krok1 - posted 26 August 2008

I've had trouble with quite a few pop-ups etc., but hope most of it has now been cleared away..? I do need help reading the logs, though:

MBAM log:

Malwarebytes' Anti-Malware 1.25
Database version: 1088
Windows 5.1.2600 Service Pack 3

21:46:16 26.08.2008
mbam-log-08-26-2008 (21-46-16).txt

Scan type: Quick Scan
Objects scanned: 47732
Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix log:

For information: Norman AV pops up with a trojan detection when I remove ComboFix (...ComboFix /u...). The location is given as c:combofix\rehide.reg and the trojan is supposedly of the type REG/Small.A - is that as expected?

ComboFix 08-08-25.01 - Christian 2008-08-26 21:49:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1044.18.650 [GMT 2:00]
Running from: C:\Documents and Settings\Christian\Skrivebord\ComboFix.exe
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2008-07-26 to 2008-08-26   )))))))))))))))))))))))))))))))
.

2008-08-26 21:30 . 2008-08-26 21:30   <DIR>   dr-h-----   C:\Documents and Settings\Christian\Siste
2008-08-26 18:20 . 2008-08-26 18:20   <DIR>   d--------   C:\Programfiler\Trend Micro
2008-08-26 18:11 . 2008-08-26 18:11   <DIR>   d--------   C:\Programfiler\CCleaner
2008-08-26 10:38 . 2008-08-26 10:38   <DIR>   d--------   C:\Programfiler\SUPERAntiSpyware
2008-08-26 10:38 . 2008-08-26 10:38   <DIR>   d--------   C:\Documents and Settings\Christian\Programdata\SUPERAntiSpyware.com
2008-08-26 10:38 . 2008-08-26 10:38   <DIR>   d--------   C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-08-26 10:37 . 2008-08-26 10:37   <DIR>   d--------   C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-08-26 09:48 . 2008-08-26 09:48   <DIR>   d--------   C:\Programfiler\Enigma Software Group
2008-08-26 09:21 . 2008-08-26 09:21   <DIR>   d--------   C:\Documents and Settings\Christian\Programdata\Malwarebytes
2008-08-26 09:20 . 2008-08-26 09:35   <DIR>   d--------   C:\Programfiler\Malwarebytes' Anti-Malware
2008-08-26 09:20 . 2008-08-26 09:20   <DIR>   d--------   C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-08-26 09:20 . 2008-08-17 15:01   38,472   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-08-26 09:20 . 2008-08-17 15:01   17,144   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-08-24 21:38 . 2008-08-24 21:38   <DIR>   d--h-----   C:\WINDOWS\SYSTEM32\WLANProfiles
2008-08-24 21:38 . 2008-08-24 21:38   <DIR>   d--h-----   C:\Settings
2008-08-24 21:38 . 2008-08-24 21:38   516   --a------   C:\Settings.ini
2008-08-21 20:25 . 2008-08-21 20:47   <DIR>   d-a------   C:\Documents and Settings\All Users\Programdata\TEMP
2008-08-19 18:43 . 2008-08-19 18:43   164   --a------   C:\install.dat
2008-08-18 22:19 . 2008-08-18 22:19   0   --a------   C:\WINDOWS\nsreg.dat
2008-08-14 02:19 . 2008-05-01 16:38   331,776   ---------   C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-14 02:18 . 2008-04-11 21:06   691,712   ---------   C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2008-08-13 23:50 . 2008-08-13 23:50   <DIR>   d--------   C:\WINDOWS\SYSTEM32\no
2008-08-13 23:50 . 2008-08-13 23:50   <DIR>   d--------   C:\WINDOWS\SYSTEM32\bits
2008-08-13 23:50 . 2008-08-13 23:50   <DIR>   d--------   C:\WINDOWS\l2schemas
2008-08-13 23:46 . 2008-08-13 23:50   <DIR>   d--------   C:\WINDOWS\ServicePackFiles
2008-08-13 23:33 . 2008-08-13 23:33   <DIR>   d--------   C:\WINDOWS\EHome
2008-08-13 23:15 . 2004-08-04 00:54   701,440   ---------   C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 14:52   ---------   d-----w   C:\Programfiler\Norman
2008-08-18 20:00   ---------   d-----w   C:\Programfiler\Java
2008-07-07 20:29   253,952   ----a-w   C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:29   253,952   ------w   C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:46   74,240   ----a-w   C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:46   74,240   ------w   C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 08:57   3,592,192   ----a-w   C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:23   625,664   ------w   C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:22   70,656   ------w   C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20   13,824   ------w   C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23   161,792   ------w   C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:49   246,784   ----a-w   C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:49   246,784   ------w   C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:49   147,968   ------w   C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 11:51   361,600   ------w   C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 11:40   138,496   ------w   C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 11:08   225,856   ------w   C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-14 17:36   272,256   ------w   C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2006-05-26 11:57   46,144   -c--a-w   C:\Documents and Settings\Christian\Programdata\GDIPFONTCACHEV1.DAT
2006-03-16 20:09   46,144   -c--a-w   C:\Documents and Settings\Christine\Programdata\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 18:22 15360]
"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2008-04-14 18:23 1695232]
"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-05 15:51 68856]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 23:34 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Programfiler\Apoint\Apoint.exe" [2004-09-13 13:33 155648]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IntelWireless"="C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
"Dell QuickSet"="C:\Programfiler\Dell\QuickSet\quickset.exe" [2004-10-07 21:44 610304]
"DVDLauncher"="C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 18:54 57344]
"UpdateManager"="C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
"DMXLauncher"="C:\Programfiler\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 03:01 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035]
"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2005-03-10 20:24 180269]
"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2004-12-18 01:20 278528]
"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"TomTomHOME.exe"="C:\Programfiler\TomTom HOME\TomTomHOME.exe" [2007-03-14 16:52 3770024]
"Norman ZANDA"="C:\Programfiler\Norman\Npm\Bin\ZLH.EXE" [2008-06-02 09:47 277616]
"NPCTray"="C:\Programfiler\Norman\npc\bin\npc_tray.exe" [2007-09-17 15:29 126008]
"SpyHunter Security Suite"="C:\Programfiler\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-06-19 16:48 851968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 18:22 15360]
"DWQueuedReporting"="C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 06:53 34880]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Cisco Systems VPN Client.lnk - C:\Programfiler\Cisco Systems\VPN Client\vpngui.exe [2008-06-10 11:37:37 1466384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 18:08 110592 C:\Programfiler\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= miroDV2avi.DLL
"VIDC.PIM1"= pclepim1.dll
"VIDC.I420"= vdrcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=

R2 Ndiskio;Ndiskio;C:\Programfiler\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]
R2 NVOY;Norman's Very Own supplY of resources;C:\Programfiler\Norman\npm\bin\nvoy.exe [2008-02-07 11:07]
R3 NPC;Norman Parental Control;C:\Programfiler\Norman\npc\bin\npcsvc32.exe [2008-04-17 13:38]
R3 NUAA;Norman User Activity Agent;C:\Programfiler\Norman\npc\bin\nuaa.exe [2008-04-30 12:42]
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 15:56]
R3 nvcoas;Norman Virus Control on-access component;C:\Programfiler\Norman\Nvc\bin\nvcoas.exe [2008-04-30 13:28]
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE [2007-09-18 12:41]
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;D:\PNDIS5.SYS []

.
Contents of the 'Scheduled Tasks' folder

2008-08-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]

2008-08-26 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Programfiler\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Christian\Programdata\Mozilla\Firefox\Profiles\vgqb2isa.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.nettavisen.no/
FF -: plugin - C:\Programfiler\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Programfiler\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 21:53:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-26 21:54:29
ComboFix-quarantined-files.txt   2008-08-26 19:54:24
ComboFix2.txt   2008-08-26 15:29:01

Pre-Run: 17,852,497,920 bytes free
Post-Run: 17,842,720,768 bytes free

157 --- E O F --- 2008-08-22 21:11:20

After MBAM and ComboFix, HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:59:33, on 26.08.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programfiler\Norman\Npm\Bin\Elogsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe
C:\Programfiler\Norman\Npm\Bin\Zanda.exe
C:\Programfiler\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE
C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE
C:\Programfiler\Norman\npc\bin\npcsvc32.exe
C:\WINDOWS\System32\alg.exe
C:\Programfiler\Norman\npc\bin\nuaa.exe
C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
C:\Programfiler\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programfiler\Apoint\Apoint.exe
C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe
C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programfiler\Dell\QuickSet\quickset.exe
C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe
C:\Programfiler\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\Programfiler\QuickTime\QTTask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\TomTom HOME\TomTomHOME.exe
C:\Programfiler\Norman\Npm\Bin\ZLH.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\Norman\Nvc\Bin\Nip.exe
C:\Programfiler\Norman\Nvc\Bin\cclaw.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Christian\Skrivebord\Virusscan\test.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.nettavisen.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programfiler\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] "C:\Programfiler\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programfiler\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [updateManager] "C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] "C:\Programfiler\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Programfiler\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Programfiler\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NPCTray] "C:\Programfiler\Norman\npc\bin\npc_tray.exe" /LOAD
O4 - HKLM\..\Run: [spyHunter Security Suite] C:\Programfiler\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programfiler\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://ssl.extrafilm.org/upload/activex/ImageUploader3.cab
O16 - DPF: {A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98} (Image Uploader) - http://www.extrafilm.no/ImageUploader4.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Elogsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Programfiler\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Programfiler\Norman\npc\bin\npcsvc32.exe
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Programfiler\Norman\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Programfiler\Norman\npm\bin\nvoy.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9442 bytes

Grateful for any help!
r2d290 - posted 28 August 2008

Bumping this so it doesn't get forgotten.
krok1 Skrevet 28. august 2008 Forfatter Del Skrevet 28. august 2008 (endret) Har sett på en annen PC også - med en del snags.. Setter pris på om også disse loggene kan kikkes på: MBAM-logg: Klikk for å se/fjerne innholdet nedenfor Malwarebytes' Anti-Malware 1.25Database versjon: 1092 Windows 5.1.2600 Service Pack 2 21:21:28 28.07.2008 mbam-log-07-28-2008 (21-21-28).txt Skanntype: Rask Skann Objekter skannet: 49628 Tid tilbakelagt: 5 minute(s), 27 second(s) Minneprosesser infisert: 0 Minnemoduler infisert: 1 Registernøkler infisert: 2 Registerverdier infisert: 3 Registerfiler infisert: 0 Mapper infisert: 1 Filer infisert: 1 Minneprosesser infisert: (Ingen mistenkelige filer funnet) Minnemoduler infisert: C:\WINDOWS\system32\__c00A6258.dat (Trojan.Zlob) -> Delete on reboot. Registernøkler infisert: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00a5ecc (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00a6258 (Trojan.Vundo) -> Delete on reboot. Registerverdier infisert: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f388859.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f2d92f.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f5799c.exe (Trojan.Agent) -> Quarantined and deleted successfully. Registerfiler infisert: (Ingen mistenkelige filer funnet) Mapper infisert: C:\Program Files\VirusRemover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully. Filer infisert: C:\WINDOWS\system32\__c00A6258.dat (Trojan.Vundo) -> Delete on reboot. 
ComboFix-logg: Klikk for å se/fjerne innholdet nedenfor ComboFix 08-08-27.06 - xxxxx xxxxxxx 2008-08-28 21:32:29.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502 [GMT 2:00] Running from: C:\Documents and Settings\xxxxxxx xxxxxxx\Desktop\ComboFix.exe * Created a new restore point * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML C:\WINDOWS\system32\_000005_.tmp.dll C:\WINDOWS\system32\_000006_.tmp.dll C:\WINDOWS\system32\_000007_.tmp.dll C:\WINDOWS\system32\_000008_.tmp.dll C:\WINDOWS\system32\_000009_.tmp.dll C:\WINDOWS\system32\_000010_.tmp.dll C:\WINDOWS\system32\_000011_.tmp.dll C:\WINDOWS\system32\_000012_.tmp.dll C:\xcrashdump.dat . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NSESVC -------\Service_nsesvc ((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 ))))))))))))))))))))))))))))))) . 2008-08-20 14:35 . 2008-08-20 14:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak 2008-08-13 10:19 . 2008-05-01 16:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll 2008-07-28 20:24 . 2008-07-28 20:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-07-28 20:24 . 2008-07-28 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-07-28 20:23 . 2008-07-28 20:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-07-28 20:18 . 2008-07-28 20:18 <DIR> d-------- C:\Program Files\CCleaner 2008-07-28 20:16 . 
2008-07-28 20:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-07-28 20:16 . 2008-07-28 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-07-28 20:16 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-07-28 20:16 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-07-28 19:49 . 2008-07-28 19:49 0 --a------ C:\WINDOWS\nsreg.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-28 19:36 --------- d-----w C:\Program Files\Norman 2008-08-10 18:42 304,182 ----a-w C:\StiImg.dat 2008-07-07 20:06 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-07-07 16:03 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-07-07 16:02 --------- d-----w C:\Program Files\Vimicro 2008-07-07 16:02 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-23 16:12 667,136 ----a-w C:\WINDOWS\system32\wininet.dll 2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll 2006-10-03 01:43 2,402,550 ----a-w C:\WINDOWS\inf\SET517.tmp 2004-08-10 12:00 1,431,144 ----a-w C:\WINDOWS\inf\SET58A.tmp . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-12 12:57 65536] "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184] "ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2008-08-22 19:26 1234160] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 23:34 1576176] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 01:02 761948] "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 14:47 356352] "Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 14:11 73728] "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA zoom\SmoothView.exe" [2005-05-12 14:39 118784] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 06:20 122940] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 01:38 802816] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 01:32 696320] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-12 15:09 385024] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048] "Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 03:10 409600] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "Norman ZANDA"="C:\Program Files\Norman\Npm\Bin\ZLH.EXE" [2008-06-02 09:47 277616] "NPCTray"="C:\Program 
Files\Norman\npc\bin\npc_tray.exe" [2007-09-17 14:29 126008]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 15:59 16206848 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 16:50 88204 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-08-04 11:45 266240 C:\WINDOWS\system32\TPSMain.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 14:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]
PC-søk i Windows.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 23:44:08 257752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 14:11 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R0 NDIS_RD;Norman Firewall NDIS driver;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2008-02-07 13:12]
R1 NPROSEC;Norman Security driver;C:\Program Files\Norman\Ngs\bin\nprosec.sys [2008-04-15 15:57]
R1 TDI_RD;Norman Firewall TDI driver;C:\WINDOWS\system32\drivers\TDI_RD.SYS [2008-02-07 13:12]
R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]
R2 NPFSvc32;Norman Personal Firewall Service;C:\Program Files\Norman\npf\bin\npfsvc32.exe [2008-05-06 09:16]
R2 NPROSECSVC;Norman Security service;C:\Program Files\Norman\Ngs\bin\NPROSEC.EXE [2008-04-22 09:36]
R2 NVOY;Norman's Very Own supplY of resources;C:\Program Files\Norman\npm\bin\nvoy.exe [2008-02-07 11:07]
R3 NPC;Norman Parental Control;C:\Program Files\Norman\npc\bin\npcsvc32.exe [2008-04-17 13:38]
R3 NUAA;Norman User Activity Agent;C:\Program Files\Norman\npc\bin\nuaa.exe [2008-04-30 12:42]
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 14:56]
R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2008-04-30 13:28]
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE [2007-09-18 11:41]
R3 X10Hid;X10 Hid Device;C:\WINDOWS\system32\Drivers\x10hid.sys [2005-11-28 11:45]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);C:\WINDOWS\system32\DRIVERS\se46bus.sys [2006-11-30 16:11]

.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\xxxxxxx xxxxxxxx\Application Data\Mozilla\Firefox\Profiles\urm7o81a.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 21:37:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Norman\Npm\Bin\elogsvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\COMMON~1\X10\Common\X10nets.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\Program Files\Norman\Npf\Bin\npfuser.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Norman\nvc\bin\Nip.exe
C:\Program Files\Norman\nvc\bin\CClaw.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-28 21:42:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-28 19:41:52

Pre-Run: 45,105,680,384 bytes free
Post-Run: 44,912,640,000 bytes free

177 --- E O F --- 2008-08-18 22:07:43

HJT log after MBAM and ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:48:42, on 28.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
C:\Program Files\Norman\Ngs\bin\NPROSEC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE
C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
C:\Program Files\Norman\npc\bin\npcsvc32.exe
C:\Program Files\Norman\npc\bin\nuaa.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\npf\bin\npfuser.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA zoom\SmoothView.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\Norman\Nvc\Bin\Nip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\xxxxxx xxxxxxx\Desktop\Virusscan\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA zoom\SmoothView.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NPCTray] C:\Program Files\Norman\npc\bin\npc_tray.exe /LOAD
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC-søk i Windows.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\program files\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\program files\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\program files\norman\npc\bin\nlf.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Program Files\Norman\npc\bin\npcsvc32.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Program Files\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Program Files\Norman\Ngs\bin\NPROSEC.EXE
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Program Files\Norman\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Program Files\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

-- End of file - 11479 bytes

Thanks again for the help!

Edited 28 August 2008 by krok1
r2d290 Posted 28 August 2008 (edited)

The logs for PC1 look clean. Try disabling Norman when you uninstall ComboFix. I have not heard of this problem before... Note whether that file disappears after you have uninstalled ComboFix (with Norman disabled). Report back on how this machine is working, and we will wrap up after that.

Edited 28 August 2008 by r2d290
r2d290 Posted 28 August 2008

Machine 2 has had a Vundo infection. You can read more about this infection here: https://www.diskusjon.no/index.php?showtopic=998167

It looks like the programs removed the infection. Update Flash (link in the guide above).

Change the extensions of these files by appending ".bak" to the end of the file name:

C:\WINDOWS\inf\SET517.tmp -> C:\WINDOWS\inf\SET517.tmp.bak
C:\WINDOWS\inf\SET58A.tmp -> C:\WINDOWS\inf\SET58A.tmp.bak

If you do not notice any new problems after renaming these files, you can delete the two files in a week.

Do you notice any further problems? If not, do the following:

You should update Java. It is important to use the latest version of Java, since earlier versions can contain security holes that increase the likelihood of getting infected again. It looks like your version of Java is outdated.

Updating Java:

1. Click the following link and download the latest version of Java: http://java.com/en/download/index.jsp
2. Go to Start > Control Panel > Add/Remove Programs.
3. Search the list for all earlier versions of Java (JRE, J2SE Runtime, J2RE etc.). All of these versions should have this icon in front of them: Select every one you find and click Remove.
4. Then install the Java version you downloaded at the start.

Tell me how the update went, since problems with updating can indicate more malware on your system. Also tell me how the machine is working.
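A scripted version of the two housekeeping steps in the post above, added here as an example; it is not from the thread and not r2d290's own procedure. It renames the listed files to .bak while writing a manifest with their SHA-256 hashes, sizes and timestamps, so the step can be reversed if something breaks or finalised after the observation period, and it lists the Java runtimes registered in Add/Remove Programs so old versions can be spotted before the new one goes on. The manifest path C:\cleanup-manifest.csv and the function names are assumptions; it assumes an elevated PowerShell 2.0 or later prompt.

```powershell
# Added example, not code from the thread. Assumes PowerShell 2.0 or later in an
# elevated prompt; $Manifest is an assumed location, change it as needed.
$Targets  = @('C:\WINDOWS\inf\SET517.tmp', 'C:\WINDOWS\inf\SET58A.tmp')
$Manifest = 'C:\cleanup-manifest.csv'

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash only exists from PowerShell 4 on, so hash through .NET directly
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Disable-SuspectFile {
    param([string]$Path)
    # -Force so hidden and system files are returned; plain Get-Item skips them
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { Write-Warning "Not found: $Path"; return }
    $record = New-Object PSObject -Property @{
        Original  = $item.FullName
        Renamed   = $item.FullName + '.bak'
        Sha256    = Get-Sha256Hex $item.FullName
        Size      = $item.Length
        Modified  = $item.LastWriteTimeUtc.ToString('o')
        RenamedAt = (Get-Date).ToUniversalTime().ToString('o')
    }
    Rename-Item -LiteralPath $item.FullName -NewName ($item.Name + '.bak') -Force
    $record
}

function Restore-SuspectFiles {
    # Undo: put every file in the manifest back under its original name
    Import-Csv $Manifest | ForEach-Object {
        if (Test-Path -LiteralPath $_.Renamed) {
            Rename-Item -LiteralPath $_.Renamed -NewName (Split-Path -Leaf $_.Original) -Force
        }
    }
}

function Remove-OldSuspectFiles {
    param([int]$Days = 7)
    # Finalise: delete the .bak copies once the observation period has passed
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    Import-Csv $Manifest | ForEach-Object {
        $when = [DateTime]::Parse($_.RenamedAt, $null, [System.Globalization.DateTimeStyles]::RoundtripKind)
        if ($when -le $cutoff -and (Test-Path -LiteralPath $_.Renamed)) {
            Remove-Item -LiteralPath $_.Renamed -Force
        }
    }
}

function Get-InstalledJava {
    # Every Add/Remove Programs entry lives under Uninstall; match the names the
    # post lists (JRE, J2SE Runtime, J2RE) so old runtimes are not missed
    Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE|JRE|J2RE' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# Step 1: neutralise the files and record what was done
$Targets | ForEach-Object { Disable-SuspectFile $_ } | Export-Csv -Path $Manifest -NoTypeInformation
# Step 2: see which Java runtimes are installed before removing the old ones
Get-InstalledJava | Format-Table -AutoSize
# A week later, if nothing has broken:  Remove-OldSuspectFiles -Days 7
# If something did break in the meantime: Restore-SuspectFiles
```

Renaming only neutralises a file that is loaded by its exact name; the hash in the manifest is what lets you check later whether the same file has reappeared under its old name, which is the sign that something still on the machine is recreating it.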
krok1 (author) Posted 29 August 2008

PC 1 now seems to be working as it should. I will test it a bit more, though, and post an update after the weekend. On PC 2 I will update Flash and Java and rename the two files listed. It has behaved well after the treatment with MBAM/ComboFix/SAS/Norman, however. I will still test functionality over a somewhat longer period, so we will see. By the way, should I post more logs at some point? Thanks for the help so far!
r2d290 Posted 29 August 2008

Post logs if you notice any further problems with either machine. If the machines work well going forward, let me know, so we can close the case.
krok1 (author) Posted 29 August 2008

I have now tried to find C:\WINDOWS\inf\SET517.tmp and C:\WINDOWS\inf\SET58A.tmp (on PC 2) in order to change their extensions by appending ".bak" to the file name. However, I cannot locate the files, either by searching or directly in Explorer. Any idea where they might be hiding?
r2d290 Posted 29 August 2008

Have you turned on hidden files and folders?

Double-click My Computer on the Windows desktop.
Click the Tools menu and choose Folder Options.
Click the View tab.
Under Hidden files and folders, select "Show hidden files and folders".
Uncheck "Hide protected operating system files (recommended)".
Uncheck "Hide file extensions for known file types".
Click Yes to confirm.
Click OK.
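The same three Folder Options switches set through Explorer's registry values, followed by a directory listing that returns hidden and system files whatever those settings are. This is an added example, not code from the thread or from r2d290; the registry value names are Explorer's own, the function names and the SET*.tmp pattern are assumptions taken from the earlier post, and it assumes PowerShell 2.0 or later. Files carrying both the hidden and the system attribute are skipped by Explorer's default view and by Windows Search, which is why a file can be impossible to find until "Hide protected operating system files" is cleared.

```powershell
# Added example, not code from the thread. Assumes PowerShell 2.0 or later.
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-HiddenFiles {
    # Hidden: 1 = show hidden files and folders, 2 = do not show
    Set-ItemProperty -Path $Advanced -Name Hidden          -Value 1 -Type DWord
    # ShowSuperHidden: 1 = also show files with both the hidden and system attribute
    Set-ItemProperty -Path $Advanced -Name ShowSuperHidden -Value 1 -Type DWord
    # HideFileExt: 0 = show extensions for known file types
    Set-ItemProperty -Path $Advanced -Name HideFileExt     -Value 0 -Type DWord
    # Explorer may not pick the new values up until it is restarted; log off
    # and on (or end and restart explorer.exe) before looking again.
    Get-ItemProperty -Path $Advanced | Select-Object Hidden, ShowSuperHidden, HideFileExt
}

function Find-HiddenFiles {
    param([string]$Dir = 'C:\WINDOWS\inf', [string]$Pattern = 'SET*.tmp')
    # -Force makes Get-ChildItem return hidden and system files; without it the
    # listing, like Explorer's default view and Windows Search, silently skips them
    Get-ChildItem -Path $Dir -Filter $Pattern -Force |
        Select-Object FullName, Attributes, Length, LastWriteTime
}

Show-HiddenFiles
Find-HiddenFiles | Format-Table -AutoSize
```

The Attributes column is the useful part: "Hidden, System" on a .tmp file under inf is what made it invisible to the search in the post above. From a plain command prompt, `dir /a C:\WINDOWS\inf\SET*.tmp` and `attrib C:\WINDOWS\inf\SET*.tmp` show the same files regardless of the Explorer settings.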
krok1 (author) Posted 31 August 2008

That made it much easier to find the files :-) I have renamed the files as recommended and will test the machine for a week or so. I think we can close the case then!