Guest Slettet+127836

Funn av trojan (2x serauth.dll)


Hi!

 

I'm on a laptop right now that has been slow lately. I ran Malwarebytes, which found 2 .dll files (named in the thread title) and I removed them. Then I ran ComboFix.

Here is the log from ComboFix:

 

 

ComboFix 10-03-10.05 - Oppgavepc 11.03.2010 10:00:10.1.1 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.47.1044.18.1917.1121 [GMT 1:00]

Kjører fra: c:\users\Oppgavepc\Desktop\ComboFix.exe

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

* Opprettet nytt gjenopprettingspunkt

.

 

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\$recycle.bin\S-1-5-21-3026536038-3935883823-1286954553-500

c:\$recycle.bin\S-1-5-21-349111809-2567388203-2673728989-500

c:\windows\system32\nsprs.dll

c:\windows\system32\oem9.inf

c:\windows\system32\ssprs.dll

 

.

((((((((((((((((((((((((((( Filer Opprettet Fra 2010-02-11 til 2010-03-11 )))))))))))))))))))))))))))))))))

.

 

2010-03-11 09:12 . 2010-03-11 09:12 -------- d-----w- c:\users\Oppgavepc\AppData\Local\temp

2010-03-11 09:12 . 2010-03-11 09:12 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-03-11 08:35 . 2009-12-14 09:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100310.037\NAVEX32A.DLL

2010-03-11 08:35 . 2010-02-16 09:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100310.037\NAVENG.SYS

2010-03-11 08:35 . 2010-02-16 09:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100310.037\NAVEX15.SYS

2010-03-11 08:35 . 2009-12-14 09:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100310.037\EECTRL.SYS

2010-03-11 08:35 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100310.037\CCERASER.DLL

2010-03-11 08:35 . 2009-12-14 09:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100310.037\ECMSVR32.DLL

2010-03-11 08:35 . 2009-12-14 09:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100310.037\NAVENG32.DLL

2010-03-11 08:35 . 2009-12-14 09:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100310.037\ERASER.SYS

2010-03-11 08:33 . 2010-03-11 08:33 -------- d-----w- c:\users\Oppgavepc\AppData\Roaming\Malwarebytes

2010-03-11 08:33 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-11 08:33 . 2010-03-11 08:33 -------- d-----w- c:\programdata\Malwarebytes

2010-03-11 08:33 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-11 08:33 . 2010-03-11 08:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-11 08:30 . 2009-11-20 03:02 268664 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100310.001\SymIDSco.sys

2010-03-11 08:30 . 2009-11-20 03:02 732536 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100310.001\Scxpx86.dll

2010-03-11 08:30 . 2009-11-20 03:02 173432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100310.001\SymIDSI.dll

2010-03-11 08:30 . 2009-11-20 03:02 286768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100310.001\IDSvix86.sys

2010-03-11 08:30 . 2009-11-20 03:02 685432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100310.001\IDSxpx86.dll

2010-03-11 08:30 . 2009-11-20 03:02 396336 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100310.001\IDSviA64.sys

2010-03-11 08:30 . 2009-07-22 00:51 157120 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100310.001\IDS9xx86.dll

2010-03-11 08:24 . 2010-03-11 08:48 -------- d-----w- c:\users\Oppgavepc\AppData\Local\Spotify

2010-03-11 08:24 . 2010-03-11 08:29 -------- d-----w- c:\users\Oppgavepc\AppData\Roaming\Spotify

2010-03-11 08:24 . 2010-03-11 08:24 -------- d-----w- c:\program files\Spotify

2010-03-11 08:20 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe

2010-03-09 12:29 . 2010-02-16 09:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.057\NAVENG.SYS

2010-03-09 12:29 . 2010-02-16 09:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.057\NAVEX15.SYS

2010-03-09 12:29 . 2009-12-14 09:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.057\EECTRL.SYS

2010-03-09 12:29 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.057\CCERASER.DLL

2010-03-09 12:29 . 2009-12-14 09:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.057\ECMSVR32.DLL

2010-03-09 12:29 . 2009-12-14 09:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.057\NAVENG32.DLL

