Har en HijackThis Logg her som bør sjekkes.

[Skogli]

Logfile of HijackThis v1.99.1

Scan saved at 12:07:40, on 21.11.2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

C:\Programfiler\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\crypserv.exe

C:\Programfiler\Eset\nod32krn.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\1XConfig.exe

C:\Programfiler\HP\Digital Imaging\Promotions\HPpromo.exe

C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Programfiler\Java\jre1.5.0_03\bin\jusched.exe

C:\Programfiler\Eset\nod32kui.exe

C:\Programfiler\DAEMON Tools\daemon.exe

C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

C:\Programfiler\QuickTime\qttask.exe

C:\Programfiler\iTunes\iTunesHelper.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programfiler\Mozilla Firefox\winstall.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Programfiler\MessengerDiscovery\MessengerDiscovery.exe

C:\Programfiler\Skype\Phone\Skype.exe

C:\Programfiler\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Programfiler\MSN Messenger\msnmsgr.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe

C:\Programfiler\Google\Google Desktop Search\GoogleDesktopCrawl.exe

C:\Programfiler\MSN Messenger\msrr.exe

C:\Programfiler\MaxiVista Demo Viewer\MaxiVistaDemoViewer.exe

C:\Programfiler\Morpheus\Morpheus.exe

C:\WINDOWS\system32\regjyvhy.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\dlibwina2.exe

C:\WINDOWS\system32\svchost.exe

C:\Documents and Settings\Pål-Anders Rindal\loadadv642.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

c:\qbofij.exe

C:\Documents and Settings\Pål-Anders Rindal\loadadv642.exe

C:\Programfiler\CCleaner\ccleaner.exe

C:\Documents and Settings\Pål-Anders Rindal\Skrivebord\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENONO/SAOS01

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Programfiler\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Programfiler\MorpheusBar\bar\1.bin\MORPHBAR.DLL

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (file missing)

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll (file missing)

O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Programfiler\Fellesfiler\{3022BBD7-06A4-1044-0702-04040317002f}\888.dll

O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Programfiler\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll (file missing)

O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Programfiler\MorpheusBar\bar\1.bin\MORPHBAR.DLL

O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Programfiler\Fellesfiler\{3022BBD7-06A4-1044-0702-04040317002f}\888.dll

O4 - HKLM\..\Run: [HPpromo psc 2400 series] "C:\Programfiler\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 2400 series" -r

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programfiler\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Programfiler\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [explorer] C:\Programfiler\Mozilla Firefox\winstall.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [hdlpscom] regjyvhy.exe

O4 - HKLM\..\RunServices: [hdlpscom] regjyvhy.exe

O4 - HKCU\..\Run: [MessengerDiscovery] C:\Programfiler\MessengerDiscovery\MessengerDiscovery.exe

O4 - HKCU\..\Run: [skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [musyslib2] C:\WINDOWS\system32\dlibwina2.exe

O4 - Startup: MaxiVista Demo Viewer.lnk = C:\Programfiler\MaxiVista Demo Viewer\MaxiVistaDemoViewer.exe

O4 - Startup: Morpheus.lnk = C:\Programfiler\Morpheus\Morpheus.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab

O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Programfiler\Eset\nod32krn.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\system32\S24EvMon.exe

 

 

Dette er PCen til en kamerat som har fått MSN viruset.

[norbat]

Avinstallere MSN fra Legg til/fjern programmer samt noen av antivirusprogrammene slik at du kun har ett antivirusprogram installer.

 

Last ned drweb

 

Last ned SAS, installer og oppdater programmet.

 

Last ned CCleaner, installer.

 

Restart i Sikker modus (tapp F8 under oppstart)

 

Kjør CCleaner og en runde med 'rens'

 

Kjør drweb-cureit.exe (si ja til å kjøre en express scan)

Når dette er ferdig klikker du på Option -> Change settings.

Under fanearket Scan, fjerner du haken ved Heuristic analysis.

Under fanearket Actions, skal alle punkt under Malware settes til Rename.

Velg partisjon du vil scanne og klikk deretter på den grønne pilen for

å starte scanningen. Velg "yes to all" når det finner noe for første gang.

 

Kjør deretter en full scan med SAS

 

Restart maskinen i normal modus

 

Last ned combofix og kjør programmet.

 

NÅr dette er ferdig, legger du ut en ny HJT-logg (forandre navnet hijackthis.exe til hjt.exe først).

Endret 21. november 2006 av norbat

[Skogli]

Hva er DrWeb?

 

SAS er lastet ned. (Spybot: Search And Destroy ikke sant?)

 

Resten skal jeg nok klare å få gjort i løpet av dagen trur jeg.

[norbat]

DrWeb er et antivirusprog. - som har vist seg å være meget bra til dette formålet

SAS = Superantispyware (en av de bedre)

[Skogli]

DrWeb koster penger så det blir det ikke noe av. Skal ha en permanent antivirus program, som er gratis.

 

Laster ned AVG.

[norbat]

I denne sammenhengen skal du laste ned drweb og scanne med det. Drweb fungerer som en engangsscanner. Det er bare å slette det etterpå.

 

Hvordan går det med scanningen?

Post en ny HJT når du er ferdig.

Endret 21. november 2006 av norbat

[Skogli]

Kjører en scan med AVG akkurat nå. Kan laste ned DrWeb etterpå.

SAS kjører også en test.

 

AVG har funnet 9 virus. De fleste er trojanere.

SAS har funnet 3 objekter.

 

dataen er restartet i sikkerhetsmodus og virusscan er kjørt gjennom.

Filene er slettet fra dataen.

 

Det siste du sa jeg skulle gjøre har ikke blitt gjort. Men dataen er i fungerene stand

Endret 22. november 2006 av Skogli