[LØST] Trøbbel i Utforsker og IE

[langvandre]

Kan noen hjelpe meg?

Jeg opplever at ved venstreklikk på mapper i utforsker, så åpnes en nettadresse etter at jeg har klikket Nei i en dialog som popper opp. Dialogen sier noe tull om at jeg har fått virus bla, bla

Dette skjer ikke hver gang jeg klikker på mapper og er litt tilfeldig ettersom hvilken mappe jeg velger...

I IE er problemet stort. De er nesten umulig å få gjort noe fordi nettsider vises uten at jeg ber om det... og adresselinja viser about:blank

 

Enda godt jeg helst bruker Firefox.

 

Jeg har sjekka tjenester som kjører. Har også sjekket explorer.exe for å se om det er noe galt, men det virker ikke sånn. Størrelse, og dato virker ok og den er fortsatt norsk...

En yndet adresse nå er http://free-viruscan.com

 

Kan noen si noe generelt om hvordan dette er mulig? Har noen lignende erfaringer?

Endret 2. september 2008 av langvandre

[snippsat]

Gjør dette.

---

Last ned MBAM til skrivebordet.

Velg Norsk språkdrakt-->kjør hurtig systemskann.

Når MBAM er ferdig åpner den en logg,den poster du.

---

Last Combofix ned ,legg på skrivebordet.

Ikke klikk på vindu mens programet kjører.

post logg C:\combofix.txt

Endret 27. august 2008 av SNIPPSAT

[langvandre]

Gjør dette.

---

.

.

.

post logg C:\combofix.txt

 

Takk for kjapt svar SNIPPSAT. Det gjorde susen! Vanskelig å vite hvilke Malware fjernere som funker, men nå vet jeg det

Bruker ellers Fix-IT mot virus.

 

En liten bemerkning til slutt... det må da være lurere av disse plageåndene, de som lager dette rotet, å la ting foregå i stillhet. En merker jo kjapt om Pc'n er infisert

 

------------

MBAM log

Malwarebytes' Anti-Malware 1.25

Database versjon: 1088

Windows 5.1.2600 Service Pack 3

 

12:44:21 27.08.2008

mbam-log-08-27-2008 (12-44-21).txt

 

Skanntype: Rask Skann

Objekter skannet: 57379

Tid tilbakelagt: 9 minute(s), 31 second(s)

 

Minneprosesser infisert: 0

Minnemoduler infisert: 1

Registernøkler infisert: 7

Registerverdier infisert: 0

Registerfiler infisert: 1

Mapper infisert: 0

Filer infisert: 2

 

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

 

Minnemoduler infisert:

C:\WINDOWS\system32\dwvk.dll (Trojan.FakeAlert) -> Delete on reboot.

 

Registernøkler infisert:

HKEY_CLASSES_ROOT\TypeLib\{15c7d7ad-a87a-4c0d-9d8b-637fcd3488ef} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{cf4bff2b-b9c5-4c11-ab65-b3baccbf2c6e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{ecd99db2-abfa-46ae-a7ee-16d0ddb78258} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{7fbb2d91-9964-4196-bac5-d5e751762ec3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fbb2d91-9964-4196-bac5-d5e751762ec3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\bhonew.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\nimo (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

 

Registerfiler infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

 

Mapper infisert:

(Ingen mistenkelige filer funnet)

 

Filer infisert:

C:\WINDOWS\system32\dwvk.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\Documents and Settings\Egill\results.txt (Malware.Trace) -> Quarantined and deleted successfully.

 

-------------

ComboFix log

ComboFix 08-08-26.02 - Egill 2008-08-27 13:02:19.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1044.18.419 [GMT 2:00]

Running from: C:\Documents and Settings\Egill\Skrivebord\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Egill\Programdata\macromedia\Flash Player\#SharedObjects\ZLCXSNPZ\bin.clearspring.com

C:\Documents and Settings\Egill\Programdata\macromedia\Flash Player\#SharedObjects\ZLCXSNPZ\bin.clearspring.com\clearspring.sol

C:\Documents and Settings\Egill\Programdata\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com

C:\Documents and Settings\Egill\Programdata\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol

 

.

((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))

.

 

2008-08-27 13:11 . 2008-08-27 13:11 53,248 --a------ C:\Temp\catchme.dll

2008-08-27 13:03 . 2008-08-27 13:03 <DIR> d-------- C:\Temp\WPDNSE

2008-08-27 12:32 . 2008-08-27 12:43 <DIR> d-------- C:\Programfiler\MBAM

2008-08-27 12:32 . 2008-08-27 12:32 <DIR> d-------- C:\Documents and Settings\Egill\Programdata\Malwarebytes

2008-08-27 12:32 . 2008-08-27 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-08-27 12:32 . 2008-08-17 15:05 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-27 12:32 . 2008-08-17 15:05 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-08-26 14:54 . 2006-12-28 12:01 19,569 --a------ C:\WINDOWS\000002_.tmp

2008-08-26 13:14 . 2008-08-26 13:14 <DIR> d--h----- C:\VCOM

2008-08-26 10:48 . 2008-08-26 10:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-08-26 10:48 . 2008-08-26 10:48 1,409 --a------ C:\WINDOWS\QTFont.for

2008-08-10 23:38 . 2008-08-27 13:10 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0009

2008-08-10 23:38 . 2008-08-27 13:10 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0008

