware

2009-06-30 20:25 . 2008-12-26 16:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware

2009-06-30 20:25 . 2008-12-26 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

2009-06-30 18:26 . 2008-12-29 08:41 -------- d-----w- c:\documents and settings\User2\Application Data\VMware

2009-06-30 10:03 . 2008-12-19 11:50 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-06-28 18:41 . 2009-03-09 09:38 -------- d-----w- c:\program files\Notepad++

2009-06-14 01:09 . 2008-12-19 14:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-06-13 01:04 . 2008-12-19 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-07 15:32 . 2008-04-14 03:41 345600 ----a-w- c:\windows\system32\localspl.dll

2009-04-29 04:56 . 2008-04-14 03:42 827392 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:55 . 2008-04-14 03:41 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-04-20 15:38 . 2009-04-20 15:38 71632 ----a-w- c:\documents and settings\User2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-17 12:26 . 2008-04-13 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2008-04-14 03:42 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2009-04-01 21:41 . 2008-12-18 22:01 71632 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

 

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 72240]

"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 55856]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-09 1657376]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

Trusted 1fae

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\WINDOWS\\Downloaded Program Files\\TunnelServer.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

 

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18.12.2008 23:41 114768]

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [19.12.2008 11:38 8576]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18.12.2008 23:41 20560]

R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [31.10.2008 23:22 33408]

S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [27.01.2009 13:48 10752]

.

Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

.

.

------- Tilleggsskanning -------

.

uStart Page = hxxp://www.google.no/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

DPF: {6E718D87-6909-4FCE-92D4-EDCB2F725727} - hxxp://www.navigram.com/engine/v911/Navigram.cab

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\k7mnqzyf.default\

FF - prefs.js: browser.startup.homepage - hxxp://twohundredsitups.com/complete.html|http://www.finn.no/finn/job/object?finnkode=16732746

FF - plugin: c:\documents and settings\User\Local Settings\Application Data\myVRnpapi\npmyvr.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-30 22:37

Windows 5.1.2600 Service Pack 3 NTFS

 

skanner skjulte prosesser ...

 

skanner skjulte autostart-oppføringer ...

 

skanner skjulte filer ...

 

skanning vellykket

skjulte filer: 0

 

**************************************************************************

.

--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

 

- - - - - - - > 'explorer.exe'(3060)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Tidspunkt ferdig: 2009-06-30 22:38

ComboFix-quarantined-files.txt 2009-06-30 20:38

 

Pre-Run: 198 505 766 912 bytes free

Post-Run: 199 126 519 808 bytes free

 

136 --- E O F --- 2009-06-13 01:04

Malwarebytes log:

Malwarebytes' Anti-Malware 1.38

Database version: 2356

Windows 5.1.2600 Service Pack 3

 

30.06.2009 22:21:26

mbam-log-2009-06-30 (22-21-26).txt

 

Scan type: Quick Scan

Objects scanned: 119148

Time elapsed: 11 minute(s), 50 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\glaide32 (Rootkit.Rustok) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

c:\documents and settings\User\local settings\temp\~TM662.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\wpv751243627542.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\User\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

Do I still have any spyware on my PC?

Thanks in advance for the help.

Posted

The logs look fine.

Are you still getting any warnings from Avast?

If not, uninstall ComboFix by typing combofix /u in the Run box (Start -> Run).
