Avatar billede kaspersmith Nybegynder
26. juni 2012 - 09:36 Der er 2 kommentarer og
1 løsning

Mulig inficeret maskine

Hej Alle exp brugere.

Har vist været under lidt angreb.

Maskinen kører Norma, som går helt amok med information om virus.
Jeg er i fuld gang med også at køre seneste malwarebytes.
Og jeg har hentet Hijackthis som jeg kan se i andre tråde i anbefaler.

Maskinen kører Windows 2003.

Er der en venlig sjæl som kan pinpointe mig lidt videre i min cleaning ?


Her er min log:


Logfile of HijackThis v1.99.1
Scan saved at 09:34:49, on 26-06-2012
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Norman\Npm\Bin\elogsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Advanced Monitoring Agent\winagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Novosoft\Handy Backup\BackupNetworkCoordinator.exe
C:\Program Files\AhsayOBM\aua\bin\Aua.exe
C:\Program Files\AhsayOBM\bin\CDPService.exe
C:\Program Files\AhsayOBM\aua\jvm\bin\auaJW.exe
C:\Program Files\AhsayOBM\bin\Scheduler.exe
C:\Program Files\AhsayOBM\bin\CDPService.exe
C:\Program Files\AhsayOBM\jvm\bin\bschJW.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norman\Npm\Bin\scheduler.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\AhsayOBM\bin\SystemTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Norman\nvc\bin\nvcod.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DW08JGNB\HijackThis[1].exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/
O1 - Hosts: 69.64.71.218 handybackup.com www.handybackup.com www.softlogica.com softlogica.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [java.exe] "C:\Documents and Settings\ASP.NET\Application Data\java.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [OBSystemTray] "C:\Program Files\AhsayOBM\bin\SystemTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Handy Backup] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1294482921906
O17 - HKLM\System\CCS\Services\Tcpip\..\{7064DF7D-15E8-44B4-8D83-7847CF0A4D9D}: NameServer = 192.168.52.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{7064DF7D-15E8-44B4-8D83-7847CF0A4D9D}: NameServer = 192.168.52.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: Advanced Monitoring Agent - Remote Monitoring - C:\Program Files\Advanced Monitoring Agent\winagent.exe
O23 - Service: Norman eLogger Service (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\elogsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SQL Server (WINKOMPASEXPRESS) (MSSQL$WINKOMPASEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sWINKOMPASEXPRESS (file missing)
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Novosoft Backup Network Coordinator (NovosoftBackupNetworkCoordinator) - Novosoft LLC - C:\Program Files\Novosoft\Handy Backup\BackupNetworkCoordinator.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Unknown owner - C:\Program Files\Norman\Nse\Bin\NSESVC.EXE" -daemon (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Program Files\Norman\npm\bin\nvoy.exe
O23 - Service: AutoUpdateAgent (Ahsay Online Backup Manager) (OBAutoUpdate) - Unknown owner - C:\Program Files\AhsayOBM\aua\bin\Aua.exe
O23 - Service: Continuous Data Protection (Ahsay Online Backup Manager) (OBCDPService) - Unknown owner - C:\Program Files\AhsayOBM\bin\CDPService.exe
O23 - Service: Online Backup Scheduler (Ahsay Online Backup Manager) (OBScheduler) - Unknown owner - C:\Program Files\AhsayOBM\bin\Scheduler.exe
O23 - Service: Norman Scheduler Service (Scheduler) - Norman ASA - C:\Program Files\Norman\Npm\Bin\scheduler.exe
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
26. juni 2012 - 17:18 #1
Loggen fra en FULD Scaning med MalwareBytes ... ?
Avatar billede kaspersmith Nybegynder
10. august 2012 - 10:57 #2
Den kom selv i live efter scanningen.
10. august 2012 - 14:14 #3
[Acceper] selv dit eget [svar] for at lukke 'tråden' ...
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester