[Løst]Virus, HJT og MBAM Logg, Hjelp, Noen?

[Shax#]

Heisann, jeg har fått en del virus så jeg tenkte at jeg trengte litt hjelp:P (Unknown windows er Windows 7 Ultimate x64)

 

HJT LOGG:

Klikk for å se/fjerne innholdet nedenfor

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:17:14, on 08.10.2009

Platform: Unknown Windows (WinNT 6.01.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

 

Running processes:

C:\Windows\msb.exe

C:\Fraps\fraps.exe

C:\Windows\PLFSetI.exe

C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

C:\Program Files (x86)\OSCAR Editor\OscarEditor.exe

C:\Program Files (x86)\Steam\Steam.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Program Files (x86)\Pop up Blocker\pd.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files (x86)\Java\jre6\bin\jusched.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe

C:\Program Files (x86)\inKline Global\PC Booster\PCBooster.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Påloggingshjelp for Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [PC Booster] C:\Program Files (x86)\inKline Global\PC Booster\pcbooster.exe

O4 - HKLM\..\Run: [MSCFG32] C:\Windows\system32\wincfg32\wincfg32.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [OscarEditor] "C:\Program Files (x86)\OSCAR Editor\OscarEditor.exe" Minimum

O4 - HKCU\..\Run: [Google Update] "C:\Users\Kai-Morten\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [steam] "c:\program files (x86)\steam\steam.exe" -silent

O4 - HKCU\..\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [PopRock] C:\Users\KAI-MO~1\AppData\Local\Temp\b.exe

O4 - HKCU\..\Run: [MSCFG32] C:\Windows\system32\wincfg32\wincfg32.exe

O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files (x86)\Pop up Blocker\pd.exe" Minimize

O4 - HKCU\..\Run: [mstwain32] C:\Windows\mstwain32.exe

O4 - HKCU\..\Run: [MSWUpdate] C:\WINDOWS\Cursors\lsass.exe

O4 - HKCU\..\Run: [cHI9Q8GD] C:\Users\KAI-MO~1\AppData\Local\Temp\cHI9Q8GD.exe

O4 - HKLM\..\Policies\Explorer\Run: [mscfg32] C:\Windows\system32\wincfg32\wincfg32.exe

O4 - HKLM\..\Policies\Explorer\Run: [Policies] c:\dir\install\install\svchost.exe

O4 - HKCU\..\Policies\Explorer\Run: [mscfg32] C:\Windows\system32\wincfg32\wincfg32.exe

O4 - HKCU\..\Policies\Explorer\Run: [Policies] c:\dir\install\install\svchost.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETTVERKSTJENESTE')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BTTray.lnk = ?

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: PD - {5FF51D3D-92FC-45F7-81F4-72D5D22093FE} - C:\Program Files (x86)\Pop up Blocker\pd.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Send til Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: Send til &Bluetooth-enhet... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

 

--

End of file - 9592 bytes

 

MBAM LOGG:

Klikk for å se/fjerne innholdet nedenfor

Malwarebytes' Anti-Malware 1.41

Databaseversjon: 2925

Windows 6.1.7600

 

08.10.2009 14:51:05

mbam-log-2009-10-08 (14-51-05).txt

 

Skanntype: Rask Skann

Objekter skannet: 89657

Tid tilbakelagt: 5 minute(s), 26 second(s)

 

Minneprosesser infisert: 1

Minnemoduler infisert: 0

Registernøkler infisert: 5

Registerverdier infisert: 2

Registerfiler infisert: 1

Mapper infisert: 0

Filer infisert: 8

 

Minneprosesser infisert:

C:\Windows\msb.exe (Trojan.Agent) -> Unloaded process successfully.

 

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

 

Registernøkler infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8b3i1uk3-0024-50s1-x3p8-meckrnhj0foy} (Generic.Bot.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{m5v08o7s-oqj4-kwqk-o51x-r5xh1n6o4xx3} (Generic.Bot.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

 

Registerverdier infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

 

Registerfiler infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Mapper infisert:

(Ingen mistenkelige filer funnet)

 

Filer infisert:

c:\dir\install\install\svchost.exe (Generic.Bot.H) -> Quarantined and deleted successfully.

