[LØST] Maskinen har vært ustabil, ser det ut til å være noe gale her?

eivindhetalnd · 21. september 2008

Beklager alle de tomme postene, jeg forstår ikke hvorfor teksten ikke kommer med:(

Jeg har følgende logger:

Malwarebytes Anti-Malware

Malwarebytes' Anti-Malware 1.28
Database versjon: 1184

Windows 5.1.2600 Service Pack 3

21.09.2008 13:11:29

mbam-log-2008-09-21 (13-11-29).txt

Skanntype: Rask Skann

Objekter skannet: 47871

Tid tilbakelagt: 8 minute(s), 28 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 2

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 2

Filer infisert: 7

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

Mapper infisert:

D:\Program Files\PeDevice (Adware.Popups) -> Quarantined and deleted successfully.

D:\Program Files\PeDevice\tmp (Adware.Popups) -> Quarantined and deleted successfully.

Filer infisert:

D:\Program Files\PeDevice\communication.xml (Adware.Popups) -> Quarantined and deleted successfully.

D:\Program Files\PeDevice\Domain.Watchlist.txt (Adware.Popups) -> Quarantined and deleted successfully.

D:\Program Files\PeDevice\pae-options.xml (Adware.Popups) -> Quarantined and deleted successfully.

D:\Program Files\PeDevice\pae_url.xml (Adware.Popups) -> Quarantined and deleted successfully.

D:\Program Files\PeDevice\search.watchlist.txt (Adware.Popups) -> Quarantined and deleted successfully.

D:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.

Combofix

ComboFix 08-09-20.05 - Eivind 2008-09-21 13:15:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.198 [GMT 2:00]

Running from: D:\Documents and Settings\Eivind\Desktop\ComboFix.exe

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

D:\lswmv.ini

D:\Program Files\Common Files\{34948~1

D:\Program Files\Common Files\{E4948~1

D:\Program Files\Common Files\uninstall information

D:\Program Files\Need2Find

D:\Program Files\Need2Find\bar\1.bin\N2FFXTBR.JAR

D:\Program Files\Need2Find\bar\1.bin\N2NTSTBR.JAR

D:\Program Files\Need2Find\bar\1.bin\PARTNER.DAT

D:\Program Files\Need2Find\bar\Cache\files.ini

D:\WINDOWS\smdat32m.sys

D:\WINDOWS\system32\_004144_.tmp.dll

D:\WINDOWS\system32\_004145_.tmp.dll

D:\WINDOWS\system32\_004146_.tmp.dll

D:\WINDOWS\system32\_004147_.tmp.dll

D:\WINDOWS\system32\_004154_.tmp.dll

D:\WINDOWS\system32\_004155_.tmp.dll

D:\WINDOWS\system32\_004156_.tmp.dll

D:\WINDOWS\system32\_004157_.tmp.dll

D:\WINDOWS\system32\_004159_.tmp.dll

D:\WINDOWS\system32\_004160_.tmp.dll

D:\WINDOWS\system32\_004163_.tmp.dll

D:\WINDOWS\system32\_004164_.tmp.dll

D:\WINDOWS\system32\_004167_.tmp.dll

D:\WINDOWS\system32\_004168_.tmp.dll

D:\WINDOWS\system32\_004170_.tmp.dll

D:\WINDOWS\system32\_004171_.tmp.dll

D:\WINDOWS\system32\_004173_.tmp.dll

D:\WINDOWS\system32\_004178_.tmp.dll

D:\WINDOWS\system32\_004180_.tmp.dll

D:\WINDOWS\system32\_004181_.tmp.dll

D:\WINDOWS\system32\_004183_.tmp.dll

D:\WINDOWS\system32\_004185_.tmp.dll

D:\WINDOWS\system32\_004186_.tmp.dll

D:\WINDOWS\system32\_004187_.tmp.dll

D:\WINDOWS\system32\_004188_.tmp.dll

D:\WINDOWS\system32\_004189_.tmp.dll

D:\WINDOWS\system32\_004192_.tmp.dll

D:\WINDOWS\system32\_004194_.tmp.dll

D:\WINDOWS\system32\_004195_.tmp.dll

D:\WINDOWS\system32\_004196_.tmp.dll

D:\WINDOWS\system32\_004200_.tmp.dll

D:\WINDOWS\system32\_004202_.tmp.dll

D:\WINDOWS\system32\maxd641.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NSESVC

-------\Service_nsesvc

((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))

.

