Kan noen hjelpe med med HIJACKLog fra min PC?

[norbat]

Edit: Vi kunne ha sjekke for rootkit: Last ned Rootchk. Kjør programmet og etter noen strakser, vil det dukke opp en logg. Hvis den forteller at den har funnet noe, post gjerne loggen.

 

Se også info fra windows support: http://support.microsoft.com/?kbid=894391

[steinage]

Her er loggen...

********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh

18.10.2007 22:32:22,46

 

The rootkits that are detected by this tool were not found.

 

********************************* ROOTCHK-LOG-end

 

 

catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-18 22:32:23

Windows 5.1.2600 Service Pack 2

scanning hidden processes ...

 

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]

 

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{25E142F8-CA88-E4E2-EB9B-A4A8F8C2B53D}]

"dbnhkidbdaddjfjmemglijpaoenimfoijneogjlk"=hex:6a,61,6a,64,68,6e,63,6a,6c,6d,6e,63,6a,6e,6f,6b,61,6e,61,66,00,..

"cbhiehghohcoojhghgclnjijbdpfkiebknlnof"=hex:6a,61,69,64,63,6e,65,6a,65,65,68,6e,6e,6a,6c,66,6f,6a,64,6f,00,..

"ianhkidbdaddjfjmem"=hex:61,61,00,00

"hahiehghohcoojhg"=hex:61,61,00,00

"iajfklccmnhcjfnbfn"=hex:61,61,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E4CC390-063E-1562-F400-364074410CFE}]

"dbghlbamiffehhdccjlckmgacaiajpijijdmgmop"=hex:6a,61,63,6b,69,66,6b,6c,70,65,62,67,6d,66,6c,6f,66,6a,70,67,00,..

"cbihnamgjmeajbgdfhfehcgedeljlbjdgpoecf"=hex:6a,61,63,6b,69,66,6b,6c,70,65,62,67,6d,66,6c,6f,66,6a,70,67,00,..

"iaghlbamiffehhdccj"=hex:61,61,00,01

"haihnamgjmeajbgd"=hex:61,61,00,01

"iacidgeimmhkchcmag"=hex:61,61,00,01

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2F2CEBC-EDB5-AFB3-F9A0-57B38EACA0A9}]

"dbipjpnbkdhicbnlfiifnmineoaddpaiogleibjn"=hex:6a,61,6d,6f,63,68,64,68,69,64,62,6d,66,65,6e,6f,64,6d,6a,66,00,..

"cbcpcgapafdgkkddcigmfjhlpikalebemnhiof"=hex:6a,61,6e,6f,6a,63,6f,61,69,64,6c,65,68,68,6e,61,70,6f,6b,6a,00,..

"iaipjpnbkdhicbnlfi"=hex:61,61,00,00

"hacpcgapafdgkkdd"=hex:61,61,00,00

"iamamihiamijkmjfbd"=hex:61,61,00,00

"abmamhhmecfjkgjmceimkkkkednebaiepo"=hex:61,61,00,00

"malaphhlmohmbnodkengefeifl"=hex:61,61,00,00

 

scanning hidden files ...

 

hidden processes: 0

hidden services: 0

hidden files: 0

[norbat]

Kjør en scan med AVG antirootkit og gi tilbakemelding på om den finner noe.

Endret 18. oktober 2007 av norbat

[steinage]

Ingen feil funnet.... se bilde

[norbat]

Ok,

vi gjør allikevel dette:

 

Vi skal prøve å slette noen registeroppføringer, men vi tar en backup først:

 

Klikk: Start->Kjør

Skriv: regedit

 

Gå til følgende sti:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

 

Høyreklikk på Approved og velg Eksporter.

Dette vil lage en backup. Legg den en plass som du evt. finner igjen.

 

Lukk regedit.

 

Åpne Notisblokk og lim inn det som er i fet tekst under. Lagre fila som regfix.reg og legg den på skrivebordet.

Dobbeltklikk på fila og si ja til å legge til informasjonen.

