{Løst} Trojaner, rpcc.dll - med HJT logg utvidet

tha_man · 28. desember 2006

HTJ logg:

Klikk for å se/fjerne innholdet nedenfor

Logfile of HijackThis v1.99.1

Scan saved at 00:08:40, on 29.12.2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Programfiler\Logitech\Video\LogiTray.exe

C:\Programfiler\SoftDisc\softdisc.exe

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\WINDOWS\MXOALDR.EXE

C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe

C:\Programfiler\Logitech\MouseWare\system\em_exec.exe

C:\Programfiler\Winamp\winampa.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Programfiler\BMT MouseTracker\MouseTrack.exe

C:\Programfiler\Pulse\Pulse.exe

C:\Programfiler\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

C:\Programfiler\Microsoft Encarta\Encarta Premium DVD 2006\EDICT.EXE

C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Programfiler\Mamut Online Services\Mamut Online Backup\Mamut Online Backup.exe

C:\Programfiler\Logitech\Video\FxSvr2.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe

C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Programfiler\Internet Explorer\IEXPLORE.EXE

C:\Programfiler\MindArk\Entropia Universe\PEAssLoader.EXE

C:\Programfiler\MindArk\Entropia Universe\ClientLoader.exe

C:\Programfiler\Grisoft\AVG7\avgcc.exe

C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\Programfiler\Internet Explorer\IEXPLORE.EXE

C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Programfiler\Internet Explorer\IEXPLORE.EXE

C:\Programfiler\BitComet\BitComet.exe

C:\Documents and Settings\Server\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - Default URLSearchHook is missing

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programfiler\TechSmith\SnagIt 8\SnagItBHO.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - blank (file missing)

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programfiler\TechSmith\SnagIt 8\SnagItIEAddin.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [CTStartup] C:\Programfiler\Creative\SBAudigy\Program\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programfiler\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Programfiler\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programfiler\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programfiler\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [softDisc] "C:\Programfiler\SoftDisc\softdisc.exe" -hide

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [REGSHAVE] C:\Programfiler\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot

O4 - HKCU\..\Run: [TaskTray] C:\Programfiler\Creative\TaskBar\CTLTray.exe

O4 - HKCU\..\Run: [TaskBar] C:\Programfiler\Creative\TaskBar\CTLTask.exe

O4 - HKCU\..\Run: [LDM] C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [bMT] C:\Programfiler\BMT MouseTracker\MouseTrack.exe

O4 - HKCU\..\Run: [Pulse] C:\Programfiler\Pulse\Pulse.exe -splash

O4 - HKCU\..\Run: [FreeRAM XP] "C:\Programfiler\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win

O4 - HKCU\..\Run: [E06AXLRD_16125156] "C:\Programfiler\Microsoft Encarta\Encarta Premium DVD 2006\EDICT.EXE" -m

O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programfiler\Octoshape Streaming Services\Server\OctoshapeClient.exe" -inv:bootrun

O4 - Startup: Mamut Online Backup.lnk = ?

O4 - Startup: Spy Sweeper Fix.lnk = C:\Programfiler\Webroot\Spy Sweeper\SpySweeperFix.bat

O4 - Startup: World Community Grid Agent.lnk = C:\Programfiler\WorldCommunityGrid\UD.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Exif Launcher 2.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Påminnelser for Microsoft Works Kalender.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\programfiler\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programfiler\Fellesfiler\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programfiler\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programfiler\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1118175952031

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.icanal.no/spill/commerce/catalo...es/ExentCtl.ocx

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1118175849265

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6978F5E5-3FD8-4CB7-80FF-52CDF6E3D714}: NameServer = 193.213.112.4 130.67.15.198

O18 - Protocol: bw+0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw+0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: bwg0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwg0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0s - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: offline-8876480 - {315C8B80-A969-47BA-B47B-80A58BA583CE} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Programfiler\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe (file missing)

O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)

Den har så godt som stjelt internett tilkoblingen min så jeg har bare fattige 8kb/s igjen men opplasting har jeg fullt. Sliter med å bruke pc'en ellers også. De kaller det vel MSN-viruset men bruker ikke så mye av msn og bruker iallefall ikke usikra linker.... Har så fattig internett tilkobling nå at jeg klarte ikke å komme meg inn på HJT log reader (så vidt jeg klarer å poste noe her)!

Hva skal jeg gjøre nå for å kvitte meg med rpcc.dll trojanern og kansje andre ting?

