jijiji, posted 14 November 2007 (edited)

I'm bothered by a new window opening in IE7 from www.worldinpink.no roughly every half hour. It affects every user on the PC. I have run Webroot Spy Sweeper and have Norton IS installed. After some searching on the forum I ran HijackThis and attach the log. Can anyone help me get rid of this annoying problem?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:41:26, on 14.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\Programfiler\Dell\Media Experience\DMXLauncher.exe
C:\Programfiler\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\DOCUME~1\Dina\LOKALE~1\Temp\msnmsgs.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\firefox.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Jon\Skrivebord\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.no/ig/dell?hl=no&client=dell-row&channel=no&ibd=2070618
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.no/hws/sb/dell-row/no/side.html?channel=no
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.no/hws/sb/dell-row/no/side.html?channel=no
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.no/hws/sb/dell-row/no/side.html?channel=no
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.no/ig/dell?hl=no&client=dell-row&channel=no&ibd=2070618
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Programfiler\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Programfiler\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DMXLauncher] "C:\Programfiler\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Programfiler\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programfiler\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programfiler\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Programfiler\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe"
O4 - HKLM\..\Run: [Graphic Update] C:\DOCUME~1\Dina\LOKALE~1\Temp\msnmsgs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Firefox] C:\WINDOWS\system32\firefox.exe
O4 - HKLM\..\Run: [spySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google-søk - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversett engelsk ord - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Koblinger bakover - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Lignende sider - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Øyeblikksbilde av siden i hurtigbufferen - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185913263687
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programfiler\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11369 bytes

Edit: added a code box.

Edited 14 November 2007 by jijiji
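Triage of the O4 (Run key) lines in the log above, as an added example; this is not code from the thread, from the helpers, or from Trend Micro's HijackThis. It applies the checks a helper does by eye: an executable launched from a Temp folder, one dropped straight into a user-profile root, a user application's name planted in system32 (Firefox installs under Program Files, never into system32), and a file name one edit away from a genuine Windows component (msnmsgs.exe against Windows Messenger's msmsgs.exe). The name lists and the one-edit threshold are assumptions chosen for illustration, and the last sample line is constructed rather than copied from the log.

```python
"""Triage of HijackThis O4 (autorun) entries.

Added example, not code from the thread or from HijackThis. Every list and
threshold below is an assumption chosen for illustration.
"""
import re
from typing import Dict, List, Optional

# O4 lines copied from the thread's first HijackThis log, plus one CONSTRUCTED
# line (dqrojz.exe appears in the thread only in MSNFix/ComboFix output, never
# as a Run entry) so that the profile-root check is exercised.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Graphic Update] C:\DOCUME~1\Dina\LOKALE~1\Temp\msnmsgs.exe
O4 - HKLM\..\Run: [Firefox] C:\WINDOWS\system32\firefox.exe
O4 - HKLM\..\Run: [spySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Constructed] C:\Documents and Settings\Jon\dqrojz.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First token ending in .exe, with or without surrounding quotes; arguments follow.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)

# Assumption: user applications that install under Program Files, never system32.
USER_APPS_NOT_IN_SYSTEM32 = {"firefox.exe", "iexplore.exe", "msnmsgr.exe"}
# Assumption: genuine Windows component names that droppers like to imitate.
WINDOWS_COMPONENTS = {"msmsgs.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                      "winlogon.exe", "explorer.exe", "ctfmon.exe"}
# Executable sitting directly in a profile root, e.g. C:\Documents and Settings\Jon\x.exe
PROFILE_ROOT_RE = re.compile(r'^c:\\(docume~1|documents and settings)\\[^\\]+\\[^\\]+\.exe$')


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to catch look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one O4 Run line into hive, value name, executable path and base name."""
    m = O4_RE.match(line.strip())
    if not m:
        return None  # Global Startup and other O4 forms are not handled here
    cmd = m.group("cmd")
    e = EXE_RE.match(cmd)
    path = e.group("path") if e else cmd
    return {"hive": m.group("hive"), "name": m.group("name"), "path": path,
            "basename": path.rsplit("\\", 1)[-1].lower()}


def analyze(entry: Dict[str, str]) -> List[str]:
    """Return the human-readable findings for one parsed entry (empty if clean)."""
    findings: List[str] = []
    path, base = entry["path"].lower(), entry["basename"]
    if "\\" not in path:
        findings.append("unqualified file name, resolved through the search path at logon")
    if "\\temp\\" in path:
        findings.append("launched from a Temp directory")
    if PROFILE_ROOT_RE.match(path):
        findings.append("executable sits directly in a user-profile root")
    if "\\system32\\" in path and base in USER_APPS_NOT_IN_SYSTEM32:
        findings.append(f"{base} does not belong in system32")
    for genuine in WINDOWS_COMPONENTS:
        if base != genuine and edit_distance(base, genuine) == 1:
            findings.append(f"name is one edit away from Windows component {genuine}")
    return findings


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each Run value name to its findings; clean entries are omitted."""
    report: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        findings = analyze(entry)
        if findings:
            report[entry["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(f"[{name}]")
        for finding in findings:
            print("  -", finding)
```

Run as is, the Graphic Update entry comes out with two findings (Temp directory, look-alike of msmsgs.exe) and the Firefox entry with one, while the Java, Spy Sweeper and ctfmon entries stay clean; CTHelper gets only the low-priority note that its path is unqualified, which is the same thing catchme marks with a trailing question mark further down the thread.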
norbat, posted 14 November 2007

Download MSNFix.zip and unpack it. A folder called MSNFix will be created. Open the folder and double-click MSNFix. Follow the instructions. Post the log it produces plus a new HJT log.
jijiji (thread author), posted 14 November 2007

> Download MSNFix.zip and unpack it. A folder called MSNFix will be created. Open the folder and double-click MSNFix. Follow the instructions. Post the log it produces plus a new HJT log.

Is it right that the MSNFix program is a .bat file? Anyway: I clicked it and first got a message saying "unable to open file" or something like that, and then the following log appeared. (I haven't attached a new HijackThis log, as I'm guessing it is unchanged?)

MSNFix 1.577
C:\Documents and Settings\Jon\Skrivebord\MSNFix\MSNFix
Scan done at 14.11.2007 - 16:38:26,07 By Jon
normal mode

************************ Checking Files
No files found

************************ Checking Folders
No Folders Found

************************ Suspect Files
/!\ The detected files must be reviewed by a forum Helper before changes can be made
[C:\Documents and Settings\Jon\dqrojz.exe] E91821591A8358CA5E540C0E7D641D3C

==> Please upload the file C:\DOCUME~1\Jon\SKRIVE~1\Upload_Me.zip to http://upload.changelog.fr

------------------------------------------------------------------------
Author : !aur3n7 Contact: http://changelog.fr
------------------------------------------------------------------------
--------------------------------------------- END ---------------------------------------------
norbat, posted 14 November 2007 (edited)

OK. Run HJT, choose "Do a system scan only", put a check mark in front of the following line and click Fix checked:

O4 - HKLM\..\Run: [Graphic Update] C:\DOCUME~1\Dina\LOKALE~1\Temp\msnmsgs.exe

Use Explorer to delete the file C:\DOCUME~1\Dina\LOKALE~1\Temp\msnmsgs.exe (you may have to go into Safe Mode).

Then fetch ComboFix and put it on the desktop. Run combofix.exe and follow the instructions. Post the log file from ComboFix (c:\combofix.txt) plus a new HJT log.

Edited 14 November 2007 by norbat
jijiji (thread author), posted 14 November 2007

OK, I've done that now. (I didn't understand why I had to tick that msnmsgs.exe file first?) I had to go into Safe Mode to delete it... Here is the ComboFix log:

ComboFix 07-11-08.1 - Jon 2007-11-14 17:51:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.1577 [GMT 1:00]
Running from: C:\Documents and Settings\Jon\Skrivebord\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.
2007-11-14 17:50 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 17:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Programdata\Webroot
2007-11-14 11:48 <DIR> d-------- C:\Documents and Settings\Ellen\Programdata\Webroot
2007-11-13 23:44 <DIR> d-------- C:\Programfiler\Webroot
2007-11-13 23:44 <DIR> d-------- C:\Documents and Settings\LocalService\Programdata\Webroot
2007-11-13 23:44 <DIR> d-------- C:\Documents and Settings\Jon\Programdata\Webroot
2007-11-13 23:44 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Webroot
2007-11-13 23:44 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-13 23:44 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-13 23:44 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-13 23:44 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-13 23:44 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-13 23:42 164 --a------ C:\install.dat
2007-11-13 19:07 <DIR> d-------- C:\WINDOWS\pss
2007-11-13 11:49 13,824 --a------ C:\WINDOWS\system32\firefox.exe
2007-11-13 11:49 13,824 --a------ C:\Documents and Settings\Jon\dqrojz.exe
2007-11-08 11:11 <DIR> d-------- C:\Programfiler\iTunes
2007-11-08 11:11 <DIR> d-------- C:\Programfiler\iPod
2007-11-08 07:45 <DIR> d-------- C:\Documents and Settings\Dina\Programdata\Apple Computer
2007-11-06 21:45 <DIR> d-------- C:\Documents and Settings\Hanna\Programdata\Corel
2007-10-30 19:55 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 19:55 39,856 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 19:55 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 19:55 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 19:55 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 19:55 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-10-23 16:43 <DIR> d-------- C:\Documents and Settings\Ellen\Programdata\Apple Computer
2007-10-21 15:11 <DIR> d-------- C:\Documents and Settings\Dina\Programdata\AdobeUM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 16:49 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec
2007-11-14 13:36 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared
2007-11-13 18:04 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-13 18:04 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-13 18:04 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-13 18:04 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-13 18:04 --------- d-----w C:\Programfiler\Symantec
2007-11-13 17:50 --------- d-----w C:\Documents and Settings\Jon\Programdata\Corel
2007-11-08 10:11 --------- d-----w C:\Programfiler\QuickTime
2007-10-30 18:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 18:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-25 20:22 --------- d-----w C:\Programfiler\Java
2007-10-25 16:44 8,466,432 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-24 18:38 --------- d-----w C:\Documents and Settings\Ellen\Programdata\Corel
2007-10-02 19:13 --------- d-----w C:\Programfiler\Fellesfiler\Apple
2007-10-02 19:13 --------- d-----w C:\Documents and Settings\Jon\Programdata\Apple Computer
2007-10-02 19:13 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple Computer
2007-10-02 19:10 --------- d-----w C:\Programfiler\Apple Software Update
2007-10-02 19:10 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple
2007-09-23 22:26 --------- d-----w C:\Documents and Settings\All Users\Programdata\Creative
2007-09-23 18:51 --------- d-----w C:\Documents and Settings\Jon\Programdata\Creative
2007-09-20 20:52 --------- d-----w C:\Programfiler\Norton Internet Security
2007-09-20 00:14 --------- d-----w C:\Programfiler\Windows Media Connect 2
2007-09-19 23:21 --------- d-----w C:\Programfiler\Ellusionist TROUBL_MAKER
2007-09-19 23:20 724,992 ----a-w C:\WINDOWS\iun6002.exe
2007-09-18 12:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 12:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 12:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 12:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 12:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 12:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 12:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 12:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 12:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-16 19:21 --------- d-----w C:\Programfiler\Canon
2007-08-31 18:10 3,666,293 ----a-w C:\WINDOWS\LEGO Star Wars.SCR
2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:18 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:03 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:03 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:03 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:03 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:03 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:03 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:03 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:03 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:03 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:03 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:03 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:03 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:03 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:03 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:03 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:03 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:03 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:03 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:03 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:03 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:03 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:03 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:03 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:24 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:24 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:24 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2005-11-08 05:30 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-01 21:00 C:\WINDOWS\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"IAAnotif"="C:\Programfiler\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 07:15]
"ATICCC"="C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"DMXLauncher"="C:\Programfiler\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"CTDVDDET"="C:\Programfiler\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"VolPanel"="C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01]
"AudioDrvEmulator"="C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"ISUSPM Startup"="C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-02-20 13:17]
"osCheck"="C:\Programfiler\Norton Internet Security\osCheck.exe" [2007-02-20 13:16]
"Symantec PIF AlertEng"="C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 09:22]
"Corel Photo Downloader"="C:\Programfiler\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 14:20]
"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"Firefox"="C:\WINDOWS\system32\firefox.exe" [2007-11-13 11:49]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-28 19:13]
"SpySweeper"="C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;"C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
R2 IAANTMON;Intel® Matrix Storage Event Monitor;C:\Programfiler\Intel\Intel Matrix Storage Manager\Iaantmon.exe
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S4 viaagp;VIA AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\viaagp.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 09:57:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-12 21:50:36 C:\WINDOWS\Tasks\Norton Internet Security Online - Kjør fullstendig systemsøk - Jon.job" - C:\Programfiler\Norton Internet Security\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 17:53:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="\"C:\\Programfiler\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe\""
.
Completion time: 2007-11-14 17:54:31
.
--- E O F ---

And here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:58:07, on 14.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\Programfiler\Dell\Media Experience\DMXLauncher.exe
C:\Programfiler\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Programfiler\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\firefox.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\Programfiler\Webroot\Spy Sweeper\SSU.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jon\Skrivebord\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.no/hws/sb/dell-row/no/side.html?channel=no
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.no/hws/sb/dell-row/no/side.html?channel=no
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.no/hws/sb/dell-row/no/side.html?channel=no
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.no/ig/dell?hl=no&client=dell-row&channel=no&ibd=2070618
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Programfiler\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Programfiler\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DMXLauncher] "C:\Programfiler\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Programfiler\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programfiler\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programfiler\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programfiler\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Programfiler\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Firefox] C:\WINDOWS\system32\firefox.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [spySweeper] C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google-søk - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversett engelsk ord - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Koblinger bakover - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Lignende sider - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Øyeblikksbilde av siden i hurtigbufferen - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185913263687
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc.
- C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\VAScanner\comHost.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programfiler\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. 
- C:\Programfiler\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 11292 bytes CODE Fikk forresten nettopp Nytt pop-up vindu fra worldinpink mens jeg postet denne nå. Lenke til kommentar
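A HijackThis log of this size is easier to work through with a small triage script. The block below is an added example, not part of the thread and not HijackThis's own logic: it parses a handful of entries copied from the log above, plus one constructed O4 line (the `[Example]` entry pointing into a Temp directory, which is not on the poster's machine), and lists entries that deserve a second look. Two observations from the log drive the rules: browser add-on entries marked "(file missing)" are orphaned registry references that can simply be cleaned up, and a Run entry named Firefox that points at C:\WINDOWS\system32\firefox.exe is unusual because Firefox installs under Program Files (Programfiler), not under the Windows directory. A flag is a prompt to verify the file against the installed software, not a verdict on its own.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Entries copied from the HijackThis log above, plus one constructed
# [Example] line (not on the poster's machine) to exercise the Temp rule.
HJT_SAMPLE = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Firefox] C:\WINDOWS\system32\firefox.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKCU\..\Run: [Example] C:\DOCUME~1\user\LOKALE~1\Temp\example.exe
"""

# "O4 - <hive path>: [<entry name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Browsers install under Program Files; a browser-named binary under
# the Windows directory is worth checking.
BROWSER_EXES = {"firefox.exe", "iexplore.exe", "opera.exe", "safari.exe"}
# Directory names (long and 8.3 short forms) that installed software
# does not autostart from.
TEMP_MARKERS = {"temp", "tmp", "local settings", "lokale~1", "locals~1"}


@dataclass
class Finding:
    entry: str   # the log line as written
    reason: str  # why it was flagged


def executable_from_command(cmd: str) -> str:
    """Return the program part of a Run-key command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def check_o4(line: str) -> Optional[str]:
    """Apply the autostart rules to one O4 line; None means nothing to report."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = executable_from_command(m.group("cmd"))
    parts = [p.lower().rstrip("\\") for p in PureWindowsPath(exe).parts]
    if len(parts) == 1:
        return "no absolute path: which file actually runs depends on the search path"
    directories, basename = parts[:-1], parts[-1]
    if any(d in TEMP_MARKERS for d in directories):
        return "autostart from a temporary or per-user settings directory"
    if basename in BROWSER_EXES and "windows" in directories:
        return "browser-named executable under the Windows directory, where no browser installs"
    return None


def triage_hjt(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and collect entries that merit a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(file missing)"):
            findings.append(Finding(line, "orphaned browser add-on: the registry points at a file that is gone"))
            continue
        reason = check_o4(line)
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"{f.reason}\n    {f.entry}")
```

The rules are deliberately narrow so that the output stays short: a bare command such as CTHELPER.EXE is only noted because the file that runs depends on the search path, and the MSConfig and iTunesHelper entries pass through untouched. Flagged paths are then checked by hand (file properties, install date, the vendor's documentation) before anything is removed.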
norbat wrote on 14 November 2007 (edited)

You were of course supposed to click Fix checked in HJT after you had ticked the box I mentioned. Sorry I forgot to mention that.

We are going to delete one more file, and you can use Killbox for that:
Download Killbox
Start Killbox
Select 'Delete on reboot'
Enter the following: C:\Documents and Settings\Jon\dqrojz.exe
Restart

Download CCleaner. Start the program. Go to 'Options'->'Advanced'. Untick: "only delete temporary files......." Click 'Cleaner' and then 'Run CCleaner'.

Then tell me how it goes with the popup.

Edited 14 November 2007 by norbat

jijiji (author) wrote on 14 November 2007

I was a bit unsure whether I should press Exit in Killbox before I restarted, so I didn't... The file was not deleted. But I went in afterwards and deleted it manually in Explorer. Since that was possible, I take it that's OK? Then I ran CCleaner. While I have been at it now, I have NOT seen the pop-up! It looks like it worked! Many thanks, norbat! It looks like you have saved me a lot of annoyance!

norbat wrote on 14 November 2007 (edited)

Good that it sorted itself out. You should probably have pressed Exit and then restarted, but when you can do it manually it works just as well.

You can go ahead and remove the programs you used, since you can just download them again if you need them later.
Combofix: combofix.exe, C:\WINDOWS\NirCmd.exe
HijackThis: uninstall from Add/Remove Programs. Delete the program file/folder
Killbox: the program file

You should reset the restore folder so that you do not get reinfected by a possible System Restore. Control Panel->System->System Restore. Tick "Turn off System Restore .....", restart the PC, untick it again to enable the function.

Surf safely.

Edited 14 November 2007 by norbat

jijiji (author) wrote on 14 November 2007

...and there worldinpink.com was back..! Unfortunately. It apparently just took a little longer this time... Do you have any more options?

jijiji (author) wrote on 14 November 2007

Does it help if I say that it is not a "pop-up" in the sense of "a new window that opens", but a new tab in Explorer that opens on the worldinpink page...?

norbat wrote on 14 November 2007

Run a scan with Blacklight. It looks for rootkits. Report back on whether/what it found.

jijiji (author) wrote on 14 November 2007

No hidden items found. Nothing.

norbat wrote on 14 November 2007

Are you on any particular sites when this new tab starts? Is the pop-up blocker turned on?

jijiji (author) wrote on 14 November 2007

Pop-up blocking is turned on. It seems to come at random, but I will check now whether there are any particular ones. Last time it was diskusjon.no and vg.no that were open when the new tab came.

norbat wrote on 14 November 2007

Let us try a bit more...
Download SAS (the free version), install, update and run a full (Complete) scan. A log is created which can be found under Preferences->Statistics/Logs.
Then download SDFix to the desktop. Double-click SDFix.exe and it will unpack itself into a folder at C:\SDFix
Restart the PC in safe mode (tap F8 during startup, choose safe mode)
Open the SDFix folder and double-click 'RunThis.bat' to start the program
Choose Y to start the cleaning
The PC will restart, and SDFix will continue. A log will be created.
Post the logs from SAS and SDFix.

jijiji (author) wrote on 14 November 2007

OK. Will try that now. The new tab just came again, with only diskusjon.no open. At 23:57. It seems like it comes every half hour, but I may be wrong. I also wanted to mention that I get an error message from Norton saying that NIS is not the default phishing monitor, or something like that, every time I restart the PC now. I didn't have that before. Even though I answer yes, the same thing happens every time I restart. But that may be because I have installed and am running Webroot Spy Sweeper (trial version...) Will try SAS and SDFix now.

jijiji (author) wrote on 15 November 2007 (edited)

OK. Here are the logs:

SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/15/2007 at 00:35 AM
Application Version : 3.9.1008
Core Rules Database Version : 3344
Trace Rules Database Version: 1345
Scan type : Complete Scan
Total Scan Time : 00:22:21
Memory items scanned : 726
Memory threats detected : 0
Registry items scanned : 5412
Registry threats detected : 0
File items scanned : 31226
File threats detected : 108
Adware.Tracking Cookie
C:\Documents and Settings\Jon\Cookies\[email protected][2].txt
C:\Documents and Settings\Jon\Cookies\jon@doubleclick[1].txt
C:\Documents and Settings\Jon\Cookies\[email protected][1].txt
C:\Documents and Settings\Jon\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\aksel@doubleclick[2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\aksel@fastclick[2].txt
C:\Documents and Settings\Aksel\Cookies\aksel@hitbox[2].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Aksel\Cookies\[email protected][1].txt
C:\Documents and Settings\Dina\Cookies\[email protected][2].txt
C:\Documents and Settings\Dina\Cookies\[email protected][2].txt
C:\Documents and Settings\Dina\Cookies\[email protected][1].txt
C:\Documents and Settings\Dina\Cookies\[email protected][1].txt
C:\Documents and Settings\Dina\Cookies\[email protected][1].txt
C:\Documents and Settings\Dina\Cookies\dina@doubleclick[1].txt
C:\Documents and Settings\Dina\Cookies\[email protected][2].txt
C:\Documents and Settings\Dina\Cookies\[email protected][2].txt
C:\Documents and Settings\Dina\Cookies\[email protected][2].txt
C:\Documents and Settings\Dina\Cookies\dina@fastclick[1].txt
C:\Documents and Settings\Dina\Cookies\dina@hitbox[1].txt
C:\Documents and Settings\Dina\Cookies\[email protected][1].txt
C:\Documents and Settings\Dina\Cookies\[email protected][2].txt
C:\Documents and Settings\Dina\Cookies\dina@roiservice[1].txt
C:\Documents and Settings\Dina\Cookies\[email protected][1].txt
C:\Documents and Settings\Dina\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][2].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][3].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\ellen@adbrite[2].txt
C:\Documents and Settings\Ellen\Cookies\ellen@adfair[2].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][2].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][2].txt
C:\Documents and Settings\Ellen\Cookies\ellen@doubleclick[1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][2].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][2].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][2].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][2].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][2].txt
C:\Documents and Settings\Ellen\Cookies\ellen@fastclick[2].txt
C:\Documents and Settings\Ellen\Cookies\ellen@hitbox[2].txt
C:\Documents and Settings\Ellen\Cookies\ellen@indexstats[2].txt
C:\Documents and Settings\Ellen\Cookies\ellen@indextools[2].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\ellen@postclicktracking[2].txt
C:\Documents and Settings\Ellen\Cookies\ellen@qksrv[2].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][2].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][3].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][4].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][5].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][6].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][7].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][8].txt
C:\Documents and Settings\Ellen\Cookies\[email protected][1].txt
C:\Documents and Settings\Hanna\Cookies\[email protected][1].txt
C:\Documents and Settings\Hanna\Cookies\[email protected][1].txt
C:\Documents and Settings\Hanna\Cookies\[email protected][1].txt
C:\Documents and Settings\Hanna\Cookies\hanna@doubleclick[1].txt
C:\Documents and Settings\Hanna\Cookies\hanna@fastclick[1].txt
C:\Documents and Settings\Hanna\Cookies\[email protected][1].txt
C:\Documents and Settings\Hanna\Cookies\[email protected][2].txt
C:\Documents and Settings\Hanna\Cookies\hanna@revsci[2].txt
C:\Documents and Settings\Hanna\Cookies\[email protected][1].txt
C:\Documents and Settings\Hanna\Cookies\[email protected][2].txt
C:\Documents and Settings\Hanna\Cookies\[email protected][1].txt

SDFix:

SDFix: Version 1.114
Run by Jon on 15.11.2007 at 00:48
Microsoft Windows XP [Versjon 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 00:54:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Programfiler\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Programfiler\Outlook Express\msimn.exe"
Wed 4 Aug 2004 4,639 A.SH. --- "C:\Programfiler\Windows Media Player\mplayer2.exe"
Wed 15 Nov 2006 64,000 A.SH. --- "C:\Programfiler\Windows Media Player\wmplayer.exe"
Tue 13 Nov 2007 1,264 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 17 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 20 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Tue 31 Aug 2004 2,997,248 A..H. --- "C:\Documents and Settings\Ellen\Mine dokumenter\Ellens dokumenter fra Gammel PC\Bryllup\~WRL1807.tmp"
Thu 2 Sep 2004 3,457,024 A..H. --- "C:\Documents and Settings\Ellen\Mine dokumenter\Ellens dokumenter fra Gammel PC\Bryllup\~WRL1934.tmp"
Thu 18 Jan 2007 4,348 A..H. --- "C:\Documents and Settings\Jon\Mine dokumenter\Min musikk\Sikkerhetskopi av lisens\drmv1key.bak"
Thu 18 Jan 2007 20 A..H. --- "C:\Documents and Settings\Jon\Mine dokumenter\Min musikk\Sikkerhetskopi av lisens\drmv1lic.bak"
Thu 18 Jan 2007 400 A.SH. --- "C:\Documents and Settings\Jon\Mine dokumenter\Min musikk\Sikkerhetskopi av lisens\drmv2key.bak"
Mon 10 Sep 2007 31,232 ...H. --- "C:\Documents and Settings\Jon\Programdata\Microsoft\Word\~WRL1439.tmp"
Mon 10 Sep 2007 246,272 ...H. --- "C:\Documents and Settings\Jon\Programdata\Microsoft\Word\~WRL4065.tmp"

Finished!

I really appreciate your help!

Edited 15 November 2007 by jijiji

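The SDFix "Files with Hidden Attributes" section lists every hidden file it found, legitimate ones included, so a reader needs a filter to get anything out of it. The block below is an added example, not SDFix's own logic and not from the thread: it parses that section, using six lines copied from the log above plus one constructed line (the example.exe entry, which does not exist on the poster's machine) to exercise the second rule, and reports two things: a hidden file under the Windows directory modified within 30 days of the scan, and a hidden+system executable outside Program Files and Windows. The scan date comes from the log ("Run by Jon on 15.11.2007"). The only hit among the real lines, KGyGaAvL.sys dated two days before the scan, is a file to check against the installed software inventory, not evidence of infection on its own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Six entries copied from the SDFix log above, plus one constructed line
# (example.exe, not on the poster's machine) that exercises the second rule.
SDFIX_SAMPLE = r"""
Files with Hidden Attributes:

Wed 13 Oct 2004     1,694,208 ..SH. --- "C:\Programfiler\Messenger\msmsgs.exe"
Wed  4 Aug 2004        60,416 A.SH. --- "C:\Programfiler\Outlook Express\msimn.exe"
Wed 15 Nov 2006        64,000 A.SH. --- "C:\Programfiler\Windows Media Player\wmplayer.exe"
Tue 13 Nov 2007         1,264 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 17 Sep 2007         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 10 Sep 2007       246,272 ...H. --- "C:\Documents and Settings\Jon\Programdata\Microsoft\Word\~WRL4065.tmp"
Wed 14 Nov 2007        12,288 A.SH. --- "C:\Documents and Settings\Jon\example.exe"

Finished!
"""

SCAN_DATE = datetime(2007, 11, 15)  # "Run by Jon on 15.11.2007" in the log

# "<weekday> <day> <month> <year>  <size> <attrs> --- "<path>""
# attrs is five characters: A (archive), R, S (system), H (hidden), and a dot per unset flag.
HIDDEN_RE = re.compile(
    r'^(?P<date>\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4})\s+(?P<size>[\d,]+)\s+'
    r'(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>[^"]+)"$'
)
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass
class HiddenFile:
    modified: datetime
    size: int
    attrs: str
    path: str

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def system(self) -> bool:
        return "S" in self.attrs


@dataclass
class Finding:
    entry: HiddenFile
    reason: str


def parse_hidden_files(listing: str) -> List[HiddenFile]:
    """Parse the 'Files with Hidden Attributes' lines of an SDFix report."""
    entries: List[HiddenFile] = []
    for raw in listing.splitlines():
        m = HIDDEN_RE.match(raw.strip())
        if not m:
            continue  # section header, blank line, "Finished!"
        date = " ".join(m.group("date").split())  # collapse column padding
        entries.append(HiddenFile(
            modified=datetime.strptime(date, "%a %d %b %Y"),
            size=int(m.group("size").replace(",", "")),
            attrs=m.group("attrs"),
            path=m.group("path"),
        ))
    return entries


def triage_hidden_files(entries: List[HiddenFile], scan_date: datetime,
                        window_days: int = 30) -> List[Finding]:
    """Pick out hidden files that a defender would verify before closing the case."""
    findings: List[Finding] = []
    for e in entries:
        low = e.path.lower()
        under_windows = low.startswith("c:\\windows\\")
        under_programs = "\\programfiler\\" in low or "\\program files\\" in low
        age = scan_date - e.modified
        if under_windows and timedelta(0) <= age <= timedelta(days=window_days):
            findings.append(Finding(
                e, f"hidden file under the Windows directory modified {age.days} days before the scan"))
        elif e.system and e.hidden and low.endswith(EXECUTABLE_EXT) \
                and not (under_windows or under_programs):
            findings.append(Finding(e, "hidden+system executable outside Program Files and Windows"))
    return findings


if __name__ == "__main__":
    for f in triage_hidden_files(parse_hidden_files(SDFIX_SAMPLE), SCAN_DATE):
        print(f"{f.reason}\n    {f.entry.path} ({f.entry.modified:%Y-%m-%d}, {f.entry.size} bytes)")
```

The 30-day window is an assumption chosen for this example; the point of tying it to the scan date rather than to "today" is that a report can be re-read months later and still produce the same list. Word's ~WRL*.tmp files and the DRM backups pass through because they are neither executables nor under the Windows directory.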
norbat wrote on 15 November 2007

There is nothing in those logs that shows any kind of infection. What triggers this is therefore a bit uncertain. CCleaner should have taken most of the temporary files, where such 'triggers' can sit (close all other programs when CCleaner runs).
It might be an idea to uninstall IE 7 temporarily. Does the popup still come? (When you uninstall IE7 you automatically get IE6 back.) You uninstall IE7 by going to Add/Remove Programs. Tick 'Show updates'.
Another possibility is to try a search on the PC for anything with worldinpink and see whether it gives any hits.
SpySweeper may well be the reason you get the message that NIS is not the default phishing program. Spy Sweeper is, by the way, an excellent program.

jijiji (author) wrote on 15 November 2007

Now it actually opened Explorer all by itself on worldinpink.com while I was out on an errand. Annoying. I will try to uninstall IE 7.

jijiji (author) wrote on 15 November 2007

It comes in IE6 too. I was sitting writing an e-mail with IE6 open in the background on aftenposten.no. Suddenly aftenposten.no pops to the front, my e-mail ends up in the background, and after a few seconds it goes over to worldinpink.com.