Windows Registry Editor Version 5.00

 

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{25E142F8-CA88-E4E2-EB9B-A4A8F8C2B53D}]

 

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E4CC390-063E-1562-F400-364074410CFE}]

 

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2F2CEBC-EDB5-AFB3-F9A0-57B38EACA0A9}]

 

Restart PC-en og lag en ny logg med rootchk.

[steinage]

HER kommer loggen..... gjort som du skrev.... sjekket med rootkit også (null funn der)

 

 

********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh

18.10.2007 23:56:06,67

 

The rootkits that are detected by this tool were not found.

 

********************************* ROOTCHK-LOG-end

 

 

catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-18 23:56:07

Windows 5.1.2600 Service Pack 2

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{25E142F8-CA88-E4E2-EB9B-A4A8F8C2B53D}]

"dbnhkidbdaddjfjmemglijpaoenimfoijneogjlk"=hex:6a,61,6a,64,68,6e,63,6a,6c,6d,6e,63,6a,6e,6f,6b,61,6e,61,66,00,..

"cbhiehghohcoojhghgclnjijbdpfkiebknlnof"=hex:6a,61,69,64,63,6e,65,6a,65,65,68,6e,6e,6a,6c,66,6f,6a,64,6f,00,..

"ianhkidbdaddjfjmem"=hex:61,61,00,00

"hahiehghohcoojhg"=hex:61,61,00,00

"iajfklccmnhcjfnbfn"=hex:61,61,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E4CC390-063E-1562-F400-364074410CFE}]

"dbghlbamiffehhdccjlckmgacaiajpijijdmgmop"=hex:6a,61,63,6b,69,66,6b,6c,70,65,62,67,6d,66,6c,6f,66,6a,70,67,00,..

"cbihnamgjmeajbgdfhfehcgedeljlbjdgpoecf"=hex:6a,61,63,6b,69,66,6b,6c,70,65,62,67,6d,66,6c,6f,66,6a,70,67,00,..

"iaghlbamiffehhdccj"=hex:61,61,00,01

"haihnamgjmeajbgd"=hex:61,61,00,01

"iacidgeimmhkchcmag"=hex:61,61,00,01

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2F2CEBC-EDB5-AFB3-F9A0-57B38EACA0A9}]

"dbipjpnbkdhicbnlfiifnmineoaddpaiogleibjn"=hex:6a,61,6d,6f,63,68,64,68,69,64,62,6d,66,65,6e,6f,64,6d,6a,66,00,..

"cbcpcgapafdgkkddcigmfjhlpikalebemnhiof"=hex:6a,61,6e,6f,6a,63,6f,61,69,64,6c,65,68,68,6e,61,70,6f,6b,6a,00,..

"iaipjpnbkdhicbnlfi"=hex:61,61,00,00

"hacpcgapafdgkkdd"=hex:61,61,00,00

"iamamihiamijkmjfbd"=hex:61,61,00,00

"abmamhhmecfjkgjmceimkkkkednebaiepo"=hex:61,61,00,00

"malaphhlmohmbnodkengefeifl"=hex:61,61,00,00

 

scanning hidden files ...

 

hidden processes: 0

hidden services: 0

hidden files: 0

[norbat]

Vi prøver en annen vri:

 

Last ned Look2Me-destroyer. Legg det på skrivebordet.

 

Start programmet, sett hake i 'Run this program as a task'

Du vil få en melding om at programmet vil reåpne seg. Du kan klikke ok

Etter 'reåpning', klikker du på Scan for L2M.

Skrivebordsikoner vil forsvinne midlertidig.

 

Når scanningen er ferdig, klikker du på Remove L2M

Pc vil bli slått av. Om den ikke slår seg på autom. slår du den bare på selv

Det vil ligge en logg på skrivebordet som forteller hva som har skjedd. Post den.

[steinage]

HEI

PC-en har jeg nå levert til dataavdelingen på jobben... så for vi se..hva som skjer etterhvert...

 

De hadde også mistanke om at det kunne være noe med memorykortet....

 

Takk så mye for hjelpen så langt....

