norbat, 18 October 2007:

Edit: We could check for rootkits:

Download Rootchk. Run the program and after a few moments a log will pop up. If it reports that it found something, please post the log.

See also the info from Windows support: http://support.microsoft.com/?kbid=894391
steinage (thread author), 18 October 2007:

Here is the log...

*********************************
ROOTCHK-(21-09-07)-LOG, by ejvindh
18.10.2007 22:32:22,46

The rootkits that are detected by this tool were not found.

*********************************
ROOTCHK-LOG-end

catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 22:32:23
Windows 5.1.2600 Service Pack 2

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{25E142F8-CA88-E4E2-EB9B-A4A8F8C2B53D}]
"dbnhkidbdaddjfjmemglijpaoenimfoijneogjlk"=hex:6a,61,6a,64,68,6e,63,6a,6c,6d,6e,63,6a,6e,6f,6b,61,6e,61,66,00,..
"cbhiehghohcoojhghgclnjijbdpfkiebknlnof"=hex:6a,61,69,64,63,6e,65,6a,65,65,68,6e,6e,6a,6c,66,6f,6a,64,6f,00,..
"ianhkidbdaddjfjmem"=hex:61,61,00,00
"hahiehghohcoojhg"=hex:61,61,00,00
"iajfklccmnhcjfnbfn"=hex:61,61,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E4CC390-063E-1562-F400-364074410CFE}]
"dbghlbamiffehhdccjlckmgacaiajpijijdmgmop"=hex:6a,61,63,6b,69,66,6b,6c,70,65,62,67,6d,66,6c,6f,66,6a,70,67,00,..
"cbihnamgjmeajbgdfhfehcgedeljlbjdgpoecf"=hex:6a,61,63,6b,69,66,6b,6c,70,65,62,67,6d,66,6c,6f,66,6a,70,67,00,..
"iaghlbamiffehhdccj"=hex:61,61,00,01
"haihnamgjmeajbgd"=hex:61,61,00,01
"iacidgeimmhkchcmag"=hex:61,61,00,01
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2F2CEBC-EDB5-AFB3-F9A0-57B38EACA0A9}]
"dbipjpnbkdhicbnlfiifnmineoaddpaiogleibjn"=hex:6a,61,6d,6f,63,68,64,68,69,64,62,6d,66,65,6e,6f,64,6d,6a,66,00,..
"cbcpcgapafdgkkddcigmfjhlpikalebemnhiof"=hex:6a,61,6e,6f,6a,63,6f,61,69,64,6c,65,68,68,6e,61,70,6f,6b,6a,00,..
"iaipjpnbkdhicbnlfi"=hex:61,61,00,00
"hacpcgapafdgkkdd"=hex:61,61,00,00
"iamamihiamijkmjfbd"=hex:61,61,00,00
"abmamhhmecfjkgjmceimkkkkednebaiepo"=hex:61,61,00,00
"malaphhlmohmbnodkengefeifl"=hex:61,61,00,00

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0
norbat, 18 October 2007 (edited):

Run a scan with AVG antirootkit and report back whether it finds anything.

Edited 18 October 2007 by norbat
steinage (thread author), 18 October 2007:

No errors found.... see picture
norbat, 18 October 2007:

OK, we'll do this anyway:

We are going to try deleting some registry entries, but we take a backup first:

Click Start -> Run
Type: regedit
Go to the following path:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Right-click on Approved and choose Export. This creates a backup. Put it somewhere you can find it again.
Close regedit.

Open Notepad and paste in the block below. Save the file as regfix.reg and put it on the desktop. Double-click the file and say yes to adding the information.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{25E142F8-CA88-E4E2-EB9B-A4A8F8C2B53D}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E4CC390-063E-1562-F400-364074410CFE}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2F2CEBC-EDB5-AFB3-F9A0-57B38EACA0A9}]

Restart the PC and make a new log with rootchk.
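The procedure in the post above (export the Approved key, then drop the hidden subkeys with a [-KEY] .reg file) can be generated straight from the catchme output instead of typed by hand. The script below is an added example written for this page; it is not part of the thread and is not code from Rootchk, catchme/GMER or regedit. It reads the "scanning hidden registry entries" section of a catchme log, decodes the hex: values (in the posted log they are plain lowercase ASCII letters followed by NUL padding, which is worth knowing when you stare at them) and writes out the same deletion file norbat wrote. The embedded sample is a trimmed copy of lines from the log posted above; the function names are my own.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"

# Constructed sample: a trimmed copy of the 'hidden registry entries' section
# of the catchme log posted in this thread (two of the three keys, some values).
SAMPLE_LOG = r'''
scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{25E142F8-CA88-E4E2-EB9B-A4A8F8C2B53D}]
"dbnhkidbdaddjfjmemglijpaoenimfoijneogjlk"=hex:6a,61,6a,64,68,6e,63,6a,6c,6d,6e,63,6a,6e,6f,6b,61,6e,61,66,00,..
"ianhkidbdaddjfjmem"=hex:61,61,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E4CC390-063E-1562-F400-364074410CFE}]
"iaghlbamiffehhdccj"=hex:61,61,00,01

scanning hidden files ...

hidden files: 0
'''

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')
HEX_BYTE_RE = re.compile(r"[0-9a-fA-F]{2}")


def decode_hex_value(payload):
    """Turn '6a,61,00,..' into (bytes, truncated).
    catchme appends '..' when it cut a long value short (the posted log
    shows 20 bytes before the '..')."""
    tokens = [t.strip() for t in payload.split(",") if t.strip()]
    truncated = bool(tokens) and tokens[-1] == ".."
    data = bytes(int(t, 16) for t in tokens if HEX_BYTE_RE.fullmatch(t))
    return data, truncated


def ascii_preview(data):
    """Render the bytes up to the first NUL as printable ASCII ('.' otherwise)."""
    head = data.split(b"\x00", 1)[0]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in head)


def parse_hidden_registry(log_text):
    """Return {key_path: [(value_name, data, truncated), ...]} for the
    'scanning hidden registry entries' section of a catchme log."""
    entries = {}
    current = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("scanning hidden registry entries"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("scanning "):  # next section begins: stop
            break
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data, truncated = decode_hex_value(m.group(2))
            entries[current].append((m.group(1), data, truncated))
    return entries


def build_delete_reg(key_paths):
    """Emit regedit 5.00 text that deletes each key: the [-KEY] form used
    by regfix.reg above. The caller is expected to have exported a backup."""
    lines = [REG_HEADER, ""]
    for key in key_paths:
        lines.append(f"[-{key}]")
    lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = parse_hidden_registry(SAMPLE_LOG)
    for key, values in found.items():
        print(key)
        for name, data, truncated in values:
            flag = " (truncated)" if truncated else ""
            print(f"  {name} -> {ascii_preview(data)!r}{flag}")
    print()
    print(build_delete_reg(found))
```

Save the real log as a text file, pass its contents to parse_hidden_registry, and read the decoded values and the key list before double-clicking the generated .reg; take the Export backup first exactly as the post says. A key catchme lists as hidden is one the normal registry API did not return, which is what makes it suspicious, but the script deletes whatever the log lists, so never run it blind against a log you have not read.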
steinage (thread author), 18 October 2007:

HERE is the log..... did as you wrote.... checked with rootkit as well (nothing found there)

*********************************
ROOTCHK-(21-09-07)-LOG, by ejvindh
18.10.2007 23:56:06,67

The rootkits that are detected by this tool were not found.

*********************************
ROOTCHK-LOG-end

catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 23:56:07
Windows 5.1.2600 Service Pack 2

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{25E142F8-CA88-E4E2-EB9B-A4A8F8C2B53D}]
"dbnhkidbdaddjfjmemglijpaoenimfoijneogjlk"=hex:6a,61,6a,64,68,6e,63,6a,6c,6d,6e,63,6a,6e,6f,6b,61,6e,61,66,00,..
"cbhiehghohcoojhghgclnjijbdpfkiebknlnof"=hex:6a,61,69,64,63,6e,65,6a,65,65,68,6e,6e,6a,6c,66,6f,6a,64,6f,00,..
"ianhkidbdaddjfjmem"=hex:61,61,00,00
"hahiehghohcoojhg"=hex:61,61,00,00
"iajfklccmnhcjfnbfn"=hex:61,61,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E4CC390-063E-1562-F400-364074410CFE}]
"dbghlbamiffehhdccjlckmgacaiajpijijdmgmop"=hex:6a,61,63,6b,69,66,6b,6c,70,65,62,67,6d,66,6c,6f,66,6a,70,67,00,..
"cbihnamgjmeajbgdfhfehcgedeljlbjdgpoecf"=hex:6a,61,63,6b,69,66,6b,6c,70,65,62,67,6d,66,6c,6f,66,6a,70,67,00,..
"iaghlbamiffehhdccj"=hex:61,61,00,01
"haihnamgjmeajbgd"=hex:61,61,00,01
"iacidgeimmhkchcmag"=hex:61,61,00,01
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2F2CEBC-EDB5-AFB3-F9A0-57B38EACA0A9}]
"dbipjpnbkdhicbnlfiifnmineoaddpaiogleibjn"=hex:6a,61,6d,6f,63,68,64,68,69,64,62,6d,66,65,6e,6f,64,6d,6a,66,00,..
"cbcpcgapafdgkkddcigmfjhlpikalebemnhiof"=hex:6a,61,6e,6f,6a,63,6f,61,69,64,6c,65,68,68,6e,61,70,6f,6b,6a,00,..
"iaipjpnbkdhicbnlfi"=hex:61,61,00,00
"hacpcgapafdgkkdd"=hex:61,61,00,00
"iamamihiamijkmjfbd"=hex:61,61,00,00
"abmamhhmecfjkgjmceimkkkkednebaiepo"=hex:61,61,00,00
"malaphhlmohmbnodkengefeifl"=hex:61,61,00,00

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0
norbat, 19 October 2007:

Let's try a different angle:

Download Look2Me-destroyer. Put it on the desktop.
Start the program and tick 'Run this program as a task'.
You will get a message that the program will reopen itself. You can click OK.
After the 'reopening', click Scan for L2M. Desktop icons will disappear temporarily.
When the scan is finished, click Remove L2M.
The PC will be shut down. If it does not turn itself back on automatically, just turn it on yourself.
There will be a log on the desktop that tells what happened. Post it.
steinage (thread author), 19 October 2007:

HI. I've now handed the PC over to the IT department at work... so we'll see.. what happens eventually... They also suspected there could be something wrong with the memory card.... Thanks so much for the help so far.... I'll surely come back to you, but with the problems on the home PC...
steinage (thread author), 19 October 2007:

HI. Here is the ComboFix log for my daughter's PC.... Ran MSNfix first, and it found a "virus"...

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16:58 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 20:58]
"nwiz"="nwiz.exe" [2006-07-20 20:58 C:\WINDOWS\system32\nwiz.exe]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-10-19 20:44]
"P1370Mon.exe"="C:\WINDOWS\P1370Mon.exe" [2006-06-20 02:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 14:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 23:31:38]
HP Image Zone Hurtigstart.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 00:06:36]
Hurtigstart for Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\drivers\SiSRaid2.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys
R3 P1370Aud;Creative WebCam Audio Control;\??\C:\WINDOWS\system32\Drivers\P1370Aud.sys
R3 P1370Aul;PD1370 Lower Filter Driver;\??\C:\WINDOWS\system32\Drivers\P1370Aul.sys
S3 P1370Vfx;P1370Vfx;C:\WINDOWS\system32\DRIVERS\P1370Vfx.sys
S3 P1370VID;Live! Cam Voice;C:\WINDOWS\system32\DRIVERS\P1370Vid.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 22:14:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-19 22:15:05
C:\ComboFix2.txt ... 2007-10-19 22:02
.
--- E O F ---
norbat, 19 October 2007:

> HI. I've now handed the PC over to the IT department at work... so we'll see.. what happens eventually... They also suspected there could be something wrong with the memory card.... Thanks so much for the help so far.... I'll surely come back to you, but with the problems on the home PC...

Was it a company PC? If so, you should have mentioned it (but you couldn't have known that), since company PCs often have their own programs installed which in some cases can look 'suspect' or get deleted when certain fixes are used.

Could you also post an HJT log?
steinage (thread author), 19 October 2007:

No special company installations... only single-user software, and only a terminal server solution for e-mail...

Do you have a link to the Hijack.. program... I don't have the old one... unfortunately... sorry for the nagging....

Found a link... from another topic... from you... should have checked that first...

Here is the log from HJ:

Logfile of HijackThis v1.99.1
Scan saved at 22:57:10, on 19.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\P1370Mon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\STEING~1\LOCALS~1\Temp\Midlertidig mappe 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nelfo.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [P1370Mon.exe] C:\WINDOWS\P1370Mon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtigstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O15 - Trusted Zone: http://login.nho.no
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.labussa.no/Remote/msrdp.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
norbat, 19 October 2007:

The log looks fine.

You should flush the restore folder so that you don't get reinfected by a possible System Restore: Control Panel -> System -> System Restore. Tick "Turn off System Restore ...", restart the PC, then untick it again to re-enable the function.
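norbat's verdict above comes from reading the HijackThis entries section by section. As an added example that is not part of the thread and is not HijackThis code, here is a small triage that applies the first-pass checks a reviewer does by eye: targets reported "(file missing)", O23 services with an unknown owner, O15 Trusted Zone additions, O16 ActiveX downloads from hosts other than Microsoft's own, and O20 Winlogon Notify DLLs. The embedded lines are copied from the log posted above; the rules and the function names are my own, and a flag means "look at this", not "this is malware" (norbat judged this log clean, and each flagged line here has an ordinary explanation).

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt: lines copied from the HijackThis log posted above.
SAMPLE_HJT = r'''
Logfile of HijackThis v1.99.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: http://login.nho.no
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
'''

# HJT 1.99 entry lines look like "O23 - Service: ..." / "R0 - HKCU\..." etc.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Hosts from which an O16 ActiveX download is not flagged (assumption: the
# reviewer treats Microsoft/MSN-hosted cabs as routine).
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "msn.com")


def parse_entries(text):
    """Return a list of (section_code, body) for every HJT entry line."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def flag_entry(code, body):
    """Return a short reason if the entry deserves a closer look, else None.
    These are review heuristics, not malware verdicts."""
    if "(file missing)" in body:
        return "target file missing"
    if code == "O23" and "Unknown owner" in body:
        return "service with unknown owner"
    if code == "O15":
        return "site added to the Trusted Zone"
    if code == "O16":
        url = body.rsplit(" - ", 1)[-1]
        host = urlparse(url).hostname or ""
        if not host.endswith(TRUSTED_DPF_SUFFIXES):
            return f"ActiveX download from {host}"
    if code == "O20":
        return "Winlogon Notify DLL (loads in every logon session)"
    return None


def triage(text):
    """Return {code: [(body, reason_or_None), ...]} grouped by HJT section."""
    groups = defaultdict(list)
    for code, body in parse_entries(text):
        groups[code].append((body, flag_entry(code, body)))
    return dict(groups)


def flagged(text):
    """Only the flagged entries, as (code, reason, body) tuples."""
    return [(code, reason, body)
            for code, items in triage(text).items()
            for body, reason in items if reason]


if __name__ == "__main__":
    for code, reason, body in flagged(SAMPLE_HJT):
        print(f"{code:4} {reason:45} {body}")
```

Feed it the whole log and it gives you the short list to verify first; an O23 "(file missing)" whose path contains a stray quote, as the two avast entries above do, is usually a quoting quirk in the service's ImagePath rather than a missing binary, but that is exactly the kind of thing to confirm rather than assume.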
steinage (thread author), 20 October 2007:

OK. Thanks for the help... again...
steinage (thread author), 20 October 2007:

HI. Checked the old laptop that my daughter had also used.... it also had the MSN virus, which was found and fixed with MSNfix... Ran ComboFix and Hijack, plus CCleaner, on it.... Attaching the Hijack log here..... (and the ComboFix log below). Does this one look OK?

Logfile of HijackThis v1.99.1
Scan saved at 12:35:11, on 20.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\Microsoft SQL Server\MSSQL$HANDYMAN\Binn\sqlservr.exe
C:\Programfiler\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
C:\Programfiler\Iomega\REV System Software\RevUDF.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Microsoft SQL Server\MSSQL$HANDYMAN\Binn\sqlagent.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
C:\Programfiler\Fujitsu\BtnHnd\BtnHnd.exe
C:\AddOn\Fujitsu\Hotkey\IndicatorUty.exe
C:\WINDOWS\LTSMMSG.exe
C:\Programfiler\Eicon\Diva\DiTask.exe
C:\Programfiler\Eicon\Diva\Divamon.exe
C:\Programfiler\Eicon\Diva\watch.exe
C:\WINDOWS\system32\PRISMSTA.EXE
C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\Programfiler\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe
C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Iomega\REV System Software\imiconxp.exe
C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\isuspm.exe
C:\Programfiler\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programfiler\Nikon\PictureProject\NkbMonitor.exe
C:\Programfiler\Nikon\NkView4\NkVwMon.exe
C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programfiler\Mamut Online Services\Mamut Online Backup\Mamut Online Backup.exe
C:\Programfiler\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\SGRANL~1\LOKALE~1\Temp\Midlertidig mappe 1 for hijackthis.zip\HijackThis.exe
C:\Programfiler\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nelfo.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Programfiler\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [indicatorUtility] C:\AddOn\Fujitsu\Hotkey\IndicatorUty.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [DiTask.exe] "C:\Programfiler\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Programfiler\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Programfiler\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Programfiler\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PrnSys Executable] C:\Programfiler\HP\Digital Imaging\HP Print Screen\PrnSys.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iomega ImIconXP] C:\Programfiler\Iomega\REV System Software\imiconxp.exe
O4 - HKLM\..\Run: [Connect Update Agent] "C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe"
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programfiler\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [iSUSPM] C:\Programfiler\Fellesfiler\InstallShield\UpdateService\isuspm.exe -scheduler
O4 - Startup: Mamut Online Backup.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtigstart.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programfiler\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NkVwMon.exe.lnk = C:\Programfiler\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: Service Manager.lnk = C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Konverter koblingsmål til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Konverter koblingsmål til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konverter til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konverter til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konverter valgte koblinger til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Konverter valgte koblinger til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Konverterer utvalg til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konverterer utvalg til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?5a13ab5bdc8544d8907f85ce26ac3ab0
O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?5a13ab5bdc8544d8907f85ce26ac3ab0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Opprett mobil favoritt - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Opprett mobil favoritt... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: NkPtpEnumP2 - Unknown owner - C:\Programfiler\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Programfiler\Nikon\Wireless Camera Setup Utility\NkPtpip.dll (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RevUDFService - Iomega Corp - C:\Programfiler\Iomega\REV System Software\RevUDF.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

COMBOFIX

ComboFix 07-10-12.4 - sgranlund 2007-10-20 11:34:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.159 [GMT 2:00]
Running from: C:\Admin\Virussjekk program\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cfx32.ocx

.
((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-20 11:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 21:14 <DIR> d-------- C:\Documents and Settings\sgranlund\Programdata\ArcSoft
2007-10-10 15:01 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 15:27 <DIR> d-------- C:\WINDOWS\system32\DaisyWare
2007-10-09 15:27 <DIR> d-------- C:\Programfiler\TPB Reader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 18:55 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared
2007-10-03 09:24 --------- d-----w C:\Programfiler\MSN Messenger
2007-10-01 11:52 --------- d-----w C:\Programfiler\Java
2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 17:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 17:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2006-05-02 21:25 20 ---h--w C:\Documents and Settings\All Users\Programdata\PKP_DLec.DAT
2006-03-13 11:26 43,184 ----a-w C:\Documents and Settings\sgranlund\Programdata\GDIPFONTCACHEV1.DAT

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-01-09 01:12] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-01-09 01:04] "LoadFujitsuQuickTouch"="C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe" [2001-12-10 11:37] "LoadBtnHnd"="C:\Programfiler\Fujitsu\BtnHnd\BtnHnd.exe" [2001-12-07 16:39] "IndicatorUtility"="C:\AddOn\Fujitsu\Hotkey\IndicatorUty.exe" [2002-03-19 20:41] "LTSMMSG"="LTSMMSG.exe" [2001-12-17 15:50 C:\WINDOWS\LTSMMSG.exe] "Apoint"="C:\Programfiler\Apoint2K\Apoint.exe" [2002-04-05 07:46] "DiTask.exe"="C:\Programfiler\Eicon\Diva\DiTask.exe" [2003-02-13 16:38] "Divamon.exe"="C:\Programfiler\Eicon\Diva\Divamon.exe" [2003-02-17 10:01] "Eicon TechnologyLAN_DAEMON"="C:\Programfiler\Eicon\Diva\watch.exe" [2003-02-17 09:59] "CGServer"="C:\Programfiler\Eicon\Diva\cgserver.exe" [2003-02-17 09:58] "NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50] "PRISMSTA.EXE"="PRISMSTA.EXE" [2002-02-06 19:39 C:\WINDOWS\system32\PRISMSTA.exe] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00] "IntelliPoint"="C:\Programfiler\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50] "PrnSys Executable"="C:\Programfiler\HP\Digital Imaging\HP Print Screen\PrnSys.exe" [2004-05-28 23:47] "ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-02-21 17:24] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-07-10 21:20] "Acrobat Assistant 7.0"="C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52] "ISUSPM Startup"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\isuspm.exe" [2006-09-11 04:56] "ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2006-09-11 04:56] "HP Component Manager"="C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54] "HP Software Update"="C:\Programfiler\HP\HP Software 
Update\HPWuSchd2.exe" [2005-02-17 00:11] "QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2006-02-17 07:53] "Iomega ImIconXP"="C:\Programfiler\Iomega\REV System Software\imiconxp.exe" [2005-12-07 15:08] "Connect Update Agent"="C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe" [2006-10-06 16:31] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03] "H/PC Connection Agent"="C:\Programfiler\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-19 16:27] "msnmsgr"="C:\Programfiler\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54] "ISUSPM"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\isuspm.exe" [2006-09-11 04:56] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices] "DJSNetCN"=C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe C:\Documents and Settings\sgranlund\Start-meny\Programmer\Oppstart\ Mamut Online Backup.lnk - C:\Documents and Settings\sgranlund\Programdata\Microsoft\Installer\{3FC8AB9F-49EF-47E9-8807-DBAF3B3E958D}\_46572c49.exe [2005-06-29 15:04:52] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1044-F000-7760-000000000002}\SC_Acrobat.exe [2005-06-10 19:12:57] D-Link AirPlus.lnk - C:\Programfiler\D-Link AirPlus\AirPlus.exe [2003-10-04 23:37:36] FotoStation Easy AutoLaunch.lnk - C:\Programfiler\FotoStation Easy\FotoStation Easy AutoLaunch.exe [2003-06-27 07:34:37] HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 23:31:38] HP Image Zone Hurtigstart.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 00:06:36] Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06] NkbMonitor.exe.lnk - C:\Programfiler\Nikon\PictureProject\NkbMonitor.exe [2006-02-17 07:54:25] NkVwMon.exe.lnk - C:\Programfiler\Nikon\NkView4\NkVwMon.exe [2003-06-27 07:31:11] 
Service Manager.lnk - C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Phone Connection Monitor.lnk] path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Phone Connection Monitor.lnk backup=C:\WINDOWS\pss\Phone Connection Monitor.lnkCommon Startup R0 DiMaint;Eicon Maintenance Driver;C:\WINDOWS\system32\DRIVERS\DISDN\dimaint.sys R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys R0 imdrvfsf;Iomega File System Filter Driver;C:\WINDOWS\system32\DRIVERS\imdrvfsf.sys R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;"C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe" R2 DiCapi;Eicon CAPI 2.0 Driver;C:\WINDOWS\system32\DRIVERS\DISDN\capi202k.sys R2 DiPort;Eicon Port Driver;C:\WINDOWS\system32\DRIVERS\DISDN\diport40.sys R2 MSSQL$HANDYMAN;MSSQL$HANDYMAN;C:\Programfiler\Microsoft SQL Server\MSSQL$HANDYMAN\Binn\sqlservr.exe -sHANDYMAN R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Programfiler\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Programfiler\Nikon\Wireless Camera Setup Utility\NkPtpip.dll" R2 SQLAgent$HANDYMAN;SQLAgent$HANDYMAN;C:\Programfiler\Microsoft SQL Server\MSSQL$HANDYMAN\Binn\sqlagent.EXE -i HANDYMAN R2 SSIPDDP;SSIPDDP Parallel port device driver;\??\C:\WINDOWS\system32\DRIVERS\SSIPDDP.SYS R2 X4HS32;X4HS32;\??\C:\Programfiler\EXEtender\X4HS32.Sys R3 {6D08DE67-D457-4d38-A7F5-D88CCB81EE00};AIM 3.0 NS2501;C:\WINDOWS\system32\drivers\A306.sys R3 FUJ02E1;%FUJ02E1.DeviceDesc%;C:\WINDOWS\system32\Drivers\FUJ02E1.sys R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys R3 PRISM;Intersil PRISM Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\PRISMNDS.sys R3 VBus;Virtual 
Bus;C:\WINDOWS\system32\DRIVERS\NkVBus.sys
S3 AIRPLUS;D-Link AirPlus Wireless Adapter;C:\WINDOWS\system32\DRIVERS\airplus.sys
S3 DiWan;Eicon Driver for all Diva Client cards;C:\WINDOWS\system32\drivers\disdn\diwan.sys
S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys
S3 G3GRSC;G3G R Smart Card;C:\WINDOWS\system32\DRIVERS\g3grsc.sys
S3 G3GRUMDM;G3G R USB Modem;C:\WINDOWS\system32\DRIVERS\g3grumdm.sys
S3 G3GRUSER;G3G R USB Serial;C:\WINDOWS\system32\DRIVERS\g3gruser.sys
S3 OIIBTUSB;Bluetooth USB Driver;C:\WINDOWS\system32\Drivers\OIIBTUSB.sys
S3 OiiNd2kU;Bluetooth Ndis Driver;C:\WINDOWS\system32\DRIVERS\oiind2ku.sys
S3 Oiivcomu;Bluetooth Virtual COM Port;C:\WINDOWS\system32\Drivers\oiivcomu.sys
S3 TIACXLN;D-Link AirPlus DWL-650+ Wireless Cardbus Adapter;C:\WINDOWS\system32\DRIVERS\tiacxln.sys
S3 W8100PCI;Marvell Libertas 802.11b/g Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\mrv8k51.sys
S4 viaagp;VIA AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\viaagp.sys
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-19 21:08:25 C:\WINDOWS\Tasks\Norton AntiVirus - Søk på min datamaskin - sgranlund.job"
"2007-10-20 09:26:02 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 11:42:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-10-20 11:43:31
.
--- E O F ---
norbat wrote on 20 October 2007:
That looked good, steinage. You are getting the hang of the 'msn virus' now.
Clear the restore folder so that you are not reinfected by a possible System Restore. Control Panel -> System -> System Restore. Tick "Turn off System Restore .....", restart the PC, then untick it again to re-enable the function.
steinage (thread author) wrote on 21 October 2007:
HI... My wife's PC was apparently also infected... things have clearly been going on here... with viruses.... The log from MSNFix follows here... (there are some suspicious files I need help evaluating)
MSNFix 1.552
C:\Admin\MSNFix\MSNFix
Sokningen var klar pa 21.10.2007 - 20:28:54,15 By Anne Jorunn Granlund normalt lage
************************ Kollar filer
Inga Filer Funna
************************ Kollar mappar
... C:\Temp\
************************ Tar bort virus filer
************************ Tar bort virus mappar
.. OK ... C:\Temp\
************************ Rensar registret
************************ Misstankta Filer
/!\ Dem funna filerna maste kontrolleras innan borttagning
[C:\KLDATA.ZIP] 6F38AC6956048388E62B43F416DDA432
==> Var snall och ladda upp filen C:\DOCUME~1\ANNEJO~1\SKRIVE~1\Upload_Me.zip on http://upload.changelog.fr
Filerna och Registernycklarna har sparats i karantan 21.10.2007_20300550.zip
------------------------------------------------------------------------
Gjord av : !aur3n7 Contact: http://changelog.fr
------------------------------------------------------------------------
--------------------------------------------- END ---------------------------------------------
steinage (thread author) wrote on 21 October 2007:
And here is the ComboFix log ......
ComboFix 07-10-20.6 - Anne Jorunn Granlund 2007-10-21 20:40:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.210 [GMT 2:00]
Running from: C:\Admin\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.
2007-10-21 20:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-19 21:50 <DIR> d-------- C:\WINDOWS\system32\Resource
2007-10-19 21:50 <DIR> d-------- C:\Programfiler\Citrix
2007-10-19 21:47 <DIR> d-------- C:\Programfiler\F-Secure
2007-10-19 20:53 <DIR> d-------- C:\Documents and Settings\Anne Jorunn Granlund\Citrix
2007-10-19 20:53 81 --a------ C:\CTX.DAT
2007-10-10 17:40 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 20:01 --------- d-----w C:\Programfiler\Java
2007-09-14 16:27 --------- d-----w C:\Programfiler\FotoStation Easy
2007-09-07 14:30 --------- d-----w C:\Documents and Settings\All Users\Programdata\AntiVir PersonalEdition Classic
2007-09-02 16:48 --------- d-----w C:\Programfiler\IKEA HomePlanner
2004-02-16 10:12 5,577 ---ha-w C:\Documents and Settings\Medbygg\hpothb07.dat
2003-09-26 13:08 182,272 ----a-w C:\Programfiler\ISCrypter.dll
2003-08-20 08:58 181 ---h--w C:\Documents and Settings\Anne Jorunn Granlund\hpothb07.dat
2000-07-14 22:00 136,192 ----a-w C:\Programfiler\Fellesfiler\MSDERUN.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LoadFujitsuQuickTouch"="C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe" [2001-12-10 11:37] "LoadBtnHnd"="C:\Programfiler\Fujitsu\BtnHnd\BtnHnd.exe" [2001-12-07 16:39] "IndicatorUtility"="C:\AddOn\Fujitsu\Hotkey\IndicatorUty.exe" [2002-03-19 20:41] "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\system32\Ati2mdxx.exe] "AtiPTA"="atiptaxx.exe" [2002-03-12 19:30 C:\WINDOWS\system32\atiptaxx.exe] "LTSMMSG"="LTSMMSG.exe" [2001-12-17 16:50 C:\WINDOWS\LTSMMSG.exe] "Apoint"="C:\Programfiler\Apoint2K\Apoint.exe" [2001-08-09 19:21] "QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2003-04-03 13:27] "zBrowser Launcher"="C:\Programfiler\Logitech\iTouch\iTouch.exe" [2002-07-22 02:10] "EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 09:50] "MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-05-20 19:36] "NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50] "Share-to-Web Namespace Daemon"="C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42] "HP Component Manager"="C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54] "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [] "HP Software Update"="C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11] "avgnt"="C:\Programfiler\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-15 14:38] "TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2007-01-06 21:43] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03] "FoneSyncSystemTray"="C:\Programfiler\FoneSync 4.0\FoneSyncSystemTray.Exe" [2001-03-05 10:50] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ D-Link 
AirPlus.lnk - C:\Programfiler\D-Link AirPlus\AirPlus.exe [2007-07-10 22:39:46] FotoStation Easy AutoLaunch.lnk - C:\Programfiler\FotoStation Easy\FotoStation Easy AutoLaunch.exe [2003-06-27 07:46:28] HP Digital Imaging Monitor.lnk - C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38] HP Image Zone Hurtigstart.lnk - C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36] Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26] InterVideo WinCinema Manager.lnk - C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-09-09 11:49:49] Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56] NkVwMon.exe.lnk - C:\Programfiler\Nikon\NkView4\NkVwMon.exe [2003-06-27 07:43:36] Pervasive.SQL 2000 Workgroup.lnk - C:\Programfiler\Scenario\W3dbsmgr.exe [2003-04-08 12:29:01] Phone Connection Monitor.lnk - C:\Programfiler\Sony Ericsson\Mobile\audevicemgr.exe [2006-09-22 22:55:57] R1 RFWSLPT;RFWSLPT;\??\C:\WINDOWS\system32\drivers\RFWSLPT.sys R2 DgiVecp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgiVecp.sys R2 MSSQL$SYSTEM4;MSSQL$SYSTEM4;C:\Programfiler\Microsoft SQL Server\MSSQL$SYSTEM4\Binn\sqlservr.exe -sSYSTEM4 R3 AIRPLUS;D-Link AirPlus Wireless Adapter;C:\WINDOWS\system32\DRIVERS\AIRPLUS.sys R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys S3 cmeu0wdm;CardMan 2020;C:\WINDOWS\system32\DRIVERS\cmeu0wdm.sys S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\lccfltr.sys S3 SQLAgent$SYSTEM4;SQLAgent$SYSTEM4;C:\Programfiler\Microsoft SQL Server\MSSQL$SYSTEM4\Binn\sqlagent.EXE -i SYSTEM4 S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys S4 viaagp;VIA AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\viaagp.sys . 
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 20:50:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-21 20:54:51 - machine was rebooted
.
--- E O F ---
norbat wrote on 21 October 2007:
If this is the file you want checked: C:\DOCUME~1\ANNEJO~1\SKRIVE~1\Upload_Me.zip, upload the file at the following site: http://virusscan.jotti.org/. The file will be scanned and you will get a result telling you whether anything was found or not.