2008-08-10 22:53 . 2008-08-27 13:10 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0007

2008-08-10 22:53 . 2008-08-27 13:10 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0006

2008-08-10 22:21 . 2008-08-27 13:10 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0005

2008-08-10 22:21 . 2008-08-27 13:10 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0002

2008-08-10 21:37 . 2008-08-27 13:10 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0004

2008-08-10 21:26 . 2008-08-10 23:37 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0001

2008-08-10 21:26 . 2008-08-10 22:00 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0000

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-27 11:11 --------- d-----w C:\Programfiler\PeerGuardian2

2008-08-27 10:58 --------- d-----w C:\Programfiler\Firefox

2008-08-26 10:23 --------- d-----w C:\Documents and Settings\Egill\Programdata\Skype

2008-08-25 22:03 --------- d-----w C:\Documents and Settings\Egill\Programdata\skypePM

2008-07-17 19:52 --------- d-----w C:\Programfiler\Java

2008-01-17 16:41 32 ----a-w C:\Documents and Settings\All Users\Programdata\ezsid.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PeerGuardian"="C:\Programfiler\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2008-04-14 09:23 1695232]

"LogitechSoftwareUpdate"="C:\Programfiler\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44 196608]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 09:22 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [X]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 13:01 4632576]

"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]

"Fix-It AV"="C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe" [2005-05-10 21:07 32768]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

"Apoint"="C:\Programfiler\Apoint\Apoint.exe" [2005-10-07 15:13 176128]

"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 10:08 1347584]

"DiskeeperSystray"="C:\Programfiler\Diskeeper\DkIcon.exe" [2006-06-07 12:35 319488]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32 221184]

"LogitechVideoRepair"="C:\Programfiler\Logitech\Video\ISStart.exe" [2005-06-08 15:24 458752]

"LogitechVideoTray"="C:\Programfiler\Logitech\Video\LogiTray.exe" [2005-06-08 15:14 217088]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

"nwiz"="nwiz.exe" [2004-10-26 13:01 921600 C:\WINDOWS\system32\nwiz.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 09:22 15360]

"Nokia.PCSync"="C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

 

C:\Documents and Settings\Egill\Start-meny\Programmer\Oppstart\

Adobe Gamma.lnk - C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-12-18 22:28:42 25214]

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

Start 3DxWare.lnk - C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe [2007-07-10 18:54:02 118272]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "P:\EuShlExt.dll" [2004-08-27 11:10 86016]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"SENTINEL"= snti386.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dllzwebauth.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Acrobat Speed Launcher.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Acrobat Speed Launcher.lnk

backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Hurtigstart for Adobe Reader.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Hurtigstart for Adobe Reader.lnk

backup=C:\WINDOWS\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]

--a------ 2008-04-23 02:08 483328 C:\Programfiler\Adobe\Acrobat 7.0\Distillr\acrotray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-03-12 13:49 153136 C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

--a------ 2006-03-30 17:45 313472 C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

 

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-12-08 16:56]

S0 NVStrap;NVStrap;C:\WINDOWS\system32\drivers\NVStrap.sys [2005-12-01 10:35]

S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\Programfiler\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 06:29]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]

S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]

 

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-Run-PCSuiteTrayApplication - C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

HKU-Default-RunOnce-3DxAssociateFileExts - C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Egill\Programdata\Mozilla\Firefox\Profiles\1w2dfwsz.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.startsiden.no/

FF -: plugin - C:\Programfiler\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll

FF -: plugin - C:\Programfiler\DivX\DivX Content Uploader\npUpload.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\np32dsw.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\npdivx32.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\npnul32.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\nppdf32.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\nppl3260.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\npqtplugin.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\npqtplugin2.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\npqtplugin3.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\npqtplugin4.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\npqtplugin5.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\npqtplugin6.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\npqtplugin7.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\nprjplug.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\nprpjplug.dll

FF -: plugin - C:\Programfiler\Firefox\plugins\NPSWF32.dll

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-27 13:11:57

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-08-27 13:16:08

ComboFix-quarantined-files.txt 2008-08-27 11:15:26

 

Pre-Run: 933,965,824 byte ledig

Post-Run: 4,587,839,488 byte ledig

 

165

[snippsat]

Ja ser bra ut.

 

Litt opprydding.

 

Last ned kjør CCleaner

'Valg'->'Avansert'. Fjern avkryssingen framfor: "bare slett midlertidige filer som er eldere enn 48 t.

Kjør og register-renser"svar ja til og reparere"-->backup svar ja når du blir spørt.

Kjør register-renser et par ganger til alle feil er borte.

 

Du kan fjerne combofix ved å skrive combofix /u fra kjør-vinduet. Denne kommandoen gjør at filer i karantene og backups blir slette. Systemgjenopprettingsmappa nullstilt etc.

 

Surf trygt.

[langvandre]

Jeg takker igjen for meget god hjelp. Det er hyggelig å vite at hjelpen er nær :-)

[r2d290]

Dersom du mener at problemet med maskinen din er løst, kan du endre emnetittelen din, ved å trykke på i førsteposten din, og velge full endring. Øverst der emnetittelen din er, skriver du:

[LØST]

foran emnetittelen din.

 

Eks: [LØST] Har fått virus på maskinen

 

Dette vil være med på å holde forumet mer oversiktlig for supporterne, samt at nye folk som får samme problemet lettere vil finne en passende tråd å se i.

 

-Surf trygt-