 

Kommer sikkert tilbake til deg, men problemene på hjemmePCn...

[steinage]

HEI

 

Her kommer logg fra combofix angående min datters PC.... Kjørte MSNfix først, og den fant "virus"...

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56]

"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16:58 C:\WINDOWS\RTHDCPL.EXE]

"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 C:\WINDOWS\SkyTel.exe]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 20:58]

"nwiz"="nwiz.exe" [2006-07-20 20:58 C:\WINDOWS\system32\nwiz.exe]

"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-10-19 20:44]

"P1370Mon.exe"="C:\WINDOWS\P1370Mon.exe" [2006-06-20 02:00]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 14:38]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]

"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 23:31:38]

HP Image Zone Hurtigstart.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 00:06:36]

Hurtigstart for Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\drivers\SiSRaid2.sys

R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys

R3 P1370Aud;Creative WebCam Audio Control;\??\C:\WINDOWS\system32\Drivers\P1370Aud.sys

R3 P1370Aul;PD1370 Lower Filter Driver;\??\C:\WINDOWS\system32\Drivers\P1370Aul.sys

S3 P1370Vfx;P1370Vfx;C:\WINDOWS\system32\DRIVERS\P1370Vfx.sys

S3 P1370VID;Live! Cam Voice;C:\WINDOWS\system32\DRIVERS\P1370Vid.sys

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-19 22:14:43

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-10-19 22:15:05

C:\ComboFix2.txt ... 2007-10-19 22:02

.

--- E O F ---

[norbat]

HEI

PC-en har jeg nå levert til dataavdelingen på jobben... så for vi se..hva som skjer etterhvert...

 

De hadde også mistanke om at det kunne være noe med memorykortet....

 

Takk så mye for hjelpen så langt....

 

Kommer sikkert tilbake til deg, men problemene på hjemmePCn...

 

Var det en firma-pc?

Hvis det var det burde du ha opplyst om det (men det kunne jo ikke du vite), da firmapc'er gjerne kan ha installert egne program som i noen tilfeller kan virke 'suspecte' eller bli slettet ved bruke av enkelte fix'er.

 

Kunne du også ha postet en HJT-logg?

[steinage]

Ingen spesielle firma installasjoner... kun enbruker programvare , og kun terminalserver løsning for e-post...

 

Har du link til Hijack..programmet... har ikke den gamle...dessverre... sorry for maset....

 

Fant en link...fra ett annet tema..fra deg... burde jo ha sjekke det først ...

 

Her er loggen fra HJ

 

Logfile of HijackThis v1.99.1

Scan saved at 22:57:10, on 19.10.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

C:\WINDOWS\P1370Mon.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\DOCUME~1\STEING~1\LOCALS~1\Temp\Midlertidig mappe 1 for hijackthis.zip\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nelfo.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

O4 - HKLM\..\Run: [P1370Mon.exe] C:\WINDOWS\P1370Mon.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Hurtigstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O15 - Trusted Zone: http://login.nho.no

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.labussa.no/Remote/msrdp.cab

O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

[norbat]

Loggen ser fin ut

 

Du bør nullstille gjenopprettingsmappa slik at du ikke blir infisert ved en evt. systemgjenoppretting.

Kontrollpanel->system->systemgjenoppretting .

Sett merke framfor "Slå av Systemgjenopprettingen .....",

restart pc,

fjern merket igjen for å aktivere funksjonen.

[steinage]

OK

 

Takk for hjelpen...igjen...

[steinage]

HEI

Sjekka den gamle bærbare som dattera også hadde brukt.... den hadde også MSN virus - som ble funnet og rettet med MSNfix...

 

Kjørte Combofix og Hijack , samt CCleaner på den....

Legger ved Hijack loggen her..... ( og Combofix loggen nedenfor) Ser denne grei ut da ?

