
Spyware/virus on work PC (HijackThis)



Got a virus on a PC at work.

 

Can't run SAS, but have run ComboFix, CCleaner and HijackThis.

 

 

ComboFix

ComboFix 08-04-22.5 - Administrator 2008-04-24 16:17:08.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.227 [GMT 2:00]

Running from: C:\Documents and Settings\Administrator.XXL\Skrivebord\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Programfiler\akl

C:\Programfiler\akl\akl.dll

C:\Programfiler\akl\akl.exe

C:\Programfiler\akl\uninstall.exe

C:\Programfiler\akl\unsetup.exe

C:\Programfiler\Inet Delivery

C:\Programfiler\Inet Delivery\inetdl.exe

C:\Programfiler\Inet Delivery\intdel.exe

C:\WINDOWS\a.bat

C:\WINDOWS\base64.tmp

C:\WINDOWS\bdn.com

C:\WINDOWS\FVProtect.exe

C:\WINDOWS\iTunesMusic.exe

C:\WINDOWS\mslagent

C:\WINDOWS\mslagent\2_mslagent.dll

C:\WINDOWS\mslagent\mslagent.exe

C:\WINDOWS\mslagent\uninstall.exe

C:\WINDOWS\mssecu.exe

C:\WINDOWS\system32\bsva-egihsg52.exe

C:\WINDOWS\system32\emesx.dll

C:\WINDOWS\userconfig9x.dll

C:\WINDOWS\Web\def.htm

C:\WINDOWS\winsystem.exe

C:\WINDOWS\zip1.tmp

C:\WINDOWS\zip2.tmp

C:\WINDOWS\zip3.tmp

C:\WINDOWS\zipped.tmp

 

.

((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))

.

 

2008-04-24 16:15 . 2008-04-24 16:15 98,304 --a------ C:\WINDOWS\system32\dofcxcju.exe

2008-04-24 15:41 . 2008-04-24 15:41 <DIR> d-------- C:\Programfiler\CCleaner

2008-04-24 15:33 . 2008-04-24 15:33 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-04-24 15:32 . 2008-04-24 15:32 <DIR> d-------- C:\Programfiler\Opera

2008-04-24 15:23 . 2008-04-24 15:23 <DIR> d-------- C:\Documents and Settings\Administrator.XXL\Programdata\TmpRecentIcons

2008-04-24 15:10 . 2008-04-23 20:46 7,168 --a------ C:\Documents and Settings\Administrator.XXL\cftmon.exe

2008-04-23 22:18 . 2008-04-23 22:18 <DIR> d-------- C:\Documents and Settings\geni\Programdata\TmpRecentIcons

2008-04-23 20:57 . 2008-04-23 20:46 7,168 --a------ C:\Documents and Settings\LocalService\cftmon.exe

2008-04-23 20:46 . 2008-04-23 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\ehkzovwl

2008-04-23 20:46 . 2008-04-23 20:46 7,168 --a------ C:\Documents and Settings\geni\cftmon.exe

2008-04-17 12:55 . 2008-04-17 12:55 <DIR> d-------- C:\Documents and Settings\geni\Programdata\DVMS

2008-04-17 12:53 . 2008-04-17 12:53 <DIR> d-------- C:\Programfiler\DVMS

2008-04-17 12:52 . 2008-04-17 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\DVMS

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-24 13:54 3,420 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP

2008-04-24 13:39 --------- d-----w C:\Programfiler\Trend Micro

2008-04-24 08:27 --------- d-----w C:\Programfiler\Google

2008-04-23 18:46 98,304 ----a-w C:\WINDOWS\system32\wledargv.exe

2008-04-23 18:46 65,536 ----a-w C:\epnhxax.exe

2008-04-23 18:46 61,874 ----a-w C:\WINDOWS\ydhqzop.sys

2008-04-23 12:19 94,208 ----a-w C:\WINDOWS\olgdqarf.exe

2008-04-23 12:19 81,920 ----a-w C:\WINDOWS\wxvgsdbq.exe

2008-04-23 12:19 217,088 ----a-w C:\WINDOWS\qnmargolewk.dll

2008-04-23 12:19 212,992 ----a-w C:\WINDOWS\wdpoefan.dll

2008-04-23 12:19 188,416 ----a-w C:\WINDOWS\vadokmxt.dll

2008-04-23 12:19 155,648 ----a-w C:\WINDOWS\dpevflbg.dll

2008-04-14 09:13 --------- d-----w C:\Documents and Settings\geni\Programdata\ICAClient

2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-20 08:11 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys

2008-03-01 16:35 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-02-29 08:58 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-02-29 08:58 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 06:52 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 05:39 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 05:39 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-04-24_16.16.13.94 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-23 18:46:18 4,096 ----a-w C:\WINDOWS\system32\hoproxy.dll

+ 2008-04-24 14:15:37 4,096 ----a-w C:\WINDOWS\system32\hoproxy.dll

- 2008-04-23 18:46:18 4,096 ----a-w C:\WINDOWS\system32\hxiwlgpm.dat

+ 2008-04-24 14:15:36 4,096 ----a-w C:\WINDOWS\system32\hxiwlgpm.dat

- 2008-04-23 18:46:18 4,096 ----a-w C:\WINDOWS\system32\hxiwlgpm.exe

+ 2008-04-24 14:15:36 4,096 ----a-w C:\WINDOWS\system32\hxiwlgpm.exe

- 2008-04-23 18:46:18 4,096 ----a-w C:\WINDOWS\system32\mwin32.exe

+ 2008-04-24 14:15:37 4,096 ----a-w C:\WINDOWS\system32\mwin32.exe

- 2008-04-23 18:46:18 4,096 ----a-w C:\WINDOWS\system32\sncntr.exe

+ 2008-04-24 14:15:37 4,096 ----a-w C:\WINDOWS\system32\sncntr.exe

- 2008-04-23 18:46:18 4,096 ----a-w C:\WINDOWS\system32\taack.dat

+ 2008-04-24 14:15:36 4,096 ----a-w C:\WINDOWS\system32\taack.dat

- 2008-04-23 18:46:18 4,096 ----a-w C:\WINDOWS\system32\taack.exe

+ 2008-04-24 14:15:36 4,096 ----a-w C:\WINDOWS\system32\taack.exe

- 2008-04-23 18:46:18 4,096 ----a-w C:\WINDOWS\system32\winlogonpc.exe

+ 2008-04-24 14:15:38 4,096 ----a-w C:\WINDOWS\system32\winlogonpc.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2513A321-CB50-4C5F-91C5-80342AFACFB1}]

C:\WINDOWS\system32\adobepnl.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62E2E094-F989-48C6-B947-6E79DA2294F9}]

C:\WINDOWS\system32\winapi32.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}]

2008-04-23 14:19 217088 --a------ C:\WINDOWS\qnmargolewk.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CE66268D-0208-4D9E-8BC7-12D91072A34D}"= "C:\WINDOWS\dpevflbg.dll" [2008-04-23 14:19 155648]

 

[HKEY_CLASSES_ROOT\clsid\{ce66268d-0208-4d9e-8bc7-12d91072a34d}]

[HKEY_CLASSES_ROOT\dpevflbg.1]

[HKEY_CLASSES_ROOT\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}]

[HKEY_CLASSES_ROOT\dpevflbg]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:00 15360]

"bganywkl"="C:\WINDOWS\system32\dofcxcju.exe" [2008-04-24 16:15 98304]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 17:52 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 17:48 118784]

"Smapp"="C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 10:08 143360]

"SSC_UserPrompt"="C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-09-13 13:08 218240]

"SetRefresh"="C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 20:01 525824]

"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 10:00 143360]

"OfficeScanNT Monitor"="C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-04-19 00:52 335872]

"Transponder"="C:\WINDOWS\system32\susp.exe" [ ]

"Windows Defender"="C:\Programfiler\Windows Defender\MSASCui.exe" [2006-04-03 18:12 777424]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:00 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"SaVTXtKNcI"= C:\Documents and Settings\All Users\Programdata\ehkzovwl\cvshidcp.exe

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= file:///C:\WINDOWS\privacy_danger\index.htm

FriendlyName= Privacy Protection

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"vadokmxt"= {8D77CD95-EA5C-4791-B87E-48310EA70B85} - C:\WINDOWS\vadokmxt.dll [2008-04-23 14:19 188416]

"wdpoefan"= {DA45875A-87F4-47A9-BB24-ABF3D98C68EE} - C:\WINDOWS\wdpoefan.dll [2008-04-23 14:19 212992]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtutndu]

awtuTNDU.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MSACM.CEGSM"= mobilev.acm

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Microsoft ActiveSync\\wcescomm.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

 

S2 HZQBWMCX;HZQBWMCX;C:\WINDOWS\system32\hzqbwmcx.uvs []

 

.

Contents of the 'Scheduled Tasks' folder

"2008-04-22 00:19:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Programfiler\Windows Defender\MpCmdRun.exe

"2008-04-23 18:56:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Programfiler\Symantec\LiveUpdate\NDetect.exe

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-24 16:18:14

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HZQBWMCX]

"ImagePath"="\??\C:\WINDOWS\system32\hzqbwmcx.uvs"

.

Completion time: 2008-04-24 16:19:04

ComboFix-quarantined-files.txt 2008-04-24 14:18:45

ComboFix2.txt 2008-04-24 14:16:28

 

Pre-Run: 31,359,721,472 byte ledig

Post-Run: 31,352,070,144 byte ledig

 

181 --- E O F --- 2008-04-19 01:40:40

 

 

HiJack This


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:27, on 2008-04-24

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe

C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Programdata\ehkzovwl\cvshidcp.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\system32\dofcxcju.exe

C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\explorer.exe

C:\Programfiler\Java\jre1.6.0_01\bin\jucheck.exe

C:\Programfiler\Opera\Opera.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll (file missing)

O2 - BHO: winapi32.MyBHO - {62E2E094-F989-48C6-B947-6E79DA2294F9} - C:\WINDOWS\system32\winapi32.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: DVA Gate - {AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3} - C:\WINDOWS\qnmargolewk.dll

O3 - Toolbar: dpevflbg - {CE66268D-0208-4D9E-8BC7-12D91072A34D} - C:\WINDOWS\dpevflbg.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [smapp] C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [setRefresh] C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bganywkl] C:\WINDOWS\system32\dofcxcju.exe

O4 - HKLM\..\Policies\Explorer\Run: [saVTXtKNcI] C:\Documents and Settings\All Users\Programdata\ehkzovwl\cvshidcp.exe

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Opprett mobil favoritt - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Opprett mobil favoritt... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.bravida.no

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxl.no

O17 - HKLM\Software\..\Telephony: DomainName = xxl.no

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxl.no

O20 - Winlogon Notify: awtutndu - awtuTNDU.dll (file missing)

O21 - SSODL: vadokmxt - {8D77CD95-EA5C-4791-B87E-48310EA70B85} - C:\WINDOWS\vadokmxt.dll

O21 - SSODL: wdpoefan - {DA45875A-87F4-47A9-BB24-ABF3D98C68EE} - C:\WINDOWS\wdpoefan.dll

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

 

--

End of file - 6815 bytes

 

 

EDIT: Got SAS installed after ComboFix had done its job.

Will post an update later.

Edited by Cloud

HijackThis:

 


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:59, on 2008-04-24

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe

C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\TEMP\ABB027.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe

C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe

C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\userinit.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: winapi32.MyBHO - {62E2E094-F989-48C6-B947-6E79DA2294F9} - C:\WINDOWS\system32\winapi32.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [smapp] C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [setRefresh] C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [wruwzyvo] C:\WINDOWS\system32\tcnsjkzw.exe

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Opprett mobil favoritt - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Opprett mobil favoritt... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.bravida.no

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxl.no

O17 - HKLM\Software\..\Telephony: DomainName = xxl.no

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxl.no

O20 - Winlogon Notify: !saswinlogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: awtutndu - awtuTNDU.dll (file missing)

O21 - SSODL: vadokmxt - {8D77CD95-EA5C-4791-B87E-48310EA70B85} - C:\WINDOWS\vadokmxt.dll (file missing)

O21 - SSODL: wdpoefan - {DA45875A-87F4-47A9-BB24-ABF3D98C68EE} - C:\WINDOWS\wdpoefan.dll (file missing)

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

 

--

End of file - 6628 bytes

 

 

ComboFix:

 


ComboFix 08-04-22.5 - administrator 2008-04-24 17:00:22.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.204 [GMT 2:00]

Running from: C:\Documents and Settings\Administrator.XXL\Skrivebord\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\rs.txt

 

.

((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))

.

 

2008-04-24 16:36 . 2008-04-24 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-04-24 16:34 . 2008-04-24 16:34 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-04-24 16:34 . 2008-04-24 16:34 <DIR> d-------- C:\Documents and Settings\Administrator.XXL\Programdata\SUPERAntiSpyware.com

2008-04-24 15:41 . 2008-04-24 15:41 <DIR> d-------- C:\Programfiler\CCleaner

2008-04-24 15:33 . 2008-04-24 15:33 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-04-24 15:32 . 2008-04-24 15:32 <DIR> d-------- C:\Programfiler\Opera

2008-04-24 15:23 . 2008-04-24 15:23 <DIR> d-------- C:\Documents and Settings\Administrator.XXL\Programdata\TmpRecentIcons

2008-04-23 22:18 . 2008-04-23 22:18 <DIR> d-------- C:\Documents and Settings\geni\Programdata\TmpRecentIcons

2008-04-23 20:46 . 2008-04-24 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\ehkzovwl

2008-04-23 20:46 . 2008-04-23 20:46 65,536 --a------ C:\epnhxax.exe

2008-04-23 20:46 . 2008-04-23 20:46 61,874 --a------ C:\WINDOWS\ydhqzop.sys

2008-04-23 20:46 . 2008-04-23 20:46 2 --a------ C:\871140395

2008-04-17 12:55 . 2008-04-17 12:55 <DIR> d-------- C:\Documents and Settings\geni\Programdata\DVMS

2008-04-17 12:53 . 2008-04-17 12:53 <DIR> d-------- C:\Programfiler\DVMS

2008-04-17 12:52 . 2008-04-17 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\DVMS

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-24 15:00 3,420 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP

2008-04-24 13:39 --------- d-----w C:\Programfiler\Trend Micro

2008-04-24 08:27 --------- d-----w C:\Programfiler\Google

2008-04-14 09:13 --------- d-----w C:\Documents and Settings\geni\Programdata\ICAClient

2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-20 08:11 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys

2008-03-01 16:35 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-02-29 08:58 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-02-29 08:58 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 06:52 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 05:39 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 05:39 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-04-24_16.16.13.94 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-24 13:49:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-04-24 14:56:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-04-24 14:34:29 34,304 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62E2E094-F989-48C6-B947-6E79DA2294F9}]

C:\WINDOWS\system32\winapi32.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:00 15360]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

"wruwzyvo"="C:\WINDOWS\system32\tcnsjkzw.exe" [ ]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 17:52 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 17:48 118784]

"Smapp"="C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 10:08 143360]

"SSC_UserPrompt"="C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-09-13 13:08 218240]

"SetRefresh"="C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 20:01 525824]

"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 10:00 143360]

"OfficeScanNT Monitor"="C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-04-19 00:52 335872]

"Windows Defender"="C:\Programfiler\Windows Defender\MSASCui.exe" [2006-04-03 18:12 777424]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:00 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= file:///C:\WINDOWS\privacy_danger\index.htm

FriendlyName= Privacy Protection

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"vadokmxt"= {8D77CD95-EA5C-4791-B87E-48310EA70B85} - C:\WINDOWS\vadokmxt.dll [ ]

"wdpoefan"= {DA45875A-87F4-47A9-BB24-ABF3D98C68EE} - C:\WINDOWS\wdpoefan.dll [ ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtutndu]

awtuTNDU.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MSACM.CEGSM"= mobilev.acm

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Microsoft ActiveSync\\wcescomm.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

 

S2 HZQBWMCX;HZQBWMCX;C:\WINDOWS\system32\hzqbwmcx.uvs []

 

*Newly Created Service* - catchme

.

Contents of the 'Scheduled Tasks' folder

"2008-04-22 00:19:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Programfiler\Windows Defender\MpCmdRun.exe

"2008-04-23 18:56:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Programfiler\Symantec\LiveUpdate\NDetect.exe

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-24 17:01:37

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HZQBWMCX]

"ImagePath"="\??\C:\WINDOWS\system32\hzqbwmcx.uvs"

.

Completion time: 2008-04-24 17:03:14

ComboFix-quarantined-files.txt 2008-04-24 15:03:03

ComboFix2.txt 2008-04-24 14:19:05

ComboFix3.txt 2008-04-24 14:16:28

 

Pre-Run: 31,282,667,520 byte ledig

Post-Run: 31,277,428,736 byte ledig

 

129 --- E O F --- 2008-04-19 01:40:40

 

 

SAS removed about 150 files that should not have been there.


Start HJT, choose "Do a system scan only", tick the box in front of the following lines and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

O2 - BHO: winapi32.MyBHO - {62E2E094-F989-48C6-B947-6E79DA2294F9} - C:\WINDOWS\system32\winapi32.dll (file missing)

O4 - HKCU\..\Run: [wruwzyvo] C:\WINDOWS\system32\tcnsjkzw.exe

O20 - Winlogon Notify: awtutndu - awtuTNDU.dll (file missing)

O21 - SSODL: vadokmxt - {8D77CD95-EA5C-4791-B87E-48310EA70B85} - C:\WINDOWS\vadokmxt.dll (file missing)

O21 - SSODL: wdpoefan - {DA45875A-87F4-47A9-BB24-ABF3D98C68EE} - C:\WINDOWS\wdpoefan.dll (file missing)

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

 

 

Open Notepad and paste in the text shown in bold below, then save the file on the desktop as CFScript.txt.

Then drag the file onto the ComboFix icon. ComboFix will start again. Post the log.

File::

C:\epnhxax.exe

C:\WINDOWS\ydhqzop.sys

C:\WINDOWS\TEMP\ABB027.EXE

 

Folder::

C:\Documents and Settings\All Users\Programdata\ehkzovwl

C:\871140395

 

Driver::

HZQBWMCX

 

Post the ComboFix log + a new HJT log. I would also like to see the log from SAS (preferences->statistics/logs).

That's done.

 

Combofix:

 


ComboFix 08-04-22.5 - administrator 2008-04-25 14:06:21.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.224 [GMT 2:00]

Running from: C:\Documents and Settings\Administrator.XXL\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Administrator.XXL\Skrivebord\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\epnhxax.exe

C:\WINDOWS\TEMP\ABB027.EXE

C:\WINDOWS\ydhqzop.sys

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\871140395\

C:\Documents and Settings\All Users\Programdata\ehkzovwl

C:\epnhxax.exe

C:\WINDOWS\ydhqzop.sys

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_HZQBWMCX

-------\Service_HZQBWMCX

-------\Service_ydhqzop

 

 

((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))

.

 

2008-04-24 16:36 . 2008-04-24 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-04-24 16:34 . 2008-04-24 16:34 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-04-24 16:34 . 2008-04-24 16:34 <DIR> d-------- C:\Documents and Settings\Administrator.XXL\Programdata\SUPERAntiSpyware.com

2008-04-24 15:41 . 2008-04-24 15:41 <DIR> d-------- C:\Programfiler\CCleaner

2008-04-24 15:33 . 2008-04-24 15:33 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-04-24 15:32 . 2008-04-24 15:32 <DIR> d-------- C:\Programfiler\Opera

2008-04-24 15:23 . 2008-04-24 15:23 <DIR> d-------- C:\Documents and Settings\Administrator.XXL\Programdata\TmpRecentIcons

2008-04-23 22:18 . 2008-04-23 22:18 <DIR> d-------- C:\Documents and Settings\geni\Programdata\TmpRecentIcons

2008-04-23 20:46 . 2008-04-23 20:46 2 --a------ C:\871140395

2008-04-17 12:55 . 2008-04-17 12:55 <DIR> d-------- C:\Documents and Settings\geni\Programdata\DVMS

2008-04-17 12:53 . 2008-04-17 12:53 <DIR> d-------- C:\Programfiler\DVMS

2008-04-17 12:52 . 2008-04-17 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\DVMS

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-24 13:39 --------- d-----w C:\Programfiler\Trend Micro

2008-04-24 08:27 --------- d-----w C:\Programfiler\Google

2008-04-14 09:13 --------- d-----w C:\Documents and Settings\geni\Programdata\ICAClient

.

 

((((((((((((((((((((((((((((( snapshot@2008-04-24_16.16.13.94 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-24 13:49:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-04-25 12:09:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-04-24 14:34:29 34,304 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe

+ 2005-03-15 15:52:48 172,099 ----a-w C:\WINDOWS\TEMP\TLB027.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:00 15360]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 17:52 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 17:48 118784]

"Smapp"="C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 10:08 143360]

"SSC_UserPrompt"="C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-09-13 13:08 218240]

"SetRefresh"="C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 20:01 525824]

"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 10:00 143360]

"OfficeScanNT Monitor"="C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-04-19 00:52 335872]

"Windows Defender"="C:\Programfiler\Windows Defender\MSASCui.exe" [2006-04-03 18:12 777424]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:00 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MSACM.CEGSM"= mobilev.acm

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Microsoft ActiveSync\\wcescomm.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

 

 

.

Contents of the 'Scheduled Tasks' folder

"2008-04-22 00:19:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Programfiler\Windows Defender\MpCmdRun.exe

"2008-04-23 18:56:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Programfiler\Symantec\LiveUpdate\NDetect.exe

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-25 14:11:30

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe

C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\TEMP\TLB027.EXE

.

**************************************************************************

.

Completion time: 2008-04-25 14:16:21 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-25 12:16:16

ComboFix2.txt 2008-04-24 15:03:15

ComboFix3.txt 2008-04-24 14:19:05

ComboFix4.txt 2008-04-24 14:16:28

 

Pre-Run: 31,247,052,800 byte ledig

Post-Run: 31,250,022,400 byte ledig

 

126 --- E O F --- 2008-04-19 01:40:40

 

HiJack This:


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:17, on 2008-04-25

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe

C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\TEMP\TLB027.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe

C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe

C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\notepad.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [smapp] C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [setRefresh] C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Opprett mobil favoritt - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Opprett mobil favoritt... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.bravida.no

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxl.no

O17 - HKLM\Software\..\Telephony: DomainName = xxl.no

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxl.no

O20 - Winlogon Notify: !saswinlogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

 

--

End of file - 6232 bytes

 

SAS: (first scan)

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 04/24/2008 at 04:54 PM

 

Application Version : 4.0.1154

 

Core Rules Database Version : 3446

Trace Rules Database Version: 1438

 

Scan type : Complete Scan

Total Scan Time : 00:15:41

 

Memory items scanned : 340

Memory threats detected : 3

Registry items scanned : 4957

Registry threats detected : 47

File items scanned : 11451

File threats detected : 96

 

Trojan.Unclassified/Multi-Dropper (Packed)

C:\DOCUMENTS AND SETTINGS\ALL USERS\PROGRAMDATA\EHKZOVWL\CVSHIDCP.EXE

[saVTXtKNcI] C:\DOCUMENTS AND SETTINGS\ALL USERS\PROGRAMDATA\EHKZOVWL\CVSHIDCP.EXE

C:\DOCUMENTS AND SETTINGS\ALL USERS\PROGRAMDATA\EHKZOVWL\CVSHIDCP.EXE

C:\WINDOWS\Prefetch\CVSHIDCP.EXE-11BFA788.pf

 

Adware.Vundo-Variant/J

C:\WINDOWS\VADOKMXT.DLL

C:\WINDOWS\VADOKMXT.DLL

C:\WINDOWS\WDPOEFAN.DLL

C:\WINDOWS\WDPOEFAN.DLL

 

Trojan.Unclassified/Multi-Dropper

[bganywkl] C:\WINDOWS\SYSTEM32\DOFCXCJU.EXE

C:\WINDOWS\SYSTEM32\DOFCXCJU.EXE

C:\WINDOWS\SYSTEM32\TCNSJKZW.EXE

C:\WINDOWS\SYSTEM32\WLEDARGV.EXE

C:\WINDOWS\Prefetch\WLEDARGV.EXE-03C67F4A.pf

 

Unclassified.Unknown Origin

HKLM\Software\Classes\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}

HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}

HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}

HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\Implemented Categories

HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}

HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\InprocServer32

HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\InprocServer32#ThreadingModel

HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\ProgID

HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\Programmable

HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\TypeLib

HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\VERSION

C:\WINDOWS\SYSTEM32\ADOBEPNL.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2513A321-CB50-4C5F-91C5-80342AFACFB1}

 

Adware.SXGAdvisor-A

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}

HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}

HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}

HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}\InprocServer32

HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}\InprocServer32#ThreadingModel

HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}\ProgID

HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}\Programmable

HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}\TypeLib

HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}\VersionIndependentProgID

C:\WINDOWS\QNMARGOLEWK.DLL

 

Trojan.Unclassified/GTS

HKLM\Software\Microsoft\Internet Explorer\Toolbar#{CE66268D-0208-4D9E-8BC7-12D91072A34D}

HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}

HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}

HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}\InprocServer32

HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}\InprocServer32#ThreadingModel

HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}\ProgID

HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}\Programmable

HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}\TypeLib

HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}\VersionIndependentProgID

HKCR\dpevflbg.1

HKCR\dpevflbg

HKCR\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}

HKCR\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}\1.0

HKCR\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}\1.0

HKCR\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}\1.0\win32

HKCR\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}\1.0\FLAGS

HKCR\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}\1.0\HELPDIR

C:\WINDOWS\DPEVFLBG.DLL

 

Adware.Tracking Cookie

C:\Documents and Settings\Administrator.XXL\Cookies\administrator@1071761544[1].txt

C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][1].txt

C:\Documents and Settings\Administrator.XXL\Cookies\administrator@tradedoubler[2].txt

C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][1].txt

C:\Documents and Settings\Administrator.XXL\Cookies\administrator@57028022[1].txt

C:\Documents and Settings\Administrator.XXL\Cookies\administrator@cgi-bin[1].txt

C:\Documents and Settings\Administrator.XXL\Cookies\administrator@gomyhit[3].txt

C:\Documents and Settings\Administrator.XXL\Cookies\administrator@atwola[1].txt

C:\Documents and Settings\Administrator.XXL\Cookies\administrator@doubleclick[1].txt

C:\Documents and Settings\Administrator.XXL\Cookies\administrator@systemerrorfixer[1].txt

C:\Documents and Settings\Administrator.XXL\Cookies\administrator@gomyhit[1].txt

C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][2].txt

C:\Documents and Settings\Administrator.XXL\Cookies\administrator@advertising[1].txt

C:\Documents and Settings\Administrator.XXL\Cookies\administrator@hitbox[2].txt

C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][1].txt

C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][1].txt

C:\Documents and Settings\Administrator.XXL\Cookies\administrator@adnetserver[1].txt

C:\Documents and Settings\geni\Cookies\[email protected][1].txt

C:\Documents and Settings\geni\Cookies\[email protected][1].txt

C:\Documents and Settings\geni\Cookies\[email protected][2].txt

C:\Documents and Settings\oyha\Cookies\oyha@2o7[2].txt

C:\Documents and Settings\oyha\Cookies\[email protected][1].txt

C:\Documents and Settings\oyha\Cookies\oyha@doubleclick[2].txt

C:\Documents and Settings\oyha\Cookies\oyha@mediaplex[2].txt

C:\Documents and Settings\oyha\Cookies\[email protected][2].txt

C:\Documents and Settings\oyha\Cookies\oyha@tradedoubler[2].txt

 

Trojan.Painter

HKCR\winapi32.MyBHO

HKCR\winapi32.MyBHO\Clsid

 

Trojan.Malware

C:\WINDOWS\bg.gif

 

Trojan.Unknown Origin

C:\WINDOWS\system32\smp\msrc.exe

C:\WINDOWS\system32\smp

C:\WINDOWS\BG_BG.GIF

 

Adware.Admess

HKCR\AppId\{F6BDB4E5-D6AA-4D1F-8B67-BCB0F2246E21}

HKCR\AppId\WStart.DLL

HKCR\AppId\WStart.DLL#WStart

 

Browser Hijacker.Internet Explorer Settings Hijack

HKU\s-1-5-21-583907252-1614895754-682003330-500\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

 

Trojan.SUSP/Transponder

HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Transponder [ C:\WINDOWS\system32\susp.exe ]

 

Trojan.Unclassified/CFTMon-Fake

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.XXL\CFTMON.EXE

C:\DOCUMENTS AND SETTINGS\GENI\CFTMON.EXE

C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\CFTMON.EXE

C:\WINDOWS\Prefetch\CFTMON.EXE-28DDC928.pf

 

Trojan.Unclassified/Dropper-Packed

C:\SYSTEM VOLUME INFORMATION\_RESTORE{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP569\A0101667.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP570\A0101698.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP570\A0102695.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP572\A0102725.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP572\A0102733.EXE

 

Trojan.Downloader-Gen/Win

C:\WINDOWS\OLGDQARF.EXE

C:\WINDOWS\WXVGSDBQ.EXE

 

Trojan.Laguna Media

C:\WINDOWS\SPACER.GIF'

 

Trojan.Fake-Drop/Gen

C:\WINDOWS\SYSTEM32\AKTTZN.EXE

C:\WINDOWS\SYSTEM32\ANTICIPATOR.DLL

C:\WINDOWS\SYSTEM32\AWTOOLB.DLL

C:\WINDOWS\SYSTEM32\BDN.COM

C:\WINDOWS\SYSTEM32\CWS_IESTART.EXE

C:\WINDOWS\SYSTEM32\H@TKEYSH@@K.DLL

C:\WINDOWS\SYSTEM32\HOPROXY.DLL

C:\WINDOWS\SYSTEM32\HXIWLGPM.DAT

C:\WINDOWS\SYSTEM32\HXIWLGPM.EXE

C:\WINDOWS\SYSTEM32\MEDUP012.DLL

C:\WINDOWS\SYSTEM32\MEDUP020.DLL

C:\WINDOWS\SYSTEM32\MSGP.EXE

C:\WINDOWS\SYSTEM32\MSNBHO.DLL

C:\WINDOWS\SYSTEM32\MSSECU.EXE

C:\WINDOWS\SYSTEM32\MSVCHOST.EXE

C:\WINDOWS\SYSTEM32\MTR2.EXE

C:\WINDOWS\SYSTEM32\MWIN32.EXE

C:\WINDOWS\SYSTEM32\NETODE.EXE

C:\WINDOWS\SYSTEM32\NEWSD32.EXE

C:\WINDOWS\SYSTEM32\PS1.EXE

C:\WINDOWS\SYSTEM32\REGC64.DLL

C:\WINDOWS\SYSTEM32\REGM64.DLL

C:\WINDOWS\SYSTEM32\RUNDL1.EXE

C:\WINDOWS\SYSTEM32\SSURF022.DLL

C:\WINDOWS\SYSTEM32\SSVCHOST.COM

C:\WINDOWS\SYSTEM32\SSVCHOST.EXE

C:\WINDOWS\SYSTEM32\SYSREQ.EXE

C:\WINDOWS\SYSTEM32\TAACK.DAT

C:\WINDOWS\SYSTEM32\TAACK.EXE

C:\WINDOWS\SYSTEM32\TEMP#01.EXE

C:\WINDOWS\SYSTEM32\THUN.DLL

C:\WINDOWS\SYSTEM32\THUN32.DLL

C:\WINDOWS\SYSTEM32\VBIEWER.OCX

C:\WINDOWS\SYSTEM32\VBSYS2.DLL

C:\WINDOWS\SYSTEM32\VCATCHPI.DLL

C:\WINDOWS\SYSTEM32\WINLOGONPC.EXE

C:\WINDOWS\SYSTEM32\WINSYSTEM.EXE

C:\WINDOWS\SYSTEM32\WINWGPX.EXE

 

Dpcproxy

C:\WINDOWS\SYSTEM32\DPCPROXY.EXE

 

Adware.Mirar/NetNucleus

C:\WINDOWS\SYSTEM32\MIRARSEARCH_TOOLBAR.EXE

 

Unclassified.Unknown Origin/System

C:\WINDOWS\SYSTEM32\PSOF1.EXE

 

Adware.Pacer D

C:\WINDOWS\SYSTEM32\PSOFT1.EXE

 

Trojan.Dluca-I

C:\WINDOWS\SYSTEM32\SNCNTR.EXE

 


You have a process running from the TEMP folder, C:\WINDOWS\TEMP\TLB027.EXE, which I do not know what is. You could check the file at http://virusscan.jotti.org/.

 

Beyond that there is not much more to fix :)

You can update Java: http://java.com/en/download/index.jsp

 

When everything runs OK, you can uninstall ComboFix by typing combofix /u in the Run box (Start->Run).

This removes the program and the quarantine files, and resets System Restore so that you do not get reinfected by a possible system restore.

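As an added example (not code from this thread, from HijackThis or from any other tool mentioned here), the following Python script parses the HijackThis log format posted above and flags the kinds of entries the helper marked for Fix checked, as well as the TEMP-folder process raised in the last reply: loading points whose file is missing, an IE start page off an allowlist, a desktop component loading a local HTML file, autostart binaries in TEMP or a profile root, and eight-letter random-looking Run value names. The sample lines are taken from the posted log plus one constructed line, and the allowlist and heuristics are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input in the HijackThis line format shown in this thread.
# The first seven lines are copied from the posted log; the last line is
# constructed from the SAS finding of a fake cftmon.exe in a profile root.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: winapi32.MyBHO - {62E2E094-F989-48C6-B947-6E79DA2294F9} - C:\WINDOWS\system32\winapi32.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [wruwzyvo] C:\WINDOWS\system32\tcnsjkzw.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: awtutndu - awtuTNDU.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
O4 - HKCU\..\Run: [cftmon] C:\Documents and Settings\Administrator.XXL\cftmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# First Windows path in the entry, ending at a module/document extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|com|htm|html)", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
ORPHAN_MARK = "(file missing)"
# Constructed allowlist for IE start/search pages; extend for your environment.
TRUSTED_PAGE_HOSTS = ("go.microsoft.com",)
# Heuristic (assumption): legitimate autostart binaries almost never live in a
# TEMP directory or directly in the root of a user profile.
SUSPECT_DIR_RE = re.compile(
    r"\\temp\\|\\documents and settings\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE
)


@dataclass
class Entry:
    code: str
    body: str
    path: Optional[str]
    run_name: Optional[str]


def parse_hjt(text: str) -> List[Entry]:
    """Parse the R*/F*/O* entry lines of a HijackThis log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        pm = PATH_RE.search(body)
        nm = RUN_NAME_RE.search(body) if code == "O4" else None
        entries.append(Entry(code, body, pm.group(0) if pm else None,
                             nm.group("name") if nm else None))
    return entries


def flag_entries(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (reason, entry body) pairs for entries that warrant analyst review."""
    flagged = []
    for e in entries:
        reasons = []
        if e.body.endswith(ORPHAN_MARK):
            reasons.append("loading point references a missing file")
        if e.code in ("R0", "R1") and not any(h in e.body.lower() for h in TRUSTED_PAGE_HOSTS):
            reasons.append("IE start/search page not on allowlist")
        if e.code == "O24" and "file:///" in e.body.lower():
            reasons.append("desktop component loads a local HTML file")
        if e.path and SUSPECT_DIR_RE.search(e.path):
            reasons.append("autostart binary in TEMP or profile root")
        if e.run_name and re.fullmatch(r"[a-z]{8}", e.run_name):
            reasons.append("eight-letter random-looking Run value name")
        flagged.extend((r, e.body) for r in reasons)
    return flagged


if __name__ == "__main__":
    for reason, body in flag_entries(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"[{reason}] {body}")
```

The heuristics only narrow the list; a flagged entry still needs a human decision (and an unflagged entry, such as a randomly named DLL in system32, can still be malicious).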