Spywarefri Forum | Trojanere

Trojanere

[ Ignorer ] tooms
27.03.2012 14:01:52 Antal indlæg: 104	Hejsa Jeg har været inficeret med trojaner. Computeren er langsom og den vil ikke gå på google eller andre søgemaskiner. Derudover vil den gerne gå på andre sider. Her er logs fra Eset og Malwarebytes, Superantispyware mistede jeg desværre. Gider i kigge det igennem, så vil jeg blive meget glad Vh. Thomas ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6583 # api_version=3.0.2 # EOSSerial=077b4648fa7ba8408bf649174207997c # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2012-03-22 01:19:32 # local_time=2012-03-22 02:19:32 (+0100, Rom, normaltid) # country=“Denmark” # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=1024 16777175 100 0 62465326 62465326 0 0 # compatibility_mode=8192 67108863 100 0 3762 3762 0 0 # scanned=81610 # found=5 # cleaned=4 # scan_time=7217 C:\Documents and Settings\MASK1\fb940290-5807.exe Win32/Agent.TFL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Documents and Settings\MASK1\Lokale indstillinger\temp\6df52617-5807.tmp Win32/Agent.TFL trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C C:\Documents and Settings\MASK1\Lokale indstillinger\temp\85f2d138-5807.tmp Win32/Agent.TFL trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{31DB94B3-EEBC-430E-B32D-C09AD0EAA742}\RP1633\A0105340.exe Win32/Agent.TFL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C ${Memory} a variant of Win32/Agent.TFL trojan 00000000000000000000000000000000 I esets_scanner_update returned -1 esets_gle=53251 Malwarebytes Anti-Malware 1.60.1.1000 http://www.malwarebytes.org Database version: v2012.03.22.02 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 MASK1 :: MASK1 [administrator] 22-03-2012 12:07:02 mbam-log-2012-03-22 (12-07-02).txt Skanningstype: Fuldstændig skanning Skanningsmuligheder valgt: Hukommelse \| Opstart \| Registreringsdatabasen \| Filsystem \| Heuristics/Ekstra \| Heuristics/Shuriken \| PUP \| PUM Skanningsmuligheder som er deaktiverede: P2P Objekter skannet: 277728 Tid gået: 1 time(e), 24 minut(ter), 19 sekund(er) Hukommelses Processorer Inficeret: 0 (Ingen skadelige objekter blev fundet) Hukommelses Moduler Inficeret: 0 (Ingen skadelige objekter blev fundet) Registreringsdatabasenøgler Inficeret: 0 (Ingen skadelige objekter blev fundet) Registreringsdatabaseværdier Inficeret: 1 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|Windows Update Server (Trojan.Agent.H) -> Data: C:\Documents and Settings\MASK1\fb940290-5807.exe -> Bliver slettet ved genstart. Registreringsdatabasedata Objekter Inficeret: 0 (Ingen skadelige objekter blev fundet) Inficerede Mapper: 0 (Ingen skadelige objekter blev fundet) Inficerede Filer: 2 C:\Documents and Settings\MASK1\fb940290-5807.exe (Trojan.Agent.H) -> Sat i karantæne og slettet succesfuldt. C:\System Volume Information\_restore{31DB94B3-EEBC-430E-B32D-C09AD0EAA742}\RP1633\A0105340.exe (Trojan.Agent.H) -> Sat i karantæne og slettet succesfuldt. (færdig)
[ Ignorer ] [ # 1 ] tooms
