lasseruud (thread author), 26 February 2008:
Now I only have the Vista machine to test with. The XP machine was collected because the customer needed access to e-mail (which actually works on that machine). A quick update before I try more with the Vista machine: I got the XP machine working on the network in safe mode. Unfortunately I'm not sure what triggered it, since I'm trying several things at once. On the Vista machine it is status quo in normal mode. In safe mode the situation is as follows:
WORKS: network shares, e.g. \\server\share
WORKS: pinging IP addresses
WORKS: nslookup -> e.g. www.vg.no
DOES NOT WORK: pinging hosts, e.g. www.vg.no
DOES NOT WORK: browsing websites
Running SmitFraudFix and ComboFix now. Will post the logs soon.
lasseruud (thread author), 26 February 2008 (edited):
> Boot, press F8, safe mode. Run SmitFraudFix, choose option 2. Post the log C:\rapport.txt
Here is the log from SmitFraudFix in safe mode:

SmitFraudFix v2.296
Scan done at 9:52:25,86, 26.02.2008
Run from C:\Users\Marte\Desktop\!Tools\SmitfraudFix
OS: Microsoft Windows [Versjon 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
::1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller
DNS Server Search Order: 10.10.0.2

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2F4ADC06-5AA3-4866-92BF-FC531136F0BB}: DhcpNameServer=10.10.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F9445C19-3F64-4AFF-9CDF-2BB7D1F0D6E1}: DhcpNameServer=10.10.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2F4ADC06-5AA3-4866-92BF-FC531136F0BB}: DhcpNameServer=10.10.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F9445C19-3F64-4AFF-9CDF-2BB7D1F0D6E1}: DhcpNameServer=10.10.0.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2F4ADC06-5AA3-4866-92BF-FC531136F0BB}: DhcpNameServer=10.10.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.10.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.10.0.2
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.10.0.2

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Edited 26 February 2008 by lasseruud
lasseruud (thread author), 26 February 2008:
> In normal mode. Don't click on the window while the program is running. Post the log C:\combofix.txt
Here is the ComboFix log:

ComboFix 08-02-25.3 - Marte 2008-02-26 10:27:07.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1044.18.1276 [GMT 1:00]
Running from: C:\Users\Marte\Desktop\!Tools\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 11:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-20 10:15 421,888 ----a-w C:\putty.exe
2008-02-19 13:44 27,335 ----a-w C:\Users\Marte\AppData\Roaming\nvModes.dat
2008-02-19 13:43 --------- d-----w C:\Program Files\Google
2008-02-18 17:52 --------- d-----w C:\Program Files\Java
2008-02-13 21:14 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-13 21:12 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-13 21:12 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-02-13 21:12 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-02-13 21:12 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-13 21:12 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-13 21:12 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-13 21:12 15,872 ----a-w C:\Windows\system32\drivers\kbdhid.sys
2008-02-13 21:10 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 21:10 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-13 21:10 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-13 21:10 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-13 21:10 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-13 21:10 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-13 21:10 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-13 21:09 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 21:09 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 21:09 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 21:09 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 21:07 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-01-21 18:07 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-01-21 18:07 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-01-15 19:21 --------- d-----w C:\Users\Marte\AppData\Roaming\HP
2008-01-15 19:21 --------- d-----w C:\Users\Marte\AppData\Roaming\CyberLink
2008-01-15 19:21 --------- d-----w C:\PROGRA~2\HP
2008-01-15 18:35 174 --sha-w C:\Program Files\desktop.ini
2008-01-15 18:25 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-15 18:25 --------- d-----w C:\Program Files\Windows Mail
2008-01-15 18:25 --------- d-----w C:\Program Files\Windows Calendar
2008-01-15 18:18 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2008-01-15 18:18 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2008-01-15 18:18 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2008-01-15 18:18 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2008-01-15 18:18 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2008-01-15 18:16 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-01-15 18:16 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-01-15 18:16 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-01-15 18:16 2,923,520 ----a-w C:\Windows\explorer.exe
2008-01-15 18:16 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2008-01-15 18:16 11,264 ----a-w C:\Windows\system32\drivers\wmiacpi.sys
2008-01-15 18:11 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-01-15 18:11 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-01-15 18:11 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-01-15 18:06 73,216 ----a-w C:\Windows\system32\drivers\usbccgp.sys
2008-01-15 18:06 5,888 ----a-w C:\Windows\system32\drivers\usbd.sys
2008-01-15 18:06 38,400 ----a-w C:\Windows\system32\drivers\usbehci.sys
2008-01-15 18:06 224,768 ----a-w C:\Windows\system32\drivers\usbport.sys
2008-01-15 18:06 193,536 ----a-w C:\Windows\system32\drivers\usbhub.sys
2008-01-15 18:06 19,456 ----a-w C:\Windows\system32\drivers\usbohci.sys
2008-01-15 18:05 --------- d-----w C:\Program Files\MSN Messenger
2008-01-15 18:03 82,432 ----a-w C:\Windows\system32\drivers\sdbus.sys
2008-01-15 17:58 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-15 17:58 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-15 17:55 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-01-15 17:55 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-01-15 17:55 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-01-15 17:55 12,800 ----a-w C:\Windows\system32\drivers\fs_rec.sys
2008-01-15 17:55 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2008-01-15 17:55 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-15 17:25 --------- d-----w C:\Program Files\Bioscrypt
2008-01-15 17:24 --------- d-----w C:\Program Files\Fingerprint Sensor
2008-01-15 17:23 0 --sha-r C:\Windows\system32\drivers\103C_HP_cNB_Pavilion dv6500 Notebook PC_Y5335KV_0U_QCNF74843PZ_E445841-DH3_4A_I30CF_SQuanta_V85.17_F.07_T070809_WV3-0_L414_M1983_J160_7AMD_8F82_91.90_#080115_N10DE054C_(KB343EA#UUW)_XMOBILE_CN10_Z_2Rev 1.MRK
2008-01-15 17:19 --------- d-----w C:\Users\Marte\AppData\Roaming\Hewlett-Packard
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-15 18:58 1232896]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 12:26 484904]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-20 20:09 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 04:36 827392]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-04-23 17:11 176128]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 10:38 159744]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 10:54 50696]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-09 03:57 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-09 03:57 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-09 03:57 81920]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 12:18 472776]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 15:12 317128]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"CognizanceTS"="c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [2003-12-22 19:12 17920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\PROGRA~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 23:01:50 734872]
Hurtigstart for Adobe Reader.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 00:48:20 40048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D70330E2-D1A3-45A3-97D9-3AD79BB22275}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)|Edge=TRUE|
"{A9657AAC-DCF4-47C5-B8C7-62536937CA8A}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play|Desc=Quick Play
"{89504251-DB4A-4956-8363-FA84C141CB48}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program|Desc=Quick Play Resident Program
"{1581C6C8-0DB9-4953-9634-67F125DA39B8}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)|Edge=TRUE|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 ASBroker;Logon Session Broker;C:\Windows\System32\svchost.exe [2006-11-02 10:45]
R2 ASChannel;Local Communication Channel;C:\Windows\System32\svchost.exe [2006-11-02 10:45]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-28 17:44]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-17 00:50]
S2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" []
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-01-03 16:43]
S3 DUBE100B;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;C:\Windows\system32\DRIVERS\DUBE100B.sys [2007-04-04 15:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
GPSvcGroup REG_MULTI_SZ GPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 10:36:08
Windows 6.0.6000 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
.
**************************************************************************
.
Completion time: 2008-02-26 10:38:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 09:38:11
ComboFix2.txt 2008-02-26 09:12:25
.
2008-02-18 17:54:49 --- E O F ---

On this machine (Vista), the following has happened after SmitFraudFix and ComboFix: pinging hosts, e.g. www.vg.no, NO LONGER works. This worked before. (nslookup, e.g. www.vg.no, works.) Network shares work; this did not work before.
lasseruud (thread author), 26 February 2008:
I have now run sfc /scannow. It reported the following: "Windows Ressurs beskyttelse fant skadede filer, men kunne ikke reparere noen av dem" (Windows Resource Protection found corrupt files but could not repair any of them). The log is too long to paste here... the log file actually ended up at 15 MB. I have run CCleaner and restarted, but it is still just as dead..
snippsat, 26 February 2008 (edited):
Reinstalling the drivers is one thing I would have tried. http://h20000.www2.hp.com/bizsupport/TechS...eriesId=3369402 Reinstalling Windows is probably something you have thought about. HP has a recovery program that is supposed to create an image. I assume this has not been done. http://h10025.www1.hp.com/ewfrf/wc/fastFaq...cname=c00809678
Edited 26 February 2008 by SNIPPSAT
lasseruud (thread author), 27 February 2008:
> Reinstalling the drivers is one thing I would have tried.
I haven't tried reinstalling the drivers for the internal cards, but I have tried a third-party USB network adapter, and the same problem occurs there...
> Reinstalling Windows is probably something you have thought about.
Yes, I have thought about it, and it would certainly solve the problem, but I really want to find out what this is. Reinstalling is the amateur solution.
fenderebest, 27 February 2008 (edited):
Check that all third-party non-Plug and Play drivers are disabled at startup (at least those that can affect network communication).
Edited 27 February 2008 by fenderebest
Jarmo, 27 February 2008:
> Reinstalling is the amateur solution.
That's my man. Also check the ActiveX list...
lasseruud (thread author), 4 March 2008:
Because the customers, understandably, wanted their machines back, and because of lack of time, I had to go for the amateur solution on these two machines. They are now reinstalled and (of course) work fine. I have a feeling I will run into these problems again at a later point.
lasseruud (thread author), 19 April 2008:
Bumping this. I have received another machine with the same problem. I had little time for troubleshooting, but I got this one working again with System Restore. It seems this happened after installing one of these updates via Windows Update, as they were the only changes that had been made on the machine: KB905866, KB948881, KB941693, KB948590, KB890830, KB945553, KB947864 (these came at the same time). As mentioned, I didn't have time to troubleshoot further, so I didn't find out which one it was. For information.
lasseruud (thread author), 7 May 2008:
I have now confirmed that it is KB947864 that caused this on one of the machines. Whether it was this update on the first two machines, I cannot confirm.
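The symptom matrix from the first post (nslookup answers, ping by IP works, ping by name and browsing fail) together with the KB947864 finding above can be turned into one repeatable check. This is an added example, not code from the thread or from any of the tools it mentions; it assumes an elevated PowerShell 2.0 or later session on Windows, and $Target, $Share and $SuspectKb are placeholders taken from the thread.

```powershell
# Added example, not from the thread or its tools. Assumes an elevated PowerShell
# session (2.0 or later); $Target, $Share and $SuspectKb are placeholder values.
param(
    [string]$Target    = 'www.vg.no',        # hostname used in the thread
    [string]$Share     = '\\server\share',   # UNC path from the thread; replace
    [string]$SuspectKb = 'KB947864'          # update the poster identified
)

# nslookup queries the DNS server directly, bypassing the local resolver.
# Its output lists the server address first, so a second IPv4 means "resolved".
$ipRegex    = '\b(\d{1,3}\.){3}\d{1,3}\b'
$nsOut      = (& nslookup.exe $Target 2>&1 | Out-String)
$ips        = @([regex]::Matches($nsOut, $ipRegex) | ForEach-Object { $_.Value })
$nslookupOk = $ips.Count -ge 2
$resolvedIp = if ($nslookupOk) { $ips[1] } else { $null }

# ping by name goes through the DNS Client service, hosts file and Winsock,
# which is exactly the path that was broken in the thread.
$pingNameOk = Test-Connection $Target -Count 1 -Quiet -ErrorAction SilentlyContinue
$pingIpOk   = $false
if ($resolvedIp) {
    $pingIpOk = Test-Connection $resolvedIp -Count 1 -Quiet -ErrorAction SilentlyContinue
}
$shareOk    = Test-Path $Share

# Local state the posted logs exposed: hosts entries, the DNS Client service,
# the EnableFirewall flag (0 in the ComboFix log) and whether the update is in.
$hostsFile    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsEntries = Get-Content $hostsFile | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
$dnscache     = (Get-Service Dnscache).Status
$fwKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fwEnabled    = (Get-ItemProperty $fwKey -ErrorAction SilentlyContinue).EnableFirewall
$kbInstalled  = [bool](Get-HotFix -Id $SuspectKb -ErrorAction SilentlyContinue)

"nslookup resolves {0}: {1}" -f $Target, $nslookupOk
"ping by name: {0}" -f $pingNameOk
"ping by IP {0}: {1}" -f $resolvedIp, $pingIpOk
"share {0}: {1}" -f $Share, $shareOk
"Dnscache service: {0}" -f $dnscache
"hosts entries: {0}" -f ($hostsEntries -join '; ')
"EnableFirewall (StandardProfile): {0}" -f $fwEnabled
"{0} installed: {1}" -f $SuspectKb, $kbInstalled

# Interpretation, mirroring the thread: the server answers but the local
# resolver path does not, so the fault is on the client, not in the network.
if ($nslookupOk -and $pingIpOk -and -not $pingNameOk) {
    'Verdict: DNS server answers; local name resolution is broken (Dnscache, hosts, Winsock/TCP-IP stack or a recent update).'
} elseif (-not $nslookupOk) {
    'Verdict: DNS server not answering; check connectivity and DNS server settings first.'
} else {
    'Verdict: name resolution works; look at proxy, browser or firewall settings instead.'
}
```

The nslookup parse counts IPv4 addresses rather than matching localized "Address:" labels, so it works on a Norwegian Windows as in the thread; an EnableFirewall of 0 on all profiles, as the ComboFix log showed, is worth noting separately even though it does not explain the resolution failure.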