C:\Users\Kai-Morten\AppData\Local\Temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.

C:\Users\Kai-Morten\AppData\Local\Temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.

C:\Windows\System32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Windows\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

 

Takk på forhånd!

Endret 8. oktober 2009 av mini097

[Shax#]

Forresten så kjører jeg en SUPERAntiSpyware scan nå.

[norbat]

Fant SAS noe? Post gjerne loggen.

[Shax#]

Tja, Poster ny logg til HJT også.

 

HJT LOGG:

Klikk for å se/fjerne innholdet nedenfor

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 01:42:19, on 11.10.2009

Platform: Unknown Windows (WinNT 6.01.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

 

Running processes:

C:\Windows\PLFSetI.exe

C:\Program Files (x86)\OSCAR Editor\OscarEditor.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files (x86)\Java\jre6\bin\jusched.exe

C:\Windows\System32\drivers\etc\csrss.exe

C:\Windows\SysWOW64\RunTimeLib.exe

C:\Windows\SysWOW64\nvscv32.exe

C:\Windows\smms.exe

C:\Program Files (x86)\inKline Global\PC Booster\pcbooster.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\SUPERAntiSpyware\44b6c99d-6c57-4cfe-9003-11062ca30e2d.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Påloggingshjelp for Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [msconfigg] msconf.exe

O4 - HKLM\..\Run: [32.exe] C:\Windows\system32\nvscv32.exe

O4 - HKLM\..\Run: [Google Updater] C:\Windows\smms.exe

O4 - HKLM\..\Run: [ccapp2] C:\windows\system32\RunTimeLib.exe

O4 - HKLM\..\RunServices: [msconfigg] msconf.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [OscarEditor] "C:\Program Files (x86)\OSCAR Editor\OscarEditor.exe" Minimum

O4 - HKCU\..\Run: [Google Update] "C:\Users\Kai-Morten\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [msconfigg] msconf.exe

O4 - HKLM\..\Policies\Explorer\Run: [mscfg32] C:\Windows\system32\wincfg32\wincfg32.exe

O4 - HKLM\..\Policies\Explorer\Run: [Policies] c:\dir\install\install\svchost.exe

O4 - HKCU\..\Policies\Explorer\Run: [mscfg32] C:\Windows\system32\wincfg32\wincfg32.exe

O4 - HKCU\..\Policies\Explorer\Run: [Policies] c:\dir\install\install\svchost.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETTVERKSTJENESTE')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BTTray.lnk = ?

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: PD - {5FF51D3D-92FC-45F7-81F4-72D5D22093FE} - C:\Program Files (x86)\Pop up Blocker\pd.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Send til Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: Send til &Bluetooth-enhet... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Xobni\Skype4Com.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

O23 - Service: ASKService - Unknown owner - C:\Program Files (x86)\AskBarDis\bar\bin\AskService.exe

O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files (x86)\AskBarDis\bar\bin\ASKUpgrade.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: SecureSrv - My Privacy Tools, Inc. - C:\Program Files (x86)\Hide My IP 2009\SecureSrv.exe

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

O23 - Service: XobniService - Xobni Corporation - C:\Program Files (x86)\Xobni\XobniService.exe

O23 - Service: 1076810768x1 (1076810768107682) - Unknown owner - C:\Users\KAI-MO~1\AppData\Local\Temp\TZJg.exe (file missing)

 

--

End of file - 10768 bytes

 

SAS LOGG:

Klikk for å se/fjerne innholdet nedenfor

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 10/11/2009 at 01:32 AM

 

Application Version : 4.29.1002

 

Core Rules Database Version : 4153

Trace Rules Database Version: 2081

 

Scan type : Complete Scan

Total Scan Time : 01:00:08

 

Memory items scanned : 507

Memory threats detected : 1

Registry items scanned : 6973

Registry threats detected : 1

File items scanned : 28909

File threats detected : 6

 

