ancillus (Beginner)
12 September 2007 - 20:07 There are 20 comments and
2 solutions

Spyware - again

Hi, I've got a small problem with what I think is some spyware. It's about a toolbar and a bit of extra stuff that just won't disappear from my browser, no matter what I do.
Anyone who can help? Just write if you need more information; this is written a bit loosely.

Jonas
12 September 2007 - 20:23 #1
... for good order's sake, give us/me a HiJackThis log ->
http://www.spywareinfo.dk/index.htm#/manualer/hijackthis.htm

(Yes - I have 'viruses' on the brain...)

Note that the HiJackThis.exe program must be saved in a folder created for it and NOT run directly from the web...

PS: Use this version of HJT -> http://www.trendsecure.com/portal/en-US/threat_analytics/HiJackThis.exe
ancillus (Beginner)
17 September 2007 - 21:10 #2
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:33:18, on 17-09-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
C:\Norman\npm\bin\ZLH.EXE
C:\Programmer\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\npm\Bin\Zanda.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npc\bin\npcsvc32.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\npm\bin\NJEEVES.EXE
C:\Norman\npc\bin\nuaa.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Norman\nvc\BIN\NIP.EXE
C:\Norman\nvc\bin\cclaw.exe
A:\HiJackThis.exe
C:\Programmer\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NPCTray] C:\Norman\npc\bin\npc_tray.exe /LOAD
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hcenter] "C:\Programmer\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://netsupport2.tdconline.dk/sdccommon/download/tgctlar.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.eserver.com/downloads/citrix/plugins/activex/wfica.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165042472265
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\npm\Bin\Zanda.exe
O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Norman\npc\bin\npcsvc32.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Norman\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
O23 - Service: Norman V.O.Y. (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6542 bytes
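As an added illustration (not part of the thread and not HijackThis's own code): a small Python parser for the log format above that keeps the `R`/`O` finding lines, counts them per section, and pulls out the entries a helper looks at first: the orphaned `O2` BHO with `(no file)`, the `O23` service whose binary is `(file missing)`, `O16` ActiveX downloads from hosts outside an assumed allow-list, and the `O10` Winsock LSP layers, which are reported rather than fixed. The sample lines are a constructed subset copied from the log posted above; `TRUSTED_DPF_HOSTS` is an assumption for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log above (a constructed subset, not a live scan).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165042472265
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
"""

# Assumed allow-list: hosts from which an O16 (Download Program File) ActiveX
# control is accepted without a second look. Adjust to the machine's environment.
TRUSTED_DPF_HOSTS = ("microsoft.com", "live.com")

# Every HijackThis finding is "<section> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")


@dataclass
class Entry:
    code: str  # section tag, e.g. "O2"
    body: str  # text after "O2 - "


def parse_log(text: str) -> list[Entry]:
    """Keep the R/F/N/O finding lines; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def summarize(entries: list[Entry]) -> dict[str, int]:
    """Count findings per section so a reviewer sees the log's shape at a glance."""
    counts: dict[str, int] = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


def host_of_o16(body: str) -> str:
    """O16 bodies end with ' - <url>'; return that URL's host, lower-cased."""
    url = body.rsplit(" - ", 1)[-1]
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def review(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (section, reason, detail) triples a helper would look at first."""
    findings = []
    lsp_layers: dict[str, int] = {}
    for e in entries:
        if e.code == "O2" and e.body.endswith("(no file)"):
            findings.append((e.code, "BHO CLSID is registered but its DLL is gone (orphan, safe to fix)", e.body))
        elif e.code == "O23" and e.body.endswith("(file missing)"):
            findings.append((e.code, "service points at a binary that no longer exists (orphan, confirm the vendor first)", e.body))
        elif e.code == "O10":
            path = e.body.split(": ", 1)[-1].lower()
            lsp_layers[path] = lsp_layers.get(path, 0) + 1
        elif e.code == "O16":
            host = host_of_o16(e.body)
            if not is_trusted_host(host):
                findings.append((e.code, f"ActiveX control downloaded from {host}, confirm the vendor", e.body))
    for path, n in lsp_layers.items():
        # One vendor DLL hooked into several Winsock layers is normal (here a firewall).
        # O10 entries are reported, not fixed: removing an LSP layer with HijackThis
        # breaks the chain and takes the machine offline; use a dedicated LSP repair tool.
        findings.append(("O10", f"Winsock LSP present in {n} layer(s), identify the vendor", path))
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(summarize(entries))
    for code, reason, detail in review(entries):
        print(f"{code}: {reason}\n    {detail}")
```

Run on a full log, the same functions surface the `(no name) - (no file)` BHO and the missing NVCSCHED.EXE service from the post above, while the Norman LSP layers and the Microsoft Update control are listed without being flagged.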
18 September 2007 - 07:59 #3
Is there any reason you haven't updated to Microsoft Service Pack 2 ???

"Unprotected PCs last 20 minutes":
http://www.comon.dk/index.php/news/show/id=18812

That's not good, because then you're not protected against many of the viruses zooming around the net looking for unpatched machines. Of which you are a good example !!!

You can download Service Pack 2 (SP2) here as a standalone file (~280Mb):
http://intern.sdu.dk/it-service/tjenester/ftphotel/ftpindhold/
Download/copy it to a suitable place on your PC.
Disconnect from the 'dangerous' internet (physically pull the plug OUT).
Install the SP2 package.
When that has gone well and after a reboot or two - only THEN reconnect the internet and go to Start -> Programs -> Windows Update and let your machine scan for the latest updates. Install the ones you are recommended.
There should be more than 90 'packages' ...

After a reboot or two, a new HiJackThis log ...

PS: Before the next run of HiJackThis, RENAME the program file: HiJackThis.exe to ALTERNATIV.exe - certain unwanted elements hide themselves when a process named HiJackThis.exe is running ...
ancillus (Beginner)
18 September 2007 - 16:47 #4
Okay. Now it should be said that it's my dad's computer that's the problem, and I don't live at home, so I actually don't know what he has and hasn't installed; I just wrote "my" for simplicity. The big problem now is that his computer has pretty much stopped responding in many cases. But I assume the Service Pack can be downloaded on another computer and put onto a CD? I'll try to guide him anyway and then hopefully come back with a new log :)
ancillus (Beginner)
18 September 2007 - 21:29 #5
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:16:39, on 18-09-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Norman\npm\Bin\Zanda.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npc\bin\npcsvc32.exe
C:\Norman\npm\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\npc\bin\nuaa.exe
C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
C:\Norman\npm\bin\ZLH.EXE
C:\Programmer\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Norman\nvc\BIN\NIP.EXE
C:\Norman\nvc\bin\cclaw.exe
C:\Norman\npf\bin\npfuser.exe
A:\ALTERNATIV.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NPCTray] C:\Norman\npc\bin\npc_tray.exe /LOAD
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [hcenter] "C:\Programmer\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://netsupport2.tdconline.dk/sdccommon/download/tgctlar.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.eserver.com/downloads/citrix/plugins/activex/wfica.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165042472265
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\npm\Bin\Zanda.exe
O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Norman\npc\bin\npcsvc32.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Norman\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
O23 - Service: Norman V.O.Y. (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5912 bytes
19 September 2007 - 06:00 #6
So that was SP2 - have you also installed the 90+ updates from Microsoft Windows Update ?

"...stopped responding in many cases..." - explain a bit more here ?

Specifications of the machine ?
RAM ?
ancillus (Beginner)
20 September 2007 - 21:42 #7
Yes, the updates should be installed too. But I'm sending a new log file, because apparently a single one was missing or something like that.

Also, the computer is a:

Fujitsu - Siemens
AMD Athlon(tm) XP 2200, 1.80 GHz
512 Kingston DDR RAM - 166 MHz

My dad's description of the problem:

The computer is slow, both at startup and in everything it has to do.

That's regardless of whether it's when I open documents, go on the net, or want to bring up a program. The startup phase is now between 4 - 6 min. versus normally 1 - 1.5 min.; e.g. it takes more than 2 min. to get contact with Outlook, normally 25 - 30 sec.

Normally there is around 448 RAM available, now only 305 RAM

The machine had always been slow until I put new RAM in about 3 - 4 months ago; after that it ran reasonably, but now it's completely impossible.

It can, for example, take up to 5 - 6 min. just to close an internet address or when you want to go back to the previous web page; in many cases I have to force-close the various pages.

So the computer has become worse than ever, even after the update yesterday.

New log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:18:13, on 19-09-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
C:\Norman\npm\bin\ZLH.EXE
C:\Programmer\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Norman\npm\Bin\Zanda.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\nvc\BIN\NIP.EXE
C:\Norman\npc\bin\npcsvc32.exe
C:\Norman\npm\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\npc\bin\nuaa.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\nvc\bin\cclaw.exe
C:\Norman\npf\bin\npfuser.exe
A:\ALTERNATIV.exe.exe
A:\ALTERNATIV.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NPCTray] C:\Norman\npc\bin\npc_tray.exe /LOAD
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [hcenter] "C:\Programmer\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://netsupport2.tdconline.dk/sdccommon/download/tgctlar.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.eserver.com/downloads/citrix/plugins/activex/wfica.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165042472265
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\npm\Bin\Zanda.exe
O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Norman\npc\bin\npcsvc32.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Norman\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
O23 - Service: Norman V.O.Y. (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6645 bytes
21 September 2007 - 08:01 #8
... Hmmm....

Carry out what you can from the procedure ->
http://www.eksperten.dk/artikler/1123
ancillus (Beginner)
22 September 2007 - 20:21 #9
Okay

The ComboFix log:

ComboFix 07-09-21.2 - "Bjarne Frandsen" 2007-09-21 19:01:41.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1030.18.73 [GMT 2:00]
.

(((((((((((((((((((((((((  Files Created from 2007-08-21 to 2007-09-21  )))))))))))))))))))))))))))))))
.

2007-09-21 18:55    51,200    --a------    C:\WINDOWS\NirCmd.exe
2007-09-21 18:01    <DIR>    d--------    C:\DOCUME~1\BJARNE~1.000\APPLIC~1\SUPERAntiSpyware.com
2007-09-21 17:49    <DIR>    d--------    C:\Programmer\CCleaner
2007-09-19 22:23    <DIR>    d--------    C:\WINDOWS\system32\da-dk
2007-09-19 22:17    33,792    --a--c---    C:\WINDOWS\system32\dllcache\custsat.dll
2007-09-19 16:48    188,416    --a------    C:\LOTTO7.EXE
2007-09-18 19:59    46,352    --a------    C:\WINDOWS\setdebug.exe
2007-09-18 19:59    139,536    --a------    C:\WINDOWS\system32\javaee.dll
2007-09-18 19:58    69,120    --a--c---    C:\WINDOWS\system32\dllcache\iedw.exe
2007-09-18 19:58    132,608    --a--c---    C:\WINDOWS\system32\dllcache\extmgr.dll
2007-09-18 19:57    144,896    -----c---    C:\WINDOWS\system32\dllcache\schannel.dll
2007-09-18 19:56    86,528    -----c---    C:\WINDOWS\system32\dllcache\directdb.dll
2007-09-18 19:56    85,504    -----c---    C:\WINDOWS\system32\dllcache\wabimp.dll
2007-09-18 19:56    683,520    -----c---    C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-09-18 19:56    510,976    -----c---    C:\WINDOWS\system32\dllcache\wab32.dll
2007-09-18 19:56    1,314,816    -----c---    C:\WINDOWS\system32\dllcache\msoe.dll
2007-09-18 19:05    538,624    --a--c---    C:\WINDOWS\system32\dllcache\spider.exe
2007-09-18 19:05    538,624    --a------    C:\WINDOWS\system32\spider.exe
2007-09-18 19:05    282,112    --a--c---    C:\WINDOWS\system32\dllcache\pinball.exe
2007-09-18 19:05    259,072    --a--c---    C:\WINDOWS\system32\dllcache\snmpcl.dll
2007-09-18 19:03    40,448    --a--c---    C:\WINDOWS\system32\dllcache\snmpthrd.dll
2007-09-18 18:15    332,928    -----c---    C:\WINDOWS\system32\dllcache\srv.sys
2007-09-18 18:15    1,000,960    -----c---    C:\WINDOWS\system32\dllcache\kernel32.dll
2007-09-16 21:54    <DIR>    d--------    C:\DOCUME~1\BJARNE~1.000\APPLIC~1\MSN6
2007-09-16 16:19    122    -ra------    C:\WINDOWS\system32\drivers\ramsed.bin
2007-09-16 16:19    1,024    -ra------    C:\WINDOWS\system32\drivers\jedih2rx.bin
2007-09-16 16:19    <DIR>    d--------    C:\WINDOWS\LastGood(2)
2007-09-16 16:17    <DIR>    d--------    C:\$CTJTMP(4)
2007-09-16 16:11    <DIR>    d---s----    C:\DOCUME~1\BJARNE~1.000\UserData
2007-09-16 13:36    6,400    --a------    C:\WINDOWS\system32\drivers\splitter.sys
2007-09-16 13:36    52,864    --a------    C:\WINDOWS\system32\drivers\dmusic.sys
2007-09-16 13:32    57,856    --a------    C:\WINDOWS\system32\drivers\redbook.sys
2007-09-16 13:31    40,840    --a------    C:\WINDOWS\system32\drivers\termdd.sys
2007-09-16 13:31    20,992    --a------    C:\WINDOWS\system32\drivers\rtl8139.sys
2007-09-16 13:30    75,264    --a------    C:\WINDOWS\system32\storprop.dll
2007-09-16 13:30    24,661    --a--c---    C:\WINDOWS\system32\dllcache\spxcoins.dll
2007-09-16 13:30    24,661    --a------    C:\WINDOWS\system32\spxcoins.dll
2007-09-16 13:30    13,312    --a--c---    C:\WINDOWS\system32\dllcache\irclass.dll
2007-09-16 13:30    13,312    --a------    C:\WINDOWS\system32\irclass.dll
2007-09-16 13:30    11,264    --a------    C:\WINDOWS\system32\drivers\irenum.sys
2007-09-16 08:31    <DIR>    dr-------    C:\DOCUME~1\BJARNE~1.000\Menuen Start
2007-09-16 08:31    <DIR>    dr-------    C:\DOCUME~1\BJARNE~1.000\Foretrukne
2007-09-16 08:31    <DIR>    dr-------    C:\DOCUME~1\BJARNE~1.000\Dokumenter
2007-09-16 08:31    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.000\Skabeloner
2007-09-16 08:31    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.000\Printere
2007-09-16 08:31    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.000\Lokale indstillinger
2007-09-16 08:31    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.000\Andre computere
2007-09-16 08:31    <DIR>    d--------    C:\DOCUME~1\BJARNE~1.000\Skrivebord
2007-09-16 08:31    <DIR>    d--------    C:\DOCUME~1\BJARNE~1.000\APPLIC~1\InterTrust
2007-09-16 08:30    <DIR>    dr-------    C:\DOCUME~1\BJARNE~1.DIT\Menuen Start
2007-09-16 08:30    <DIR>    dr-------    C:\DOCUME~1\BJARNE~1.DIT\Foretrukne
2007-09-16 08:30    <DIR>    dr-------    C:\DOCUME~1\BJARNE~1.DIT\Dokumenter
2007-09-16 08:30    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.DIT\Skabeloner
2007-09-16 08:30    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.DIT\Printere
2007-09-16 08:30    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.DIT\Lokale indstillinger
2007-09-16 08:30    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.DIT\Andre computere
2007-09-16 08:30    <DIR>    d--------    C:\DOCUME~1\BJARNE~1.DIT\Skrivebord
2007-09-15 21:32    <DIR>    d--------    C:\$CTJY
2007-09-15 20:35    <DIR>    d--------    C:\$CTJTMP(3)
2007-09-12 14:04    <DIR>    d--------    C:\{80010297-0000-0000-B82A-A13AEA719AD1}
2007-09-11 22:01    <DIR>    d--------    C:\DOCUME~1\ADMINI~1.DIT\Skabeloner
2007-09-11 22:01    <DIR>    d--------    C:\DOCUME~1\ADMINI~1.DIT\Lokale indstillinger
2007-09-11 22:01    <DIR>    d--------    C:\DOCUME~1\ADMINI~1.DIT\Foretrukne
2007-09-11 13:33    <DIR>    d--------    C:\Programmer\Support Tools
2007-09-10 20:59    <DIR>    d--------    C:\{80010297-0000-0000-9511-A4F9376BE6D4}
2007-09-05 10:09    <DIR>    d--------    C:\Programmer\SupportSoft
2007-09-05 10:09    <DIR>    d--------    C:\Programmer\Support.com
2007-09-05 10:09    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Support.com
2007-09-03 18:08    <DIR>    d--------    C:\Programmer\Recuva
2007-09-02 19:35    5,632    --a--c---    C:\WINDOWS\system32\dllcache\smimsgif.dll
2007-09-02 19:35    5,632    --a--c---    C:\WINDOWS\system32\dllcache\smierrsy.dll
2007-09-02 19:35    15,872    --a--c---    C:\WINDOWS\system32\dllcache\smierrsm.dll
2007-09-02 19:35    10,240    --a--c---    C:\WINDOWS\system32\dllcache\snmpstup.dll
2007-09-02 17:30    <DIR>    d--------    C:\Programmer\RRR utv„rdering
2007-09-02 17:23    <DIR>    d--------    C:\DOCUME~1\ADMINI~1\Skabeloner
2007-09-02 17:23    <DIR>    d--------    C:\DOCUME~1\ADMINI~1\Lokale indstillinger
2007-09-02 17:23    <DIR>    d--------    C:\DOCUME~1\ADMINI~1\Foretrukne

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-21 18:01    ---------    d--------    C:\Programmer\SUPERAntiSpyware
2007-09-18 19:24    ---------    d--------    C:\Programmer\MSN Messenger
2007-09-17 10:03    ---------    d--------    C:\Programmer\Ahead
2007-09-17 09:19    ---------    d--------    C:\Programmer\WashAndGo
2007-09-13 22:03    ---------    d--------    C:\Programmer\TDC
2007-09-12 12:49    ---------    d--------    C:\Programmer\Windows Live Safety Center
2007-08-28 15:31    ---------    d--------    C:\Programmer\TW2006
2007-07-30 19:19    92504    --a------    C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19    549720    --a------    C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19    53080    --a------    C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19    43352    --a------    C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19    325976    --a------    C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19    271224    --a------    C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19    207736    --a------    C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19    203096    --a------    C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19    1712984    --a------    C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18    33624    --a------    C:\WINDOWS\system32\wups.dll
2007-06-26 08:10    1104896    --a------    C:\WINDOWS\system32\msxml3.dll
    ---------        C:\Programmer\RRR utvärdering
    ---------        C:\Programmer\Fælles filer\Wise Installation Wizard
    ---------        C:\Programmer\Fælles filer\System
    ---------        C:\Programmer\Fælles filer\Microsoft Shared
    ---------        C:\Programmer\Fælles filer
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"nwiz"="nwiz.exe" [2003-04-02 15:40 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-04-02 15:40]
"NPCTray"="C:\Norman\npc\bin\npc_tray.exe" [2006-08-30 17:09]
"Norman ZANDA"="C:\Norman\npm\bin\ZLH.exe" [2006-10-16 11:43]
"hcenter"="C:\Programmer\Support.com\bin\tgcmd.exe" [2005-04-08 12:38]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-09-16 14:00]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50]
"FirstSteps"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-26 17:53]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2006-04-06 11:35]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-02-16 17:51 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.dll 2006-03-08 12:32 258048 C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

R0 NDIS_RD;Norman Firewall NDIS driver;C:\WINDOWS\system32\drivers\NDIS_RD.sys
R1 TDI_RD;Norman Firewall TDI driver;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys
R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
R2 NPFSvc32;Norman Personal Firewall Service;"C:\Norman\npf\bin\npfsvc32.exe"
R2 NVOY;Norman V.O.Y.;C:\Norman\npm\bin\nvoy.exe
R3 NPC;Norman Parental Control;C:\Norman\npc\bin\npcsvc32.exe
R3 NUAA;Norman User Activity Agent;C:\Norman\npc\bin\nuaa.exe
R3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
R3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
R3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
R3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys
R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE
S3 p2pgasvc;Gruppegodkendelse på peer-netværk;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Identitetsstyring for peer-netværk;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Peer-netværk;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;PNRP (Peer Name Resolution Protocol);C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);C:\WINDOWS\system32\DRIVERS\zd1201u.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc    p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-09-15 14:14:04 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1179237661.job"
- C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-21 19:06:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NUAA]
"ImagePath"="C:\Norman\npc\bin\nuaa.exe"
.
Completion time: 2007-09-21 19:09:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-21 19:09
.
    --- E O F ---



The HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:49:44, on 22-09-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Norman\npm\Bin\Zanda.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npm\bin\NJEEVES.EXE
C:\Norman\npc\bin\npcsvc32.exe
C:\Norman\npc\bin\nuaa.exe
C:\WINDOWS\System32\alg.exe
C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
C:\Norman\npm\bin\ZLH.EXE
C:\Programmer\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Norman\npf\bin\npfuser.exe
C:\Norman\nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\nvc\bin\cclaw.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Programmer\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Programmer\Outlook Express\msimn.exe
C:\Documents and Settings\Bjarne Frandsen.DIT-17JUWBRV4GC.000\Skrivebord\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NPCTray] C:\Norman\npc\bin\npc_tray.exe /LOAD
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [hcenter] "C:\Programmer\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://netsupport2.tdconline.dk/sdccommon/download/tgctlar.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.eserver.com/downloads/citrix/plugins/activex/wfica.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165042472265
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\npm\Bin\Zanda.exe
O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Norman\npc\bin\npcsvc32.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Norman\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
O23 - Service: Norman V.O.Y. (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


The Rootcheck log:


********************************* ROOTCHK-(17-09-07)-LOG, by ejvindh
21-09-2007 19:28:31,39

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-21 19:28:32
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0


The SuperAntiSpyware log could not be made. But that is what I had so far.
fromsej (Trainee)
23 September 2007 - 13:59 #10
Get CCleaner here:
http://www.filehippo.com/download_ccleaner/
Install CCleaner; remember to untick the box for installing the Yahoo toolbar.
Start the program and untick Cookies.
Click Run Cleaner and let it remove what it finds.
Then click Issues on the left-hand side (the blue cube), click Scan for issues; when it is finished, click Fix selected issues, optionally make a backup of the registry, then click Fix all selected issues.
Click OK, then click Close when it is done.
Restart.
---------------------------------------
Run HijackThis, scan, tick the lines listed here, close all windows except HijackThis, and click Fix checked.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

---------------------------------------
Copy the content between the wavy lines into a Notepad window and save it in the same folder as ComboFix under the name CFScript.txt. When saving, make sure that "file type" is set to "all files".

~~~~~~~~~~~~~~~~~~~~~~~~~~

File::
C:\LOTTO7.EXE

~~~~~~~~~~~~~~~~~~~~~~~~~~
Then grab the new file with the mouse, drag it onto the ComboFix file and release the mouse button.
http://www.fromsej.saknet.dk/billeder/cfscript.gif
ComboFix should then start working. It may require a restart, which you should allow. Do not click in the window while the tool is running, as that can make your computer freeze.
---------------------------------------
We need to see a fresh HijackThis log and the new ComboFix log.

But it smells more like a hardware fault if it does not see all the RAM.
ancillus (Beginner)
30 September 2007 - 04:08 #11
The HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 19:46:19, on 28-09-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Norman\npm\Bin\Zanda.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npc\bin\npcsvc32.exe
C:\Norman\npm\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\npc\bin\nuaa.exe
C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
C:\Norman\npm\bin\ZLH.EXE
C:\Programmer\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Norman\nvc\BIN\NIP.EXE
C:\Norman\nvc\bin\cclaw.exe
C:\WINDOWS\System32\alg.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\My download\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NPCTray] C:\Norman\npc\bin\npc_tray.exe /LOAD
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [hcenter] "C:\Programmer\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://netsupport2.tdconline.dk/sdccommon/download/tgctlar.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.eserver.com/downloads/citrix/plugins/activex/wfica.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmer\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165042472265
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\npm\Bin\Zanda.exe
O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Norman\npc\bin\npcsvc32.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Norman\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
O23 - Service: Norman V.O.Y. (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


The ComboFix log:


ComboFix 07-09-21.2 - "Bjarne Frandsen" 2007-09-21 19:01:41.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1030.18.73 [GMT 2:00]
.

(((((((((((((((((((((((((  Files Created from 2007-08-21 to 2007-09-21  )))))))))))))))))))))))))))))))
.

2007-09-21 18:55    51,200    --a------    C:\WINDOWS\NirCmd.exe
2007-09-21 18:01    <DIR>    d--------    C:\DOCUME~1\BJARNE~1.000\APPLIC~1\SUPERAntiSpyware.com
2007-09-21 17:49    <DIR>    d--------    C:\Programmer\CCleaner
2007-09-19 22:23    <DIR>    d--------    C:\WINDOWS\system32\da-dk
2007-09-19 22:17    33,792    --a--c---    C:\WINDOWS\system32\dllcache\custsat.dll
2007-09-19 16:48    188,416    --a------    C:\LOTTO7.EXE
2007-09-18 19:59    46,352    --a------    C:\WINDOWS\setdebug.exe
2007-09-18 19:59    139,536    --a------    C:\WINDOWS\system32\javaee.dll
2007-09-18 19:58    69,120    --a--c---    C:\WINDOWS\system32\dllcache\iedw.exe
2007-09-18 19:58    132,608    --a--c---    C:\WINDOWS\system32\dllcache\extmgr.dll
2007-09-18 19:57    144,896    -----c---    C:\WINDOWS\system32\dllcache\schannel.dll
2007-09-18 19:56    86,528    -----c---    C:\WINDOWS\system32\dllcache\directdb.dll
2007-09-18 19:56    85,504    -----c---    C:\WINDOWS\system32\dllcache\wabimp.dll
2007-09-18 19:56    683,520    -----c---    C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-09-18 19:56    510,976    -----c---    C:\WINDOWS\system32\dllcache\wab32.dll
2007-09-18 19:56    1,314,816    -----c---    C:\WINDOWS\system32\dllcache\msoe.dll
2007-09-18 19:05    538,624    --a--c---    C:\WINDOWS\system32\dllcache\spider.exe
2007-09-18 19:05    538,624    --a------    C:\WINDOWS\system32\spider.exe
2007-09-18 19:05    282,112    --a--c---    C:\WINDOWS\system32\dllcache\pinball.exe
2007-09-18 19:05    259,072    --a--c---    C:\WINDOWS\system32\dllcache\snmpcl.dll
2007-09-18 19:03    40,448    --a--c---    C:\WINDOWS\system32\dllcache\snmpthrd.dll
2007-09-18 18:15    332,928    -----c---    C:\WINDOWS\system32\dllcache\srv.sys
2007-09-18 18:15    1,000,960    -----c---    C:\WINDOWS\system32\dllcache\kernel32.dll
2007-09-16 21:54    <DIR>    d--------    C:\DOCUME~1\BJARNE~1.000\APPLIC~1\MSN6
2007-09-16 16:19    122    -ra------    C:\WINDOWS\system32\drivers\ramsed.bin
2007-09-16 16:19    1,024    -ra------    C:\WINDOWS\system32\drivers\jedih2rx.bin
2007-09-16 16:19    <DIR>    d--------    C:\WINDOWS\LastGood(2)
2007-09-16 16:17    <DIR>    d--------    C:\$CTJTMP(4)
2007-09-16 16:11    <DIR>    d---s----    C:\DOCUME~1\BJARNE~1.000\UserData
2007-09-16 13:36    6,400    --a------    C:\WINDOWS\system32\drivers\splitter.sys
2007-09-16 13:36    52,864    --a------    C:\WINDOWS\system32\drivers\dmusic.sys
2007-09-16 13:32    57,856    --a------    C:\WINDOWS\system32\drivers\redbook.sys
2007-09-16 13:31    40,840    --a------    C:\WINDOWS\system32\drivers\termdd.sys
2007-09-16 13:31    20,992    --a------    C:\WINDOWS\system32\drivers\rtl8139.sys
2007-09-16 13:30    75,264    --a------    C:\WINDOWS\system32\storprop.dll
2007-09-16 13:30    24,661    --a--c---    C:\WINDOWS\system32\dllcache\spxcoins.dll
2007-09-16 13:30    24,661    --a------    C:\WINDOWS\system32\spxcoins.dll
2007-09-16 13:30    13,312    --a--c---    C:\WINDOWS\system32\dllcache\irclass.dll
2007-09-16 13:30    13,312    --a------    C:\WINDOWS\system32\irclass.dll
2007-09-16 13:30    11,264    --a------    C:\WINDOWS\system32\drivers\irenum.sys
2007-09-16 08:31    <DIR>    dr-------    C:\DOCUME~1\BJARNE~1.000\Menuen Start
2007-09-16 08:31    <DIR>    dr-------    C:\DOCUME~1\BJARNE~1.000\Foretrukne
2007-09-16 08:31    <DIR>    dr-------    C:\DOCUME~1\BJARNE~1.000\Dokumenter
2007-09-16 08:31    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.000\Skabeloner
2007-09-16 08:31    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.000\Printere
2007-09-16 08:31    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.000\Lokale indstillinger
2007-09-16 08:31    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.000\Andre computere
2007-09-16 08:31    <DIR>    d--------    C:\DOCUME~1\BJARNE~1.000\Skrivebord
2007-09-16 08:31    <DIR>    d--------    C:\DOCUME~1\BJARNE~1.000\APPLIC~1\InterTrust
2007-09-16 08:30    <DIR>    dr-------    C:\DOCUME~1\BJARNE~1.DIT\Menuen Start
2007-09-16 08:30    <DIR>    dr-------    C:\DOCUME~1\BJARNE~1.DIT\Foretrukne
2007-09-16 08:30    <DIR>    dr-------    C:\DOCUME~1\BJARNE~1.DIT\Dokumenter
2007-09-16 08:30    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.DIT\Skabeloner
2007-09-16 08:30    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.DIT\Printere
2007-09-16 08:30    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.DIT\Lokale indstillinger
2007-09-16 08:30    <DIR>    d--h-----    C:\DOCUME~1\BJARNE~1.DIT\Andre computere
2007-09-16 08:30    <DIR>    d--------    C:\DOCUME~1\BJARNE~1.DIT\Skrivebord
2007-09-15 21:32    <DIR>    d--------    C:\$CTJY
2007-09-15 20:35    <DIR>    d--------    C:\$CTJTMP(3)
2007-09-12 14:04    <DIR>    d--------    C:\{80010297-0000-0000-B82A-A13AEA719AD1}
2007-09-11 22:01    <DIR>    d--------    C:\DOCUME~1\ADMINI~1.DIT\Skabeloner
2007-09-11 22:01    <DIR>    d--------    C:\DOCUME~1\ADMINI~1.DIT\Lokale indstillinger
2007-09-11 22:01    <DIR>    d--------    C:\DOCUME~1\ADMINI~1.DIT\Foretrukne
2007-09-11 13:33    <DIR>    d--------    C:\Programmer\Support Tools
2007-09-10 20:59    <DIR>    d--------    C:\{80010297-0000-0000-9511-A4F9376BE6D4}
2007-09-05 10:09    <DIR>    d--------    C:\Programmer\SupportSoft
2007-09-05 10:09    <DIR>    d--------    C:\Programmer\Support.com
2007-09-05 10:09    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Support.com
2007-09-03 18:08    <DIR>    d--------    C:\Programmer\Recuva
2007-09-02 19:35    5,632    --a--c---    C:\WINDOWS\system32\dllcache\smimsgif.dll
2007-09-02 19:35    5,632    --a--c---    C:\WINDOWS\system32\dllcache\smierrsy.dll
2007-09-02 19:35    15,872    --a--c---    C:\WINDOWS\system32\dllcache\smierrsm.dll
2007-09-02 19:35    10,240    --a--c---    C:\WINDOWS\system32\dllcache\snmpstup.dll
2007-09-02 17:30    <DIR>    d--------    C:\Programmer\RRR utvärdering
2007-09-02 17:23    <DIR>    d--------    C:\DOCUME~1\ADMINI~1\Skabeloner
2007-09-02 17:23    <DIR>    d--------    C:\DOCUME~1\ADMINI~1\Lokale indstillinger
2007-09-02 17:23    <DIR>    d--------    C:\DOCUME~1\ADMINI~1\Foretrukne

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-21 18:01    ---------    d--------    C:\Programmer\SUPERAntiSpyware
2007-09-18 19:24    ---------    d--------    C:\Programmer\MSN Messenger
2007-09-17 10:03    ---------    d--------    C:\Programmer\Ahead
2007-09-17 09:19    ---------    d--------    C:\Programmer\WashAndGo
2007-09-13 22:03    ---------    d--------    C:\Programmer\TDC
2007-09-12 12:49    ---------    d--------    C:\Programmer\Windows Live Safety Center
2007-08-28 15:31    ---------    d--------    C:\Programmer\TW2006
2007-07-30 19:19    92504    --a------    C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19    549720    --a------    C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19    53080    --a------    C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19    43352    --a------    C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19    325976    --a------    C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19    271224    --a------    C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19    207736    --a------    C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19    203096    --a------    C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19    1712984    --a------    C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18    33624    --a------    C:\WINDOWS\system32\wups.dll
2007-06-26 08:10    1104896    --a------    C:\WINDOWS\system32\msxml3.dll
    ---------        C:\Programmer\RRR utvärdering
    ---------        C:\Programmer\Fælles filer\Wise Installation Wizard
    ---------        C:\Programmer\Fælles filer\System
    ---------        C:\Programmer\Fælles filer\Microsoft Shared
    ---------        C:\Programmer\Fælles filer
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"nwiz"="nwiz.exe" [2003-04-02 15:40 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-04-02 15:40]
"NPCTray"="C:\Norman\npc\bin\npc_tray.exe" [2006-08-30 17:09]
"Norman ZANDA"="C:\Norman\npm\bin\ZLH.exe" [2006-10-16 11:43]
"hcenter"="C:\Programmer\Support.com\bin\tgcmd.exe" [2005-04-08 12:38]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-09-16 14:00]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50]
"FirstSteps"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-26 17:53]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2006-04-06 11:35]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-02-16 17:51 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.dll 2006-03-08 12:32 258048 C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

R0 NDIS_RD;Norman Firewall NDIS driver;C:\WINDOWS\system32\drivers\NDIS_RD.sys
R1 TDI_RD;Norman Firewall TDI driver;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys
R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
R2 NPFSvc32;Norman Personal Firewall Service;"C:\Norman\npf\bin\npfsvc32.exe"
R2 NVOY;Norman V.O.Y.;C:\Norman\npm\bin\nvoy.exe
R3 NPC;Norman Parental Control;C:\Norman\npc\bin\npcsvc32.exe
R3 NUAA;Norman User Activity Agent;C:\Norman\npc\bin\nuaa.exe
R3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
R3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
R3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
R3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys
R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE
S3 p2pgasvc;Gruppegodkendelse på peer-netværk;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Identitetsstyring for peer-netværk;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Peer-netværk;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;PNRP (Peer Name Resolution Protocol);C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);C:\WINDOWS\system32\DRIVERS\zd1201u.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc    p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-09-15 14:14:04 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1179237661.job"
- C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-21 19:06:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NUAA]
"ImagePath"="C:\Norman\npc\bin\nuaa.exe"
.
Completion time: 2007-09-21 19:09:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-21 19:09
.
    --- E O F ---


That was it.
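Two of the checks fromsej does by eye in this thread can be done mechanically: finding registrations whose target file is gone (the reason the nameless O2 BHO is ticked for "Fix checked" in #10), and comparing a fresh HijackThis log with the previous one to see what has appeared. The Python script below is an added example written for this page; it is not a tool from the thread, from Trend Micro or from fromsej. It parses the R/O entry lines of a HijackThis log, flags "(no file)" / "(file missing)" registrations, diffs two logs, and lists running processes that live outside the usual program directories. The two embedded logs are short excerpts of the 22-09 and 28-09 logs posted above; the list of "trusted roots" is an assumption for this particular Danish XP machine.

```python
"""HijackThis log triage (added example for this page, not a tool from the thread).

1. orphaned():   registrations whose target file is gone, e.g. the nameless O2 BHO
2. new_entries(): R/O lines in a fresh log that were not in the previous one
3. processes_outside_trusted_roots(): images running from unusual locations
The two logs are excerpts of the 22-09 and 28-09 HijackThis logs posted in the thread.
"""
import re

# "O2 - BHO: ..." / "R3 - URLSearchHook: ..." : section code, " - ", body
_ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
_MISSING = ("(no file)", "(file missing)")
# Assumption for this (Danish) XP box: images outside these roots get a second look.
_TRUSTED_ROOTS = ("c:\\windows\\", "c:\\programmer\\", "c:\\progra~1\\", "c:\\norman\\")

LOG_22_09 = r"""Logfile of HijackThis v1.99.1
Scan saved at 19:49:44, on 22-09-2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Norman\npf\bin\npfsvc32.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Bjarne Frandsen.DIT-17JUWBRV4GC.000\Skrivebord\alternativ.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
"""

LOG_28_09 = r"""Logfile of HijackThis v1.99.1
Scan saved at 19:46:19, on 28-09-2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Norman\npf\bin\npfsvc32.exe
C:\My download\alternativ.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
"""


def entries(log):
    """All 'Rn - ...' / 'On - ...' lines (stripped), mapped to their section code."""
    found = {}
    for line in log.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            found[m.group(0)] = m.group("sec")
    return found


def orphaned(log):
    """Registrations whose target file no longer exists: 'Fix checked' candidates."""
    return [e for e in entries(log) if e.endswith(_MISSING)]


def new_entries(old_log, new_log):
    """Section lines present in new_log but absent from old_log (process list excluded)."""
    old = entries(old_log)
    return sorted(e for e in entries(new_log) if e not in old)


def clsids(lines):
    """CLSIDs referenced by the given entry lines, upper-cased for comparison."""
    return {c.upper() for line in lines for c in _CLSID.findall(line)}


def running_processes(log):
    """Image paths listed under 'Running processes:' up to the first blank line."""
    procs, inside = [], False
    for line in log.splitlines():
        s = line.strip()
        if s == "Running processes:":
            inside = True
        elif inside and not s:
            break
        elif inside:
            procs.append(s)
    return procs


def processes_outside_trusted_roots(log):
    """Running images outside _TRUSTED_ROOTS (case-insensitive prefix match)."""
    return [p for p in running_processes(log) if not p.lower().startswith(_TRUSTED_ROOTS)]


if __name__ == "__main__":
    print("Orphaned registrations in the 22-09 log:")
    for e in orphaned(LOG_22_09):
        print("  ", e)
    new = new_entries(LOG_22_09, LOG_28_09)
    print("New R/O entries in the 28-09 log:")
    for e in new:
        print("  ", e)
    print("CLSIDs of the new entries:", sorted(clsids(new)))
    print("Processes outside trusted roots (28-09):", processes_outside_trusted_roots(LOG_28_09))
```

Run against the two excerpts, the diff shows exactly what changed between the logs the user posted: the Yahoo! Toolbar appeared as an R3 search hook, an O2 BHO and an O3 toolbar (the toolbar fromsej said to untick during the CCleaner install), and alternativ.exe is now running from C:\My download instead of the desktop. These are observations, not verdicts: a flagged file still has to be checked, as fromsej does with C:\LOTTO7.EXE via Jotti and VirusTotal further down.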
fromsej (Trainee)
30 September 2007 - 10:27 #12
Upload this file to Jotti or VirusTotal: C:\LOTTO7.EXE
http://virusscan.jotti.org/ http://www.virustotal.com/en/indexf.html
Report the result.
ancillus (Beginner)
30 September 2007 - 18:04 #13
There was nothing. Tried on both sites.
fromsej (Trainee)
30 September 2007 - 20:04 #14
Then there is nothing more to go after.
ancillus (Beginner)
30 September 2007 - 20:10 #15
So it is something hardware... or?
fromsej (Trainee)
01 October 2007 - 17:15 #16
What is the status of the RAM problem, and of any other problems?
ancillus (Beginner)
04 October 2007 - 18:06 #17
Well, it is about the same, but my dad has now invested in a new computer, since that computer has always worked more or less badly anyway. But thank you for the help, dr1 larry and fromsej. If you will just write an answer, I can give you some points :)
04 October 2007 - 18:20 #18
Ping...
(That was an [answer]...)
ancillus (Beginner)
04 October 2007 - 18:35 #19
And there should be points. Now I am in doubt about whether I can give points to more than one person... if I cannot, I am very sorry, fromsej :/
fromsej (Trainee)
04 October 2007 - 19:41 #20
You have to mark our names in the box and then click Accept; then it should work by itself.
ancillus (Beginner)
04 October 2007 - 20:17 #21
Ah, I see. Thanks again :)
fromsej (Trainee)
04 October 2007 - 21:12 #22
You're welcome, thanks for the points. :-)