 

Logfile of HijackThis v1.99.1

Scan saved at 12:35:11, on 20.10.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe

C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe

C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE

C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe

C:\Programfiler\Microsoft SQL Server\MSSQL$HANDYMAN\Binn\sqlservr.exe

C:\Programfiler\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe

C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe

C:\Programfiler\Iomega\REV System Software\RevUDF.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Microsoft SQL Server\MSSQL$HANDYMAN\Binn\sqlagent.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe

C:\Programfiler\Fujitsu\BtnHnd\BtnHnd.exe

C:\AddOn\Fujitsu\Hotkey\IndicatorUty.exe

C:\WINDOWS\LTSMMSG.exe

C:\Programfiler\Eicon\Diva\DiTask.exe

C:\Programfiler\Eicon\Diva\Divamon.exe

C:\Programfiler\Eicon\Diva\watch.exe

C:\WINDOWS\system32\PRISMSTA.EXE

C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe

C:\Programfiler\Microsoft IntelliPoint\point32.exe

C:\Programfiler\HP\Digital Imaging\HP Print Screen\PrnSys.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe

C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe

C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

C:\Programfiler\QuickTime\qttask.exe

C:\Programfiler\Iomega\REV System Software\imiconxp.exe

C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Microsoft ActiveSync\WCESCOMM.EXE

C:\Programfiler\MSN Messenger\msnmsgr.exe

C:\Programfiler\Fellesfiler\InstallShield\UpdateService\isuspm.exe

C:\Programfiler\FotoStation Easy\FotoStation Easy AutoLaunch.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe

C:\Programfiler\Nikon\PictureProject\NkbMonitor.exe

C:\Programfiler\Nikon\NkView4\NkVwMon.exe

C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Programfiler\Mamut Online Services\Mamut Online Backup\Mamut Online Backup.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqgalry.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Programfiler\MSN Messenger\usnsvc.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\explorer.exe

C:\DOCUME~1\SGRANL~1\LOKALE~1\Temp\Midlertidig mappe 1 for hijackthis.zip\HijackThis.exe

C:\Programfiler\Messenger\msmsgs.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nelfo.no/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe

O4 - HKLM\..\Run: [LoadBtnHnd] C:\Programfiler\Fujitsu\BtnHnd\BtnHnd.exe

O4 - HKLM\..\Run: [indicatorUtility] C:\AddOn\Fujitsu\Hotkey\IndicatorUty.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [DiTask.exe] "C:\Programfiler\Eicon\Diva\DiTask.exe"

O4 - HKLM\..\Run: [Divamon.exe] "C:\Programfiler\Eicon\Diva\Divamon.exe"

O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Programfiler\Eicon\Diva\watch.exe"

O4 - HKLM\..\Run: [CGServer] "C:\Programfiler\Eicon\Diva\cgserver.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [PrnSys Executable] C:\Programfiler\HP\Digital Imaging\HP Print Screen\PrnSys.exe

O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [HP Component Manager] "C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iomega ImIconXP] C:\Programfiler\Iomega\REV System Software\imiconxp.exe

O4 - HKLM\..\Run: [Connect Update Agent] "C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe"

O4 - HKLM\..\RunServices: [DJSNetCN] C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programfiler\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [iSUSPM] C:\Programfiler\Fellesfiler\InstallShield\UpdateService\isuspm.exe -scheduler

O4 - Startup: Mamut Online Backup.lnk = ?

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: D-Link AirPlus.lnk = ?

O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Hurtigstart.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programfiler\Nikon\PictureProject\NkbMonitor.exe

O4 - Global Startup: NkVwMon.exe.lnk = C:\Programfiler\Nikon\NkView4\NkVwMon.exe

O4 - Global Startup: Service Manager.lnk = C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: &Konverter koblingsmål til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Konverter koblingsmål til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Konverter til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Konverter til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Konverter valgte koblinger til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Konverter valgte koblinger til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Konverterer utvalg til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Konverterer utvalg til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?5a13ab5bdc8544d8907f85ce26ac3ab0

O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?5a13ab5bdc8544d8907f85ce26ac3ab0

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Opprett mobil favoritt - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Opprett mobil favoritt... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe

O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE

O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe

O23 - Service: NkPtpEnumP2 - Unknown owner - C:\Programfiler\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Programfiler\Nikon\Wireless Camera Setup Utility\NkPtpip.dll (file missing)

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RevUDFService - Iomega Corp - C:\Programfiler\Iomega\REV System Software\RevUDF.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

 

 

COMBOFIX

ComboFix 07-10-12.4 - sgranlund 2007-10-20 11:34:39.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.159 [GMT 2:00]

Running from: C:\Admin\Virussjekk program\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\cfx32.ocx

 

.