2008-09-21 12:54 . 2008-09-21 12:54 <DIR> d-------- D:\Documents and Settings\Eivind\Application Data\Malwarebytes

2008-09-21 12:53 . 2008-09-21 12:53 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-09-21 12:53 . 2008-09-10 00:04 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-21 12:53 . 2008-09-10 00:03 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys

2008-08-30 11:33 . 2008-08-30 11:33 <DIR> d-------- D:\WINDOWS\system32\scripting

2008-08-30 11:33 . 2008-08-30 11:33 <DIR> d-------- D:\WINDOWS\system32\en

2008-08-30 11:33 . 2008-08-30 11:33 <DIR> d-------- D:\WINDOWS\l2schemas

2008-08-30 10:59 . 2008-04-14 02:12 69,120 --------- D:\WINDOWS\system32\wlanapi.dll

2008-08-30 10:59 . 2008-04-14 02:12 53,248 --------- D:\WINDOWS\system32\tsgqec.dll

2008-08-30 10:59 . 2008-04-14 02:12 50,688 --------- D:\WINDOWS\system32\tspkg.dll

2008-08-30 10:58 . 2008-04-14 02:12 291,328 --------- D:\WINDOWS\system32\qagentrt.dll

2008-08-30 10:58 . 2008-04-14 02:12 290,304 --------- D:\WINDOWS\system32\rhttpaa.dll

2008-08-30 10:58 . 2008-04-14 02:12 150,528 --------- D:\WINDOWS\system32\qagent.dll

2008-08-30 10:58 . 2008-04-14 02:12 144,384 --------- D:\WINDOWS\system32\onex.dll

2008-08-30 10:58 . 2008-04-14 02:12 76,800 --------- D:\WINDOWS\system32\qutil.dll

2008-08-30 10:58 . 2008-04-14 02:12 62,464 --------- D:\WINDOWS\system32\qcliprov.dll

2008-08-30 10:58 . 2008-04-14 02:12 61,952 --------- D:\WINDOWS\system32\rasqec.dll

2008-08-30 10:58 . 2008-04-14 02:12 32,768 --------- D:\WINDOWS\system32\setupn.exe

2008-08-30 10:58 . 2008-04-13 20:40 10,240 --------- D:\WINDOWS\system32\drivers\sffp_mmc.sys

2008-08-30 10:57 . 2008-04-14 02:12 1,306,624 --------- D:\WINDOWS\system32\msxml6.dll

2008-08-30 10:57 . 2008-04-14 02:12 1,306,624 -----c--- D:\WINDOWS\system32\dllcache\msxml6.dll

2008-08-30 10:57 . 2008-04-14 02:12 193,024 --------- D:\WINDOWS\system32\napmontr.dll

2008-08-30 10:57 . 2008-04-14 02:12 176,640 --------- D:\WINDOWS\system32\napstat.exe

2008-08-30 10:57 . 2008-04-14 02:12 155,136 --------- D:\WINDOWS\system32\mssha.dll

2008-08-30 10:57 . 2008-04-13 19:27 79,872 --------- D:\WINDOWS\system32\msxml6r.dll

2008-08-30 10:57 . 2008-04-13 19:27 79,872 -----c--- D:\WINDOWS\system32\dllcache\msxml6r.dll

2008-08-30 10:57 . 2008-04-13 20:14 76,800 --------- D:\WINDOWS\system32\msshavmsg.dll

2008-08-30 10:57 . 2008-04-14 02:12 30,208 --------- D:\WINDOWS\system32\napipsec.dll

2008-08-30 10:56 . 2008-04-14 02:11 397,312 --------- D:\WINDOWS\system32\mmcex.dll

2008-08-30 10:56 . 2008-04-14 02:11 184,320 --------- D:\WINDOWS\system32\microsoft.managementconsole.dll

2008-08-30 10:56 . 2008-04-14 02:11 106,496 --------- D:\WINDOWS\system32\mmcfxcommon.dll

2008-08-30 10:56 . 2008-04-14 02:12 33,792 --------- D:\WINDOWS\system32\mmcperf.exe

2008-08-30 10:55 . 2008-04-14 02:10 102,912 -----c--- D:\WINDOWS\system32\dllcache\dpcdll.dll

2008-08-30 10:55 . 2008-04-14 02:11 61,440 --------- D:\WINDOWS\system32\kmsvc.dll

2008-08-30 10:55 . 2008-04-14 02:11 37,376 --------- D:\WINDOWS\system32\l2gpstore.dll

2008-08-30 10:55 . 2008-04-14 02:09 24,064 -----c--- D:\WINDOWS\system32\dllcache\pidgen.dll

2008-08-30 10:55 . 2008-04-14 02:09 6,144 --------- D:\WINDOWS\system32\kbdpash.dll

2008-08-30 10:55 . 2008-04-14 02:09 6,144 --------- D:\WINDOWS\system32\kbdnepr.dll

2008-08-30 10:55 . 2008-04-14 02:09 6,144 --------- D:\WINDOWS\system32\kbdiultn.dll

2008-08-30 10:55 . 2008-04-14 02:09 6,144 --------- D:\WINDOWS\system32\kbdbhc.dll

2008-08-30 10:53 . 2008-04-14 02:11 233,472 --------- D:\WINDOWS\system32\azroles.dll

2008-08-30 10:53 . 2008-04-14 02:11 136,192 --------- D:\WINDOWS\system32\aaclient.dll

2008-08-30 10:53 . 2008-04-14 02:11 12,800 --------- D:\WINDOWS\system32\credssp.dll

2008-08-30 10:53 . 2008-04-14 02:11 7,168 --------- D:\WINDOWS\system32\bitsprx4.dll

2008-08-25 19:06 . 2008-08-25 19:06 <DIR> d-------- D:\Program Files\Ipswitch

2008-08-25 19:06 . 2008-08-25 19:06 <DIR> d-------- D:\Documents and Settings\Eivind\Application Data\Ipswitch

2008-08-25 19:06 . 2008-08-25 19:06 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Ipswitch

2008-08-25 19:06 . 2007-01-31 02:05 1,060,864 --a------ D:\WINDOWS\system32\MFC71.dll

2008-08-25 19:06 . 2007-01-31 02:01 606,293 --a------ D:\WINDOWS\system32\wbocx.ocx

2008-08-25 19:06 . 2007-01-31 02:05 499,712 --a------ D:\WINDOWS\system32\msvcp71.dll

2008-08-25 19:06 . 2007-01-31 02:01 50,688 --a------ D:\WINDOWS\system32\wbhelp2.dll

2008-08-22 21:36 . 2008-08-25 21:17 <DIR> d-------- D:\Documents and Settings\Eivind\Application Data\FileZilla

2008-08-22 21:35 . 2008-08-22 21:35 <DIR> d-------- D:\Program Files\FileZilla FTP Client

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-21 11:22 --------- d-----w D:\Program Files\Norman

2008-09-21 10:42 2,560 ----a-w D:\WINDOWS\system32\drivers\mchInjDrv.sys

2008-09-12 20:12 --------- d-----w D:\Documents and Settings\All Users\Application Data\pdf995

2008-09-12 19:39 --------- d-----w D:\Program Files\SUPERAntiSpyware

2008-09-02 10:48 19,512 ----a-w D:\WINDOWS\system32\drivers\nvcw32mf.sys

2008-08-31 11:14 --------- dcsh--w D:\Program Files\Common Files\WindowsLiveInstaller

2008-08-31 11:13 --------- d-----w D:\Program Files\Windows Live

2008-08-31 11:13 --------- d-----w D:\Documents and Settings\All Users\Application Data\WLInstaller

2008-08-31 09:57 --------- d-----w D:\Program Files\Windows Live Toolbar

2008-08-25 17:10 --------- d--h--w D:\Program Files\InstallShield Installation Information

2008-08-22 19:30 --------- d-----w D:\Program Files\SmartFTP Client

2008-08-17 20:22 --------- d-----w D:\Program Files\Google

2008-07-14 20:58 49,960 -c--a-w D:\Documents and Settings\Eivind\Application Data\GDIPFONTCACHEV1.DAT

