Help! Viruses found: W32.Tenga + W32.Cutwail-H
Hi experts. I've got a virus. Avast Antivirus popped up and said I had been infected with a virus. Now there is constantly a "Jonas.exe" (the same as my username) jumping up and down in the process list. I ran a boot scan and it found W32.Tenga, after which it moved the files to the "chest".
How do I get it removed with the right programs? I have scanned with Malwarebytes, SUPERAntiSpyware and HijackThis, and here are some logs:
—————— MALWAREBYTES LOG ——————
Malwarebytes' Anti-Malware 1.36
Database version: 2157
Windows 5.1.2600 Service Pack 3
20-05-2009 18:13:34
mbam-log-2009-05-20 (18-13-29).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 175013
Time elapsed: 53 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digiwet.dll -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Jonas\Local Settings\Temp\pdfupd.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\digiwet.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\wpv011241292389.exe (Trojan.Agent) -> No action taken.
—————— SUPERANTISPYWARE LOG ——————
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Genereret 05/20/2009 at 06:49 PM
Applikation Version : 4.26.1002
Kerne Regler Database Version : 3902
Spore Regler Database Version: 1848
Scan type : Komplet Skan
Total skanningstid : 00:25:07
Skannet poster i hukommelse : 606
Trusler i hukommelse fundet : 0
Registrerings poster skannet : 5864
Registrerings trusler fundet : 0
Fil poster skannet : 20300
Fil trusler fundet : 0
—————— HIJACKTHIS LOG ——————
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:25:21, on 20-05-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Alwil Software\Avast423\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast423\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\PROGRA~1\ALWILS~1\Avast423\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
D:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
D:\Program Files\VOIPlay\voiplay.exe
C:\Documents and Settings\Jonas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Jonas\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Documents and Settings\Jonas\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jonas\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Alwil Software\Avast423\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast423\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jonas\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jonas\My Documents\Downloads\HiJackThis (1).exe
C:\Documents and Settings\Jonas\Jonas.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 83.140.176.146 thepiratebay.org http://www.thepiratebay.org
O1 - Hosts: 83.140.176.148 static.thepiratebay.org
O1 - Hosts: 83.140.176.150 upload.thepiratebay.org
O1 - Hosts: 83.140.176.149 rss.thepiratebay.org
O1 - Hosts: 83.140.176.157 captcha.thepiratebay.org
O1 - Hosts: 83.140.176.156 torrents.thepiratebay.org
O1 - Hosts: 77.247.176.134 tracker.thepiratebay.org open.tracker.thepiratebay.org
O1 - Hosts: 77.247.176.151 tpb.tracker.thepiratebay.org
O1 - Hosts: 77.247.176.153 eztv.tracker.thepiratebay.org vtv.tracker.thepiratebay.org a.tracker.thepiratebay.org
O1 - Hosts: 77.247.176.154 vip.tracker.thepiratebay.org tv.tracker.thepiratebay.org
O1 - Hosts: 88.80.6.166 mx.thepiratebay.org ns1.thepiratebay.org
O1 - Hosts: 83.140.176.159 ns0.thepiratebay.org
O1 - Hosts: 85.17.40.33 ns2.thepiratebay.org
O1 - Hosts: 217.75.120.120 ns3.thepiratebay.org
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast423\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "D:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [VOIPlay] "D:\Program Files\VOIPlay\voiplay.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jonas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\Jonas\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [Jonas] C:\Documents and Settings\Jonas\Jonas.exe /i
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast423\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast423\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast423\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast423\ashWebSv.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
—
End of file - 8186 bytes
Thanks in advance!
Kind regards
Jonas
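For readers triaging a log like the one above: the Python script below is an added example by the editor, not part of Jonas's post and not code from Malwarebytes, SUPERAntiSpyware or HijackThis. It parses HijackThis O1/O4/O23 lines plus the Malwarebytes "Registry Data Items" line and rates them with the heuristics that make the entries above stand out: an autorun executable sitting in the root of a user profile or a Temp folder (Jonas.exe), a DLL added to the SecurityProviders value that LSASS loads at boot (digiwet.dll), hosts-file overrides, and services with no publisher. The sample input is copied from the logs above; the list of default Windows XP SecurityProviders DLLs is the editor's assumption.

```python
"""Triage helper for HijackThis / Malwarebytes log lines (added example)."""
import re
from typing import Dict, List

# Assumed default SecurityProviders value on Windows XP; any other DLL
# listed there is loaded by LSASS at boot and deserves a look.
KNOWN_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
SECPROV_RE = re.compile(r"SecurityProviders.*?Data: (?P<dll>\S+?\.dll)", re.I)
PROFILE_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\(?P<rest>.*)$")

# Constructed sample: lines copied from the HijackThis and Malwarebytes logs above.
SAMPLE_LOG = r"""
O1 - Hosts: 83.140.176.146 thepiratebay.org http://www.thepiratebay.org
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast423\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jonas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Jonas] C:\Documents and Settings\Jonas\Jonas.exe /i
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast423\ashServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digiwet.dll -> No action taken.
"""


def command_path(cmd: str) -> str:
    """Return the executable path from an O4 command line (quoted or bare)."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def rate_autorun_path(path: str) -> str:
    """Rate an autorun path: high for profile root or Temp, medium elsewhere
    in a user profile, '' for paths that do not trip the heuristic."""
    p = path.lower()
    if "\\temp\\" in p:
        return "high"
    m = PROFILE_RE.match(p)
    if not m:
        return ""
    # Executable directly under the profile folder (e.g. ...\Jonas\Jonas.exe)
    return "high" if "\\" not in m.group("rest") else "medium"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Scan log lines and return a list of findings (line, severity, reason)."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O1 - Hosts:"):
            findings.append({"line": line, "severity": "info",
                             "reason": "hosts-file override; confirm the user made it"})
        elif (m := O4_RE.match(line)):
            sev = rate_autorun_path(command_path(m.group("cmd")))
            if sev:
                findings.append({"line": line, "severity": sev,
                                 "reason": f"autorun '{m.group('name')}' launches from a user-profile path"})
        elif (m := O23_RE.match(line)):
            if m.group("owner") == "Unknown owner":
                findings.append({"line": line, "severity": "info",
                                 "reason": f"service '{m.group('svc')}' has no publisher; verify the binary"})
        elif (m := SECPROV_RE.search(line)):
            dll = m.group("dll").lower()
            if dll not in KNOWN_SECURITY_PROVIDERS:
                findings.append({"line": line, "severity": "high",
                                 "reason": f"unexpected DLL '{dll}' in SecurityProviders (loaded by LSASS at boot)"})
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity'].upper():6}] {f['reason']}\n          {f['line']}")
```

The findings are leads to verify, not verdicts: Google Update legitimately runs from Local Settings\Application Data, which is why a path deeper inside the profile only rates medium, while an executable dropped straight into the profile root (Jonas.exe, with the odd `/i` switch) and a non-default SecurityProviders DLL rate high because a clean XP machine has neither.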