Trojan + miscellaneous.
Hi. I've had a visit from a trojan + various viruses. I'm still trying to get rid of it, but pop-ups keep appearing constantly, while F-Secure reports errors and Windows blocks some startup programs, and the response time is extremely slow (e.g. it says the operation returned because the timeout period expired)... It's behaving very strangely..
Here are the log files from Combo, HijackThis and Malwarebytes.
ComboFix 10-09-25.07 - Fam. Tanggaard Bille 26-09-2010 19:30:14.7.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.45.1030.18.766.301 [GMT 2:00]
Kører fra: c:\users\Fam. Tanggaard Bille\Desktop\ComboFix.exe
Kommandoer benyttet :: c:\users\Fam. Tanggaard Bille\Desktop\CFScript.txt
AV: F-Secure Client Security 7.10 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Client Security 7.10 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
SP: F-Secure Client Security 7.10 *disabled* (Updated) {0651C4B0-1D7E-4682-B965-2E9523C483A5}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Fam. Tanggaard Bille\AppData\Local\TempDIR
c:\users\Fam. Tanggaard Bille\AUTORUN.INF
c:\users\Fam. Tanggaard Bille\Cookies.lnk
c:\users\Fam. Tanggaard Bille\fwtum.exe
c:\users\Fam. Tanggaard Bille\geakas.exe
c:\users\Fam. Tanggaard Bille\impro.exe
c:\users\Fam. Tanggaard Bille\lvpoy.exe
c:\users\Fam. Tanggaard Bille\raitip.exe
c:\users\Fam. Tanggaard Bille\sbpro.exe
c:\users\Fam. Tanggaard Bille\vapro.exe
c:\users\Fam. Tanggaard Bille\yeuemex.0xe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
.
((((((((((((((((((((((((((((( Filer skabt fra 2010-08-26 til 2010-09-26 )))))))))))))))))))))))))))))))))))
.
Ingen nye filer dannet i denne periode
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-26 10:14 . 2010-04-09 20:07 -------- d-----w- c:\program files\Common Files\Apple
2010-09-26 10:11 . 2008-07-14 17:48 -------- d-----w- c:\programdata\Apple Computer
2010-09-25 17:01 . 2007-09-14 04:32 13730 ----a-w- c:\users\Fam. Tanggaard Bille\AppData\Roaming\nvModes.dat
2010-09-25 14:17 . 2008-08-28 05:14 -------- d-----w- c:\program files\CCleaner
2010-09-19 07:00 . 2007-09-18 20:28 680 ----a-w- c:\users\Fam. Tanggaard Bille\AppData\Local\d3d9caps.dat
2010-09-16 17:51 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-16 13:05 . 2008-07-14 17:55 -------- d-----w- c:\users\Fam. Tanggaard Bille\AppData\Roaming\Apple Computer
2010-09-15 13:06 . 2007-06-12 22:31 84790 ----a-w- c:\windows\system32\perfc006.dat
2010-09-15 13:06 . 2007-06-12 22:31 483230 ----a-w- c:\windows\system32\perfh006.dat
2010-09-12 08:19 . 2006-12-09 13:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-12 07:06 . 2009-05-05 20:23 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-26 11:12 . 2008-08-27 18:27 548 ----a-w- c:\users\Fam. Tanggaard Bille\AppData\Roaming\wklnhst.dat
2010-08-08 07:30 . 2007-10-15 18:53 -------- d-----w- c:\program files\Common Files\Java
2010-08-08 07:29 . 2007-10-15 18:59 -------- d-----w- c:\program files\Java
2010-07-27 16:44 . 2010-07-27 16:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 16:44 . 2010-07-27 16:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-17 03:00 . 2010-05-11 19:42 423656 ----a-w- c:\windows\system32\deployJava1.dll
.
((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 09:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [x]
R4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2007-08-27 39792]
R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2007-08-27 25200]
S1 F-Secure HIPS;F-Secure HIPS;c:\program files\F-Secure\HIPS\fshs.sys [2007-08-27 70768]
S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2007-08-27 34736]
S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2007-08-27 69136]
S1 fsvista;F-Secure Vista Support Driver;c:\program files\F-Secure\Anti-Virus\minifilter\fsvista.sys [2007-08-27 12912]
S2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\users\Fam. Tanggaard Bille\Forefront UAG Remote Access Agent\rhsnetrhsdk\rhsdk1\uagqecsvc.exe [2010-08-10 149896]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2007-08-27 62064]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Indhold af mappen 'Planlagte Opgaver'
2010-09-26 c:\windows\Tasks\User_Feed_Synchronization-{42C083EB-7F72-4279-B191-150D09048E0B}.job
- c:\windows\system32\msfeedssync.exe [2010-08-13 04:24]
.
- - - - TOMME GENVEJE FJERNET - - - -
HKCU-Run-fwtum - c:\users\Fam. Tanggaard Bille\fwtum.exe
HKCU-Run-lvpoy - c:\users\Fam. Tanggaard Bille\lvpoy.exe
SafeBoot-WinDefend
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-26 19:50
Windows 6.0.6002 Service Pack 2 NTFS
scanner skjulte processer ...
scanner skjulte autostarter ...
scanner skjulte filer ...
scanning gennemført med succes
skjulte filer: 0
**************************************************************************
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Andre kørende processer ------------------------
.
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\F-Secure\Common\FSMB32.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\F-Secure\Common\FCH32.EXE
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\program files\F-Secure\Common\FAMEH32.EXE
c:\program files\F-Secure\Anti-Virus\fsqh.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\F-Secure\Common\FNRB32.EXE
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\F-Secure\Common\FIH32.EXE
c:\program files\F-Secure\FSAUA\program\fsaua.exe
c:\program files\F-Secure\FWES\Program\fsdfwd.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Acer\Acer Arcade\PCMService.exe
c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe
c:\program files\Launch Manager\LManager.exe
c:\program files\F-Secure\common\FSM32.EXE
c:\windows\System32\LVCOMSX.EXE
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\rundll32.exe
c:\users\FAM~1.TAN\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\F-Secure\FSGUI\fsguidll.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\F-Secure\Anti-Virus\fsav32.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Gennemført tid: 2010-09-26 20:09:55 - maskinen blev genstartet
ComboFix-quarantined-files.txt 2010-09-26 18:09
ComboFix2.txt 2010-01-03 20:21
ComboFix3.txt 2009-12-24 13:50
ComboFix4.txt 2009-10-31 11:40
ComboFix5.txt 2010-09-26 17:23
Pre-Kørsel: 19.378.343.936 byte ledig
Post-Kørsel: 19.307.610.112 byte ledig
- - End Of File - - EE16F2CD4DE1CC7B0A5B79E331C24ED5
Malwarebytes' Anti-Malware 1.44
Database version: 3825
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943
26-09-2010 18:21:09
mbam-log-2010-09-26 (18-21-09).txt
Skan type: Fuldstændig skanning (C:\|D:\|)
Objekter skannet: 246430
Tid tilbagelagt: 2 hour(s), 48 minute(s), 19 second(s)
Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 2
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 1
Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)
Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)
Inficerede Registeringsdatabase Nøgler:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)
Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)
Inficerede Mapper:
(Ingen mistænkelige filer fundet)
Inficerede Filer:
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.