((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))

.

 

2007-10-20 11:33 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-10-14 21:14 <DIR> d-------- C:\Documents and Settings\sgranlund\Programdata\ArcSoft

2007-10-10 15:01 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

2007-10-09 15:27 <DIR> d-------- C:\WINDOWS\system32\DaisyWare

2007-10-09 15:27 <DIR> d-------- C:\Programfiler\TPB Reader

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-12 18:55 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared

2007-10-03 09:24 --------- d-----w C:\Programfiler\MSN Messenger

2007-10-01 11:52 --------- d-----w C:\Programfiler\Java

2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-07-30 17:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-07-30 17:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll

2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2006-05-02 21:25 20 ---h--w C:\Documents and Settings\All Users\Programdata\PKP_DLec.DAT

2006-03-13 11:26 43,184 ----a-w C:\Documents and Settings\sgranlund\Programdata\GDIPFONTCACHEV1.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-01-09 01:12]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-01-09 01:04]

"LoadFujitsuQuickTouch"="C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe" [2001-12-10 11:37]

"LoadBtnHnd"="C:\Programfiler\Fujitsu\BtnHnd\BtnHnd.exe" [2001-12-07 16:39]

"IndicatorUtility"="C:\AddOn\Fujitsu\Hotkey\IndicatorUty.exe" [2002-03-19 20:41]

"LTSMMSG"="LTSMMSG.exe" [2001-12-17 15:50 C:\WINDOWS\LTSMMSG.exe]

"Apoint"="C:\Programfiler\Apoint2K\Apoint.exe" [2002-04-05 07:46]

"DiTask.exe"="C:\Programfiler\Eicon\Diva\DiTask.exe" [2003-02-13 16:38]

"Divamon.exe"="C:\Programfiler\Eicon\Diva\Divamon.exe" [2003-02-17 10:01]

"Eicon TechnologyLAN_DAEMON"="C:\Programfiler\Eicon\Diva\watch.exe" [2003-02-17 09:59]

"CGServer"="C:\Programfiler\Eicon\Diva\cgserver.exe" [2003-02-17 09:58]

"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50]

"PRISMSTA.EXE"="PRISMSTA.EXE" [2002-02-06 19:39 C:\WINDOWS\system32\PRISMSTA.exe]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

"IntelliPoint"="C:\Programfiler\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50]

"PrnSys Executable"="C:\Programfiler\HP\Digital Imaging\HP Print Screen\PrnSys.exe" [2004-05-28 23:47]

"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-02-21 17:24]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-07-10 21:20]

"Acrobat Assistant 7.0"="C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52]

"ISUSPM Startup"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\isuspm.exe" [2006-09-11 04:56]

"ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2006-09-11 04:56]

"HP Component Manager"="C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]

"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2006-02-17 07:53]

"Iomega ImIconXP"="C:\Programfiler\Iomega\REV System Software\imiconxp.exe" [2005-12-07 15:08]

"Connect Update Agent"="C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe" [2006-10-06 16:31]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03]

"H/PC Connection Agent"="C:\Programfiler\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-19 16:27]

"msnmsgr"="C:\Programfiler\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

"ISUSPM"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\isuspm.exe" [2006-09-11 04:56]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"DJSNetCN"=C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe

 

C:\Documents and Settings\sgranlund\Start-meny\Programmer\Oppstart\

Mamut Online Backup.lnk - C:\Documents and Settings\sgranlund\Programdata\Microsoft\Installer\{3FC8AB9F-49EF-47E9-8807-DBAF3B3E958D}\_46572c49.exe [2005-06-29 15:04:52]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1044-F000-7760-000000000002}\SC_Acrobat.exe [2005-06-10 19:12:57]