27.03.2012 15:13:50 Antal indlæg: 104	Prøvede lige Combofix.. her er log ComboFix 12-03-27.02 - MASK1 27-03-2012 14:45:27.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.45.1030.18.2039.1492 [GMT 2:00] Kører fra: c:\documents and settings\MASK1\Skrivebord\ComboFix.exe AV: AVG Anti-Virus Free Enabled/Updated {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Avira Desktop Disabled/Updated {AD166499-45F9-482A-A743-FDD3350758C7} . advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !! . . ((((((((((((((((((((((((((((((((((((((( Andet, der er slettet ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\All Users\Application Data\TEMP c:\documents and settings\MASK1\WINDOWS c:\windows\IsUn0406.exe . . ((((((((((((((((((((((((((((((((((((((( Drivers/Tjenester ))))))))))))))))))))))))))))))))))))))))))))))))) . . ———-\Legacy_SSHNAS ———-\Service_SSHNAS . . ((((((((((((((((((((((((((((( Filer skabt fra 2012-02-27 til 2012-03-27 ))))))))))))))))))))))))))))))))))) . . 2012-03-27 10:53 . 2012-03-27 10:54 ———— d——-w- c:\programmer\UltraVNC 2012-03-27 10:53 . 2012-03-27 10:53 ———— d——-w- c:\documents and settings\LocalService\Menuen Start 2012-03-27 10:50 . 2012-03-27 10:50 ———— d——-w- c:\programmer\QuickTime 2012-03-27 10:49 . 2012-03-27 10:49 ———— d——-w- c:\documents and settings\All Users\Application Data\Apple Computer 2012-03-27 10:47 . 2012-03-27 10:47 ———— d——-w- c:\documents and settings\Default User\Lokale indstillinger\Application Data\Apple Computer 2012-03-27 09:10 . 2012-03-27 09:10 ———— d——-w- c:\documents and settings\MASK1\Lokale indstillinger\Application Data\Secunia PSI 2012-03-27 09:10 . 2012-03-27 09:10 ———— d——-w- c:\programmer\Secunia 2012-03-27 09:06 . 2012-03-27 09:06 ———— d——-w- c:\documents and settings\MASK1\Application Data\Avira 2012-03-27 09:00 . 2012-01-31 06:57 74640 ——a-w- c:\windows\system32\drivers\avgntflt.sys 2012-03-27 09:00 . 2012-01-31 06:57 137416 ——a-w- c:\windows\system32\drivers\avipbb.sys 2012-03-27 09:00 . 2011-09-16 14:09 36000 ——a-w- c:\windows\system32\drivers\avkmgr.sys 2012-03-27 09:00 . 2012-03-27 09:00 ———— d——-w- c:\programmer\Avira 2012-03-27 09:00 . 2012-03-27 09:00 ———— d——-w- c:\documents and settings\All Users\Application Data\Avira 2012-03-22 11:22 . 2012-03-22 11:22 ———— d——-w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2012-03-22 11:16 . 2012-03-22 11:16 ———— d——-w- c:\programmer\ESET . . . (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-03-14 06:50 . 2011-05-18 05:52 414368 ——a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-02-03 09:57 . 2004-08-27 12:00 1860096 ———w- c:\windows\system32\win32k.sys 2012-01-11 19:07 . 2012-02-17 07:02 3072 ———w- c:\windows\system32\iacenc.dll 2012-01-09 16:20 . 2005-02-23 10:06 139784 ———w- c:\windows\system32\drivers\rdpwd.sys . . ((((((((((((((((((((((((((((((((((( Start steder i reg.basen )))))))))))))))))))))))))))))))))))))))))))))))) . . Bemærk tomme linier & lovlige standard linier vises ikke REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “WMPNSCFG”=“c:\programmer\Windows Media Player\WMPNSCFG.exe” [2006-11-15 204288] “updateMgr”=“c:\programmer\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe” [2006-03-30 313472] “SUPERAntiSpyware”=“c:\programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2012-03-07 3905920] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Genvej til egenskabsside for High Definition Audio”=“HDAudPropShortcut.exe” [2004-08-12 