Trojan.Agent/Gen-CSRSSFake

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CSRSS.EXE

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CSRSS.EXE

[%s] C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CSRSS.EXE

C:\Windows\Prefetch\CSRSS.EXE-B4421EFD.pf

 

Adware.Tracking Cookie

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\kai-morten@tradedoubler[1].txt

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\kai-morten@atdmt[1].txt

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\kai-morten@advertising[2].txt

 

Trojan.Agent/Gen-PennyStockChaser

C:\PROGRAM FILES (X86)\CHEAT ENGINE\SYSTEMCALLSIGNAL.EXE

 

Combofix fungerer vell ikke på x64? Sånn at du ikke spør meg om det

[Shax#]

BUMP

[norbat]

Har du fortsatt problemer med malware?

 

Ta og oppdater MBAM, kjør en rask skann og se om det fortsatt finner noe av interesse.

[Shax#]

Merker ikke noe, men kan ta en sjekkk

[Shax#]

MBAM LOGG:

Klikk for å se/fjerne innholdet nedenfor

Malwarebytes' Anti-Malware 1.41

Databaseversjon: 2925

Windows 6.1.7600

 

12.10.2009 21:55:41

mbam-log-2009-10-12 (21-55-41).txt

 

Skanntype: Rask Skann

Objekter skannet: 89544

Tid tilbakelagt: 4 minute(s), 17 second(s)

 

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 0

Registerverdier infisert: 1

Registerfiler infisert: 1

Mapper infisert: 0

Filer infisert: 3

 

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

 

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

 

Registernøkler infisert:

(Ingen mistenkelige filer funnet)

 

Registerverdier infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\msconfigg (Backdoor.Bot) -> Quarantined and deleted successfully.

 

Registerfiler infisert:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe C:\WINDOWS\Config\csrss.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

 

Mapper infisert:

(Ingen mistenkelige filer funnet)

 

Filer infisert:

C:\Users\Kai-Morten\AppData\Local\Temp\rs gen.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Windows\System32\servicez.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Windows\system32\Drivers\etc\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

[Shax#]

BUMP!

[norbat]

Hent gratisversjonen til SAS og kjør en raks (quick) skann.

[Shax#]

Jeg posta jo den 11. Oktober, vist du leser lenger opp. Men kan se om det er noe nå.

[Shax#]

SAS-Logg:

Klikk for å se/fjerne innholdet nedenfor

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 10/14/2009 at 00:08 AM

 

Application Version : 4.29.1002

 

Core Rules Database Version : 4153

Trace Rules Database Version: 2081

 

Scan type : Quick Scan

Total Scan Time : 00:31:17

 

Memory items scanned : 504

Memory threats detected : 0

Registry items scanned : 448

Registry threats detected : 0

File items scanned : 23829

File threats detected : 10

 

Adware.Tracking Cookie

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\kai-morten@doubleclick[1].txt

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\kai-morten@tradedoubler[1].txt

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\kai-morten@atdmt[3].txt

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][4].txt

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\kai-morten@adbrite[1].txt

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][5].txt

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\kai-morten@advertising[3].txt

C:\Users\Kai-Morten\AppData\Roaming\Microsoft\Windows\Cookies\kai-morten@zedo[2].txt

[norbat]

Det så jo greit ut.

 

Hvis du orker en enkstra runde, så kunne du ha kjørt en onlineskanner, eks. F-secure

[Shax#]

OK.

[Shax#]

Hva gjør jeg etter jeg har skanna?

[norbat]

Hvis det ble funnet noe, kan du be programmet om å slette det. Antar at det lages en logg/rapport. Kunne du, hvis det ble funnet noe, postet det?

[Shax#]

Ja, jeg har iallefall skannet to ganger, og andre gangen stod det at det ikke var virus.

 

Hvor lagres loggen?

[norbat]

Tror ikke loggen lagres. Får du memorert hva og hvor de infiserte filene lå?

[Shax#]

Nei, stod bare dette:

 

Report Clean Close

 

Eller noe sånt. kom error når jeg prøvde å trykke på Report:P