2007-10-30 20:24 1,422 -c--a-w D:\Documents and Settings\Eivind\clean.reg

2007-01-01 19:30 98,304 -c--a-w D:\Documents and Settings\Eivind\mac.exe

2005-09-26 16:04 3,775,584 -c--a-w D:\Program Files\Clue 3.0.rar

2006-10-15 13:11 5 -csha-w D:\WINDOWS\system32\ccafbceeaee_g.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-12 1576176]

"ccleaner"="D:\Program Files\CCleaner\ccleaner.exe" [2007-07-13 598656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2002-09-11 155648]

"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2005-10-10 7286784]

"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2005-10-10 86016]

"Norman ZANDA"="D:\Program Files\Norman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]

"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

"Logitech Utility"="Logi_MwX.Exe" [2003-06-30 D:\WINDOWS\LOGI_MWX.EXE]

"nwiz"="nwiz.exe" [2005-10-10 D:\WINDOWS\system32\nwiz.exe]

"SoundMan"="SOUNDMAN.EXE" [2004-12-01 D:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "D:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-18 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-08-26 17:35 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.VQJK"= DC31DEC.dll

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"D:\\Program Files\\Messenger\\msmsgs.exe"=

"D:\\Program Files\\mIRC\\mirc.exe"=

"D:\\Program Files\\MSN Messenger\\msrr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 NDIS_RD;Norman Firewall NDIS driver;D:\WINDOWS\system32\drivers\NDIS_RD.sys [2008-02-07 79752]

R1 mchInjDrv;madCodeHook DLL injection driver;D:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-09-21 2560]

R1 NPROSEC;Norman Security driver;D:\Program Files\Norman\Ngs\bin\nprosec.sys [2008-04-15 52792]

R1 TDI_RD;Norman Firewall TDI driver;D:\WINDOWS\system32\drivers\tdi_rd.sys [2008-02-07 74624]

R2 Ndiskio;Ndiskio;D:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 20448]

R2 NPFSvc32;Norman Personal Firewall Service;D:\Program Files\Norman\npf\bin\npfsvc32.exe [2008-09-19 597104]

R2 NPROSECSVC;Norman Security service;D:\Program Files\Norman\Ngs\bin\NPROSEC.EXE [2008-04-22 121912]

R2 NVOY;Norman's Very Own supplY of resources;D:\Program Files\Norman\npm\bin\nvoy.exe [2008-02-07 121912]

R3 NvcMFlt;NvcMFlt;D:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-09-02 19512]

R3 nvcoas;Norman Virus Control on-access component;D:\Program Files\Norman\Nvc\bin\nvcoas.exe [2008-04-30 191544]

R3 NVCScheduler;Norman Virus Control Scheduler;D:\Program Files\Norman\Npm\bin\NVCSCHED.EXE [2007-09-18 154680]

R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;D:\WINDOWS\system32\DRIVERS\SMC1211.SYS [2001-07-11 23153]

S2 MustekMA1908Driver;MustekMA1908Driver;D:\WINDOWS\system32\drivers\ma1908.sys [ ]

S3 KodakPPCAM;Kodak EZ200 DIGITAL CAMERA;D:\WINDOWS\system32\DRIVERS\DC31VID.sys [ ]

S3 MBAMSwissArmy;MBAMSwissArmy;D:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-10 38528]

S3 NPF;NetGroup Packet Filter Driver;D:\WINDOWS\system32\drivers\npf.sys [2007-01-25 42000]

S3 PA7333I;Kodak Webcam Explorer Bulk Mode Device;D:\WINDOWS\system32\DRIVERS\DC31Bulk.sys [ ]

S3 SFC4;SFC4;D:\WINDOWS\system32\drivers\SFC4.sys [ ]

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-iTunesHelper - D:\Program Files\iTunes\iTunesHelper.exe

MSConfigStartUp-QuickTime Task - D:\Program Files\QuickTime\qttask.exe

.

------- Supplementary Scan -------

.

FireFox -: Profile - D:\Documents and Settings\Eivind\Application Data\Mozilla\Firefox\Profiles\e1nak0k4.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - www.startsiden.no

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-21 13:31:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

D:\Program Files\Norman\Npm\Bin\elogsvc.exe

D:\Program Files\Norman\Npm\Bin\Zanda.exe

D:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE

D:\WINDOWS\system32\nvsvc32.exe

D:\WINDOWS\system32\wdfmgr.exe

D:\WINDOWS\system32\searchindexer.exe

D:\Program Files\Canon\CAL\CALMAIN.exe

D:\Program Files\Norman\Npm\Bin\Njeeves.exe

D:\WINDOWS\system32\WgaTray.exe

D:\Program Files\Norman\npf\bin\npfuser.exe

D:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE

D:\Program Files\Norman\NVC\bin\Nip.exe

D:\Program Files\Norman\NVC\bin\CClaw.exe

.

**************************************************************************

.

Completion time: 2008-09-21 13:36:11 - machine was rebooted

ComboFix-quarantined-files.txt 2008-09-21 11:36:01

Pre-Run: 1 163 481 088 bytes free

Post-Run: 892,432,384 bytes free

236 --- E O F --- 2008-09-10 18:43:31

HijackThis(HJT)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:43:57, on 21.09.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\Program Files\Norman\Npm\bin\ELOGSVC.EXE

D:\Program Files\Norman\Ngs\bin\NPROSEC.EXE

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\Norman\Npm\Bin\Zanda.exe

D:\Program Files\Norman\npm\bin\nvoy.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\Program Files\Norman\npf\bin\npfsvc32.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

D:\WINDOWS\system32\nvsvc32.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\wdfmgr.exe

D:\WINDOWS\system32\SearchIndexer.exe

D:\Program Files\Canon\CAL\CALMAIN.exe

D:\Program Files\Norman\Npm\bin\NVCSCHED.EXE

D:\Program Files\Norman\Npm\bin\NJEEVES.EXE

D:\WINDOWS\System32\alg.exe

D:\Program Files\Norman\Nvc\bin\nvcoas.exe

D:\WINDOWS\system32\WgaTray.exe

D:\Program Files\Norman\npf\bin\npfuser.exe

D:\WINDOWS\SOUNDMAN.EXE

D:\Program Files\Norman\Npm\Bin\ZLH.EXE

D:\Program Files\Logitech\MouseWare\system\em_exec.exe

D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

D:\Program Files\Norman\Nvc\Bin\Nip.exe

D:\Program Files\Norman\Nvc\Bin\cclaw.exe

D:\WINDOWS\explorer.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\WINDOWS\system32\SearchProtocolHost.exe

D:\WINDOWS\system32\SearchFilterHost.exe

D:\WINDOWS\System32\wbem\wmiprvse.exe

D:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe

C:\Program Files\Trend Micro\HijackThis\Test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)

O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install

O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Norman ZANDA] "D:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [ccleaner] "D:\Program Files\CCleaner\ccleaner.exe" /AUTO

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - d:\program files\microsoft office\office10\excel.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1D185838-009D-47C8-824B-B65B4854430E} - http://quickfix2.chello.no/quickfix2/asp/chelloInstall.CAB

O16 - DPF: {274967E8-7BE3-4195-B719-CFE8878B2E39} - http://web01.ifi.fi/Webupload/ActiveX/FotolaboUploader.cab

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - http://post.stud.his.no/iNotes6.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {C58EFA10-2CC0-4C50-8C77-B326555EC1B7} - http://quickfix2.chello.no/quickfix2/asp/LaunchApp.CAB

O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://nettbank.fokus.no/html/activex/e-Sa...K/e-Safekey.cab

O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp09.photoprintit.de/microsite/502...geUploader3.cab

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - D:\Program Files\Norman\Npm\bin\ELOGSVC.EXE

O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Norman NJeeves - Norman ASA - D:\Program Files\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - D:\Program Files\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - D:\Program Files\Norman\npf\bin\npfsvc32.exe

O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - D:\Program Files\Norman\Ngs\bin\NPROSEC.EXE

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - D:\Program Files\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - D:\Program Files\Norman\Npm\bin\NVCSCHED.EXE