61952] “SoundMan”=“SOUNDMAN.EXE” [2004-10-21 77824] “AlcWzrd”=“ALCWZRD.EXE” [2004-10-21 2744832] “IgfxTray”=“c:\windows\system32\igfxtray.exe” [2004-11-02 155648] “HotKeysCmds”=“c:\windows\system32\hkcmd.exe” [2004-11-02 126976] “RemoteControl”=“c:\programmer\CyberLink\PowerDVD\PDVDServ.exe” [2003-10-31 32768] “hcenter”=“c:\programmer\Support.com\bin\tgcmd.exe” [2005-04-08 1757184] “BrStsWnd”=“c:\programmer\Brownie\BrstsWnd.exe” [2009-06-11 3618104] “SunJavaUpdateSched”=“c:\programmer\Fælles filer\Java\Java Update\jusched.exe” [2011-04-08 254696] “avgnt”=“c:\programmer\Avira\AntiVir Desktop\avgnt.exe” [2012-01-31 258512] “QuickTime Task”=“c:\programmer\QuickTime\QTTask.exe” [2011-10-24 421888] . c:\documents and settings\All Users\Menuen Start\Programmer\Start\ Adobe Reader Hurtigstart.lnk - c:\programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] Secunia PSI Tray.lnk - c:\programmer\Secunia\PSI\psi_tray.exe [2011-10-14 291896] Windows Search.lnk - c:\programmer\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] “{56F9679E-7826-4C84-81F3-532071A8BCC5}”= “c:\programmer\Windows Desktop Search\MSNLNamespaceMgr.dll” [2009-05-24 304128] “{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= “c:\programmer\SUPERAntiSpyware\SASSEH.DLL” [2011-07-19 113024] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2011-05-04 17:54 551296 ——a-w- c:\programmer\SUPERAntiSpyware\SASWINLO.DLL . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @=”“ . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\\system32\\sessmgr.exe”= “c:\\Programmer\\Danware Data\\NetOp Remote Control\\Host\\NHSTW32.EXE”= “c:\\Programmer\\Support.com\\bin\\tgcmd.exe”= “c:\\Programmer\\Messenger\\msmsgs.exe”= “%windir%\\Network Diagnostic\\xpnetdiag.exe”= “c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe”= “c:\\Programmer\\UltraVNC\\vncviewer.exe”= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] “5900:TCP”= 5900:TCP:vnc5900 “5800:TCP”= 5800:TCP:vnc5800 . R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [27-03-2012 11:00 36000] R1 NHostNT1;NetOp Driver 1 ver. 8.00 (2005061);c:\windows\system32\drivers\NHOSTNT1.SYS [18-06-2005 10:49 65808] R1 SASDIFSV;SASDIFSV;c:\programmer\SUPERAntiSpyware\sasdifsv.sys [22-07-2011 18:27 12880] R1 SASKUTIL;SASKUTIL;c:\programmer\SUPERAntiSpyware\SASKUTIL.SYS [12-07-2011 23:55 67664] R2 !SASCORE;SAS Core Service;c:\programmer\SUPERAntiSpyware\SASCore.exe [12-08-2011 01:38 116608] R2 AntiVirSchedulerService;Avira Scheduler;c:\programmer\Avira\AntiVir Desktop\sched.exe [27-03-2012 11:00 86224] R2 NetOp Host for NT Service;NetOp Helper ver. 8.00 (2005061);c:\programmer\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE [18-06-2005 10:49 1184016] R2 Secunia PSI Agent;Secunia PSI Agent;c:\programmer\Secunia\PSI\PSIA.exe—start-service—> c:\programmer\Secunia\PSI\PSIA.exe—start-service [?] R2 Secunia Update Agent;Secunia Update Agent;c:\programmer\Secunia\PSI\sua.exe—start-service—> c:\programmer\Secunia\PSI\sua.exe—start-service [?] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [11-10-2004 16:34 32640] R3 NHOSTNT3;NetOp Driver 3 ver. 8.00 (2005061) (NHOSTNT3);c:\windows\system32\drivers\NHOSTNT3.SYS [18-06-2005 10:49 3216] R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01-09-2010 10:30 15544] S2 gupdate;Tjenesten Google Update (gupdate);c:\programmer\Google\Update\GoogleUpdate.exe [07-10-2010 14:25 136176] S3 gupdatem;Google Update Tjeneste (gupdatem);c:\programmer\Google\Update\GoogleUpdate.exe [07-10-2010 14:25 136176] . —- Andre Services/Drivers i Hukommelsen—- . NewlyCreated - JAVAQUICKSTARTERSERVICE NewlyCreated - SECUNIA_UPDATE_AGENT NewlyCreated - SSMDRV . Indhold af mappen ‘Planlagte Opgaver’ . 2010-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\programmer\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:57] . 2012-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\programmer\Google\Update\GoogleUpdate.exe [2010-10-07 12:25] . 2012-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\programmer\Google\Update\GoogleUpdate.exe [2010-10-07 12:25] . 2011-03-30 c:\windows\Tasks\Total.job - c:\programmer\Sonic\Backup MyPC 6\System\sbestart.exe [2004-10-15 02:10] . . ———- Yderligere scanning———- . uStart Page = hxxp://www.google.dk/ uInternet Settings,ProxyOverride = <local> Trusted Zone: danid.dk Trusted Zone: oeb.dk Trusted Zone: oestjydskbank.dk Trusted Zone: danid.dk TCP: DhcpNameServer = 192.168.1.1 DPF: {92EB6641-286A-11D2-A68E-00A0C996A6DD} - hxxp://www.kps.dk/codebase/jfsignature.cab DPF: {9DF01F00-08E7-4DBE-9070-94841463B3FE} - hxxps://danid.dk/csp/authenticode/csp.exe . - - - - TOMME GENVEJE FJERNET - - - - . Toolbar-Locked - (no file) Notify-avgrsstarter - avgrsstx.dll AddRemove-Vendsyssel Data C5_is1 - f:\c5win\unins000.exe . . . ************************************************************************ . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-03-27 14:54 Windows 5.1.2600 Service Pack 3 NTFS . scanner skjulte processer ... . scanner skjulte autostarter ... . scanner skjulte filer ... . scanning gennemført med succes skjulte filer: 0 . ************************************************************************ . ——————————- DLLs startet under kørende Processer——————————- . - - - - - - - > ‘winlogon.exe’(696) c:\programmer\SUPERAntiSpyware\SASWINLO.DLL . Gennemført tid: 2012-03-27 14:59:33 ComboFix-quarantined-files.txt 2012-03-27 12:59 . Pre-Kørsel: 64.775.794.688 byte ledig Post-Kørsel: 64.798.777.344 byte ledig . - - End Of File - - FCF1E020F0DD3B867E006D13E4385C8E
[ Ignorer ] [ # 2 ] f-arn TeamSpywarefri
28.03.2012 10:19:23 Administrator Team Spywarefri Antal indlæg: 7045	Hej Thomas Jeg vil fraråde dig at bruge CommboFx på egen hånd, men hvordan er situationen nu Signatur Undlad venligst at vedhæfte logs, medmindre du bliver bedt om det !
[ Ignorer ] [ # 3 ] f-arn TeamSpywarefri
03.04.2012 09:14:02 Administrator Team Spywarefri Antal indlæg: 7045	Er du stadig med, eller har du opgivet Denne tråd kan blive lukket om tre dage. Signatur Undlad venligst at vedhæfte logs, medmindre du bliver bedt om det !
[ Ignorer ] [ # 4 ] f-arn TeamSpywarefri
06.04.2012 10:18:05 Administrator Team Spywarefri Antal indlæg: 7045	Lukket på grund af manglende respons. Hvis tråden ønskes genåbnet, kan opretteren af tråden klikke på mit brugernavn -> Send privat besked. Alle andre bør lave deres egen tråd. Signatur Undlad venligst at vedhæfte logs, medmindre du bliver bedt om det !