2010-03-09 12:29 . 2009-12-14 09:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.057\NAVEX32A.DLL

2010-03-09 12:29 . 2009-12-14 09:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.057\ERASER.SYS

2010-03-09 08:29 . 2009-11-20 03:02 268664 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100305.001\SymIDSco.sys

2010-03-09 08:29 . 2009-11-20 03:02 732536 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100305.001\Scxpx86.dll

2010-03-09 08:29 . 2009-11-20 03:02 286768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100305.001\IDSvix86.sys

2010-03-09 08:29 . 2009-11-20 03:02 173432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100305.001\SymIDSI.dll

2010-03-09 08:29 . 2009-11-20 03:02 685432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100305.001\IDSxpx86.dll

2010-03-09 08:29 . 2009-11-20 03:02 396336 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100305.001\IDSviA64.sys

2010-03-09 08:29 . 2009-07-22 00:51 157120 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100305.001\IDS9xx86.dll

2010-02-27 15:36 . 2010-02-27 15:36 48 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-02-24 14:16 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll

2010-02-24 14:15 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll

2010-02-24 14:15 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll

2010-02-24 14:15 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe

2010-02-24 14:15 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe

2010-02-24 14:15 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe

2010-02-24 14:15 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll

2010-02-24 14:15 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll

2010-02-24 14:15 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll

2010-02-24 14:15 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe

2010-02-24 14:15 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll

2010-02-24 14:15 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

2010-02-24 14:15 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

2010-02-16 09:00 . 2010-02-16 09:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\naveng.sys

2010-02-16 09:00 . 2010-02-16 09:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\navex15.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-11 09:04 . 2009-03-29 04:08 665648 ----a-w- c:\windows\system32\perfh01D.dat

2010-03-11 09:04 . 2009-03-29 04:08 150488 ----a-w- c:\windows\system32\perfc01D.dat

2010-03-11 09:04 . 2009-03-29 04:01 536460 ----a-w- c:\windows\system32\perfh014.dat

2010-03-11 09:04 . 2009-03-29 04:01 107028 ----a-w- c:\windows\system32\perfc014.dat

2010-03-11 09:04 . 2009-03-29 03:54 505846 ----a-w- c:\windows\system32\perfh00B.dat

2010-03-11 09:04 . 2009-03-29 03:54 116038 ----a-w- c:\windows\system32\perfc00B.dat

2010-03-11 09:04 . 2009-03-29 03:47 532672 ----a-w- c:\windows\system32\perfh006.dat

2010-03-11 09:04 . 2009-03-29 03:47 111226 ----a-w- c:\windows\system32\perfc006.dat

2010-03-11 08:54 . 2009-03-29 04:37 12 ----a-w- c:\windows\bthservsdp.dat

2010-03-11 08:35 . 2009-08-26 07:57 -------- d-----w- c:\users\Oppgavepc\AppData\Roaming\EndNote

2010-03-11 08:22 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail

2010-03-11 08:21 . 2009-08-19 08:45 -------- d-----w- c:\programdata\Microsoft Help

2010-03-10 09:17 . 2009-10-08 14:19 148 ----a-w- c:\programdata\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll

2010-03-02 13:22 . 2009-03-29 04:52 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-02 13:22 . 2009-03-29 04:47 -------- d-----w- c:\program files\Hewlett-Packard

2010-02-27 16:29 . 2009-08-19 09:00 108144 ----a-w- c:\users\Oppgavepc\AppData\Local\GDIPFONTCACHEV1.DAT

2010-02-24 08:16 . 2009-10-05 10:09 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-17 22:39 . 2009-03-29 06:26 588472 ----a-w- c:\windows\system32\ezsvc7x.dll

2010-02-14 07:45 . 2009-08-20 10:30 -------- d-----w- c:\program files\uTorrent

2010-02-13 08:20 . 2009-08-20 10:26 -------- d-----w- c:\users\Oppgavepc\AppData\Roaming\uTorrent

2010-02-13 08:18 . 2009-08-20 17:56 -------- d-----w- c:\program files\Common Files\Adobe

