MSN-virus fra Photobucket-link

[Jorkey]

Jeg fikk et MSN-virus fra en Photobucket-link.

Her er loggen fra fra hijackthis. Jeg skjønner ikke så mye av den. Håper noen kan hjelpe

 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\SYSTEM32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Acer\Empowering Technology\eDSMSNfix.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Launch Manager\LManager.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\OpenOffice.org 2.2\program\soffice.exe

C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN

C:\Users\vegard\AppData\Local\Temp\RtkBtMnt.exe

C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE

C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE

C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE

C:\Windows\System32\mobsync.exe

C:\Users\vegard\Desktop\PIC5830.jpg-photobucket.com

C:\Windows\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Vegard\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.intl.acer.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://no.intl.acer.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.intl.acer.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O1 - Hosts: ::1 localhost

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

O4 - HKLM\..\Run: [eDSMSNfix] C:\Acer\Empowering Technology\eDSMSNfix.exe

O4 - HKLM\..\Run: [setPanel] C:\Acer\APanel\APanel.cmd

O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe

O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe

O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe

O4 - HKLM\..\Run: [LanzarL2007] "C:\Users\vegard\AppData\Local\Temp\{0FED18C9-2C51-47D4-893A-B9E92A396561}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

O4 - Global Startup: Empowering Technology Launcher.lnk = ?

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab

O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} (CCAWebLogin Control) - https://casinband1.opplandvgs.no/auth/CCALogin.CAB

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: eNetHook.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe

O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe

O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe

O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

Endret 11. januar 2008 av Jorkey

[norbat]

Loggen ser grei ut.

Du kan imidlertid fix denne linja med hjt:

O4 - HKLM\..\Run: [LanzarL2007] "C:\Users\vegard\AppData\Local\Temp\{0FED18C9-2C51-47D4-893A-B9E92A396561}\{D1DA 2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"

 

(Start hjt, velg Do a system scan only, sett merke framfor linja og klikk Fix checked)

 

Deretter:

 

Last ned MSNFix, og pakk det ut på skrivebordet.

Kjør filen 'MSNFix.bat'. Følg veiledningen.

 

Hent Combofix, og legg det på skrivebordet

 

Kjør combofix.exe, og følg veiledningen.

Du må ikke klikke på vinduet mens programmet kjører.

 

Post loggfilen fra combofix (c:\combofix.txt) + loggen fra MSNFix.

[Jorkey]

MSNFix problem: Jeg valgte engelsk språk, men det kom "Ingen tilgang" 8 ganger nedover når jeg skreiv inn "R" etterpå kom det en logg der det ikke var noe.

[norbat]

Da kjører du bare videre med Combofix ...

[Jorkey]

Scanning for infected files...

This typically doesn't take more than 10 minutes.

However, scan times for badly infected machines may easily double.

 

ComboFix has changed your clock setting.

Do not change it back. It shall be restored later.

 

Completed Stage_1

 

 

Sånn har det stått i over 20 min nå :S

[norbat]

Ok, hvis den fortsatt står der, så avslutt. restart PC-en og prøv følgende:

 

Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript.txt.

Dra deretter fila over Combofix-iconet. Combofix vil starte igjen. Post loggen.

File::

C:\WINDOWS\lssas.exe

C:\WINDOWS\ntmngr.exe

C:\WINDOWS\images.zip

[Jorkey]

Please wait.

Combofix is preparing to run.

 

Out of memory

 

Så kjøm det en melding der det står:

Were you trying to run CFScript?

The name, CFScript appears to be incorrectly spelt.

 

Finn ikkje CFScript noen plasser :S

 

Der prøvde jeg å lagre med Alle filer, men samme feilmeldinga kom opp igjen.

Endret 11. januar 2008 av Jorkey

[norbat]

CFScript.txt var/er navnet på den fila du opprettet.

 

Det kan være en ide å kjøre en full scan med SAS (gratisversjonen). De gangene jeg har vært borti at combofix har problemer med å kjøre har vært fordi det har ligget en del rammel på PC-en. Alternativt kan man prøve å kjøre programmet fra Sikker modus.

Endret 11. januar 2008 av norbat

[Jorkey]

SAS har (til nå) funnet Adware. Tracking Cookie (26) men tviler på at det er riktig fil som den jeg helst vil finne.

Lar den stå over natta. Rapport kommer da xD

[norbat]

Tracking cookies er ufarlige saker.

 

Kjører du Vista eller XP?

[Jorkey]

Tracking Cookie var alt SAS fant

Jeg kjører Vista

[norbat]

Hent DSS, legg det på skrivebordet

Kjør dss.exe og følge veiledningen.

Har du ikke hijackthis installert vil du få spm. om du vil installere det.

Når scanningen er ferdig, åpnes det en logg (main.txt). Den kopierer du og poster.