Endret 1. januar 2007 av tha_man

norbat · 28. desember 2006

Kjør HJT og fix:

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Sørg for at du kan se skjulte filer og mapper (kontrollpanel->mappealt.->vis->"vis skjulte filer og mapper")

Last ned SAS, installer og oppdater.

Last ned DrWeb

Last ned CCleaner, installer og kjør noen ganger rens

Restart i sikker modus (tapp f8 under oppstart)

Bruk utforsker og slett (i bold):

C:\WINDOWS\system32\rpcc.dll

Kjør drweb

-den vil kjøre en expresscan.

-når det er ferdig velger du Options->Change settings.

i fanebladet Scan, fjern merke ved Heuristic analysis.

i fanebladet Actions, forandres punktene under Malware til Rename.

-velg partisjon og kjør en scan

Kjør en complete scan med SAS, slett alt den finner

Restart og post en ny HJT-logg

tha_man · 29. desember 2006

Jeg klarer ikke å slette rpcc.dll i sikkermodus engang. Det kommer bare at opp at filen brukes av en annen person eller et annet program. Hva skal jeg gjøre da?

Klarer ikke å laste ned DrWeb på den linken....

Enforhånds takk til alle som hjelper til :w00t:

norbat · 29. desember 2006

Vi prøver:

Last ned Killbox

Kjør HJT og fix:

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)

Start Killbox

Velg å 'Delete on reboot'

Følgende skal settes inn:

C:\WINDOWS\system32\rpcc.dll

C:\WINDOWS\system32\winser.exe

Restart

Se om du får hentet DrWeb HER

En alt. engangsskanner er Mwav.exe. Når du pakker ut lages en mappe, typisk i C:\Kaspersky – Start programmet

Sett merke i : Memory, Startup folders, drive, Registry, System folders og Services.

Sett merke i:

All local drives og Scan all files. Start Scanningen.

EDIT:

PS. Ellers er det bare å fortsette med nedlasting av SAS og scanning med dette programmet. Det kan være lurt å kjøre en rens med CCleaner, da dette gjør scanningen litt raskere.

Endret 29. desember 2006 av norbat

tha_man · 29. desember 2006

HTJ klarte ikke å fikse rpcc.dll men Killbot klarte iallefall å slette den.

HTJ fikset: O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)

En liten seier :w00t: :w00t: Takk Norbat :thumbup:

(Eventyret fortsetter snart.....)

Endret 29. desember 2006 av tha_man

tha_man · 29. desember 2006

Er det noen forsjell om jeg scanner i sikkermodus eller ikke med SAS og DrWeb?

norbat · 29. desember 2006

Det er en fordel å scanne i sikker modus, da filer som kjøres, ofte må stoppes før man får slettet dem. I sikker modus er det et miminum av filer som kjøres, slik at det er mer sannsynlig at skadelige filer blir fjernet når man kjører fra sikker modus.

tha_man · 29. desember 2006

I sikker modus skal jeg logge på meg selv eller Admin?

norbat · 29. desember 2006

Som 'meg selv'. Regner med du også har administratorrettigheter på kontoen din (i motsetning til en konto med begrenset rettighet)

Endret 29. desember 2006 av norbat

tha_man · 29. desember 2006

HJT Logg oppdatert:

Klikk for å se/fjerne innholdet nedenfor

Logfile of HijackThis v1.99.1

Scan saved at 18:35:31, on 29.12.2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe

C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Programfiler\Logitech\Video\LogiTray.exe

C:\Programfiler\SoftDisc\softdisc.exe

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\WINDOWS\MXOALDR.EXE

C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Programfiler\Winamp\winampa.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Programfiler\BMT MouseTracker\MouseTrack.exe

C:\Programfiler\Pulse\Pulse.exe

C:\Programfiler\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

C:\Programfiler\Microsoft Encarta\Encarta Premium DVD 2006\EDICT.EXE

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\ATI Technologies\ATI.ACE\CLI.EXE

C:\Programfiler\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\system32\LVComsX.exe

C:\Programfiler\Logitech\Video\FxSvr2.exe

C:\Program Files\FinePixViewer\QuickDCF2.exe

C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Programfiler\Mamut Online Services\Mamut Online Backup\Mamut Online Backup.exe

C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe

C:\Programfiler\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Server\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - Default URLSearchHook is missing

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programfiler\TechSmith\SnagIt 8\SnagItBHO.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programfiler\BitComet\tools\BitCometBHO.dll