
Trojan downloader.xs - [SOLVED]



Posted (edited)

I've picked up this crap and I can't get rid of the weeds. I'm running AVG Anti-Spyware, but it's so inhumanly slow that I don't know what to do, and meanwhile popups keep appearing all the time, and the desktop is completely wrecked.

Edited by FlowerEye

Posted

AVG Anti-Spyware is a good scanner. It should find and remove most malware.

Anyway, you can do the following:

Download ComboFix and put it on the desktop.

Run combofix.exe and follow the instructions.

Post the log file from ComboFix (c:\combofix.txt).

Posted

Ran AVG all night and today it supposedly deleted all the viruses, but then I was told to restart the computer, and now I have neither a desktop nor a start menu nor anything. Pure luck that MSN popped up so I could open my mail and get back in here.

Posted

You can try to get the desktop back by opening Task Manager: Ctrl + Alt + Del

Choose to start a new process and type explorer.exe

The problem is caused by malware, so you have to run ComboFix so we can get the infected files removed. If you have trouble doing this in normal mode, you can boot into Safe Mode with Networking (press F8 during startup and choose Safe Mode with Networking).

Posted

Tried to run ComboFix, but the machine deleted the whole program. I'll download it again and try. I've run antivirus programs over and over but can't get rid of it. I'll post a log later tonight. Thanks a lot for the help :)

Posted

Trying HijackThis then.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:51:51, on 05.07.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\WINDOWS\system32\Tablet.exe

C:\Programfiler\QuickTime\QTTask.exe

C:\WINDOWS\System32\igfxtray.exe

C:\Programfiler\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\MagicDisc\MagicDisc.exe

C:\Programfiler\HPQ\shared\hpqwmi.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Programfiler\Opera\Opera.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://norwegian.ircfast2.com/index.php?rvs=hompag

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)

O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)

O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)

O2 - BHO: (no name) - {24E5C61A-5A81-4E68-BFBB-BC340D5FE2EE} - C:\WINDOWS\system32\khfCtqqp.dll (file missing)

O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)

O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)

O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)

O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)

O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)

O2 - BHO: (no name) - {7D8F380F-E933-4E5E-8646-CF8CD05AB32D} - C:\WINDOWS\system32\tuvUKDVL.dll (file missing)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)

O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)

O2 - BHO: (no name) - {BBEA7B49-9889-479D-9407-A3313E0DE74A} - C:\WINDOWS\system32\vtUooNFY.dll (file missing)

O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)

O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)

O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)

O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

O4 - Startup: MagicDisc.lnk = C:\Programfiler\MagicDisc\MagicDisc.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179924975546

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179924950593

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programfiler\HPQ\shared\hpqwmi.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

 

--

End of file - 7478 bytes

Posted

Close the browser.

Start HJT, choose "Do a system scan only", tick the following lines and click Fix checked:

O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)

O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)

O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)

O2 - BHO: (no name) - {24E5C61A-5A81-4E68-BFBB-BC340D5FE2EE} - C:\WINDOWS\system32\khfCtqqp.dll (file missing)

O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)

O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)

O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)

O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)

O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)

O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)

O2 - BHO: (no name) - {7D8F380F-E933-4E5E-8646-CF8CD05AB32D} - C:\WINDOWS\system32\tuvUKDVL.dll (file missing)

O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)

O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)

O2 - BHO: (no name) - {BBEA7B49-9889-479D-9407-A3313E0DE74A} - C:\WINDOWS\system32\vtUooNFY.dll (file missing)

O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)

O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)

O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)

O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)

 

Download a fresh ComboFix and try to run the program (from either normal or safe mode). Post the log it creates.
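The selection above can be reproduced mechanically: the BHO (O2) lines worth fixing are exactly the ones HijackThis reports with no backing file, either "(no file)" or "(file missing)". The following Python is an added example, not code from the thread or from HijackThis; it parses a constructed excerpt of the posted log and also singles out the orphaned system32 DLLs with random-looking eight-letter names (a heuristic assumption, not an HJT rule).

```python
import re

# One HijackThis O2 line:  O2 - BHO: <name> - {CLSID} - <dll path> [(file missing)] | (no file)
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)

# Constructed excerpt of the HijackThis log posted above (a few O2 lines plus one O4 line).
SAMPLE_LOG = """\
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Programfiler\\Fellesfiler\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {24E5C61A-5A81-4E68-BFBB-BC340D5FE2EE} - C:\\WINDOWS\\system32\\khfCtqqp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Programfiler\\Java\\jre1.6.0_05\\bin\\ssv.dll
O2 - BHO: (no name) - {7D8F380F-E933-4E5E-8646-CF8CD05AB32D} - C:\\WINDOWS\\system32\\tuvUKDVL.dll (file missing)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Programfiler\\QuickTime\\QTTask.exe" -atboottime
"""


def parse_bho_entries(log_text):
    """Return one dict per O2 line; 'orphan' is True when HJT found no DLL behind the CLSID."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue  # O4, R0, O23 ... lines are not BHO registrations
        target = m.group("target")
        if target == "(no file)":
            path, orphan = None, True
        elif target.endswith("(file missing)"):
            path, orphan = target[: -len(" (file missing)")], True
        else:
            path, orphan = target, False
        entries.append({
            "line": line.strip(),
            "name": m.group("name"),
            "clsid": m.group("clsid").upper(),
            "path": path,
            "orphan": orphan,
        })
    return entries


def orphan_bho_lines(log_text):
    """Exactly the lines a helper ticks for 'Fix checked': BHO registrations with no DLL on disk."""
    return [e["line"] for e in parse_bho_entries(log_text) if e["orphan"]]


def random_named_system32_dlls(log_text):
    """Orphaned BHOs whose DLL sat in system32 under an eight-letter random-looking name.
    Heuristic assumption, not an HJT rule; here it matches khfCtqqp.dll and tuvUKDVL.dll."""
    hits = []
    for e in parse_bho_entries(log_text):
        if not (e["orphan"] and e["path"]):
            continue
        fname = e["path"].rsplit("\\", 1)[-1]
        if "\\system32\\" in e["path"].lower() and re.fullmatch(r"[A-Za-z]{8}\.dll", fname):
            hits.append(fname)
    return hits
```

Running it over the full log posted earlier yields the same eighteen O2 lines the helper listed, with the two legitimate BHOs (Adobe, Java, Windows Live) left alone.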

Posted

New log :)

 

ComboFix 08-07-04.6 - Daniel lindter 2008-07-05 23:28:24.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.202 [GMT 2:00]

Running from: C:\Documents and Settings\Daniel lindter\Skrivebord\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))

.

 

2008-07-05 22:51 . 2008-07-05 22:51 <DIR> d-------- C:\Programfiler\Trend Micro

2008-07-05 15:37 . 2008-07-05 17:21 <DIR> dr-h----- C:\Documents and Settings\Daniel lindter\Siste

2008-07-03 21:47 . 2008-07-03 21:47 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-07-02 22:38 . 2008-07-02 22:38 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll

2008-07-02 22:34 . 2008-07-03 07:54 <DIR> d--hs---- C:\WINDOWS\ZGFuaWVs

2008-07-02 22:34 . 2008-07-03 07:38 <DIR> d-------- C:\WINDOWS\system32\yrt

2008-07-02 22:34 . 2008-07-02 22:34 <DIR> d-------- C:\WINDOWS\system32\pRI

2008-07-02 22:34 . 2008-07-02 22:34 <DIR> d-------- C:\WINDOWS\system32\modtrux18

2008-07-02 22:34 . 2008-07-02 22:34 <DIR> d-------- C:\Temp\syschk3

2008-07-02 22:34 . 2008-07-05 22:19 <DIR> d-------- C:\Temp

2008-06-20 16:22 . 2008-06-30 14:37 <DIR> d-------- C:\Programfiler\PhotomatixPro3

2008-06-20 05:40 . 2008-06-20 05:40 90,073 --a------ C:\WINDOWS\system32\iftuyszv.exe

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-05 20:28 --------- d-----w C:\Documents and Settings\Daniel lindter\Programdata\WTablet

2008-07-05 20:25 --------- d-----w C:\Documents and Settings\LocalService\Programdata\WTablet

2008-07-03 19:47 --------- d-----w C:\Programfiler\SUPERAntiSpyware

2008-07-02 22:11 --------- d-----w C:\Programfiler\LimeWire

2008-07-02 20:38 --------- d-----w C:\Documents and Settings\Daniel lindter\Programdata\LimeWire

2008-06-30 10:06 --------- d-----w C:\Programfiler\Macromedia

2008-06-30 10:00 --------- d-----w C:\Documents and Settings\Daniel lindter\Programdata\dvdcss

2008-06-25 12:12 --------- d-----w C:\Documents and Settings\All Users\Programdata\SmartSound Software Inc

2008-06-25 12:06 --------- d-----w C:\Programfiler\Fellesfiler\Macromedia

2008-06-25 12:01 --------- d-----w C:\Programfiler\BitLord

2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-05-07 05:16 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2008-04-23 04:22 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 13:54 253952]

"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-01-22 20:36 155648]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-01-22 20:31 126976]

"Cpqset"="C:\Programfiler\HPQ\Default Settings\cpqset.exe" [2004-11-05 13:52 233534]

"!AVG Anti-Spyware"="C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]

 

C:\Documents and Settings\Daniel lindter\Start-meny\Programmer\Oppstart\

MagicDisc.lnk - C:\Programfiler\MagicDisc\MagicDisc.exe [2008-04-03 22:55:05 546816]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 12:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel lindter^Start-meny^Programmer^Oppstart^Adobe Gamma.lnk]

path=C:\Documents and Settings\Daniel lindter\Start-meny\Programmer\Oppstart\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2007-09-18 16:16 171464 C:\Programfiler\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\WINDOWS\\Installer\\{C169D3BB-9A27-43F5-9979-09A0D65FE95C}\\Icon_SmartFTP.exe"=

"C:\\Programfiler\\Opera\\Opera.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Programfiler\\SmartFTP Client\\SmartFTP.exe"=

 

R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 21:12]

R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 20:30]

 

.

Contents of the 'Scheduled Tasks' folder

"2008-04-28 05:12:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe

.

- - - - ORPHANS REMOVED - - - -

 

ShellExecuteHooks-{7D8F380F-E933-4E5E-8646-CF8CD05AB32D} - (no file)

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-05 23:30:30

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Programfiler\HPQ\Default Settings\cpqset.exe?????????2?7?2?4??????? ?,?B?????????????hLC????????

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-07-05 23:31:57

ComboFix-quarantined-files.txt 2008-07-05 21:31:22

ComboFix2.txt 2008-07-05 20:33:10

ComboFix3.txt 2008-03-31 10:47:16

 

Pre-Run: 63,446,872,064 byte ledig

Post-Run: 63,435,034,624 byte ledig

 

107 --- E O F --- 2008-06-22 08:35:33

Posted

Open Notepad and copy in what is in bold below, save the file on the desktop as CFScript.txt.

Then drag the file onto the ComboFix icon. ComboFix will start again. Post the log.

 

 

File::

C:\WINDOWS\system32\vbzip10.dll

C:\WINDOWS\system32\iftuyszv.exe

 

Folder::

C:\WINDOWS\ZGFuaWVs

C:\WINDOWS\system32\yrt

C:\WINDOWS\system32\pRI

C:\WINDOWS\system32\modtrux18

C:\Temp
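The CFScript above was built from the first ComboFix log's 'Files Created' section: a hidden+system directory under C:\WINDOWS named ZGFuaWVs (the base64 encoding of 'daniel', the machine's user name), a random-named executable in system32, and the other entries created in the same few minutes. The Python below is an added example, not the helper's tool or a ComboFix feature: it parses a constructed excerpt of that log, applies those heuristics (the five-minute clustering window is an assumption) and renders the result in CFScript's File::/Folder:: layout.

```python
import base64
import re
from datetime import datetime, timedelta

# ComboFix "Files Created" line: <created> . <modified> <size or <DIR>> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
RANDOM_EXE = re.compile(r"^[a-z]{8}\.exe$", re.I)

# Constructed excerpt of the first ComboFix log posted in the thread.
SAMPLE_SECTION = """\
2008-07-05 22:51 . 2008-07-05 22:51 <DIR> d-------- C:\\Programfiler\\Trend Micro
2008-07-02 22:38 . 2008-07-02 22:38 147,456 --a------ C:\\WINDOWS\\system32\\vbzip10.dll
2008-07-02 22:34 . 2008-07-03 07:54 <DIR> d--hs---- C:\\WINDOWS\\ZGFuaWVs
2008-07-02 22:34 . 2008-07-03 07:38 <DIR> d-------- C:\\WINDOWS\\system32\\yrt
2008-07-02 22:34 . 2008-07-02 22:34 <DIR> d-------- C:\\WINDOWS\\system32\\modtrux18
2008-07-02 22:34 . 2008-07-05 22:19 <DIR> d-------- C:\\Temp
2008-06-20 16:22 . 2008-06-30 14:37 <DIR> d-------- C:\\Programfiler\\PhotomatixPro3
2008-06-20 05:40 . 2008-06-20 05:40 90,073 --a------ C:\\WINDOWS\\system32\\iftuyszv.exe
"""


def parse_entries(text):
    """Parse 'Files Created' lines into dicts with a datetime and an is_dir flag."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["created"] = datetime.strptime(d["created"], "%Y-%m-%d %H:%M")
            d["is_dir"] = d["size"] == "<DIR>"
            out.append(d)
    return out


def base64_name(name):
    """Decoded text if `name` is base64 of printable ASCII (ZGFuaWVs -> 'daniel'), else None."""
    if len(name) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", name):
        return None
    try:
        raw = base64.b64decode(name, validate=True)
    except ValueError:
        return None
    return raw.decode("ascii") if raw and all(32 <= b < 127 for b in raw) else None


def triage(text, window_minutes=5):
    """Return {path: [reasons]}: strong indicators first, then everything created
    within window_minutes of a strong hit (the helper's 22:34-22:38 cluster)."""
    entries = parse_entries(text)
    flagged = {}
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        reasons = []
        if e["is_dir"] and "h" in e["attrs"] and "s" in e["attrs"]:
            reasons.append("hidden+system directory")
        decoded = base64_name(name)
        if decoded:
            reasons.append(f"name is base64 of '{decoded}'")
        if "\\system32\\" in e["path"].lower() and RANDOM_EXE.match(name):
            reasons.append("random 8-letter exe in system32")
        if reasons:
            flagged[e["path"]] = reasons
    strong_times = [e["created"] for e in entries if e["path"] in flagged]
    window = timedelta(minutes=window_minutes)
    for e in entries:
        if e["path"] not in flagged and any(abs(e["created"] - t) <= window for t in strong_times):
            flagged[e["path"]] = [f"created within {window_minutes} min of a flagged entry"]
    return flagged


def cfscript(text):
    """Render the flagged paths in CFScript.txt's File:: / Folder:: layout."""
    is_dir = {e["path"]: e["is_dir"] for e in parse_entries(text)}
    flagged = triage(text)
    files = [p for p in flagged if not is_dir[p]]
    folders = [p for p in flagged if is_dir[p]]
    lines = ["File::", *files] if files else []
    if folders:
        lines += ["", "Folder::", *folders] if lines else ["Folder::", *folders]
    return "\n".join(lines)
```

Such a script is only a triage aid; the benign Trend Micro and PhotomatixPro3 entries are correctly left out here, but a human still has to vet every path before feeding it to ComboFix.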

Posted

You're just so good :) New log.

 

ComboFix 08-07-04.6 - Daniel lindter 2008-07-06 0:31:48.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.136 [GMT 2:00]

Running from: C:\Documents and Settings\Daniel lindter\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Daniel lindter\Skrivebord\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\WINDOWS\system32\iftuyszv.exe

C:\WINDOWS\system32\vbzip10.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Temp

C:\Temp\syschk3\tdirp5.log

C:\WINDOWS\system32\iftuyszv.exe

C:\WINDOWS\system32\modtrux18

C:\WINDOWS\system32\modtrux18\modtrux182328.exe

C:\WINDOWS\system32\pRI

C:\WINDOWS\system32\pRI\kscomdll3.exe

C:\WINDOWS\system32\vbzip10.dll

C:\WINDOWS\system32\yrt

C:\WINDOWS\ZGFuaWVs

 

.

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))

.

 

2008-07-06 00:13 . 2008-07-06 00:30 <DIR> dr-h----- C:\Documents and Settings\Daniel lindter\Siste

2008-07-05 22:51 . 2008-07-05 22:51 <DIR> d-------- C:\Programfiler\Trend Micro

2008-07-03 21:47 . 2008-07-03 21:47 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-06-20 16:22 . 2008-06-30 14:37 <DIR> d-------- C:\Programfiler\PhotomatixPro3

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-05 20:28 --------- d-----w C:\Documents and Settings\Daniel lindter\Programdata\WTablet

2008-07-05 20:25 --------- d-----w C:\Documents and Settings\LocalService\Programdata\WTablet

2008-07-03 19:47 --------- d-----w C:\Programfiler\SUPERAntiSpyware

2008-07-02 22:11 --------- d-----w C:\Programfiler\LimeWire

2008-07-02 20:38 --------- d-----w C:\Documents and Settings\Daniel lindter\Programdata\LimeWire

2008-06-30 10:06 --------- d-----w C:\Programfiler\Macromedia

2008-06-30 10:00 --------- d-----w C:\Documents and Settings\Daniel lindter\Programdata\dvdcss

2008-06-25 12:12 --------- d-----w C:\Documents and Settings\All Users\Programdata\SmartSound Software Inc

2008-06-25 12:06 --------- d-----w C:\Programfiler\Fellesfiler\Macromedia

2008-06-25 12:01 --------- d-----w C:\Programfiler\BitLord

2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-05-07 05:16 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2008-04-23 04:22 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 13:54 253952]

"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-01-22 20:36 155648]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-01-22 20:31 126976]

"Cpqset"="C:\Programfiler\HPQ\Default Settings\cpqset.exe" [2004-11-05 13:52 233534]

"!AVG Anti-Spyware"="C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]

 

C:\Documents and Settings\Daniel lindter\Start-meny\Programmer\Oppstart\

MagicDisc.lnk - C:\Programfiler\MagicDisc\MagicDisc.exe [2008-04-03 22:55:05 546816]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 12:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel lindter^Start-meny^Programmer^Oppstart^Adobe Gamma.lnk]

path=C:\Documents and Settings\Daniel lindter\Start-meny\Programmer\Oppstart\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2007-09-18 16:16 171464 C:\Programfiler\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\WINDOWS\\Installer\\{C169D3BB-9A27-43F5-9979-09A0D65FE95C}\\Icon_SmartFTP.exe"=

"C:\\Programfiler\\Opera\\Opera.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Programfiler\\SmartFTP Client\\SmartFTP.exe"=

 

R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 21:12]

R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 20:30]

 

.

Contents of the 'Scheduled Tasks' folder

"2008-04-28 05:12:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe

.

- - - - ORPHANS REMOVED - - - -

 

ShellExecuteHooks-{7D8F380F-E933-4E5E-8646-CF8CD05AB32D} - (no file)

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-06 00:33:41

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Programfiler\HPQ\Default Settings\cpqset.exe?????????2?7?2?4??????? ?,?B?????????????hLC????????

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-07-06 0:35:14

ComboFix-quarantined-files.txt 2008-07-05 22:34:35

ComboFix2.txt 2008-07-05 21:31:59

ComboFix3.txt 2008-07-05 20:33:10

ComboFix4.txt 2008-03-31 10:47:16

 

Pre-Run: 63,428,263,936 byte ledig

Post-Run: 63,415,013,376 byte ledig

 

118 --- E O F --- 2008-06-22 08:35:33

Posted

The log looks fine.

You can finish up with the following:

Download CCleaner.

Start the program. Go to 'Options' -> 'Advanced'. Untick: "Only delete temporary files older than 48 hours". Click 'Cleaner' and then 'Run CCleaner'.

Remove ComboFix by typing combofix /u in the Run box.