(Det vil også lages en annen logg, extra.txt. Den trenger du ikke å poste)

[Jorkey]

Dette er loggen fra DSS

 

--------------------------------------------------------------------------------

 

-- Last 5 Restore Point(s) --

14: 2008-01-11 22:25:45 UTC - RP185 - Installed SUPERAntiSpyware Free Edition

13: 2008-01-11 20:49:37 UTC - RP184 - ComboFix created restore point

12: 2008-01-11 13:37:38 UTC - RP183 - Windows Update

11: 2008-01-10 08:21:44 UTC - RP182 - Windows Update

10: 2008-01-04 12:16:46 UTC - RP181 - Windows Update

 

 

-- First Restore Point --

1: 2007-12-14 13:19:02 UTC - RP172 - Windows Update

 

 

Backed up registry hives.

Performed disk cleanup.

 

 

 

-- HijackThis Clone ------------------------------------------------------------

 

 

Emulating logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2008-01-12 15:25:06

Platform: Windows Vista (6.00.6000)

MSIE: Internet Explorer (7.00.6000.16386)

Boot mode: Normal

 

Running processes:

C:\Windows\System32\dwm.exe

C:\Windows\System32\taskeng.exe

C:\Windows\explorer.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Acer\Empowering Technology\eDSMSNfix.exe

C:\Program Files\Launch Manager\LManager.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Acer\Empowering Technology\eNet\eNMTray.exe

C:\Users\vegard\AppData\Local\Temp\RtkBtMnt.exe

C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe

C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

C:\Windows\System32\taskeng.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Users\vegard\Desktop\dss.exe

C:\Windows\System32\conime.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.intl.acer.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://no.intl.acer.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.intl.acer.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

O4 - HKLM\..\Run: [eDSMSNfix] C:\Acer\Empowering Technology\eDSMSNfix.exe

O4 - HKLM\..\Run: [setPanel] C:\Acer\APanel\APanel.cmd

O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe

O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe

O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe

O4 - HKLM\..\Run: [LanzarL2007] "C:\Users\vegard\AppData\Local\Temp\{0FED18C9-2C51-47D4-893A-B9E92A396561}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')

O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

O4 - Global Startup: Empowering Technology Launcher.lnk = ?

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab

O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} (CCAWebLogin Control) - https://casinband1.opplandvgs.no/auth/CCALogin.CAB

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll

O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll

O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL

O20 - AppInit_DLLs: eNetHook.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe

O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe

O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe

O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe

O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\System32\drivers\XAudio.exe

 

 

--

End of file - 9986 bytes

 

-- File Associations -----------------------------------------------------------

 

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

R1 SASDIFSV - \??\c:\program files\superantispyware\sasdifsv.sys

R1 SASKUTIL - \??\c:\program files\superantispyware\saskutil.sys

R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

R3 SASENUM - \??\c:\program files\superantispyware\sasenum.sys

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

R2 eLockService (eLock Service) - c:\acer\empowering technology\elock\service\elockserv.exe <Not Verified; Acer Inc.; Acer eLock Management>

R2 eNet Service - c:\acer\empowering technology\enet\enet service.exe <Not Verified; Acer Inc.; Acer eNet Management>

R2 eRecoveryService (eRecovery Service) - c:\acer\empowering technology\erecovery\erecoveryservice.exe <Not Verified; Acer Inc.; eRecoveryService>

R2 eSettingsService (eSettings Service) - c:\acer\empowering technology\esettings\service\capuserv.exe <Not Verified; ; Service>

R2 MobilityService - c:\acer\mobility center\mobilityservice.exe -p

R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>

R2 WMIService (ePower Service) - c:\acer\empowering technology\epower\epowersvc.exe <Not Verified; acer; Acer ePower Management>

 

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)

 

 

-- Device Manager: Disabled ----------------------------------------------------

 

No disabled devices found.

 

 

-- Scheduled Tasks -------------------------------------------------------------

 

2008-01-12 10:10:01 394 --a------ C:\Windows\Tasks\Oppdater Ordnett Pluss.job

 

 

-- Files created between 2007-12-12 and 2008-01-12 -----------------------------

 

2008-01-11 23:26:51 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com

2008-01-11 23:26:09 0 d-------- C:\Program Files\SUPERAntiSpyware

2008-01-11 18:11:05 0 d-------- C:\HiTRUSTDrive

2008-01-05 17:45:22 0 d-------- C:\newfolder

2008-01-03 21:16:56 0 d-------- C:\Program Files\Ventrilo

2008-01-03 21:16:29 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-12-27 12:16:44 32 --a------ C:\Users\All Users\ezsid.dat

2007-12-27 12:15:03 0 d-------- C:\Program Files\Common Files\Skype

2007-12-16 20:18:00 0 d-------- C:\Program Files\Teamspeak2_RC2

2007-12-16 18:04:54 0 d-------- C:\Games

2007-12-14 15:33:08 0 d-------- C:\Program Files\ElastoMania111

 

 

-- Find3M Report ---------------------------------------------------------------

 

2008-01-12 09:02:20 13072 --a------ C:\Users\vegard\AppData\Roaming\nvModes.dat

2008-01-12 09:02:20 13072 --a------ C:\Users\vegard\AppData\Roaming\nvModes.001

2008-01-11 23:26:09 0 d-------- C:\Users\vegard\AppData\Roaming\SUPERAntiSpyware.com

