Virus fått via MSN - Får ikke avsluttet prosess

[warpzone]

I går fikk jeg følgende beskjed fra en kompis på msn "Is this you [en eller annen link]". Dum som jeg var, så tenkte jeg at han bare køddet, og jeg klikket på linken. Da ble det lastet ned en eller annen applikasjon som åpnet vinduer med alle på hele kontaktlisten min, og så ble samme beskjed som jeg fikk sendt til alle kontaktene.

 

Jeg fikk avsluttet msn, og kjørte en del virusscan-greier. Jeg installerte også msn på nytt, så nå funker msn fint. Problemet er nå at det ser ut som diskplassen min bare minsker og minsker. Etter å ha søkt litt på nett, så har jeg funnet ut at kanskje "csrss.exe" er viruset jeg har fått av dette, som skal være et virus som stjeler passord og dritt. Noen som kan fortelle mer om dette?

 

Jeg får ikke avsluttet prosessen i Task Manager, siden det er en kritisk systemprosess eller noe. Den kjører i sikkerhetsmodus også, så jeg får verken slettet fila (ligger i c:/windows/system32) eller avsluttet prosessen.

 

Noen som kan hjelpe? Evt. noen andre som har blitt utsatt for dette?

 

 

Edit: Etter mer leting på nett, så fant jeg ut at csrss.exe er en nødvendig windows-prosess, som ligger i system32. Det finnes virus som bruker samme navn, men de ligger da i andre foldere, så da er vel det problemet ute av verden siden jeg kun har den windows-csrss-fila.

 

Denne tråden ble vel da smått unødvendig, men om noen andre som har opplevd dette, så vil jeg gjerne vite hva dere gjorde for å fjerne det.

 

Hijackthis-logg:

Klikk for å se/fjerne innholdet nedenfor

Logfile of HijackThis v1.99.1

Scan saved at 20:25:11, on 12.11.2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Norman\bin\ZANDA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Norman\Nvc\BIN\nipsvc.exe

C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Program Files\Norman\bin\NJEEVES.EXE

C:\Program Files\Norman\Nvc\bin\nvcoas.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Norman\bin\ZLH.EXE

C:\Program Files\VIA\RAID\raid_tool.exe

C:\WINDOWS\System32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\System32\DeltTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\WINDOWS\TBPanel.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\System32\mslpar.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Norman\Nvc\BIN\NIP.EXE

C:\Program Files\Norman\Nvc\bin\cclaw.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\WordWeb\wweb32.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\Christoffer\Desktop\hjt\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {6AA8E5E7-0763-43AC-9975-4BDFE6675C3B} - C:\Program Files\Windows Media Player\sadesol.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [DeltTray] DeltTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Windows Dialog Verify] mslpar.exe

O4 - HKLM\..\Run: [defender] C:\\dfndrff_e54.exe

O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e54.exe

O4 - HKLM\..\Run: [newname] C:\\nwnmff_e54.exe

O4 - HKLM\..\Run: [windows] C:\\windows_e54.exe

O4 - HKLM\..\RunServices: [Windows Dialog Verify] mslpar.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h

O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109623008343

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Norman\Nvc\BIN\nipsvc.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\bin\ZANDA.EXE

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\Win32\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\RpcSandraSrv.exe

Endret 12. november 2006 av Traumatizer

[norbat]

Du kan godt poste en HJT-logg

[warpzone]

Slik, sjekk førsteposten.

[norbat]

Last ned CCleaner, installer og kjør en runde med rens

 

Last ned Combofix

 

Last ned SAS, installer og oppdater.

 

Restart i sikker modus (tapp f8 under oppstart) og kjør en full scan med SAS. Slett alt den finner. Legg gjerne ut loggen fra SAS (Preferences -> Statistics/Logs)

 

Restart og kjør Combofix (den lager også en logg, combofox.txt, som du godt kan legge ut)

 

Legg ut en ny HJT-logg

Endret 12. november 2006 av norbat

[warpzone]

Hmm, takk for hjelpen der. Men det er greit å vite hva som er galt også. Mye rusk i den loggen jeg la ut?

[norbat]

Ja, bla:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

O2 - BHO: (no name) - {6AA8E5E7-0763-43AC-9975-4BDFE6675C3B} - C:\Program Files\Windows Media Player\sadesol.dll (file missing)

O4 - HKLM\..\Run: [Windows Dialog Verify] mslpar.exe

O4 - HKLM\..\Run: [defender] C:\\dfndrff_e54.exe

O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e54.exe

O4 - HKLM\..\Run: [newname] C:\\nwnmff_e54.exe

O4 - HKLM\..\Run: [windows] C:\\windows_e54.exe

O4 - HKLM\..\RunServices: [Windows Dialog Verify] mslpar.exe

O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)

[warpzone]

Hmm. Det er mye trøbbel med maskinen, og tanken på å formatere frister mer og mer. Kanskje dette er rett tidspunkt. Får se hva jeg gjør. Takk uansett.

[norbat]

Uansett hva du gjør bør du absolutt oppdatere med SP2