ecko, posted 22 August 2008:

SAS didn't find it on my machine, and I don't think Avast did either, but Norman kept nagging that it had found Tibs.gen222. As I understood it, it's in a file called _c0069416.dat, and the file is in Windows\system32\. I tried to delete the file, but that didn't work. Now Norman is nagging about smalltroj.FYPZ, which is in the same file. So how do I get rid of it?
norbat, posted 22 August 2008:

Step 1: Download Malwarebytes Anti-Malware to the desktop. Run and install the program. Choose Norwegian as the language. Let the program update itself, choose to run a 'quick system scan', and click Scan. A message box will appear saying the scan is finished; click OK. Click the 'Show results' button. If malware was found, you will now see what was found. Then click the Remove selected button to remove any malware that was found. A log will then open in Notepad. Copy it and post it later.

Step 2: Get ComboFix and put it on the desktop. Run combofix.exe and follow the instructions. You must not click on the window while the program is running. Post the log file from ComboFix (c:\combofix.txt) plus the log from MBAM.
ecko (thread author), posted 22 August 2008:

Malwarebytes' Anti-Malware 1.25
Database versjon: 1062
Windows 5.1.2600 Service Pack 2

19:18:41 22.08.2008
mbam-log-08-22-2008 (19-18-41).txt

Skanntype: Rask Skann
Objekter skannet: 44889
Tid tilbakelagt: 5 minute(s), 25 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 1
Registernøkler infisert: 1
Registerverdier infisert: 2
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 1

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
C:\WINDOWS\system32\__c0069416.dat (Trojan.Zlob) -> Delete on reboot.

Registernøkler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0069416 (Trojan.Agent) -> Quarantined and deleted successfully.

Registerverdier infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1593ed.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f56d57.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\WINDOWS\system32\__c0069416.dat (Trojan.Agent) -> Delete on reboot.

I was told that the very file I'm struggling with couldn't be removed, but that it will be removed on restart.
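The MBAM log above has a fixed shape (a section header, then one `target (detection) -> action.` line per hit), so a small parser can pull out the two things a defender checks first: what could only be scheduled for deletion on reboot, and which findings are autostart entries. This is an added Python example, not code from the thread or from Malwarebytes; the sample text is an excerpt of the log posted above, and the `Finding` class and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
# Detection sections copied from the MBAM log posted above (constructed excerpt:
# summary counts omitted). Section names are Norwegian as in the original log.
MBAM_LOG = r"""
Minnemoduler infisert:
C:\WINDOWS\system32\__c0069416.dat (Trojan.Zlob) -> Delete on reboot.
Registernøkler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0069416 (Trojan.Agent) -> Quarantined and deleted successfully.
Registerverdier infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1593ed.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f56d57.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Mapper infisert:
(Ingen mistenkelige filer funnet)
Filer infisert:
C:\WINDOWS\system32\__c0069416.dat (Trojan.Agent) -> Delete on reboot.
"""

# One detection line: "<target> (<detection>) -> <action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section header "<name>:"; the summary block's "<name>: <count>" lines do not match.
HEADER_RE = re.compile(r"^(?P<name>[^:]+):\s*$")
# Autostart locations. A Winlogon\Notify package is a DLL mapped into winlogon.exe,
# which is why the .dat file could only be scheduled for deletion on reboot.
AUTOSTART_MARKERS = ("\\Winlogon\\Notify\\", "\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
@dataclass
class Finding:
    section: str
    target: str
    detection: str
    action: str

def parse_mbam_log(text: str) -> list[Finding]:
    """Turn the per-section detection lines of an MBAM log into Finding records."""
    findings, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("("):  # blank, or "(Ingen ... funnet)"
            continue
        if header := HEADER_RE.match(line):
            section = header.group("name")
        elif (item := ITEM_RE.match(line)) and section:
            findings.append(Finding(section, **item.groupdict()))
    return findings

def pending_reboot(findings: list[Finding]) -> list[str]:
    """Targets MBAM could not remove while running; confirm they are gone after restart."""
    return sorted({f.target for f in findings if f.action.startswith("Delete on reboot")})

def autostart_entries(findings: list[Finding]) -> list[str]:
    """Registry findings that are persistence points (Run values, Winlogon Notify keys)."""
    return [f.target for f in findings if any(m in f.target for m in AUTOSTART_MARKERS)]
```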
norbat, posted 22 August 2008:

Yes, just follow the instructions the program gives, i.e. restart the PC. Then continue with ComboFix.
ecko (thread author), posted 22 August 2008:

ComboFix 08-08-21.02 - ***** 2008-08-22 19:30:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.158 [GMT 2:00]
Running from: C:\Documents and Settings\*****\Skrivebord\FireFox downloads\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NSESVC
-------\Service_nsesvc


((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.

2008-08-22 19:33 . 2008-08-22 19:33 <DIR> dr-h----- C:\Documents and Settings\*****\Siste
2008-08-22 18:35 . 2008-08-22 18:36 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-08-22 18:35 . 2008-08-22 18:35 <DIR> d-------- C:\Documents and Settings\*****\Programdata\Malwarebytes
2008-08-22 18:35 . 2008-08-22 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-08-22 18:35 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-22 18:35 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-22 14:37 . 2008-08-22 14:37 <DIR> d-------- C:\Programfiler\Alwil Software
2008-08-04 20:06 . 2008-08-04 20:06 <DIR> d-------- C:\Programfiler\iPod
2008-08-04 20:05 . 2008-08-04 20:06 <DIR> d-------- C:\Programfiler\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-22 17:34 --------- d-----w C:\Programfiler\Norman
2008-08-20 13:59 --------- d-----w C:\Documents and Settings\*****\Programdata\uTorrent
2008-08-18 20:45 --------- d-----w C:\Programfiler\Apple Software Update
2008-08-12 10:31 --------- d-----w C:\Programfiler\Java
2008-07-14 17:26 --------- d-----w C:\Programfiler\QuickTime
2008-07-10 12:23 --------- d-----w C:\Programfiler\YouTube Downloader
2007-07-23 13:33 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

------- Sigcheck -------

2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-02-05 23:01 360576 c5e8c53a50767f016b539d946ed8b121 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-04 14:52 1506544]
"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-08-04 00:15 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Smapp"="C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 09:08 143360]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Norman ZANDA"="C:\Programfiler\Norman\Npm\Bin\ZLH.EXE" [2008-06-02 09:47 277616]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AppleSyncNotifier"="C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"bcmwltry"="bcmwltry.exe" [2003-07-26 01:28 462848 C:\WINDOWS\system32\bcmwltry.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="C:\WINDOWS\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 10:06 12451]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-31 16:29 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Programfiler\\uTorrent\\utorrent.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=
"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=
"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=
"C:\\Programfiler\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"44337:TCP"= 44337:TCP:anerikke
"6999:TCP"= 6999:TCP:ann
"18983:TCP"= 18983:TCP:BitComet 18983 TCP
"18983:UDP"= 18983:UDP:BitComet 18983 UDP

R0 NDIS_RD;Norman Firewall NDIS driver;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2008-02-07 13:12]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R1 NPROSEC;Norman Security driver;C:\Programfiler\Norman\Ngs\bin\nprosec.sys [2008-04-15 15:57]
R1 TDI_RD;Norman Firewall TDI driver;C:\WINDOWS\system32\drivers\tdi_rd.sys [2008-02-07 13:12]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 Ndiskio;Ndiskio;C:\Programfiler\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 11:55]
R2 NPFSvc32;Norman Personal Firewall Service;C:\Programfiler\Norman\npf\bin\npfsvc32.exe [2008-05-06 09:16]
R2 NPROSECSVC;Norman Security service;C:\Programfiler\Norman\Ngs\bin\NPROSEC.EXE [2008-04-22 09:36]
R2 NVOY;Norman's Very Own supplY of resources;C:\Programfiler\Norman\npm\bin\nvoy.exe [2008-02-07 11:07]
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 15:56]
R3 nvcoas;Norman Virus Control on-access component;C:\Programfiler\Norman\Nvc\bin\nvcoas.exe [2008-04-30 13:28]
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE [2007-09-18 12:41]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 20:07]

.
Contents of the 'Scheduled Tasks' folder

2008-08-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-07-21 C:\WINDOWS\Tasks\iTunes.job
- E:\OnklP NOIA.mp3 [2008-03-28 23:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-removecpl - RemoveCpl.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\*****\Programdata\Mozilla\Firefox\Profiles\1925lsi7.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.no/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 19:35:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programfiler\Norman\Npm\Bin\elogsvc.exe
C:\Programfiler\Norman\Npm\Bin\Zanda.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\MICROS~2\Office12\GROOVE~3.EXE
C:\PROGRA~1\ANALOG~1\SoundMAX\SMTray.exe
C:\PROGRA~1\Norman\Npm\Bin\Zlh.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programfiler\Bonjour\mDNSResponder.exe
C:\Programfiler\Norman\npf\bin\npfuser.exe
C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\QUICKT~1\QTTask.exe
C:\PROGRA~1\iTunes\ITUNES~1.EXE
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\PROGRA~1\SUPERA~1\SUPERA~1.EXE
C:\Programfiler\Norman\Npm\Bin\Njeeves.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Norman\NVC\bin\Nip.exe
C:\Programfiler\Norman\NVC\bin\CClaw.exe
.
**************************************************************************
.
Completion time: 2008-08-22 19:45:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-22 17:45:04

Pre-Run: 29,203,116,032 byte ledig
Post-Run: 29,117,206,528 byte ledig

163

Norman isn't nagging any more now. But these trojans, or whatever they were, what did they do? I also have to say thank you very much; I think you've helped me several times before.
norbat, posted 22 August 2008:

What this trojan (or these trojans) does, I don't know, but in general they often have a backdoor function that can open the PC to attack. The trojans can also start downloading other malware that fills the PC with 'junk'. You should now remove ComboFix by typing combofix /u in the Run box (Start -> Run). This will also reset System Restore so that you don't get reinfected by a restore later. If you haven't updated to SP3, do so by going to Windows Update (Start -> All Programs -> Windows Update).