
[Solved] Malware on the PC! Slow internet



Hi! I've had problems with the PC before, so I have the programs that are needed lying on the PC! I don't remember the code for making a log, but I'll update the post if someone can attach it in the first reply!

The problem is this! The internet is DEAD slow. This started about 2 days ago, and I haven't downloaded anything in the meantime.

I run SAS 3-4 times every day to check, and I keep finding the same thing: 2-4 tracking cookies! I put them in quarantine, but the internet is just as slow.

If I reboot, as I've just done now, the internet is normal for about 5 minutes before it becomes dead slow. One example, among others, is when I was going to write this post.

I spent 10 minutes, no exaggeration, just getting into HW, and another 10 minutes for every page in here.

Now I have to write fast so I get the thread posted before all hell breaks loose.

Hope someone can help me, and I'm attaching a picture of a SAS scan to show you what I find every time.

Many thanks in advance

NatroN

HJELP_.bmp

Edited by NatroN
> Have had problems with the PC before, so I have the programs that are needed lying on the PC! Don't remember the code for making a log, but I'll update the post if someone can attach it in the first reply!

Not quite sure which programs you're referring to, nor what kind of code you're talking about...

The programs you should run are the ones in norbat's guide (sticky): CCleaner, SAS (the guide says Malwarebytes, but if you have SAS it does the same job), ComboFix and finally HijackThis.

If you already have ComboFix, I'd still like you to first uninstall the old version (Start -> Run -> type: combofix /u) and then download a new version of ComboFix.

Post all the logs here on the forum. You may well put the logs in a spoiler: [1spoiler]put the log here[1/spoiler]

REMOVE the "1" in the code above and you get a spoiler.

edit: tracking cookies are normally nothing you should worry about. Many sites store tracking cookies on your PC so that browsing the site goes faster next time.

Edited by r2d290

SAS, HijackThis, ComboFix and CCleaner are the ones I've used! For some strange reason the internet works completely fine again after I took the battery out of the motherboard and reset the BIOS. So I'll leave this thread until tomorrow, and change the topic if everything works then!

Edit: The log is here, SNIPPSAT!

ComboFix 08-11-01.05 - NatroN 2008-11-02 13:25:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1411 [GMT 1:00]
Running from: C:\Documents and Settings\NatroN\Skrivebord\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NatroN\Start-meny\Programmer\Oppstart\lsass.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.

2008-11-01 19:51 . 2008-11-02 11:56 1,214 --a------ C:\WINDOWS\system\Cmicnfgp.ini
2008-11-01 19:50 . 2006-10-30 19:13 69,632 --a------ C:\WINDOWS\CmiPCIUninstall.exe
2008-11-01 18:05 . 2006-07-26 15:51 5,718,016 --a------ C:\WINDOWS\system\cmicnfgp.cpl
2008-11-01 18:05 . 2006-12-07 11:23 1,423,360 --a------ C:\WINDOWS\system32\drivers\cmudaxp.sys
2008-11-01 18:05 . 2001-11-23 12:08 712,704 --a------ C:\WINDOWS\system32\Audio3Dp.dll
2008-11-01 18:05 . 2006-08-09 17:13 253,952 --a------ C:\WINDOWS\system32\cmrmdrvp.exe
2008-11-01 18:05 . 2006-07-26 12:32 45,056 --a------ C:\WINDOWS\system32\cmudaxp.dll
2008-11-01 18:05 . 2003-02-18 18:26 28,672 --a------ C:\WINDOWS\system32\cmrmdrvp.dll
2008-11-01 18:05 . 2007-07-24 13:18 322 --a------ C:\WINDOWS\cmudaxp.ini
2008-11-01 18:02 . 2008-11-01 19:47 740,192 --a------ C:\WINDOWS\Cmicnfgp.ini.cfl
2008-11-01 18:02 . 2006-10-06 05:47 319,968 --a------ C:\WINDOWS\difxapi.dll
2008-11-01 18:02 . 2007-01-16 15:49 65,536 --a------ C:\WINDOWS\VMix.dll
2008-11-01 18:02 . 2007-04-23 11:16 65,536 --a------ C:\WINDOWS\system32\CmiInstallResAll.dll
2008-11-01 17:53 . 2008-11-01 17:53 <DIR> d-------- C:\Documents and Settings\NatroN\Programdata\vlc
2008-11-01 17:02 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-11-01 16:57 . 2008-11-01 16:57 <DIR> d-------- C:\Documents and Settings\NatroN\Programdata\Sony Setup
2008-11-01 16:15 . 2008-11-01 17:55 <DIR> d-------- C:\Programfiler\DivX
2008-10-28 12:56 . 2008-10-28 12:56 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-21 22:47 . 2008-10-21 22:47 268 --ah----- C:\sqmdata00.sqm
2008-10-21 22:47 . 2008-10-21 22:47 244 --ah----- C:\sqmnoopt00.sqm
2008-10-15 15:58 . 2008-10-15 15:58 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Blizzard
2008-10-15 15:52 . 2008-08-14 14:48 2,182,144 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 15:52 . 2008-08-14 14:48 2,138,112 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 15:52 . 2008-08-14 14:48 2,059,520 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 15:52 . 2008-08-14 14:48 2,017,792 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-05 21:19 . 2008-10-05 21:19 <DIR> d-------- C:\Documents and Settings\NatroN\Programdata\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-02 12:26 --------- d-----w C:\Documents and Settings\NatroN\Programdata\Skype
2008-11-02 10:56 --------- d-----w C:\Programfiler\Steam
2008-11-02 10:54 --------- d-----w C:\Documents and Settings\NatroN\Programdata\uTorrent
2008-11-02 09:33 --------- d--h--w C:\Documents and Settings\All Users\Programdata\ActiveSMART
2008-11-01 18:50 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-11-01 18:50 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-11-01 18:50 --------- d-----w C:\Programfiler\Razer Barracuda AC-1 Gaming Audio Card
2008-11-01 18:46 --------- d-----w C:\Documents and Settings\NatroN\Programdata\skypePM
2008-10-30 18:51 --------- d-----w C:\Documents and Settings\NatroN\Programdata\mIRC
2008-10-30 18:33 --------- d-----w C:\Programfiler\mIRC
2008-10-22 12:00 --------- d-----w C:\Programfiler\World of Warcraft
2008-10-16 12:10 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help
2008-09-16 00:11 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-09-15 15:42 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-04 13:59 --------- d-----w C:\Programfiler\Skype
2008-09-02 18:53 --------- d-----w C:\Programfiler\Fellesfiler\Skype
2008-09-02 18:53 --------- d-----w C:\Documents and Settings\All Users\Programdata\Skype
2008-08-20 05:38 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 13:48 2,138,112 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 13:48 2,017,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-06 13:29 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-08-06 13:27 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2006-06-23 22:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-29 15360]
"EVEREST AutoStart"="C:\Documents and Settings\NatroN\Mine dokumenter\SORTER\Everest Ultimate Edition v4.20.1291 beta(NEW-with serial key)\Everest Ultimate Edition v4.20.1291 beta\Everest Ultimate Edition v4.20.1291 beta\everestultimate_build_1291_gvdh3z0axrt\everest.exe" [2008-02-10 2070112]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-26 1576176]
"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Steam"="C:\Programfiler\Steam\Steam.exe" [2008-10-08 1410296]
"Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2008-08-12 21741864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-12-10 1412608]
"CPU Power Monitor"="C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2008-01-09 627200]
"Cpu Level Up help"="C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-11-30 881152]
"ASUS Energy Saving"="C:\Program Files\ASUS\Ai Suite\EnergySaving\PwSave.exe" [2008-01-24 1352192]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-07-26 13570048]
"DeathAdder"="C:\Programfiler\Razer\DeathAdder\razerhid.exe" [2007-05-07 159744]
"RivaTunerStartupDaemon"="C:\Programfiler\RivaTuner v2.09\RivaTuner.exe" [2008-04-28 2707456]
"WinampAgent"="C:\Programfiler\Winamp\winampa.exe" [2007-10-10 36352]
"PWRISOVM.EXE"="C:\Programfiler\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"GrooveMonitor"="C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"egui"="C:\Programfiler\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"DAEMON Tools"="C:\Programfiler\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-07-26 86016]
"nwiz"="nwiz.exe" [2008-07-26 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-29 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-08-26 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 11:46 352256 C:\Programfiler\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\uTorrent\\uTorrent.exe"=
"C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Programfiler\\Steam\\steamapps\\major_fredde\\counter-strike\\hl.exe"=
"C:\\Programfiler\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Programfiler\\LimeWire\\LimeWire.exe"=
"C:\\COD 4\\iw3mp.exe"=
"C:\\Programfiler\\mIRC\\mirc.exe"=
"C:\\Delta Force Black Hawk Down\\Delta Force Black Hawk Down NoCD CRACK.exe"=
"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
R3 cmudaxp;Razer Barracuda AC-1 Gaming Interface;C:\WINDOWS\system32\drivers\cmudaxp.sys [2006-12-07 1423360]
R3 DAdderFltr;DeathAdder Mouse;C:\WINDOWS\system32\drivers\dadder.sys [2007-04-12 10880]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Documents and Settings\NatroN\Mine dokumenter\SORTER\Everest Ultimate Edition v4.20.1291 beta(NEW-with serial key)\Everest Ultimate Edition v4.20.1291 beta\Everest Ultimate Edition v4.20.1291 beta\everestultimate_build_1291_gvdh3z0axrt\kerneld.wnt [2007-12-14 22640]
S2 ActiveSMART Service;ActiveSMART Service;C:\Programfiler\ActiveSMART 2.62\ASmartService.exe [2008-07-25 520192]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2004-09-29 3584]

*Newly Created Service* - EVERESTDRIVER
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio8788 - cmicnfgp.cpl


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\NatroN\Programdata\Mozilla\Firefox\Profiles\vuvd09j2.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 13:26:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\C:\Documents and Settings\NatroN\Mine dokumenter\SORTER\Everest Ultimate Edition v4.20.1291 beta(NEW-with serial key)\Everest Ultimate Edition v4.20.1291 beta\Everest Ultimate Edition v4.20.1291 beta\everestultimate_build_1291_gvdh3z0axrt\kerneld.wnt"
.
Completion time: 2008-11-02 13:27:46
ComboFix-quarantined-files.txt 2008-11-02 12:27:43

Pre-Run: 22 824 374 272 byte ledig
Post-Run: 24,280,936,448 byte ledig

151 --- E O F --- 2008-10-24 22:04:57

Edited by NatroN
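The log above is the kind of thing the helpers in this thread read by hand: ComboFix removed an lsass.exe from the user's Startup folder ("Other Deletions"), and the service list contains an entry whose binary is regedt32.exe. As an added example, not part of the thread and not ComboFix's own code, here is a small Python triage pass over lines in the shape of that log. It flags the categories a helper looks at first: a core Windows process name outside System32, an executable in a Startup folder, a service that runs a generic system tool, and a Run-key entry launching from a user profile. The sample lines are constructed from the posted log (the EVEREST path is abridged), and the name lists are my own heuristics, not anything ComboFix defines.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines modelled on the ComboFix log posted above
# (the EVEREST path is abridged). These are not ComboFix output.
SAMPLE_LOG = r"""
C:\Documents and Settings\NatroN\Start-meny\Programmer\Oppstart\lsass.exe
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-29 15360]
"EVEREST AutoStart"="C:\Documents and Settings\NatroN\Mine dokumenter\SORTER\everest.exe" [2008-02-10 2070112]
"Steam"="C:\Programfiler\Steam\Steam.exe" [2008-10-08 1410296]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2004-09-29 3584]
"""

# Assumed heuristics (mine, not ComboFix's): core Windows processes that
# legitimately run only from %windir%\system32, and generic system tools
# that no genuine service should use as its service binary.
CORE_PROCESSES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                  "services.exe", "svchost.exe"}
GENERIC_TOOLS = {"regedt32.exe", "regedit.exe", "rundll32.exe", "cmd.exe",
                 "mshta.exe", "wscript.exe"}
SYSTEM32 = "c:\\windows\\system32"

# A Windows path ending in a binary extension, stopping before the [date size] suffix.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|cpl)\b', re.IGNORECASE)
# ComboFix service lines look like "R1 name;display name;path [date size]".
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);")
# Run-key lines look like "Name"="path" [date size].
RUN_ENTRY_RE = re.compile(r'^"[^"]+"=')


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (path, reason) pairs for log entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        service = SERVICE_RE.match(line)
        is_run_entry = bool(RUN_ENTRY_RE.match(line))
        for match in PATH_RE.finditer(line):
            path = match.group(0)
            p = PureWindowsPath(path)
            name = p.name.lower()
            parent = str(p.parent).lower()
            lowered = path.lower()

            # 1. A core Windows process name anywhere but System32.
            if name in CORE_PROCESSES and parent != SYSTEM32:
                findings.append((path, "core Windows process name outside System32"))

            # 2. Any executable in a Startup folder (Norwegian locale: Oppstart).
            if "\\oppstart\\" in lowered or "\\startup\\" in lowered:
                findings.append((path, "executable in a Startup folder"))

            # 3. A service whose binary is a generic system tool.
            if service and name in GENERIC_TOOLS:
                findings.append((path, f"service {service.group(1)} runs a generic system tool"))

            # 4. A Run-key entry launching from a user-writable profile directory.
            if is_run_entry and "\\documents and settings\\" in lowered:
                findings.append((path, "autostart entry under a user profile"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

A hit is a prompt to look closer, not a verdict: the EVEREST entry in this log is a known hardware-monitoring tool that the user chose to keep in "Mine dokumenter", so the profile-directory rule will flag it on purpose, and the same rules would stay quiet on every System32 and Programfiler entry in the original log.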