D-Link AirPlus.lnk - C:\Programfiler\D-Link AirPlus\AirPlus.exe [2003-10-04 23:37:36]

FotoStation Easy AutoLaunch.lnk - C:\Programfiler\FotoStation Easy\FotoStation Easy AutoLaunch.exe [2003-06-27 07:34:37]

HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 23:31:38]

HP Image Zone Hurtigstart.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 00:06:36]

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06]

NkbMonitor.exe.lnk - C:\Programfiler\Nikon\PictureProject\NkbMonitor.exe [2006-02-17 07:54:25]

NkVwMon.exe.lnk - C:\Programfiler\Nikon\NkView4\NkVwMon.exe [2003-06-27 07:31:11]

Service Manager.lnk - C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Phone Connection Monitor.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Phone Connection Monitor.lnk

backup=C:\WINDOWS\pss\Phone Connection Monitor.lnkCommon Startup

 

R0 DiMaint;Eicon Maintenance Driver;C:\WINDOWS\system32\DRIVERS\DISDN\dimaint.sys

R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys

R0 imdrvfsf;Iomega File System Filter Driver;C:\WINDOWS\system32\DRIVERS\imdrvfsf.sys

R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;"C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe"

R2 DiCapi;Eicon CAPI 2.0 Driver;C:\WINDOWS\system32\DRIVERS\DISDN\capi202k.sys

R2 DiPort;Eicon Port Driver;C:\WINDOWS\system32\DRIVERS\DISDN\diport40.sys

R2 MSSQL$HANDYMAN;MSSQL$HANDYMAN;C:\Programfiler\Microsoft SQL Server\MSSQL$HANDYMAN\Binn\sqlservr.exe -sHANDYMAN

R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Programfiler\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Programfiler\Nikon\Wireless Camera Setup Utility\NkPtpip.dll"

R2 SQLAgent$HANDYMAN;SQLAgent$HANDYMAN;C:\Programfiler\Microsoft SQL Server\MSSQL$HANDYMAN\Binn\sqlagent.EXE -i HANDYMAN

R2 SSIPDDP;SSIPDDP Parallel port device driver;\??\C:\WINDOWS\system32\DRIVERS\SSIPDDP.SYS

R2 X4HS32;X4HS32;\??\C:\Programfiler\EXEtender\X4HS32.Sys

R3 {6D08DE67-D457-4d38-A7F5-D88CCB81EE00};AIM 3.0 NS2501;C:\WINDOWS\system32\drivers\A306.sys

R3 FUJ02E1;%FUJ02E1.DeviceDesc%;C:\WINDOWS\system32\Drivers\FUJ02E1.sys

R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys

R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys

R3 PRISM;Intersil PRISM Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\PRISMNDS.sys

R3 VBus;Virtual Bus;C:\WINDOWS\system32\DRIVERS\NkVBus.sys

S3 AIRPLUS;D-Link AirPlus Wireless Adapter;C:\WINDOWS\system32\DRIVERS\airplus.sys

S3 DiWan;Eicon Driver for all Diva Client cards;C:\WINDOWS\system32\drivers\disdn\diwan.sys

S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys

S3 G3GRSC;G3G R Smart Card;C:\WINDOWS\system32\DRIVERS\g3grsc.sys

S3 G3GRUMDM;G3G R USB Modem;C:\WINDOWS\system32\DRIVERS\g3grumdm.sys

S3 G3GRUSER;G3G R USB Serial;C:\WINDOWS\system32\DRIVERS\g3gruser.sys

S3 OIIBTUSB;Bluetooth USB Driver;C:\WINDOWS\system32\Drivers\OIIBTUSB.sys

S3 OiiNd2kU;Bluetooth Ndis Driver;C:\WINDOWS\system32\DRIVERS\oiind2ku.sys

S3 Oiivcomu;Bluetooth Virtual COM Port;C:\WINDOWS\system32\Drivers\oiivcomu.sys

S3 TIACXLN;D-Link AirPlus DWL-650+ Wireless Cardbus Adapter;C:\WINDOWS\system32\DRIVERS\tiacxln.sys

S3 W8100PCI;Marvell Libertas 802.11b/g Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\mrv8k51.sys

S4 viaagp;VIA AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\viaagp.sys

 

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

"2007-10-19 21:08:25 C:\WINDOWS\Tasks\Norton AntiVirus - Søk på min datamaskin - sgranlund.job"

"2007-10-20 09:26:02 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job"

.

