Theecurtains, posted 14 August 2008 (edited)
Hello. In a weak moment the other day I managed the great feat of downloading a probably infected .srt file. The symptoms were popups in IE7. I run the full Norman package, which didn't react at all, but I downloaded another scanner, PCdoctor or similar, which found a Vundo virus, Virtumundo. THAT turns out to be rather hard to get rid of... I've done what's in the first post, but I'm struggling with two things: renaming HijackThis, and since I started working on getting the virus out, I can't get online with the browser any more either. But mail, updating SAS etc. work. I've taken the whole PC off the net after reading up on what it can do. Also, the PC starts hanging during some of the SAS runs. Another thing I can't manage is turning Norman off enough that it doesn't catch the ComboFix test file. I've been an eager user of the forum for years, but I couldn't log in with my old account. So I had to make a new one, since I couldn't get in touch with anyone either. Hope someone feels like having a go at this; posting the logs....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23:38, on 13.08.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE
C:\Program Files\Norman\Ngs\bin\NPROSEC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norman\npf\bin\npfsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE
C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\npf\bin\npfuser.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norman\Nvc\Bin\Nip.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Joachim\Desktop\Judas\jdas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Program Files\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Program Files\Norman\Ngs\bin\NPROSEC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Program Files\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8897 bytes

ComboFix 08-08-12.01 - Joachim 2008-08-14 8:48:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1443 [GMT 2:00]
Running from: C:\Morro\New Folder\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000014_.tmp.dll
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\actskn43.ocx
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NSESVC
-------\Service_nsesvc

((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.
2008-08-13 22:20 . 2008-08-14 07:47 <DIR> d--hs---- C:\RECYCLER(2)
2008-08-13 21:34 . 2008-08-13 21:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-13 21:34 . 2008-08-13 21:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-13 21:15 . 2008-08-13 21:15 <DIR> d-------- C:\Program Files\CCleaner
2008-08-13 20:55 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 20:47 . 2008-08-13 21:34 <DIR> d-------- C:\Documents and Settings\Joachim\Application Data\SUPERAntiSpyware.com
2008-08-13 20:47 . 2008-08-13 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-13 20:13 . 2008-08-13 20:13 <DIR> d-------- C:\VundoFix Backups
2008-08-13 20:11 . 2008-08-13 20:13 <DIR> d-------- C:\NormanVundoBackup
2008-08-13 10:21 . 2008-04-11 21:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-07-30 19:12 . 2008-07-30 19:14 <DIR> d-------- C:\Program Files\Avanquest update
2008-07-30 19:12 . 2008-07-30 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-30 19:11 . 2008-07-30 19:11 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-07-30 19:11 . 2008-07-30 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-07-22 01:18 . 2008-08-04 20:16 2,946 --a------ C:\WirelessDiagLog.csv
2008-07-21 20:50 . 2008-07-21 20:50 <DIR> d-------- C:\Program Files\DIFX
2008-07-21 20:50 . 2007-08-08 15:29 2,772,992 --a------ C:\WINDOWS\system32\NETw4r32.dll
2008-07-21 20:50 . 2008-03-13 03:25 2,530,176 --a------ C:\WINDOWS\system32\drivers\NETw4x32.sys
2008-07-21 20:50 . 2007-08-08 15:28 684,032 --a------ C:\WINDOWS\system32\NETw4c32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 06:52 --------- d-----w C:\Program Files\Norman
2008-08-13 20:50 --------- d-----w C:\Documents and Settings\Joachim\Application Data\OpenOffice.org2
2008-08-13 17:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-11 19:32 137,968 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-11 19:32 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-08-04 08:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-09 18:34 --------- d-----w C:\Documents and Settings\Joachim\Application Data\Skype
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 08:09 --------- d-----w C:\Program Files\EA GAMES
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 13:40 --------- d-----w C:\Program Files\Eidos
2008-06-19 12:53 --------- d-----w C:\Program Files\SEGA
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-16 09:28 212,024 ----a-w C:\WINDOWS\system32\nscrnsav.scr
2008-05-10 13:34 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051020080511\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Net4Switch"="C:\Program Files\ASUS\Net4Switch\Net4Switch.exe" [bU]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 02:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-08-23 07:22 110592]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 05:58 7581696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 05:58 86016]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-20 23:26 761945]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-14 17:46 90112]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-02 19:14 61440]
"Norman ZANDA"="C:\Program Files\Norman\Npm\Bin\ZLH.EXE" [2008-06-02 09:47 277616]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 00:38 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 00:32 696320]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2007-02-09 10:38 49520]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-16 17:48 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 02:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Logitech SetPoint.lnk - C:\Program Files\SetPoint\SetPoint.exe [2007-02-14 17:44:00 532480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F4976]
C:\WINDOWS\system32\__c00F4976.dat [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]
--a------ 2007-02-09 10:38 49520 C:\Program Files\ASUS\ASUS Live Update\ALU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATKMEDIA]
--a------ 2006-05-16 16:29 53248 C:\Program Files\ASUS\ATK Media\DMedia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerForPhone]
--a------ 2006-06-29 14:40 774144 C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-16 17:48 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Valve\Steam\Steam.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 NDIS_RD;Norman Firewall NDIS driver;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2008-02-07 13:12]
R1 NPROSEC;Norman Security driver;C:\Program Files\Norman\Ngs\bin\nprosec.sys [2008-04-15 15:57]
R1 TDI_RD;Norman Firewall TDI driver;C:\WINDOWS\system32\drivers\tdi_rd.sys [2008-02-07 13:12]
R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]
R2 NPFSvc32;Norman Personal Firewall Service;C:\Program Files\Norman\npf\bin\npfsvc32.exe [2008-05-06 09:16]
R2 NPROSECSVC;Norman Security service;C:\Program Files\Norman\Ngs\bin\NPROSEC.EXE [2008-04-22 09:36]
R2 NVOY;Norman's Very Own supplY of resources;C:\Program Files\Norman\npm\bin\nvoy.exe [2008-02-07 11:07]
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 15:56]
R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2008-04-30 13:28]
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE [2007-09-18 12:41]
R3 UsbFltr;Razer Copperhead Driver;C:\WINDOWS\system32\drivers\copperhd.sys [2005-11-02 11:54]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-07-25 13:52]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-07-25 13:53]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-07-25 13:53]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-07-25 13:54]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-07-25 13:51]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-07-25 13:54]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-07-25 13:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.startsiden.no/
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 08:53:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Norman\Npm\Bin\elogsvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\Program Files\Norman\Nvc\bin\Nip.exe
C:\PROGRA~1\Norman\Nvc\bin\CClaw.exe
C:\PROGRA~1\COMMON~1\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\ATK0100\ATKOSD.exe
.
**************************************************************************
.
Completion time: 2008-08-14 8:56:30 - machine was rebooted [Joachim]
ComboFix-quarantined-files.txt 2008-08-14 06:56:26
ComboFix2.txt 2008-08-13 20:12:23
ComboFix3.txt 2008-08-13 20:05:04

Pre-Run: 67,906,411,008 bytes free
Post-Run: 67,706,105,856 bytes free

207 --- E O F --- 2008-08-13 18:59:03

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/13/2008 at 09:54 PM

Application Version : 4.15.1000

Core Rules Database Version : 3535
Trace Rules Database Version: 1524

Scan type : Quick Scan
Total Scan Time : 00:05:44

Memory items scanned : 386
Memory threats detected : 0
Registry items scanned : 394
Registry threats detected : 0
File items scanned : 5128
File threats detected : 2

Thanks. Jokis.
Edited 21 August 2008 by jokis
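As an added example (not code from this thread or from any of the tools mentioned in it), here is a small Python triage script that parses HijackThis entries and the "Reg Loading Points" section of a ComboFix log and flags the kinds of indicators visible in the logs above: a Winlogon Notify handler that loads a .dat from system32 (the __c00F4976 entry), Security Center notifications and the Windows Firewall switched off, and services with no publisher string. The sample lines are copied from the logs posted above; the flagging rules are my own heuristics and are a starting point for review, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: four lines copied from the HijackThis log posted above.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Constructed sample input: key/value lines copied from the "Reg Loading Points"
# section of the first ComboFix log posted above.
COMBOFIX_REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F4976]
C:\WINDOWS\system32\__c00F4976.dat [bU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# HijackThis entries start with a section code (R0, O2, O4, O20, O23, ...).
HJT_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")
# A Windows path ending in a file extension; stops at whitespace, a quote or end of line.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.[A-Za-z0-9]{2,4}(?=$|\s|")')
# A Winlogon Notify handler is normally a DLL; a .dat dropped straight into system32
# (like __c00F4976.dat in the log above) is the pattern worth reviewing.
SUSPECT_NOTIFY = re.compile(r"\\system32\\[^\\]+\.dat$", re.IGNORECASE)
# Registry values, as ComboFix prints them, that switch off built-in protection.
DISABLED_PROTECTION = {
    '"AntiVirusDisableNotify"=dword:00000001': "Security Center antivirus alerts disabled",
    '"EnableFirewall"= 0 (0x0)': "Windows Firewall disabled for the standard profile",
}


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into entries: section code, description, last file path."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        code, detail = m.groups()
        paths = WIN_PATH.findall(detail)
        entries.append({"code": code, "detail": detail, "path": paths[-1] if paths else ""})
    return entries


def parse_combofix_reg(text: str) -> List[Tuple[str, str]]:
    """Pair each value line of ComboFix's REGEDIT4-style section with the key above it."""
    items: List[Tuple[str, str]] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            items.append((key, line))
    return items


def review(hjt_entries: List[Dict[str, str]],
           reg_items: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; 'review' means look it up, not 'malicious'."""
    findings = []
    for e in hjt_entries:
        if e["code"] == "O23" and "Unknown owner" in e["detail"]:
            findings.append(("review", f"service without a publisher string: {e['path']}"))
        if e["code"] == "O20" and SUSPECT_NOTIFY.search(e["path"]):
            findings.append(("high", f"Winlogon Notify handler is a .dat in system32: {e['path']}"))
    for key, value in reg_items:
        if "\\winlogon\\notify\\" in key.lower():
            paths = WIN_PATH.findall(value)
            if paths and SUSPECT_NOTIFY.search(paths[-1]):
                findings.append(("high", f"Winlogon Notify handler is a .dat in system32: {paths[-1]}"))
        if value in DISABLED_PROTECTION:
            findings.append(("medium", DISABLED_PROTECTION[value]))
    return findings


if __name__ == "__main__":
    for severity, msg in review(parse_hjt(HJT_SAMPLE), parse_combofix_reg(COMBOFIX_REG_SAMPLE)):
        print(f"[{severity}] {msg}")
```

Point the two parsers at a full log (the HijackThis one is line-oriented, the ComboFix one only needs the REGEDIT4 section) and the "high" finding is exactly the __c00F4976 entry a helper would ask about first.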
r2d290, posted 14 August 2008
You didn't include the bottom part of the SAS log. Is that because it was only tracking cookies?
Theecurtains (thread author), posted 14 August 2008
> You didn't include the bottom part of the SAS log. Is that because it was only tracking cookies?
Yes, it looked that way. I'll run it again and see.
Theecurtains (thread author), posted 14 August 2008
Adware.Tracking Cookie
C:\Documents and Settings\Joachim\Cookies\joachim@directtrack[1].txt
C:\Documents and Settings\Joachim\Cookies\[email protected][2].txt
...the last bit.
r2d290, posted 14 August 2008
The folders that were created yesterday, C:\NormanVundoBackup and C:\VundoFix Backups, do you know anything about those?
Theecurtains (thread author), posted 14 August 2008
..oh yes. Forgot about that, I'm starting to get tired....been at it for a while. Tried two removers yesterday, Norman's and another one, without much luck.
r2d290, posted 14 August 2008
ComboFix removed a number of files. Beyond that I don't see anything wrong in the log. Are you still noticing problems?
Theecurtains (thread author), posted 14 August 2008
..just want to say it's nice of you to take the time. The problems I have now are that IE doesn't work, I get the "cannot display the page" message. But I can update Norman and use Outlook. If I try to update SAS now (I did yesterday, that is), the whole PC hangs. The other machines on the network work fine; I'm sitting at an old laptop here now, using IE.
r2d290, posted 14 August 2008
You can wait and see if anyone else has any ideas on what can be done...
Theecurtains (thread author), posted 14 August 2008
...after updating Norman just now, it actually finds 4 infections. 2 in Qoobox, which I assume are the ones CF pulled out, plus 2 that look like they're in the restore folder.
C:\System Volume Information\_RESTO~1\RP2\A0000004.exe
C:\System Volume Information\_RESTO~1\RP5\A0002236.exe
It says all four removed. ...so is it starting to help?
r2d290, posted 14 August 2008
> ...so is it starting to help?
That's really something you'll have to answer. Are you still noticing problems?
Theecurtains (thread author), posted 14 August 2008 (edited)
...the only thing is that no matter what I try, I can't browse. The rest of the net services work, like mail, updates and MSN. ...and that was sort of where the problems were. I'll see if I can uninstall IE7, put it on an external disk, and reinstall. ...or is this a good time to switch browsers? I usually use Revo Uninstaller for this kind of thing. Is that okay?
Jokis
Edited 14 August 2008 by jokis
r2d290, posted 14 August 2008
I have no experience with Revo Uninstaller, so I can't answer that. But switching browsers is definitely not a bad idea. I recommend Firefox, but Opera is good too (you'll have to try them and see which you like best). That said, IE should work even if you choose not to use it. But see if you can reinstall it, and whether that helps.
norbat, posted 14 August 2008
Not being able to get online with the browser could be because the firewall is blocking it, or because the winsock file is corrupt.
Firewall: temporarily turn off the firewall (in Norman?) and check the browser.
Winsock: in the Run box (Start -> Run), type:
netsh winsock reset
Restart the PC after you've entered the command above.
Theecurtains (thread author), posted 14 August 2008
...YYYeeeeeessssss!!! It was nothing worse than all the rules having been configured strict as h... by one or other of the things I used today!! You go blind to it fast!! Thanks a lot for the help!!!
r2d290, posted 14 August 2008 (edited)
(thanks, norbat)
So everything should be in order now?
If you think the problem with your machine is solved, you can change your topic title by clicking edit in your first post and choosing full edit. At the top, where your topic title is, write [LØST] (solved) in front of the title. E.g.: [LØST] Got a virus on the machine
This helps keep the forum tidier for the supporters, and new people who get the same problem will more easily find a suitable thread to look in.
-Surf safely-
Edited 14 August 2008 by r2d290
Theecurtains (thread author), posted 18 August 2008
...the wixawin popups came back, damn it. After we fixed it the other day it took about 12 hours, then they were there again. In that time I've only browsed very ordinary Norwegian sites. I repeated the procedure of running the various programs, and then it was gone for about 12 hours again. This morning a popup came up with some game and a fake virus scanner that wanted me to download some exe files. Of course. I've only run Norman now; it finds nothing. ...what now?
Jokis
norbat, posted 18 August 2008
Download a fresh ComboFix and post the log.
Theecurtains (thread author), posted 18 August 2008
Here's the ComboFix log. Norman reacts to the EICAR file when I run it...and I ran SAS beforehand.

ComboFix 08-08-17.03 - Joachim 2008-08-18 14:53:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1464 [GMT 2:00]
Running from: C:\Documents and Settings\Joachim\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Joachim\Cookies\joachim@experts-exchange[1].txt
C:\Documents and Settings\Joachim\UserData
C:\Documents and Settings\Joachim\UserData\index.dat
C:\Documents and Settings\Joachim\UserData\QTN9TCO4\oWindowsUpdate[1].xml
C:\Documents and Settings\Joachim\UserData\VWK2W3TP\oWindowsUpdate[1].xml
C:\Documents and Settings\LocalService\UserData
C:\Documents and Settings\LocalService\UserData\index.dat
C:\WINDOWS\system32\__c00BFB7A.dat
C:\WINDOWS\system32\~.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-17 13:09 . 2008-08-17 13:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 22:51 . 2008-08-14 22:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-14 21:31 . 2008-08-14 21:31 <DIR> d-------- C:\Program Files\Opera
2008-08-14 18:12 . 2008-08-14 18:12 <DIR> d-------- C:\Program Files\Svupp
2008-08-13 22:20 . 2008-08-14 07:47 <DIR> d--hs---- C:\RECYCLER(2)
2008-08-13 21:34 . 2008-08-14 22:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-13 21:15 . 2008-08-13 21:15 <DIR> d-------- C:\Program Files\CCleaner
2008-08-13 20:55 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 20:47 . 2008-08-14 22:51 <DIR> d-------- C:\Documents and Settings\Joachim\Application Data\SUPERAntiSpyware.com
2008-08-13 20:47 . 2008-08-13 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-13 20:11 . 2008-08-13 20:13 <DIR> d-------- C:\NormanVundoBackup
2008-08-13 10:21 . 2008-04-11 21:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-07-30 19:12 . 2008-07-30 19:14 <DIR> d-------- C:\Program Files\Avanquest update
2008-07-30 19:12 . 2008-07-30 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-30 19:11 . 2008-07-30 19:11 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-07-30 19:11 . 2008-07-30 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-07-22 01:18 . 2008-08-04 20:16 2,946 --a------ C:\WirelessDiagLog.csv
2008-07-21 20:50 . 2008-07-21 20:50 <DIR> d-------- C:\Program Files\DIFX
2008-07-21 20:50 . 2007-08-08 15:29 2,772,992 --a------ C:\WINDOWS\system32\NETw4r32.dll
2008-07-21 20:50 . 2008-03-13 03:25 2,530,176 --a------ C:\WINDOWS\system32\drivers\NETw4x32.sys
2008-07-21 20:50 . 2007-08-08 15:28 684,032 --a------ C:\WINDOWS\system32\NETw4c32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 12:57 --------- d-----w C:\Program Files\Norman
2008-08-17 21:03 137,968 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-17 21:03 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-08-17 10:52 --------- d-----w C:\Program Files\Java
2008-08-17 10:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-13 20:50 --------- d-----w C:\Documents and Settings\Joachim\Application Data\OpenOffice.org2
2008-08-13 17:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-09 18:34 --------- d-----w C:\Documents and Settings\Joachim\Application Data\Skype
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 08:09 --------- d-----w C:\Program Files\EA GAMES
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 13:40 --------- d-----w C:\Program Files\Eidos
2008-06-19 12:53 --------- d-----w C:\Program Files\SEGA
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-10 13:34 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051020080511\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 02:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-08-23 07:22 110592]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 05:58 7581696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 05:58 86016]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-20 23:26 761945]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-14 17:46 90112]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-02 19:14 61440]
"Norman ZANDA"="C:\Program Files\Norman\Npm\Bin\ZLH.EXE" [2008-06-02 09:47 277616]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 00:38 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 00:32 696320]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2007-02-09 10:38 49520]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-16 17:48 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 02:12 15360] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696] Logitech SetPoint.lnk - C:\Program Files\SetPoint\SetPoint.exe [2007-02-14 17:44:00 532480] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.ffds"= ffdshow.ax [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update] --a------ 2007-02-09 10:38 49520 C:\Program Files\ASUS\ASUS Live Update\ALU.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATKMEDIA] --a------ 2006-05-16 16:29 53248 C:\Program Files\ASUS\ATK Media\DMedia.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerForPhone] --a------ 2006-06-29 14:40 774144 C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-09-16 17:48 286720 C:\Program 
Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 NDIS_RD;Norman Firewall NDIS driver;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2008-02-07 13:12] R1 NPROSEC;Norman Security driver;C:\Program Files\Norman\Ngs\bin\nprosec.sys [2008-04-15 15:57] R1 TDI_RD;Norman Firewall TDI driver;C:\WINDOWS\system32\drivers\tdi_rd.sys [2008-02-07 13:12] R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55] R2 NPFSvc32;Norman Personal Firewall Service;C:\Program Files\Norman\npf\bin\npfsvc32.exe [2008-05-06 09:16] R2 NPROSECSVC;Norman Security service;C:\Program Files\Norman\Ngs\bin\NPROSEC.EXE [2008-04-22 09:36] R2 NVOY;Norman's Very Own supplY of resources;C:\Program Files\Norman\npm\bin\nvoy.exe [2008-02-07 11:07] R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 15:56] R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2008-04-30 13:28] R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE [2007-09-18 12:41] R3 UsbFltr;Razer Copperhead Driver;C:\WINDOWS\system32\drivers\copperhd.sys [2005-11-02 11:54] S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-07-25 
13:52] S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-07-25 13:53] S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-07-25 13:53] S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-07-25 13:54] S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-07-25 13:51] S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-07-25 13:54] S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-07-25 13:51] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - D:\Autorun.exe . - - - - ORPHANS REMOVED - - - - HKCU-Run-Net4Switch - C:\Program Files\ASUS\Net4Switch\Net4Switch.exe Notify-__c00BFB7A - C:\WINDOWS\system32\__c00BFB7A.dat Notify-__c00F4976 - C:\WINDOWS\system32\__c00F4976.dat MSConfigStartUp-SMSERIAL - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe MSConfigStartUp-Steam - C:\Program Files\Valve\Steam\Steam.exe . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://www.startsiden.no/ ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-18 14:58:21 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\system32\drivers\mchInjDrv.sys scan completed successfully hidden files: 1 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . 
C:\Program Files\Norman\Npm\Bin\elogsvc.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe C:\Program Files\Norman\Npm\Bin\Zanda.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Norman\Npm\Bin\Njeeves.exe C:\PROGRA~1\SYNAPT~1\SynTP\SynTPEnh.exe C:\PROGRA~1\ASUS\POWER4~1\BATTER~1.EXE C:\PROGRA~1\Norman\Npm\Bin\Zlh.exe C:\PROGRA~1\Intel\Wireless\Bin\ZCfgSvc.exe C:\PROGRA~1\Intel\Wireless\Bin\iFrmewrk.exe C:\Program Files\Norman\Nvc\bin\Nip.exe C:\PROGRA~1\Norman\Nvc\bin\CClaw.exe C:\Program Files\Norman\npf\bin\npfuser.exe C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE C:\WINDOWS\ATK0100\ATKOSD.exe C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe . ************************************************************************** . Completion time: 2008-08-18 15:01:59 - machine was rebooted ComboFix-quarantined-files.txt 2008-08-18 13:01:52 ComboFix2.txt 2008-08-17 11:04:37 Pre-Run: 69,240,477,696 bytes free Post-Run: 69,297,020,928 bytes free 213 --- E O F --- 2008-08-14 19:22:34 Lenke til kommentar
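A log like the one above is mostly noise; what a responder reads first is the short list of things ComboFix and its bundled catchme scan flagged: the files it deleted, the orphaned autostart entries (here two Winlogon Notify packages pointing at `.dat` files in system32, which is not what a Notify package normally looks like), the hidden driver catchme found, the Security Center and Windows Firewall settings that are switched off, and the AutoRun command registered for a drive letter. The following is an added example, not code from the forum post or from ComboFix: a one-pass triage that pulls those items out of the text. The section markers and line shapes it looks for are assumptions taken from the log as posted, and the sample input is a constructed cut-down of lines copied from it. Two caveats that the code states as comments: a third-party suite (Norman here) can legitimately set the Security Center notification flags, so those are review items rather than verdicts, and a file reported hidden by catchme still needs to be verified by hand before anything is deleted.

```python
# Added example (not from the post, not ComboFix's own code): one-pass triage of a
# ComboFix log. Section markers and line shapes below are assumptions taken from the
# log as posted; the parser does not know the real ComboFix format beyond that.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a cut-down set of lines copied from the posted log.
SAMPLE_LOG = r"""
((((( Other Deletions )))))
.
C:\WINDOWS\system32\__c00BFB7A.dat
C:\WINDOWS\system32\~.exe
.
((((( Reg Loading Points )))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Net4Switch - C:\Program Files\ASUS\Net4Switch\Net4Switch.exe
Notify-__c00BFB7A - C:\WINDOWS\system32\__c00BFB7A.dat
Notify-__c00F4976 - C:\WINDOWS\system32\__c00F4976.dat
MSConfigStartUp-Steam - C:\Program Files\Valve\Steam\Steam.exe
.
------- Supplementary Scan -------
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden files ...
C:\WINDOWS\system32\drivers\mchInjDrv.sys
scan completed successfully
hidden files: 1
"""

# (marker text, section it opens); None closes the current section.
MARKERS = [("Other Deletions", "deletions"), ("Reg Loading Points", "reg"),
           ("ORPHANS REMOVED", "orphans"), ("Supplementary Scan", None),
           ("scanning hidden files", "hidden"), ("scan completed", None)]
ORPHAN_RE = re.compile(r"^([A-Za-z]+(?:-Run)?)-(.+?) - (.+)$")   # e.g. Notify-__c00BFB7A - C:\...
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.+)$')
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Security Center values that silence its warnings when set to 1. A third-party
# suite can set these legitimately, so they are review items, not verdicts.
SECURITY_CENTER_FLAGS = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}


@dataclass
class Findings:
    deletions: list[str] = field(default_factory=list)          # files ComboFix removed
    orphans: list[tuple[str, str, str]] = field(default_factory=list)  # (kind, name, target)
    suspicious_notify: list[str] = field(default_factory=list)  # Winlogon Notify targets that are not .dll
    hidden_files: list[str] = field(default_factory=list)       # catchme hits; verify by hand before acting
    tampered_settings: list[str] = field(default_factory=list)  # Security Center / firewall switched off
    autorun_mounts: list[str] = field(default_factory=list)     # MountPoints2 AutoRun commands


def triage(log_text: str) -> Findings:
    # Walk the log once, tracking the current section, and collect the indicators.
    f = Findings()
    section = None
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        hit = [sec for text, sec in MARKERS if text in line]
        if hit:
            section = hit[0]
            continue
        if section == "deletions" and PATH_RE.match(line):
            f.deletions.append(line)
        elif section == "reg":
            key = REG_KEY_RE.match(line)
            value = REG_VALUE_RE.match(line)
            if key:
                current_key = key.group(1).lower()
            elif value:
                name, data = value.groups()
                disabled = ("security center" in current_key and name.lower() in SECURITY_CENTER_FLAGS
                            and data.endswith("00000001")) or (
                            "firewallpolicy" in current_key and name.lower() == "enablefirewall"
                            and data.startswith("0"))
                if disabled:
                    f.tampered_settings.append(f"{name}={data} ({current_key})")
            elif "mountpoints2" in current_key and r"\Shell\AutoRun\command - " in line:
                # AutoRun handler bound to a drive letter: the removable-media spread vector.
                f.autorun_mounts.append(line.split(" - ", 1)[1])
        elif section == "orphans":
            m = ORPHAN_RE.match(line)
            if m:
                kind, name, target = m.groups()
                f.orphans.append((kind, name, target))
                # Winlogon Notify packages are DLLs; a .dat or other extension deserves a look.
                if kind == "Notify" and not target.lower().endswith(".dll"):
                    f.suspicious_notify.append(target)
        elif section == "hidden" and PATH_RE.match(line):
            f.hidden_files.append(line)
    return f


if __name__ == "__main__":
    for name, items in vars(triage(SAMPLE_LOG)).items():
        print(name, items)
```

Run against the sample it lists the hidden driver, the two `.dat` Notify targets, the two disabled settings, the `D:\Autorun.exe` handler, the four orphans and the two deletions. Feeding it the full log from the post instead of the sample is a matter of reading the file into `triage()`; the unflagged lines (the Find3M report, the running-process list, the Norman service entries) fall through untouched.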