2009-02-03, 02:38
  #13
Member
927's avatar
Regarding the DLL file: there is a registry key under Run that is associated with that file. You should find something fishy under msconfig/autostart.

It would have been nice to see the log from MBAM, and when you have heavy infections it can be a good idea to run two quick scans.
2009-02-03, 02:49
  #14
Member
PeeGee's avatar
Quote:
Originally posted by 927
Regarding the DLL file: there is a registry key under Run that is associated with that file. You should find something fishy under msconfig/autostart.

It would have been nice to see the log from MBAM, and when you have heavy infections it can be a good idea to run two quick scans.

Actually, I didn't find anything strange at all in msconfig/autostart, as far as I could see...

The first log:

Malwarebytes' Anti-Malware 1.33
Databasversion: 1718
Windows 6.0.6001 Service Pack 1

2009-02-03 02:04:30
mbam-log-2009-02-03 (02-04-30).txt

Skanningstyp: Snabb skanning
Antal skannade objekt: 42371
Förfluten tid: 3 minute(s), 46 second(s)

Infekterade minnesprocesser: 1
Infekterade minnesmoduler: 0
Infekterade registernycklar: 2
Infekterade registervärden: 7
Infekterade registerdataposter: 4
Infekterade mappar: 2
Infekterade filer: 18

Infekterade minnesprocesser:
C:\Windows\System32\ntos.exe (Backdoor.Bot) -> Unloaded process successfully.

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.

Infekterade registervärden:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserver (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserver (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regcom32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\settings (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Spyware.Banker) -> Quarantined and deleted successfully.

Infekterade registerdataposter:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\ntos.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe "C:\Windows\system32\svchost.exe") Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\ntos.exe,"C:\Windows\system32\svchost.exe",) Good: (userinit.exe) -> Quarantined and deleted successfully.

Infekterade mappar:
C:\Windows\System32\wsnpoem (Trojan.Agent) -> Delete on reboot.
C:\Users\Pierre\AppData\Roaming\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Infekterade filer:
C:\Users\Pierre\AppData\Local\Temp\khfFYSIX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\nnnliGaA.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\crypts.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Pierre\AppData\Local\Temp\19ED.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Pierre\AppData\Local\Temp\ljJBrQij.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Pierre\AppData\Local\Temp\~nsu.tmp\Au_.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\Users\Pierre\AppData\Roaming\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Pierre\AppData\Roaming\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\nvaux32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\inf\xccefb090131.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\xccdf16_090131a.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Windows\xccdf32_090131a.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Windows\system\xccef090131.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Windows\System32\inf\xccdfb16_090131.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Windows\System32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\Users\Pierre\AppData\Roaming\ntos.exe (Spyware.Banker) -> Quarantined and deleted successfully.
2009-02-03, 02:56
  #15
Member
927's avatar
That was quite a lot of junk spread around....
You can post a HijackThis log so we can see whether there is any problem left.
Save HJTInstall.exe on the desktop > click the file > choose install and click: "do a system scan and save logfile".
Post the contents of the txt file that is shown then.
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
Last edited by 927 on 2009-02-03 at 02:59.
2009-02-03, 03:09
  #16
Member
927's avatar
Total Video Converter 3.20.090104.exe (10340891 bytes)
tvc.exe (10002456 bytes) downloaded from the website
2009-02-03, 03:18
  #17
Member
PeeGee's avatar
Sorry for the late reply.. *yawn*

Quote:
Originally posted by 927
That was quite a lot of junk spread around....
You can post a HijackThis log so we can see whether there is any problem left.
Save HJTInstall.exe on the desktop > click the file > choose install and click: "do a system scan and save logfile".
Post the contents of the txt file that is shown then.
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe


Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:17:34, on 2009-02-03
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\lg_swupdate\GiljabiStart.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\UnibetpokerMPP\MPPoker.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lge.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\giljabistart.exe" Gilautouc
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\Windows\system32\inf\rundll33.exe C:\Windows\xccdf16_090131a.dll xccd16
O4 - HKCU\..\Policies\Explorer\Run: [settings] C:\Windows\system32\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NÄTVERKSTJÄNST')
O9 - Extra button: Unibet Poker - {C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - C:\Program Files\UnibetpokerMPP\MPPoker.exe
O13 - Gopher Prefix:
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O20 - AppInit_DLLs: nvaux32
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4767 bytes
2009-02-03, 03:49
  #18
Member
927's avatar
Do a new scan with HJT, tick these lines and fix them:
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\Windows\system32\inf\rundll33.exe C:\Windows\xccdf16_090131a.dll xccd16
O4 - HKCU\..\Policies\Explorer\Run: [settings] C:\Windows\system32\svchost.exe
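To show what sets the two lines above apart from the ordinary startup entries in the posted log, here is an added Python example (not from this thread and not part of HijackThis) that parses HijackThis O4 lines and separates entries living under Policies\Explorer\Run, the location 927 singles out, from the normal Run keys; the sample lines are copied from the log above and the field names are my own.

```python
import re

# Constructed sample: O4 lines copied verbatim from the HijackThis log posted above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\Windows\system32\inf\rundll33.exe C:\Windows\xccdf16_090131a.dll xccd16
O4 - HKCU\..\Policies\Explorer\Run: [settings] C:\Windows\system32\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
"""

# "O4 - <hive>\..\<key>: [<name>] <command>"; the hive may itself contain a SID (HKUS\S-1-5-19).
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HijackThis appends the account name for per-user hives; strip it from the command.
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
EXE_EXT = (".exe", ".dll", ".scr", ".com", ".bat")


def parse_o4(text):
    """Return one dict per O4 line: hive, registry key, value name and command line."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # blank lines and non-O4 lines are ignored
        cmd = USER_SUFFIX_RE.sub("", m.group("cmd")).strip()
        entries.append({"hive": m.group("hive"), "key": m.group("key"),
                        "name": m.group("name"), "cmd": cmd})
    return entries


def image_path(cmd):
    """Extract the program started by a command line, tolerating unquoted paths with spaces."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split(" ")
    for i, part in enumerate(parts):
        if part.lower().endswith(EXE_EXT):
            return " ".join(parts[: i + 1])
    return parts[0]


def policy_run_entries(entries):
    """Entries under Policies\\Explorer\\Run, the key flagged in post #18."""
    return [e for e in entries if e["key"].lower().startswith("policies\\")]


if __name__ == "__main__":
    for e in policy_run_entries(parse_o4(SAMPLE_O4)):
        print(e["hive"], e["key"], e["name"], "->", image_path(e["cmd"]))
```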