**************************************************************************

 

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-20 11:42:04

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

**************************************************************************

.

Completion time: 2007-10-20 11:43:31

.

--- E O F ---

[norbat]

Så bra ut dette, steinage.

Du begynner å få dreisen på 'msn-virus' nå

 

Nullstill gjenopprettingsmappa slik at du ikke blir infisert ved en evt. systemgjenoppretting.

Kontrollpanel->system->systemgjenoppretting .

Sett merke framfor "Slå av Systemgjenopprettingen .....",

restart pc,

fjern merket igjen for å aktivere funksjonen.

[steinage]

HEI... Frua sin PC var nok også infisert... her har det visst gått for seg...med virus....

 

Loggen fra MSN Fix følger her... (er noen mistenkelig filer som jeg trenger hjelp til å vurdere)

MSNFix 1.552

 

C:\Admin\MSNFix\MSNFix

Sokningen var klar pa 21.10.2007 - 20:28:54,15 By Anne Jorunn Granlund

normalt lage

 

************************ Kollar filer

 

Inga Filer Funna

 

************************ Kollar mappar

 

... C:\Temp\

 

 

 

 

************************ Tar bort virus filer

 

 

 

************************ Tar bort virus mappar

 

.. OK ... C:\Temp\

 

 

************************ Rensar registret

 

 

 

************************ Misstankta Filer

 

/!\ Dem funna filerna maste kontrolleras innan borttagning

 

[C:\KLDATA.ZIP] 6F38AC6956048388E62B43F416DDA432

 

==> Var snall och ladda upp filen C:\DOCUME~1\ANNEJO~1\SKRIVE~1\Upload_Me.zip on http://upload.changelog.fr

 

 

 

Filerna och Registernycklarna har sparats i karantan 21.10.2007_20300550.zip

 

 

------------------------------------------------------------------------

Gjord av : !aur3n7 Contact: http://changelog.fr

------------------------------------------------------------------------

 

--------------------------------------------- END ---------------------------------------------

[steinage]

Og her er Combofix loggen ......

ComboFix 07-10-20.6 - Anne Jorunn Granlund 2007-10-21 20:40:35.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.210 [GMT 2:00]

Running from: C:\Admin\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))

.

 

2007-10-21 20:39 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-10-19 21:50 <DIR> d-------- C:\WINDOWS\system32\Resource

2007-10-19 21:50 <DIR> d-------- C:\Programfiler\Citrix

2007-10-19 21:47 <DIR> d-------- C:\Programfiler\F-Secure

2007-10-19 20:53 <DIR> d-------- C:\Documents and Settings\Anne Jorunn Granlund\Citrix

2007-10-19 20:53 81 --a------ C:\CTX.DAT

2007-10-10 17:40 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-12 20:01 --------- d-----w C:\Programfiler\Java

2007-09-14 16:27 --------- d-----w C:\Programfiler\FotoStation Easy

2007-09-07 14:30 --------- d-----w C:\Documents and Settings\All Users\Programdata\AntiVir PersonalEdition Classic

2007-09-02 16:48 --------- d-----w C:\Programfiler\IKEA HomePlanner

2004-02-16 10:12 5,577 ---ha-w C:\Documents and Settings\Medbygg\hpothb07.dat

2003-09-26 13:08 182,272 ----a-w C:\Programfiler\ISCrypter.dll

2003-08-20 08:58 181 ---h--w C:\Documents and Settings\Anne Jorunn Granlund\hpothb07.dat

