
Damn Trojan that won't go away!


Question:

ComboFix says I have to disable Norton before I start.

How do I do that properly?

 

Right-click the Norton icon in the tray at the bottom right; there should be an entry called Disable Antivirus Auto-Protect or something similar.


It is possible that Norton is finding the malware in the System Restore folder. Does Norton say WHERE the file is?

You can now go ahead and try running ComboFix even though it says Norton is running. The reason it asks is that Norton can block some of ComboFix's processes.

Alternative:

Download dds.scr to the desktop and run the file. Post the dds.txt log.


OK, here is the ComboFix log:

 

ComboFix 09-02-06.04 - Eier 2009-02-08 15:31:45.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.143 [GMT 1:00]

Running from: c:\documents and settings\Eier\Desktop\ComboFix.exe

AV: Norton Internet Security Online *On-access scanning enabled* (Updated)

FW: Norton Internet Security Online *enabled*

* Created a new restore point

.

 

((((((((((((((((((((((((((( Files Created From 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))))

.

 

2009-02-01 16:55 . 2009-02-01 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-01 16:54 . 2009-02-01 16:54 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-01 16:54 . 2009-02-01 16:54 <DIR> d-------- c:\documents and settings\Eier\Application Data\SUPERAntiSpyware.com

2009-02-01 16:51 . 2009-02-01 16:51 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-08 14:35 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-08 14:28 --------- d-----w c:\documents and settings\Eier\Application Data\DNA

2009-02-08 12:36 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-02-08 10:57 --------- d-----w c:\program files\DNA

2009-02-01 15:39 --------- d-----w c:\program files\MioNet

2009-01-24 00:02 --------- d-----w c:\documents and settings\Eier\Application Data\BitTorrent

2008-12-14 15:30 --------- d-----w c:\program files\Java

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2007-02-08 18:29 0 ----a-w c:\documents and settings\Eier\Application Data\wklnhst.dat

.

 

(((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legitimate default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2004-08-05 1335386]

"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-07 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-15 342848]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]

"SiSRaid"="c:\program files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2004-12-22 892928]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"BtcMaestro"="c:\program files\KMaestro\KMaestro.exe" [2004-05-07 237568]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 40960]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 61440]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-07-12 24576]

"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2004-07-12 729088]

"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-09-14 28739]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-02-20 115816]

"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-02-20 771704]

"Telenorhjelpen"="c:\program files\Telenor\Telenorhjelpen\Telenor.exe" [2008-02-07 189120]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 c:\windows\AGRSMMSG.exe]

"C-Media Mixer"="Mixer.exe" [2002-10-15 c:\windows\mixer.exe]

"SoundMan"="SOUNDMAN.EXE" [2005-03-24 c:\windows\SOUNDMAN.EXE]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ATI CATALYST-systemstatusfelt.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 61440]

FreeventsSchedule.lnk - c:\philips\FreeventsSchedule.exe [2007-02-27 16384]

Hurtigstart for Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2007-02-26 602112]

TrayMin300.exe.lnk - c:\program files\Philips\SPC 200NC PC Camera\TrayMin200.exe [2006-08-27 278528]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.iv41"= ir41_32.dll

"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

"VIDC.MJPG"= pvmjpg21.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Telenor\\Telenorhjelpen\\Telenor.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1700:TCP"= 1700:TCP:MioNet Remote Drive Access

"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

 

R1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [2007-02-26 11970]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2007-07-15 554352]

R2 MioNet;MioNet Service;c:\program files\MioNet\MioNetManager.exe [2005-07-15 139264]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]

R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [2007-02-26 130112]

R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [2007-02-26 296259]

R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [2007-02-26 137793]

R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [2007-02-26 611444]

R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [2007-02-26 27984]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - COMHOST

*Deregistered* - NDISRD

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.

Contents of the 'Scheduled Tasks' folder

 

2009-02-02 c:\windows\Tasks\Norton Internet Security Online - Kjør fullstendig systemsøk - Eier.job

- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-02-20 13:19]

 

2009-02-08 c:\windows\Tasks\Se etter oppdateringer for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-Error Safe - c:\program files\Error Safe Free\ers.exe

HKLM-Run-Telenor Online Start - c:\program files\Telenor\Online Start\Telenor.exe

HKLM-Run-Cmaudio - cmicnfg.cpl

 

 

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: Åpne i ny bakgrunnsflik - c:\program files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?143430d908824f6485f424caa8479eca

IE: Åpne i ny forgrunnsflik - c:\program files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?143430d908824f6485f424caa8479eca

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-08 15:35:53

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(768)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

.

Completion time: 2009-02-08 15:38:37

ComboFix-quarantined-files.txt 2009-02-08 14:38:32

 

Pre-Run: 110,546,309,120 bytes free

Post-Run: 111,945,977,856 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

 

171 --- E O F --- 2009-01-13 22:43:18

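The log above is ComboFix's own output, and the helper's verdict on it stands as posted. As an added example (not from this thread and not part of ComboFix), the script below shows the triage a practitioner would do on such a log before calling it clean: it parses the bracketed registry sections and pulls out the policy lines this particular log happens to contain, namely the Security Center monitoring flags, the Windows Firewall profile state, the GloballyOpenPorts entries (including 3389/TCP, Remote Desktop) and the AutoRun command attached to a mount point. The LOG string is an excerpt copied from the posted log; the severity labels and the wording of each finding are this script's own assumptions.

```python
"""Triage helper for the registry-policy sections of a ComboFix log.

Added example: not from the thread above and not part of ComboFix. The LOG
string is an excerpt copied from the posted log; the severity labels and
the wording of each finding are this script's own assumptions.
"""
import re
from dataclasses import dataclass

# Excerpt of the log posted above (section headers and entries verbatim).
LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(.*?)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "review": explainable but must be confirmed; "weak": exposure
    key: str
    detail: str


def parse_sections(text):
    """Map each lower-cased [registry key] header to its (name, value) entries.
    Unquoted AutoRun lines under a mountpoints2 key are stored as ('autorun', cmd)."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None and (m := ENTRY_RE.match(line)):
            sections[current].append((m.group(1), m.group(2)))
        elif current is not None and (m := AUTORUN_RE.match(line)):
            sections[current].append(("autorun", m.group(1)))
    return sections


def triage(text):
    """Turn the policy-relevant entries into findings a reviewer can walk through."""
    findings = []
    for key, entries in parse_sections(text).items():
        if key.startswith("hkey_local_machine\\software\\microsoft\\security center"):
            for name, value in entries:
                if name in ("DisableMonitoring", "AntiVirusDisableNotify") and value.endswith("1"):
                    findings.append(Finding("review", key,
                        f"{name}=1: Security Center reporting switched off "
                        "(normal when a third-party suite registers itself, otherwise suspicious)"))
        elif key.endswith("firewallpolicy\\standardprofile"):
            for name, value in entries:
                if name == "EnableFirewall" and value.split()[0] == "0":
                    findings.append(Finding("review", key,
                        "Windows Firewall off for the standard profile "
                        "(acceptable only if a third-party firewall is active)"))
        elif key.endswith("globallyopenports\\list"):
            for name, value in entries:
                port, proto = name.split(":")
                desc = value.split(":", 2)[-1]
                sev = "weak" if port == "3389" else "review"   # 3389 = Remote Desktop
                findings.append(Finding(sev, key, f"port {port}/{proto} open on all interfaces: {desc}"))
        elif "mountpoints2" in key:
            for name, value in entries:
                if name == "autorun":
                    findings.append(Finding("review", key, f"AutoRun command bound to a mounted drive: {value}"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'review': 8, 'weak': 1} for LOG."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(LOG):
        print(f"[{f.severity}] {f.key}\n    {f.detail}")
    print(summarize(triage(LOG)))
```

The DisableMonitoring entries and EnableFirewall=0 are what you expect when a third-party suite such as Norton registers its own antivirus and firewall with Security Center, which the log header (FW: Norton Internet Security Online *enabled*) supports, so the script files them for review rather than as exposures on their own. A port such as 3389/TCP in GloballyOpenPorts is different: it is an inbound Remote Desktop exception that the owner should be able to explain, and so is an AutoRun command bound to a mount point.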

The log looks clean too. Good that the problem is solved :)

I see you have LimeWire installed. Remember that careless use of that program can easily lead to new viruses.

ComboFix must be uninstalled.

Go to Start > Run

Type the following in the box:

  • ComboFix /u

PS: note the space between the X and the /u

You should now have something corresponding to the picture below:

CF_Cleanup.png

Press Enter.

This command will:

  • Remove the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if they exist.
    • The folder C:\Deckard, if it exists.
    • The folder C:\OtMoveIt, if it exists.
  • Reset the clock settings.
  • Hide file extensions, if necessary.
  • Hide System/Hidden files and folders, if necessary.
  • Reset the System Restore points.

Also make sure that Java, Flash Player and Adobe Reader are up to date, in addition to Windows.

-Surf safely-
