
Problems with adware: Adware.SeekSuggest



Hi. I just ran a scan with SAS and found an adware program; SAS calls it Adware.SeekSuggest.

The problem is that SAS doesn't seem able to remove it. I run new scans, but it just comes back.

I haven't had anything like this before. The PC was away for repair for about a week. I got it back today, and I don't think I've been on anything unusual.

Today it was just homework and the usual sites.

I'm running a scan with SAS now to see if it can remove it. After that I'll try MBAM if SAS can't do it.

Can anyone help me with this?

 

Summary : Adware.SeekSuggest.Process
Company : Unknown
Description : Adware.SeekSuggest.Process
Threat Level (1-10) : 5
Processes : JESTERTB.DLL

 

Now SAS seems to have gotten rid of this, but I noticed something else strange: rundll32 isn't running as SYSTEM but as my user. There are two rundll32 processes and both run as my user; none run as SYSTEM.

Edited by LockBreaker

ComboFix log:

ComboFix 09-01-21.04 - John Ola Haugom 2009-01-28 22:44:26.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1237 [GMT 1:00]

Running from: c:\documents and settings\John Ola Haugom\My Documents\Nyttige programmer\ComboFix.exe

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated)

FW: Trend Micro Personal Firewall *enabled*

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))

.

 

2009-01-28 19:41 . 2009-01-28 19:42 <DIR> d-------- c:\program files\iTunes

2009-01-28 19:41 . 2009-01-28 19:41 <DIR> d-------- c:\program files\iPod

2009-01-28 19:41 . 2009-01-28 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-01-28 19:40 . 2009-01-28 19:40 <DIR> d-------- c:\program files\QuickTime

2009-01-15 15:15 . 2009-01-15 15:15 <DIR> d-------- c:\program files\Google

2009-01-05 16:18 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx

2009-01-05 16:18 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-28 18:41 --------- d-----w c:\program files\Common Files\Apple

2009-01-28 18:37 --------- d-----w c:\documents and settings\John Ola Haugom\Application Data\Apple Computer

2009-01-28 15:38 --------- d-----w c:\program files\SUPERAntiSpyware

2009-01-18 22:33 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-18 22:31 --------- d-----w c:\documents and settings\All Users\Application Data\OrdnettPluss

2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-13 20:43 --------- d-----w c:\program files\CCleaner

2009-01-07 11:30 --------- d-----w c:\documents and settings\John Ola Haugom\Application Data\OpenOffice.org2

2008-12-29 13:27 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2008-12-29 13:26 201,352 ----a-w c:\windows\system32\PnkBstrB.exe

2008-12-26 14:10 --------- d-----w c:\program files\Bonjour

2008-12-25 10:04 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-24 12:26 --------- d-----w c:\program files\Paint.NET

2008-12-24 11:44 --------- d-----w c:\documents and settings\John Ola Haugom\Application Data\ROCCAT

2008-12-24 11:42 --------- d-----w c:\program files\ROCCAT

2008-12-24 11:42 --------- d-----w c:\program files\DIFX

2008-12-24 11:42 --------- d-----w c:\documents and settings\All Users\Application Data\ROCCAT

2008-12-18 13:50 --------- d-----w c:\program files\CDBurnerXP

2008-12-18 13:50 --------- d-----w c:\documents and settings\John Ola Haugom\Application Data\Canneverbe_Limited

2008-12-16 11:25 --------- d-----w c:\program files\Opera

2008-12-12 10:18 87,336 ----a-w c:\windows\system32\dns-sd.exe

2008-12-12 10:11 61,440 ----a-w c:\windows\system32\dnssd.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 07:18 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic

2008-12-07 19:38 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-07 19:38 --------- d-----w c:\program files\Java

2008-12-06 16:08 --------- d-----w c:\program files\Microsoft Hardware

2008-12-05 13:18 66,872 ----a-w c:\windows\system32\PnkBstrA.exe

2008-12-05 10:46 --------- d-----w c:\program files\EA GAMES

2008-12-04 12:40 348,160 ----a-w c:\windows\system32\msvcr71.dll

2008-12-04 12:40 --------- d-----w c:\program files\Real

2008-12-04 12:40 --------- d-----w c:\program files\Common Files\xing shared

2008-12-04 12:40 --------- d-----w c:\program files\Common Files\Real

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-28 1830128]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-08-28 714024]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-04 185872]

"SideWinderTrayV4"="c:\progra~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe" [2000-06-28 24649]

"Kone"="c:\program files\ROCCAT\Kone Mouse\KoneHID.EXE" [2008-10-06 151552]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

"NVHotkey"="nvHotkey.dll" [2008-02-22 c:\windows\system32\nvhotkey.dll]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

"nwiz"="nwiz.exe" [2008-02-22 c:\windows\system32\nwiz.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 28672]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-01-01 14:28 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Kunnskapsforlaget\\Ordnett Pluss\\lib\\IeEmbed.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4637:UDP"= 4637:UDP:Windows Media Format SDK (opera.exe)

"4636:UDP"= 4636:UDP:Windows Media Format SDK (opera.exe)

"12345:TCP"= 12345:TCP:Trend Micro OfficeScan Listener

 

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-08-19 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-08-19 55024]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-08-28 335888]

R3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [2008-08-28 488768]

R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-30 203280]

R4 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2008-08-28 205328]

R4 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [2008-08-28 36368]

S3 KoneFltr;ROCCAT Kone;c:\windows\system32\drivers\Kone.sys [2008-12-24 12672]

S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.sys [2008-10-17 40672]

S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2005-04-24 13225]

S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2008-12-06 3968]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2008-08-28 652552]

S4 0154781225360726mcinstcleanup;McAfee Application Installer Cleanup (0154781225360726);c:\windows\TEMP\015478~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\015478~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09918686-c04c-11dd-aa56-001302ac02eb}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL winupdate.exe

\Shell\menu\command - winupdate.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55afeed2-8f84-11dd-aa19-0015c53dfc53}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL winupdate.exe

\Shell\menu\command - winupdate.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e26e1506-c752-11dd-aa61-0015c53dfc53}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL winupdate.exe

\Shell\menu\command - winupdate.exe

.

Contents of the 'Scheduled Tasks' folder

 

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

 

2009-01-28 c:\windows\Tasks\Oppdater Ordnett Pluss.job

- c:\program files\Kunnskapsforlaget\Ordnett Pluss\updater.exe [2008-11-14 15:58]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} - hxxps://casinband1.opplandvgs.no/auth/CCALogin.CAB

FF - ProfilePath - c:\documents and settings\John Ola Haugom\Application Data\Mozilla\Firefox\Profiles\7fwewv8a.default\

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Mozilla FireFox\plugins\npfronter_oes2.dll

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla FireFox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-28 22:46:10

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(1336)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

Completion time: 2009-01-28 22:47:17

ComboFix-quarantined-files.txt 2009-01-28 21:47:15

 

Pre-Run: 80 380 874 752 bytes free

Post-Run: 80,560,869,376 bytes free

 

177 --- E O F --- 2009-01-14 09:39:16
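
Added example, not from the thread or from ComboFix: a small Python parser for the REGEDIT4-style "Reg Loading Points" layout in the log above. It pulls out the MountPoints2 shell verbs, which is where the log shows `winupdate.exe` registered as the AutoRun command for three removable-drive GUIDs, a pattern worth checking on any machine that has been handed around. The excerpt is constructed from a few lines of the posted log.

```python
import re

# Constructed excerpt in the layout of the ComboFix "Reg Loading Points" section
# posted above: a handful of lines copied from that log, not the whole file.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-28 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09918686-c04c-11dd-aa56-001302ac02eb}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL winupdate.exe
\Shell\menu\command - winupdate.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e26e1506-c752-11dd-aa61-0015c53dfc53}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL winupdate.exe
\Shell\menu\command - winupdate.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
MOUNTPOINT_RE = re.compile(r"mountpoints2\\(\{[0-9a-f-]+\})$", re.IGNORECASE)

def parse_sections(text):
    """Group the non-empty lines of the REGEDIT4-style dump under their [key] header."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def find_autorun_hijacks(text):
    """Return (volume GUID, command) for every MountPoints2 shell verb that makes Explorer
    launch a program when the drive is opened; a bare filename like 'winupdate.exe' is the tell."""
    hits = []
    for key, lines in parse_sections(text).items():
        guid = MOUNTPOINT_RE.search(key)
        if not guid:
            continue
        for line in lines:
            verb, _, command = line.partition(" - ")
            if verb.lower().startswith("\\shell\\") and command:
                hits.append((guid.group(1), command))
    return hits
```

Each GUID corresponds to a removable volume that was plugged in; the entries persist in HKCU even after the drive is gone, so they are a record of which drives carried the autorun.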

 

 


Well, possibly; it doesn't show it in the log.

My Computer
Tools -> Folder Options -> View ->
Check "Show hidden files and folders"
Uncheck "Hide protected operating system files"

Now you will see all files.

%Windir%\jestertb.dll

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

And search for it.

Download and run CCleaner.
'Options' -> 'Advanced'. Uncheck "Only delete temporary files older than 48 h".
Run the registry cleaner too, answer yes to "repair" --> backup, answer yes when asked.
Run the registry cleaner a couple more times until all errors are gone.

Update and rescan with SAS.