2000-07-14 22:00 136,192 ----a-w C:\Programfiler\Fellesfiler\MSDERUN.DLL

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LoadFujitsuQuickTouch"="C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe" [2001-12-10 11:37]

"LoadBtnHnd"="C:\Programfiler\Fujitsu\BtnHnd\BtnHnd.exe" [2001-12-07 16:39]

"IndicatorUtility"="C:\AddOn\Fujitsu\Hotkey\IndicatorUty.exe" [2002-03-19 20:41]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\system32\Ati2mdxx.exe]

"AtiPTA"="atiptaxx.exe" [2002-03-12 19:30 C:\WINDOWS\system32\atiptaxx.exe]

"LTSMMSG"="LTSMMSG.exe" [2001-12-17 16:50 C:\WINDOWS\LTSMMSG.exe]

"Apoint"="C:\Programfiler\Apoint2K\Apoint.exe" [2001-08-09 19:21]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2003-04-03 13:27]

"zBrowser Launcher"="C:\Programfiler\Logitech\iTouch\iTouch.exe" [2002-07-22 02:10]

"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 09:50]

"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-05-20 19:36]

"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50]

"Share-to-Web Namespace Daemon"="C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]

"HP Component Manager"="C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]

"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

"HP Software Update"="C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]

"avgnt"="C:\Programfiler\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-15 14:38]

"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2007-01-06 21:43]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03]

"FoneSyncSystemTray"="C:\Programfiler\FoneSync 4.0\FoneSyncSystemTray.Exe" [2001-03-05 10:50]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

D-Link AirPlus.lnk - C:\Programfiler\D-Link AirPlus\AirPlus.exe [2007-07-10 22:39:46]

FotoStation Easy AutoLaunch.lnk - C:\Programfiler\FotoStation Easy\FotoStation Easy AutoLaunch.exe [2003-06-27 07:46:28]

HP Digital Imaging Monitor.lnk - C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38]

HP Image Zone Hurtigstart.lnk - C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36]

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]

InterVideo WinCinema Manager.lnk - C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-09-09 11:49:49]

Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56]

NkVwMon.exe.lnk - C:\Programfiler\Nikon\NkView4\NkVwMon.exe [2003-06-27 07:43:36]

Pervasive.SQL 2000 Workgroup.lnk - C:\Programfiler\Scenario\W3dbsmgr.exe [2003-04-08 12:29:01]

Phone Connection Monitor.lnk - C:\Programfiler\Sony Ericsson\Mobile\audevicemgr.exe [2006-09-22 22:55:57]

 

R1 RFWSLPT;RFWSLPT;\??\C:\WINDOWS\system32\drivers\RFWSLPT.sys

R2 DgiVecp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgiVecp.sys

R2 MSSQL$SYSTEM4;MSSQL$SYSTEM4;C:\Programfiler\Microsoft SQL Server\MSSQL$SYSTEM4\Binn\sqlservr.exe -sSYSTEM4

R3 AIRPLUS;D-Link AirPlus Wireless Adapter;C:\WINDOWS\system32\DRIVERS\AIRPLUS.sys

R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys

R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys

S3 cmeu0wdm;CardMan 2020;C:\WINDOWS\system32\DRIVERS\cmeu0wdm.sys

S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys

S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\lccfltr.sys

S3 SQLAgent$SYSTEM4;SQLAgent$SYSTEM4;C:\Programfiler\Microsoft SQL Server\MSSQL$SYSTEM4\Binn\sqlagent.EXE -i SYSTEM4

S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys

S4 viaagp;VIA AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\viaagp.sys

 

.

**************************************************************************

 

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-21 20:50:31

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-10-21 20:54:51 - machine was rebooted

.

--- E O F ---

[norbat]

Hvis det er denne fila du ønsker å få sjekket: C:\DOCUME~1\ANNEJO~1\SKRIVE~1\Upload_Me.zip, laster du opp fila på følgende nettsted: http://virusscan.jotti.org/. Fila vil bli scannet og du vil få et resultat som forteller om det er funnet noe eller ei.