Carlgutt, posted 20 October 2009

I'm having some trouble with a trojan I can't get rid of. I've run Avira AntiVir, SUPERAntiSpyware and Malwarebytes, but I still get this message every time I start the PC:

Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Databaseversjon: 3001
Windows 5.1.2600 Service Pack 3

20.10.2009 23:39:00
mbam-log-2009-10-20 (23-39-00).txt

Skanntype: Rask Skann
Objekter skannet: 137587
Tid tilbakelagt: 19 minute(s), 45 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 7
Registerverdier infisert: 1
Registerfiler infisert: 3
Mapper infisert: 1
Filer infisert: 3

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registerverdier infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registerfiler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Mapper infisert:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Filer infisert:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
ComboFix log:

"c:\\Programfiler\\iTunes\\iTunes.exe"=
"c:\\Programfiler\\Skype\\Phone\\skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"32538:TCP"= 32538:TCP:Trend Micro OfficeScan Listener
"63062:TCP"= 63062:TCP:Trend Micro OfficeScan Listener

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [16.10.2007 18:32 19504]
R1 SASDIFSV;SASDIFSV;c:\programfiler\SUPERAntiSpyware\sasdifsv.sys [22.12.2008 12:06 8944]
R1 SASKUTIL;SASKUTIL;c:\programfiler\SUPERAntiSpyware\SASKUTIL.SYS [22.12.2008 12:05 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programfiler\Avira\AntiVir Desktop\sched.exe [08.06.2009 14:52 108289]
R2 TmFilter;Trend Micro Filter;c:\programfiler\Trend Micro\OfficeScan Client\tmxpflt.sys [25.06.2008 15:33 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\programfiler\Trend Micro\OfficeScan Client\tmpreflt.sys [25.06.2008 15:33 36368]
R3 SASENUM;SASENUM;c:\programfiler\SUPERAntiSpyware\SASENUM.SYS [22.12.2008 12:06 7408]
R3 TmProxy;OfficeScan NT Proxy Service;c:\programfiler\Trend Micro\OfficeScan Client\TmProxy.exe [25.06.2008 15:33 652552]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [22.05.2007 14:59 30336]
R3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [17.10.2009 16:51 40448]
S2 ASKUpgrade;ASKUpgrade;c:\programfiler\AskBarDis\bar\bin\ASKUpgrade.exe [23.08.2009 14:18 234888]
S2 gupdate1c9e5ee24fff0a0;Google Update Service (gupdate1c9e5ee24fff0a0);c:\programfiler\Google\Update\GoogleUpdate.exe [05.06.2009 16:58 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programfiler\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programfiler\Google\Update\GoogleUpdate.exe [2009-06-05 14:58]

2009-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programfiler\Google\Update\GoogleUpdate.exe [2009-06-05 14:58]

2009-10-20 c:\windows\Tasks\Oppdater Ordnett Pluss.job
- c:\programfiler\Kunnskapsforlaget\Ordnett Pluss\updater.exe [2008-05-23 09:02]

2009-10-20 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-06-25 23:30]
.
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.ask.com/?o=13928&l=dis
uInternet Settings,ProxyServer = kva-ped-inet:8080
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: DirectEdit - hxxp://support.itsolutions.no/BROWSERTEST/components/DirectEdit.CAB
FF - ProfilePath - c:\documents and settings\cama\Programdata\Mozilla\Firefox\Profiles\dh42vo5s.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
FF - component: c:\programfiler\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\programfiler\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programfiler\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-20 23:58
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_USERS\S-1-5-21-2921463048-102503783-724836745-19006\‹‹õ*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"PNPComplete"=dword:00000001
DUMPHIVE0.003 (REGF)
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\programfiler\ThinkPad\ConnectUtilities\ACNotify.dll
c:\programfiler\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\programfiler\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\programfiler\ThinkPad\ConnectUtilities\ACHelper.dll
c:\programfiler\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(1076)
c:\programfiler\ThinkPad\ConnectUtilities\ACGina.dll
c:\programfiler\ThinkPad\ConnectUtilities\ACHelper.dll
c:\programfiler\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\programfiler\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\programfiler\ThinkPad\ConnectUtilities\ACON.dll
c:\programfiler\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\programfiler\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\programfiler\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\programfiler\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\programfiler\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll

- - - - - - - > 'explorer.exe'(3572)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Tidspunkt ferdig: 2009-10-20 23:59
ComboFix-quarantined-files.txt 2009-10-20 21:59

Pre-Run: 15 588 442 112 byte ledig
Post-Run: 16 654 200 832 byte ledig

WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 25B61B1F5C32C070E5D536D045F87467

Any help is appreciated, thanks.
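The Hijack.Userinit line in the Malwarebytes log above shows the persistence mechanism: Windows runs every comma-separated path in the Winlogon\Userinit value at logon, and sdra64.exe had been appended after the real userinit.exe. The following check is an added example for this thread (not code from the post, from Malwarebytes or from ComboFix): it splits the value and flags any entry other than userinit.exe, using the log's "Bad:" and "Good:" values as constructed samples; the live read uses the standard-library winreg module and is skipped when not running on Windows.

```python
"""Check a Winlogon Userinit value for appended programs.

Added example for this thread, not code from the post or from Malwarebytes.
Windows runs every comma-separated path in the Userinit value under
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon at logon, so
appending sdra64.exe (as in the log above) restarts it at every logon.
"""
import ntpath
import os
import sys
from typing import List, Optional

# The only program expected in the value is the real logon helper.
EXPECTED_BASENAME = "userinit.exe"


def parse_userinit(value: str) -> List[str]:
    """Split the REG_SZ value into program paths; a trailing comma is normal."""
    return [item.strip() for item in value.split(",") if item.strip()]


def unexpected_entries(value: str) -> List[str]:
    """Return every entry whose file name is not userinit.exe (case-insensitive)."""
    return [
        p for p in parse_userinit(value)
        if ntpath.basename(os.path.expandvars(p)).lower() != EXPECTED_BASENAME
    ]


def read_live_userinit() -> Optional[str]:
    """Read the live value via the stdlib winreg module; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _kind = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed samples, copied from the "Bad:" and "Good:" fields of the
# Malwarebytes Hijack.Userinit line in the post above.
HIJACKED = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"

if __name__ == "__main__":
    for label, value in (("log sample", HIJACKED), ("live registry", read_live_userinit())):
        if value is None:
            continue  # no registry to read on this platform
        extra = unexpected_entries(value)
        print(f"{label}: {'suspect ' + repr(extra) if extra else 'clean'}")
```

Anything reported as suspect is a path Winlogon will launch at every logon; the same comparison works against the "Userinit" value exported from an offline hive.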
norbat, posted 21 October 2009

Part of the ComboFix log is missing. Could you post the whole log?
TuNsBeRg, posted 22 October 2009

The absolute best thing would be to format the whole damn thing, then at least it's gone, but if you don't have the OS and other software CDs, then I hear you.