Guest Slettet+127836 Posted 11 March 2010 (edited)

Hi! I'm on a laptop right now that has been slow lately. I ran Malwarebytes; it found 2 .dll files (mentioned in the thread title) and I removed them. Then I ran ComboFix. Here is the log from ComboFix:

And here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.44
Databaseversjon: 3851
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

11.03.2010 09:48:05
mbam-log-2010-03-11 (09-48-05).txt

Skanntype: Rask Skann
Objekter skannet: 105196
Tid tilbakelagt: 12 minute(s), 2 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 2

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\Windows\System32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

It would be great if someone could look at these two logs, as I would really like to have this PC free of nonsense.

Edited 11 March 2010 by Slettet+127836
norbat Posted 11 March 2010

The logs don't show any malware, so there shouldn't be any PC nonsense.