
[Solved] Help with MBAM/ComboFix/HJT logs



I've had trouble with a number of pop-ups etc., but hope most of it has now been cleared away..? However, I need help reading the logs:

 

MBAM log:

 

Malwarebytes' Anti-Malware 1.25

Database version: 1088

Windows 5.1.2600 Service Pack 3

 

21:46:16 26.08.2008

mbam-log-08-26-2008 (21-46-16).txt

 

Scan type: Quick Scan

Objects scanned: 47732

Time elapsed: 5 minute(s), 17 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

ComboFix log:

For info, Norman AV reports a trojan detection when I remove ComboFix (...ComboFix /u...). The location is given as c:combofix\rehide.reg and the trojan is said to be of the type REG/Small.A - is that as expected?

 

ComboFix 08-08-25.01 - Christian 2008-08-26 21:49:55.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1044.18.650 [GMT 2:00]

Running from: C:\Documents and Settings\Christian\Skrivebord\ComboFix.exe

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))

.

 

2008-08-26 21:30 . 2008-08-26 21:30 <DIR> dr-h----- C:\Documents and Settings\Christian\Siste

2008-08-26 18:20 . 2008-08-26 18:20 <DIR> d-------- C:\Programfiler\Trend Micro

2008-08-26 18:11 . 2008-08-26 18:11 <DIR> d-------- C:\Programfiler\CCleaner

2008-08-26 10:38 . 2008-08-26 10:38 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-08-26 10:38 . 2008-08-26 10:38 <DIR> d-------- C:\Documents and Settings\Christian\Programdata\SUPERAntiSpyware.com

2008-08-26 10:38 . 2008-08-26 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-08-26 10:37 . 2008-08-26 10:37 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-08-26 09:48 . 2008-08-26 09:48 <DIR> d-------- C:\Programfiler\Enigma Software Group

2008-08-26 09:21 . 2008-08-26 09:21 <DIR> d-------- C:\Documents and Settings\Christian\Programdata\Malwarebytes

2008-08-26 09:20 . 2008-08-26 09:35 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-08-26 09:20 . 2008-08-26 09:20 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-08-26 09:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys

2008-08-26 09:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys

2008-08-24 21:38 . 2008-08-24 21:38 <DIR> d--h----- C:\WINDOWS\SYSTEM32\WLANProfiles

2008-08-24 21:38 . 2008-08-24 21:38 <DIR> d--h----- C:\Settings

2008-08-24 21:38 . 2008-08-24 21:38 516 --a------ C:\Settings.ini

2008-08-21 20:25 . 2008-08-21 20:47 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP

2008-08-19 18:43 . 2008-08-19 18:43 164 --a------ C:\install.dat

2008-08-18 22:19 . 2008-08-18 22:19 0 --a------ C:\WINDOWS\nsreg.dat

2008-08-14 02:19 . 2008-05-01 16:38 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll

2008-08-14 02:18 . 2008-04-11 21:06 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll

2008-08-13 23:50 . 2008-08-13 23:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\no

2008-08-13 23:50 . 2008-08-13 23:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits

2008-08-13 23:50 . 2008-08-13 23:50 <DIR> d-------- C:\WINDOWS\l2schemas

2008-08-13 23:46 . 2008-08-13 23:50 <DIR> d-------- C:\WINDOWS\ServicePackFiles

2008-08-13 23:33 . 2008-08-13 23:33 <DIR> d-------- C:\WINDOWS\EHome

2008-08-13 23:15 . 2004-08-04 00:54 701,440 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-26 14:52 --------- d-----w C:\Programfiler\Norman

2008-08-18 20:00 --------- d-----w C:\Programfiler\Java

2008-07-07 20:29 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll

2008-07-07 20:29 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll

2008-06-24 16:46 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll

2008-06-24 16:46 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll

2008-06-24 08:57 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll

2008-06-23 09:23 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe

2008-06-23 09:22 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe

2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe

2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll

2008-06-20 17:49 246,784 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll

2008-06-20 17:49 246,784 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll

2008-06-20 17:49 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll

2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys

2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys

2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys

2008-06-14 17:36 272,256 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

2006-05-26 11:57 46,144 -c--a-w C:\Documents and Settings\Christian\Programdata\GDIPFONTCACHEV1.DAT

2006-03-16 20:09 46,144 -c--a-w C:\Documents and Settings\Christine\Programdata\GDIPFONTCACHEV1.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 18:22 15360]

"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2008-04-14 18:23 1695232]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-05 15:51 68856]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 23:34 1576176]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="C:\Programfiler\Apoint\Apoint.exe" [2004-09-13 13:33 155648]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

"IntelWireless"="C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]

"Dell QuickSet"="C:\Programfiler\Dell\QuickSet\quickset.exe" [2004-10-07 21:44 610304]

"DVDLauncher"="C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 18:54 57344]

"UpdateManager"="C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]

"DMXLauncher"="C:\Programfiler\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 03:01 86016]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035]

"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2005-03-10 20:24 180269]

"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]

"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2004-12-18 01:20 278528]

"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]

"TomTomHOME.exe"="C:\Programfiler\TomTom HOME\TomTomHOME.exe" [2007-03-14 16:52 3770024]

"Norman ZANDA"="C:\Programfiler\Norman\Npm\Bin\ZLH.EXE" [2008-06-02 09:47 277616]

"NPCTray"="C:\Programfiler\Norman\npc\bin\npc_tray.exe" [2007-09-17 15:29 126008]

"SpyHunter Security Suite"="C:\Programfiler\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-06-19 16:48 851968]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 18:22 15360]

"DWQueuedReporting"="C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 06:53 34880]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Cisco Systems VPN Client.lnk - C:\Programfiler\Cisco Systems\VPN Client\vpngui.exe [2008-06-10 11:37:37 1466384]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 16:28 352256 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 18:08 110592 C:\Programfiler\Intel\Wireless\Bin\LgNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.DVSD"= miroDV2avi.DLL

"VIDC.PIM1"= pclepim1.dll

"VIDC.I420"= vdrcodec.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

 

R2 Ndiskio;Ndiskio;C:\Programfiler\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]

R2 NVOY;Norman's Very Own supplY of resources;C:\Programfiler\Norman\npm\bin\nvoy.exe [2008-02-07 11:07]

R3 NPC;Norman Parental Control;C:\Programfiler\Norman\npc\bin\npcsvc32.exe [2008-04-17 13:38]

R3 NUAA;Norman User Activity Agent;C:\Programfiler\Norman\npc\bin\nuaa.exe [2008-04-30 12:42]

R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 15:56]

R3 nvcoas;Norman Virus Control on-access component;C:\Programfiler\Norman\Nvc\bin\nvcoas.exe [2008-04-30 13:28]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE [2007-09-18 12:41]

S3 PNDIS5;PNDIS5 NDIS Protocol Driver;D:\PNDIS5.SYS []

.

Contents of the 'Scheduled Tasks' folder

 

2008-08-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]

 

2008-08-26 C:\WINDOWS\Tasks\MP Scheduled Scan.job

- C:\Programfiler\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Christian\Programdata\Mozilla\Firefox\Profiles\vgqb2isa.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.nettavisen.no/

FF -: plugin - C:\Programfiler\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll

FF -: plugin - C:\Programfiler\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-26 21:53:07

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-08-26 21:54:29

ComboFix-quarantined-files.txt 2008-08-26 19:54:24

ComboFix2.txt 2008-08-26 15:29:01

 

Pre-Run: 17,852,497,920 bytes free

Post-Run: 17,842,720,768 bytes free

 

157 --- E O F --- 2008-08-22 21:11:20

 

After MBAM and ComboFix, HJT log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:59:33, on 26.08.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Programfiler\Norman\Npm\Bin\Elogsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe

C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe

C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe

C:\Programfiler\Norman\Npm\Bin\Zanda.exe

C:\Programfiler\Norman\npm\bin\nvoy.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe

C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE

C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE

C:\Programfiler\Norman\npc\bin\npcsvc32.exe

C:\WINDOWS\System32\alg.exe

C:\Programfiler\Norman\npc\bin\nuaa.exe

C:\Programfiler\Norman\Nvc\bin\nvcoas.exe

C:\Programfiler\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Programfiler\Apoint\Apoint.exe

C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe

C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe

C:\Programfiler\Dell\QuickSet\quickset.exe

C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe

C:\Programfiler\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

C:\Programfiler\QuickTime\QTTask.exe

C:\Programfiler\iTunes\iTunesHelper.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Programfiler\Apoint\Apntex.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Programfiler\TomTom HOME\TomTomHOME.exe

C:\Programfiler\Norman\Npm\Bin\ZLH.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Messenger\msmsgs.exe

C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\Norman\Nvc\Bin\Nip.exe

C:\Programfiler\Norman\Nvc\Bin\cclaw.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Christian\Skrivebord\Virusscan\test.exe.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.nettavisen.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programfiler\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll

O4 - HKLM\..\Run: [Apoint] "C:\Programfiler\Apoint\Apoint.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [IntelWireless] "C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Dell QuickSet] C:\Programfiler\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [UpdateManager] "C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [DMXLauncher] "C:\Programfiler\Dell\Media Experience\DMXLauncher.exe"

O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"

O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"

O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Programfiler\TomTom HOME\TomTomHOME.exe" -s

O4 - HKLM\..\Run: [Norman ZANDA] "C:\Programfiler\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKLM\..\Run: [NPCTray] "C:\Programfiler\Norman\npc\bin\npc_tray.exe" /LOAD

O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Programfiler\Enigma Software Group\SpyHunter\SpyHunter3.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programfiler\Cisco Systems\VPN Client\vpngui.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll

O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll

O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll

O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://ssl.extrafilm.org/upload/activex/ImageUploader3.cab

O16 - DPF: {A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98} (Image Uploader) - http://www.extrafilm.no/ImageUploader4.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Elogsvc.exe

O23 - Service: EvtEng - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Programfiler\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Norman NJeeves - Norman ASA - C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Programfiler\Norman\npc\bin\npcsvc32.exe

O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Programfiler\Norman\npc\bin\nuaa.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE

O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Programfiler\Norman\npm\bin\nvoy.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe

 

--

End of file - 9442 bytes

 

Grateful for any help!

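As an added example, not part of the original post or of ComboFix itself: a parser for the REGEDIT4-style "Reg Loading Points" fragment that ComboFix prints, fed with the Security Center and firewall-policy lines from the first ComboFix log above as constructed sample input. It decodes the `dword:` and `0 (0x0)` value forms, reports which Windows protections the values switch off, and lists the programs whitelisted through the firewall. Function names and the finding texts are this example's own.

```python
import re
from typing import Dict, List, Union

# Constructed sample input: the Security Center and firewall-policy lines
# copied from the "Reg Loading Points" section of the first ComboFix log above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                    # [HKLM\...] section header
VALUE_RE = re.compile(r'^"(.+?)"\s*=\s*(.*)$')        # "name"=value
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")    # REGEDIT4 dword form
INT_RE = re.compile(r"^(\d+)(?:\s*\(0x[0-9a-fA-F]+\))?$")  # ComboFix's "0 (0x0)" form

RegValue = Union[int, str, None]


def parse_value(raw: str) -> RegValue:
    """Turn the textual value into an int where ComboFix printed a number."""
    raw = raw.strip()
    if raw == "":
        return None                      # "name"= with nothing after it
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = INT_RE.match(raw)
    if m:
        return int(m.group(1))
    return raw                           # leave strings and REG_MULTI_SZ-ish data alone


def parse_reg_points(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Map each registry key (as printed, case preserved) to its name/value pairs."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1).replace("\\\\", "\\")   # REGEDIT4 escapes backslashes
            keys[current][name] = parse_value(m.group(2))
    return keys


def audit_protection(keys: Dict[str, Dict[str, RegValue]]) -> List[str]:
    """Report Security Center / Windows Firewall settings that turn protection off."""
    findings: List[str] = []
    for path, values in keys.items():
        p = path.lower()
        if p.endswith("\\microsoft\\security center"):
            if values.get("AntiVirusDisableNotify") == 1:
                findings.append("Security Center: antivirus notifications suppressed (AntiVirusDisableNotify=1)")
            if values.get("FirewallDisableNotify") == 1:
                findings.append("Security Center: firewall notifications suppressed (FirewallDisableNotify=1)")
            if values.get("FirewallOverride") == 1:
                findings.append("Security Center: firewall status overridden (FirewallOverride=1)")
        elif "\\security center\\monitoring\\" in p and values.get("DisableMonitoring") == 1:
            product = path.rsplit("\\", 1)[-1]
            findings.append(f"Security Center: monitoring disabled for {product} (DisableMonitoring=1)")
        elif p.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append("Windows Firewall: off in the standard profile (EnableFirewall=0)")
    return findings


def authorized_apps(keys: Dict[str, Dict[str, RegValue]]) -> List[str]:
    """Programs whitelisted in the Windows Firewall standard profile."""
    for path, values in keys.items():
        if path.lower().endswith("authorizedapplications\\list"):
            return sorted(values)
    return []


if __name__ == "__main__":
    parsed = parse_reg_points(SAMPLE)
    for finding in audit_protection(parsed):
        print(finding)
    print("Firewall exceptions:", ", ".join(authorized_apps(parsed)))
```

Read the output as a checklist, not a verdict: a third-party suite that takes over firewall or antivirus duties can legitimately set these values when it registers with Security Center. The two logs in this thread show why context matters: the second PC's service list includes Norman's NDIS_RD, TDI_RD and NPFSvc32 firewall components, so EnableFirewall=0 there is consistent with a replacement firewall, while the first PC's list shows no firewall driver at all, which makes the same value worth asking about.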

I've looked at another PC too - with a number of snags.. Would appreciate it if these logs could be looked at as well:

 

MBAM log:

Malwarebytes' Anti-Malware 1.25

Database version: 1092

Windows 5.1.2600 Service Pack 2

 

21:21:28 28.07.2008

mbam-log-07-28-2008 (21-21-28).txt

 

Scan type: Quick Scan

Objects scanned: 49628

Time elapsed: 5 minute(s), 27 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 1

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

C:\WINDOWS\system32\__c00A6258.dat (Trojan.Zlob) -> Delete on reboot.

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00a5ecc (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00a6258 (Trojan.Vundo) -> Delete on reboot.

 

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f388859.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f2d92f.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f5799c.exe (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

C:\Program Files\VirusRemover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

 

Files Infected:

C:\WINDOWS\system32\__c00A6258.dat (Trojan.Vundo) -> Delete on reboot.

 

ComboFix log:

ComboFix 08-08-27.06 - xxxxx xxxxxxx 2008-08-28 21:32:29.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502 [GMT 2:00]

Running from: C:\Documents and Settings\xxxxxxx xxxxxxx\Desktop\ComboFix.exe

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

C:\WINDOWS\system32\_000005_.tmp.dll

C:\WINDOWS\system32\_000006_.tmp.dll

C:\WINDOWS\system32\_000007_.tmp.dll

C:\WINDOWS\system32\_000008_.tmp.dll

C:\WINDOWS\system32\_000009_.tmp.dll

C:\WINDOWS\system32\_000010_.tmp.dll

C:\WINDOWS\system32\_000011_.tmp.dll

C:\WINDOWS\system32\_000012_.tmp.dll

C:\xcrashdump.dat

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_NSESVC

-------\Service_nsesvc

 

 

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))

.

 

2008-08-20 14:35 . 2008-08-20 14:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

2008-08-13 10:19 . 2008-05-01 16:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

2008-07-28 20:24 . 2008-07-28 20:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-07-28 20:24 . 2008-07-28 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-07-28 20:23 . 2008-07-28 20:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-07-28 20:18 . 2008-07-28 20:18 <DIR> d-------- C:\Program Files\CCleaner

2008-07-28 20:16 . 2008-07-28 20:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-07-28 20:16 . 2008-07-28 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-07-28 20:16 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-07-28 20:16 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-07-28 19:49 . 2008-07-28 19:49 0 --a------ C:\WINDOWS\nsreg.dat

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-28 19:36 --------- d-----w C:\Program Files\Norman

2008-08-10 18:42 304,182 ----a-w C:\StiImg.dat

2008-07-07 20:06 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-07-07 16:03 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-07-07 16:02 --------- d-----w C:\Program Files\Vimicro

2008-07-07 16:02 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-23 16:12 667,136 ----a-w C:\WINDOWS\system32\wininet.dll

2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll

2006-10-03 01:43 2,402,550 ----a-w C:\WINDOWS\inf\SET517.tmp

2004-08-10 12:00 1,431,144 ----a-w C:\WINDOWS\inf\SET58A.tmp

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]

"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-12 12:57 65536]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]

"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2008-08-22 19:26 1234160]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 23:34 1576176]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 01:02 761948]

"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 14:47 356352]

"Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 14:11 73728]

"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA zoom\SmoothView.exe" [2005-05-12 14:39 118784]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 06:20 122940]

"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 01:38 802816]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 01:32 696320]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-12 15:09 385024]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]

"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 03:10 409600]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"Norman ZANDA"="C:\Program Files\Norman\Npm\Bin\ZLH.EXE" [2008-06-02 09:47 277616]

"NPCTray"="C:\Program Files\Norman\npc\bin\npc_tray.exe" [2007-09-17 14:29 126008]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 15:59 16206848 C:\WINDOWS\RTHDCPL.exe]

"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 16:50 88204 C:\WINDOWS\agrsmmsg.exe]

"TPSMain"="TPSMain.exe" [2005-08-04 11:45 266240 C:\WINDOWS\system32\TPSMain.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 14:00 15360]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

PC-søk i Windows.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 23:44:08 257752]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 14:11 233472]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

 

R0 NDIS_RD;Norman Firewall NDIS driver;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2008-02-07 13:12]

R1 NPROSEC;Norman Security driver;C:\Program Files\Norman\Ngs\bin\nprosec.sys [2008-04-15 15:57]

R1 TDI_RD;Norman Firewall TDI driver;C:\WINDOWS\system32\drivers\TDI_RD.SYS [2008-02-07 13:12]

R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]

R2 NPFSvc32;Norman Personal Firewall Service;C:\Program Files\Norman\npf\bin\npfsvc32.exe [2008-05-06 09:16]

R2 NPROSECSVC;Norman Security service;C:\Program Files\Norman\Ngs\bin\NPROSEC.EXE [2008-04-22 09:36]

R2 NVOY;Norman's Very Own supplY of resources;C:\Program Files\Norman\npm\bin\nvoy.exe [2008-02-07 11:07]

R3 NPC;Norman Parental Control;C:\Program Files\Norman\npc\bin\npcsvc32.exe [2008-04-17 13:38]

R3 NUAA;Norman User Activity Agent;C:\Program Files\Norman\npc\bin\nuaa.exe [2008-04-30 12:42]

R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 14:56]

R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2008-04-30 13:28]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE [2007-09-18 11:41]

R3 X10Hid;X10 Hid Device;C:\WINDOWS\system32\Drivers\x10hid.sys [2005-11-28 11:45]

S3 se46bus;Sony Ericsson Device 070 driver (WDM);C:\WINDOWS\system32\DRIVERS\se46bus.sys [2006-11-30 16:11]

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\xxxxxxx xxxxxxxx\Application Data\Mozilla\Firefox\Profiles\urm7o81a.default\

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-28 21:37:18

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Norman\Npm\Bin\elogsvc.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Norman\Npm\Bin\Zanda.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe

C:\WINDOWS\ehome\ehrecvr.exe

C:\WINDOWS\ehome\ehSched.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

C:\PROGRA~1\COMMON~1\X10\Common\X10nets.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\Program Files\Norman\Npm\Bin\Njeeves.exe

C:\Program Files\Norman\Npf\Bin\npfuser.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehmsas.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Norman\nvc\bin\Nip.exe

C:\Program Files\Norman\nvc\bin\CClaw.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2008-08-28 21:42:01 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-28 19:41:52

 

Pre-Run: 45,105,680,384 bytes free

Post-Run: 44,912,640,000 bytes free

 

177 --- E O F --- 2008-08-18 22:07:43

 

HJT log after MBAM and ComboFix:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:48:42, on 28.08.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Norman\Npm\Bin\Elogsvc.exe

C:\Program Files\Norman\Ngs\bin\NPROSEC.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Norman\Npm\Bin\Zanda.exe

C:\Program Files\Norman\npm\bin\nvoy.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Norman\npf\bin\npfsvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE

C:\Program Files\Norman\Npm\bin\NJEEVES.EXE

C:\Program Files\Norman\npc\bin\npcsvc32.exe

C:\Program Files\Norman\npc\bin\nuaa.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Norman\Nvc\bin\nvcoas.exe

C:\Program Files\Norman\npf\bin\npfuser.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA zoom\SmoothView.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Norman\Npm\Bin\ZLH.EXE

C:\Program Files\Norman\Nvc\Bin\Nip.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Norman\Nvc\Bin\cclaw.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Documents and Settings\xxxxxx xxxxxxx\Desktop\Virusscan\test.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA zoom\SmoothView.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKLM\..\Run: [NPCTray] C:\Program Files\Norman\npc\bin\npc_tray.exe /LOAD

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PC-søk i Windows.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\msntb.dll/search.htm

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\norman\npc\bin\nlf.dll

O10 - Unknown file in Winsock LSP: c:\program files\norman\npc\bin\nlf.dll

O10 - Unknown file in Winsock LSP: c:\program files\norman\npc\bin\nlf.dll

O10 - Unknown file in Winsock LSP: c:\program files\norman\npc\bin\nlf.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\Elogsvc.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norman NJeeves - Norman ASA - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Program Files\Norman\npc\bin\npcsvc32.exe

O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Program Files\Norman\npf\bin\npfsvc32.exe

O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Program Files\Norman\Ngs\bin\NPROSEC.EXE

O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Program Files\Norman\npc\bin\nuaa.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE

O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Program Files\Norman\npm\bin\nvoy.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

 

--

End of file - 11479 bytes

 

Thanks again for the help!

Edited by krok1

The logs for PC1 look clean. Try disabling Norman when you uninstall ComboFix. I haven't heard of this problem before...

 

Note whether this file disappears after you have uninstalled ComboFix (with Norman disabled).

 

Let us know how this machine is running, and we'll wrap up after that :)

Edited by r2d290
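The judgement made in the reply above ("the logs look clean") is done by eye: read every O-line in the HijackThis log and decide whether the binary behind it belongs where it is. The block below is an added example for this thread, not part of HijackThis, ComboFix or the forum's own guides, and scripts the part of that check that can be automated. The sample lines are taken from the HJT log posted above plus two constructed entries (marked in the code) so that a hit is visible. Assumptions: an English XP path layout (Program Files, as in the posted log, rather than Programfiler), and that an autostart, BHO or service whose binary sits under a user profile or temp directory deserves attention, while vendor entries under Program Files or the Windows directory are left to a human.

```python
"""Triage HijackThis O-lines: flag autostart/service/LSP entries that need a
closer look. Added example for this thread, not HijackThis/ComboFix code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: real lines from the log posted in this thread, plus two
# invented hits (pmnnmkjh.exe, uhlp.exe) placed where malware likes to live.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [pmnnmkjh] C:\Documents and Settings\user\Local Settings\Temp\pmnnmkjh.exe
O10 - Unknown file in Winsock LSP: c:\program files\norman\npc\bin\nlf.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Update Helper (uhlp) - Unknown owner - C:\Documents and Settings\user\Application Data\uhlp.exe
"""


@dataclass
class Finding:
    kind: str    # HJT section prefix, e.g. "O4"
    level: str   # "suspect" (act on it) or "review" (confirm by hand)
    reason: str
    line: str


# Sections worth triaging: BHOs, toolbars, Run keys, LSPs, Winlogon Notify, services.
TRIAGED_KINDS = {"O2", "O3", "O4", "O10", "O20", "O21", "O23"}
# Assumption: no legitimate autostart on this kind of workstation lives here.
SUSPECT_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\",
                   "\\local settings\\", "\\application data\\", "\\recycler\\")
LINE_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")
# First drive-letter path ending in a PE/driver extension, quoted or bare.
PATH_RE = re.compile(r'([a-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|cpl))(?=$|"|\s)',
                     re.IGNORECASE)


def first_path(text: str) -> Optional[str]:
    """Lower-cased first full path in an HJT line, or None if it has none."""
    m = PATH_RE.search(text)
    return m.group(1).lower() if m else None


def triage_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m or m.group("kind") not in TRIAGED_KINDS:
        return None
    kind, body = m.group("kind"), m.group("body")
    path = first_path(body)
    if kind == "O10":
        # Every LSP gets loaded into every Winsock process; always confirm vendor.
        return Finding(kind, "review", "Winsock LSP entry; confirm vendor of " + (path or body), line)
    if path is None:
        if kind == "O4":
            # Bare file name: resolved through the PATH search order at logon.
            return Finding(kind, "review", "autostart without a full path; resolved via PATH search order", line)
        return None
    if any(marker in path for marker in SUSPECT_MARKERS):
        return Finding(kind, "suspect", "binary lives under a user-writable profile/temp directory: " + path, line)
    if kind == "O23" and "unknown owner" in body.lower():
        return Finding(kind, "review", "service without a vendor name", line)
    if kind == "O20":
        # Winlogon Notify DLLs load into winlogon.exe (SYSTEM) at logon.
        return Finding(kind, "review", "Winlogon Notify DLL; verify vendor", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """All findings for a pasted HJT log, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level:7}] {f.kind}: {f.reason}")
```

Run against the sample, the two invented entries come out as "suspect" and three real lines from the posted log come out as "review" (the bare RTHDCPL.EXE autostart, Norman's LSP, SUPERAntiSpyware's Winlogon Notify DLL), which matches what the helper concluded by hand: nothing to remove, a few vendor entries to recognise.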

Machine 2 has had a Vundo infection. You can read more about this infection here: https://www.diskusjon.no/index.php?showtopic=998167

It looks like the programs removed the infection.

 

Update Flash (link in the guide above).

 

Rename these files by appending ".bak" to the file name:

C:\WINDOWS\inf\SET517.tmp -> C:\WINDOWS\inf\SET517.tmp.bak

C:\WINDOWS\inf\SET58A.tmp -> C:\WINDOWS\inf\SET58A.tmp.bak

 

If you don't notice any new problems after renaming these files, you can delete the two files in a week.

 

Are you noticing any other problems?

 

If not, do the following:

You should update Java

It is important to use the latest version of Java, since earlier versions can contain security holes that increase the likelihood of you getting infected again. It looks like your version of Java is out of date.

 

Updating Java:

[*]Go to Start > Control Panel > Add/Remove Programs.

[*]Search the list for all previous versions of Java (JRE, J2SE Runtime, J2RE, etc.)

All of these versions should have this icon in front of them: javaicon.gif

Select each one you find and click Remove

[*]Then install the Java version you downloaded at the start.

Tell us how the update went, since problems with updating can indicate more malware on your system.

 

Also tell us how the machine is running.

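The Java clean-up step above is a manual walk through Add/Remove Programs. That list is built from the registry, so the same inventory can be pulled by a script, which is handy when you want to check several machines or confirm that every old runtime really went away. The block below is an added example for this thread, not Sun/Oracle tooling or forum code. It reads HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\<key>\DisplayName and DisplayVersion on Windows; the decision logic takes plain (DisplayName, DisplayVersion) pairs so it can be exercised on any platform. Assumptions: Sun's installers report DisplayVersion as, for example, "1.6.0.70" for Java 6 Update 7; the sample entries are constructed, modelled on the jre1.5.0_06 seen in the posted HJT log. Note that the reply above says to remove every Java entry and reinstall the downloaded build; stale_java() only prunes down to the newest installed one, for the case where that is all you want.

```python
r"""Inventory installed Java runtimes from the Add/Remove Programs registry data
and report which are stale. Added example for this thread, not vendor code."""
import re
import sys
from typing import Iterable, List, Tuple

Entry = Tuple[str, str]  # (DisplayName, DisplayVersion)

# Constructed sample data (not read from any machine in this thread).
SAMPLE_ENTRIES: List[Entry] = [
    ("J2SE Runtime Environment 5.0 Update 6", "1.5.0.60"),
    ("Java(TM) 6 Update 7", "1.6.0.70"),
    ("Java 2 Runtime Environment, SE v1.4.2_03", "1.4.2_03"),
    ("Adobe Reader 8.1.2", "8.1.2"),
]

# Display-name prefixes Sun's JRE/JDK packages have used (the post's
# "JRE, J2SE Runtime, J2RE etc."). Assumption: this list is complete enough
# for XP-era installs; extend it if your machine shows another spelling.
JAVA_NAME_RE = re.compile(
    r"^(Java\(TM\)|Java 2 Runtime Environment|J2SE Runtime Environment|"
    r"J2RE|JRE|Java SE Development Kit|J2SE Development Kit)", re.IGNORECASE)


def version_key(version: str) -> Tuple[int, ...]:
    """'1.5.0.60' -> (1, 5, 0, 60); '1.4.2_03' -> (1, 4, 2, 3); junk sorts lowest."""
    return tuple(int(x) for x in re.findall(r"\d+", version)) or (0,)


def installed_java(entries: Iterable[Entry]) -> List[Entry]:
    """Java runtime/JDK entries only, newest version first."""
    javas = [e for e in entries if JAVA_NAME_RE.match(e[0].strip())]
    return sorted(javas, key=lambda e: version_key(e[1]), reverse=True)


def stale_java(entries: Iterable[Entry]) -> List[Entry]:
    """Every Java entry except the single newest one."""
    return installed_java(entries)[1:]


def read_uninstall_entries() -> List[Entry]:
    """Walk the Uninstall key on Windows (both registry views, de-duplicated)."""
    import winreg  # only available on Windows
    path = r"Software\Microsoft\Windows\CurrentVersion\Uninstall"
    seen, entries = set(), []  # type: ignore[var-annotated]
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0,
                                  winreg.KEY_READ | view)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                        name, _ = winreg.QueryValueEx(sub, "DisplayName")
                        try:
                            ver, _ = winreg.QueryValueEx(sub, "DisplayVersion")
                        except OSError:
                            ver = ""
                except OSError:
                    continue  # no DisplayName: not shown in Add/Remove Programs
                entry = (str(name), str(ver))
                if entry not in seen:
                    seen.add(entry)
                    entries.append(entry)
    return entries


if __name__ == "__main__":
    entries = read_uninstall_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, ver in installed_java(entries):
        print(f"{ver:12} {name}")
    for name, ver in stale_java(entries):
        print(f"stale: {name} ({ver})")
```

On the sample the two older runtimes (5.0 Update 6 and 1.4.2_03) are reported as stale; Adobe Reader is ignored. Running it on a Windows box after the reinstall described above should print exactly one Java line and nothing marked stale.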

PC 1 now seems to be working as it should :) But I'll test it a bit more and post an update after the weekend.

 

On PC 2 I'll update Flash and Java and rename the two files listed. It has behaved well after treatment with MBAM/ComboFix/SAS/Norman, though. I'll still test functionality over a somewhat longer period, and then we'll see. By the way, should I post more logs at some point?

 

Thanks for the help so far!


I have now tried to find (on PC 2)

 

C:\WINDOWS\inf\SET517.tmp og C:\WINDOWS\inf\SET58A.tmp

 

in order to rename these files by appending ".bak" to the file name. However, I can't locate the files, either by searching or directly via Explorer. Any idea where they may be hiding?


Have you turned on hidden files and folders?

 

Double-click My Computer on the Windows desktop.

Click the Tools menu and choose Folder Options. Click the View tab.

 

Under Hidden files and folders, select "Show hidden files and folders".

Uncheck "Hide protected operating system files (recommended)".

Uncheck "Hide file extensions for known file types".

Click Yes to confirm. Click OK.