2010-01-28 15:38 . 2010-01-28 15:38 -------- d-----w- c:\program files\MpD

2010-01-20 14:32 . 2009-08-19 17:19 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-06 15:38 . 2010-02-24 14:15 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll

2010-01-06 15:38 . 2010-02-24 14:15 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll

2010-01-06 15:38 . 2010-02-24 14:15 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll

2010-01-06 15:38 . 2010-02-24 14:15 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll

2010-01-02 06:38 . 2010-01-22 07:23 916480 ----a-w- c:\windows\system32\wininet.dll

2010-01-02 06:32 . 2010-01-22 07:23 71680 ----a-w- c:\windows\system32\iesetup.dll

2010-01-02 06:32 . 2010-01-22 07:23 109056 ----a-w- c:\windows\system32\iesysprep.dll

2010-01-02 04:57 . 2010-01-22 07:23 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2009-12-14 09:00 . 2009-12-14 09:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\eeCtrl.sys

2009-12-14 09:00 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\cceraser.dll

2009-12-14 09:00 . 2009-12-14 09:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ecmsvr32.dll

2009-12-14 09:00 . 2009-12-14 09:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\naveng32.dll

2009-12-14 09:00 . 2009-12-14 09:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\navex32a.dll

2009-12-14 09:00 . 2009-12-14 09:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ERASER.sys

2009-12-11 11:43 . 2010-02-10 07:26 302080 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-11 11:43 . 2010-02-10 07:26 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys

2009-03-29 04:43 . 2009-03-29 04:10 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT

2009-12-04 15:08 . 2006-11-02 06:25 10 --sha-r- c:\windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6001.18000_none_fe0d791a728dd79c\config.sys

2009-12-04 15:08 . 2006-11-02 06:25 10 --sha-r- c:\windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6002.18005_none_fff8f2266fafa2e8\config.sys

.

 

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-10-22 3883856]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-06-03 450652]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-11-17 258048]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-11 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-21 02:35 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"VistaSp2"=hex(b):a9,69,99,bc,ff,4f,ca,01

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-349111809-2567388203-2673728989-1000]

"EnableNotificationsRef"=dword:00000001

 

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-08-19 721904]

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

S1 IDSVix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20100310.001\IDSvix86.sys [2009-11-20 286768]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_827e372d\aestsrv.exe [2009-03-02 81920]

S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]

S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-03-18 19456]

S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]

S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-12-23 365952]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-26 102448]

S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]

 

 

--- Andre tjenester/drivere lastet i minnet ---

 

*NewlyCreated* - COMHOST

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

bthsvcs REG_MULTI_SZ BthServ

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ezSharedSvc

.

.

------- Tilleggsskanning -------

.

uStart Page = hxxp://www.dagbladet.no/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=91&bd=Pavilion&pf=cnnb

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send bilde til &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send side til &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-11 10:12

Windows 6.0.6002 Service Pack 2 NTFS

 

skanner skjulte prosesser ...

 

skanner skjulte autostart-oppføringer ...

 

skanner skjulte filer ...

 

skanning vellykket

skjulte filer: 0

 

**************************************************************************

.

Tidspunkt ferdig: 2010-03-11 10:17:55

ComboFix-quarantined-files.txt 2010-03-11 09:17

 

Pre-Run: 104 138 452 992 byte ledig

Post-Run: 104 111 865 856 byte ledig

 

- - End Of File - - 447D80916A4462BEDA71844CF5445663

 

 

 

 

And here is the Malwarebytes log:

 

 

Malwarebytes' Anti-Malware 1.44

Databaseversjon: 3851

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

 

11.03.2010 09:48:05

mbam-log-2010-03-11 (09-48-05).txt

 

Skanntype: Rask Skann

Objekter skannet: 105196

Tid tilbakelagt: 12 minute(s), 2 second(s)

 

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 0

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 2

 

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

 

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

 

Registernøkler infisert:

(Ingen mistenkelige filer funnet)

 

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

 

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

 

Mapper infisert:

(Ingen mistenkelige filer funnet)

 

Filer infisert:

C:\Windows\System32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\System32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

 

 

 

It would be great if someone could take a look at these two logs, as I would really like to have this PC free of junk.