2008-01-11 23:03:49 476858 --a------ C:\Windows\system32\perfh014.dat

2008-01-11 23:03:49 79408 --a------ C:\Windows\system32\perfc014.dat

2008-01-11 22:58:47 0 d-------- C:\Users\vegard\AppData\Roaming\OpenOffice.org2

2008-01-10 15:15:45 0 d-------- C:\Program Files\Windows Mail

2008-01-10 15:15:43 0 d-------- C:\Program Files\Windows Sidebar

2008-01-07 23:12:26 0 d-------- C:\Users\vegard\AppData\Roaming\Skype

2008-01-07 21:49:50 0 d-------- C:\Users\vegard\AppData\Roaming\LimeWire

2008-01-07 21:15:08 0 d-------- C:\Users\vegard\AppData\Roaming\skypePM

2008-01-03 21:16:29 0 d-------- C:\Program Files\Common Files

2007-12-16 20:18:39 0 d-------- C:\Users\vegard\AppData\Roaming\teamspeak2

2007-12-02 12:03:38 0 d-------- C:\Users\vegard\AppData\Roaming\Apple Computer

2007-12-02 12:03:25 0 d-------- C:\Program Files\iTunes

2007-12-02 12:03:16 0 d-------- C:\Program Files\iPod

2007-12-02 12:02:43 0 d-------- C:\Program Files\QuickTime

2007-12-02 11:59:23 0 d-------- C:\Program Files\Common Files\Apple

2007-12-01 20:36:44 0 d-------- C:\Program Files\Apple Software Update

2007-10-31 09:15:39 0 -rahs---- C:\MSDOS.SYS

2007-10-31 09:15:39 0 -rahs---- C:\IO.SYS

2007-10-22 09:38:59 174 --ahs---- C:\Program Files\desktop.ini

2007-10-21 18:45:28 0 --a------ C:\Windows\nsreg.dat

2007-10-20 21:09:23 37 --a------ C:\Windows\r007

2007-10-20 04:22:05 3 --a------ C:\Windows\AFirst.cmd

2007-10-19 14:53:03 1376 --a------ C:\Windows\CLEANUP.CMD

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-21 21:41]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-20 06:50]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-20 06:50]

"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-20 06:50]

"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 08:38 C:\Windows\RtHDVCpl.exe]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 04:00]

"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-06 23:04]

"Acer Tour"="" []

"eDSMSNfix"="C:\Acer\Empowering Technology\eDSMSNfix.exe" [2007-02-09 09:40]

"SetPanel"="C:\Acer\APanel\APanel.cmd" []

"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-12-09 04:35]

"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 20:48]

"eRecoveryService"="" []

"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [2007-01-17 08:01]

"LanzarL2007"="C:\Users\vegard\AppData\Local\Temp\{0FED18C9-2C51-47D4-893A-B9E92A396561}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" []

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 01:43]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 09:22]

"Acer Tour Reminder"="" []

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

 

C:\Users\vegard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-06-08 06:28:14]

 

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]

Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-04-26 11:35:24]

Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [2007-04-22 05:05:42]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=eNetHook.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]

@="IEEE 1394 Bus host controllers"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]

@="SBP2 IEEE 1394 Devices"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]

@="SecurityDevices"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

 

*Newly Created Service* - SASDIFSV

*Newly Created Service* - SASENUM

*Newly Created Service* - SASKUTIL

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

C:\Windows\system32\unregmp2.exe /ShowWMP

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

 

 

 

-- End of Deckard's System Scanner: finished at 2008-01-12 15:26:30 ------------

[norbat]

Loggen ser grei ut. Plages du med at MSN sender ut til dine kontakter?

[Jorkey]

Viruset sender plutselig ut mange linker til alle som er pålogget på MSN i min kontaktliste ja.

MSN vindu er oppe i 1/10 av et sekund og tar fokus av alt annet jeg gjør.

[norbat]

Søk etter følgende filer og se om du finner dem:

 

lssas.exe

ntmngr.exe

images.zip

[Jorkey]

Fant alle filene, men det var i tekstloggen jeg lagret tidligere.

images.zip og lssas.exe fant den også i MSNFix og en tekstbok-fil som heter Fichier.

[norbat]

Du kan slette disse tekstfilene samt MSNFix.

 

Tøm også temp.filer etc. Du kan godt bruke CCleaner:

Last ned CCleaner. Start programmet. Gå til 'Valg'->'Avansert'. Fjern avkryssingen framfor: "bare slett midlertidige filer......." Klikk på 'Renser' og deretter 'Kjør CCleaner'.

[Jorkey]

Da var det gjort. Men er viruset borte nå da?

[norbat]

Hvis du fyrer opp MSN og det ikke lengre sender ut meldinger i hytt og pine, så vil jeg si at du ikke lengre har trojaneren. Jeg kan ikke se den i dine logger. Om det viser seg at du fortsatt har problemer med dette, så si i fra.