O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - D:\Program Files\Norman\npm\bin\nvoy.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe

--

End of file - 8431 bytes

Endret 9. oktober 2008 av eivindhetalnd

norbat · 21. september 2008

Start hjt, velg "Do a system scan only", sett merke framfor følgende linjer og klikk Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)

O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)

Gå derette til nettstedet http://virusscan.jotti.org/. Øverst på siden kan du laste opp filer for sjekk. Gjør det med følgende fil:

D:\WINDOWS\system32\ccafbceeaee_g.dll

eivindhetalnd · 21. september 2008

Takker

Da har jeg slettet dem. I tillegg tok jeg en sjekk på filen på det nettstedet, jeg fikk "Found nothing" på alle punkt.

norbat · 21. september 2008

Da skulle alt være i orden.

Er pc'n fortsatt ustabil?

eivindhetalnd · 21. september 2008

Takker:)

Nei, virker bra nå

Men det gjorde den delvis før også. Det kunne gå timer mellom hver gang "alt låste seg". Men jeg tror at denne oppryddingen har hjulpet godt på .

norbat · 21. september 2008

Du får si i fra om problemet fortsatter.

Det kan være greit å fjerne combofix, skriv combofix /u i kjør-feltet (start->kjør).

Dette vil også nullstille systemgjenopprettingen slik at du ikke blir infisert ved en evt. gjenoppretting senere.

r2d290 · 21. september 2008

Dersom du mener at problemet med maskinen din er løst, kan du endre emnetittelen din, ved å trykke på i førsteposten din, og velge full endring. Øverst der emnetittelen din er, skriver du:

[LØST]

foran emnetittelen din.

Eks: [LØST] Har fått virus på maskinen

Dette vil være med på å holde forumet mer oversiktlig for supporterne, samt at nye folk som får samme problemet lettere vil finne en passende tråd å se i.

-Surf trygt-

eivindhetalnd · 21. september 2008

Hei

Det med combofix /u får jeg ikke til. Når jeg skriver det i kjør feltet kommer det bare opp en melding om at Windows ikke finner Combofix...

norbat · 21. september 2008

Du hadde mellomrom mellom combofix og /u?

Hvis, så kan du prøve å sette inn hele stien:

D:\Documents and Settings\Eivind\Desktop\ComboFix.exe /u

eivindhetalnd · 21. september 2008

Ja, jeg har tatt kopi av det du har skrevet og limt det inn. Fikk det samme nå

r2d290 · 21. september 2008

Ja, det er fordi du har windows osv. på d-disken (tror jeg).

Tror du da må skrive den nøyaktige adressen, noe sånt som:

D:\Documents and Settings\Eivind\Desktop\ComboFix.exe /u

Er ikke helt sikker, men prøv

eivindhetalnd · 21. september 2008

Får samme meldingen enda:(

Jeg lurer på om den kommer pga mellomrommet mellom Document og and, men ikke sikker...

eivindhetalnd · 29. september 2008

Etter en uke på HV øvelse, så ser jeg at problemene fremdeles er der

Mulig det er noe annet som kan være feil. Det som skjer er at Internett Explorer, Opera, MSN osv plutselig "låser seg", det blir helt hvitt. Dersom jeg er heldig klarer jeg ved hjelp av Ctrl + Alt + Delete lukke ned noen av programmene. Ellers må jeg ta restart på maskinen, jeg klarer ikke å skru av maskinen på vanlig måte. Dette innreffer plutselig, jeg ser ingen fellesnevener. Etter å ha ventet litt klarer jeg ofte å åpne nye Internett Explorer og surfe videre.

Er det noen som vet hva som kan forårsake slike hendelser?

norbat · 29. september 2008

Kjør gjennom veiledningen en gang til og post loggene.

eivindhetalnd · 5. oktober 2008

Nå fikk jeg følgende logger:

Malwarebytes' Anti-Malware 1.28

Database versjon: 1184

Windows 5.1.2600 Service Pack 3

05.10.2008 19:03:34

mbam-log-2008-10-05 (19-03-34).txt

Skanntype: Rask Skann

Objekter skannet: 47709

Tid tilbakelagt: 8 minute(s), 5 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 0

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 0

Minneprosesser infisert: