Windows security alert - Virus? Hjelp!

[Littleman]

På hurtigstarten får jeg til stadighet opp Windows Security Alert med en beskjed om at maskinen kan være infisert (på engelsk).

Jeg synes også at maskinen er blitt endel tregere de siste dagene. Blant annet må jeg starte Internet Explorer flere ganger for at programmet kommer opp. I oppgavebehandling står det at jeg har 4-5-6 internet explorer prosesser kjøres, men det er kun 1 vIE vindu oppe. Har scannet med SuperAntiSpyware, Ad-Aware og Spybot uten at det har hjulpet. Kan noen hjelpe her? Legger ved HJS logg.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:16:08, on 14.01.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Norman\Npm\bin\ELOGSVC.EXE

C:\Programfiler\Norman\Npm\Bin\Zanda.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\Programfiler\QuickTime\qttask.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\Works Shared\WkUFind.exe

C:\Programfiler\ScanSoft\PaperPort\pptd40nt.exe

C:\Programfiler\Windows Defender\MSASCui.exe

C:\Programfiler\Norman\Npm\bin\ZLH.EXE

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\Programfiler\Norman\Nvc\BIN\NIP.EXE

C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE

C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Programfiler\Norman\Nvc\bin\nvcoas.exe

C:\Programfiler\Norman\Nvc\bin\cclaw.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

D:\Programfiler\Ad-Aware\aawservice.exe

C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\Messenger\msmsgs.exe

C:\Programfiler\Mozilla Thunderbird\thunderbird.exe

C:\Programfiler\OpenOffice.org 2.3\program\soffice.exe

C:\Programfiler\OpenOffice.org 2.3\program\soffice.BIN

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programfiler\Spybot\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {8E7A2F77-F5F3-4C66-ABC0-C7CC8B760E9B} - C:\WINDOWS\system32\D3DCompiler_3.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\no\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programfiler\Fellesfiler\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Programfiler\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Programfiler\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Programfiler\Brother\Brmfl04e\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programfiler\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Norman ZANDA] C:\Programfiler\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DW4] "C:\Programfiler\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] D:\Programfiler\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Startup: OpenOffice.org 2.3.lnk = C:\Programfiler\OpenOffice.org 2.3\program\quickstart.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Programfiler\Spybot\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Programfiler\Spybot\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.euchannels.net/update/KooPlayer.ocx

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://gate.schibsted.no/dana-cached/setup...perSetupSP1.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Programfiler\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Programfiler\Norman\Npm\bin\ELOGSVC.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE

 

--

End of file - 8792 bytes

[norbat]

Start hjt, velg "Do a system scan only", sett merke framfor følgendel linje og klikk Fix checked:

O2 - BHO: (no name) - {8E7A2F77-F5F3-4C66-ABC0-C7CC8B760E9B} - C:\WINDOWS\system32\D3DCompiler_3.dll

 

Last ned Killbox

 

Start Killbox

Velg å 'Delete on reboot'

 

Følgende skal settes inn (kopier/lim inn):

C:\WINDOWS\system32\D3DCompiler_3.dll

 

Restart

 

Post ny hjt-logg

[Littleman]

Da er det gjort, men filen D3DCompiler_3.dll er der enda. "Warning! Spyware Alert" kom også opp.

Her er HJT loggen

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:11:33, on 14.01.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Norman\Npm\bin\ELOGSVC.EXE

C:\Programfiler\Norman\Npm\Bin\Zanda.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

D:\Programfiler\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\Programfiler\QuickTime\qttask.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\Works Shared\WkUFind.exe

C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

C:\Programfiler\ScanSoft\PaperPort\pptd40nt.exe

C:\Programfiler\Brother\ControlCenter2\brctrcen.exe

C:\Programfiler\Windows Defender\MSASCui.exe

C:\Programfiler\Norman\Npm\bin\ZLH.EXE

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\OpenOffice.org 2.3\program\soffice.exe

C:\Programfiler\Norman\Nvc\BIN\NIP.EXE

C:\Programfiler\OpenOffice.org 2.3\program\soffice.BIN

C:\WINDOWS\system32\wuauclt.exe

C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE

C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Programfiler\Norman\Nvc\bin\nvcoas.exe

C:\WINDOWS\System32\alg.exe

C:\Programfiler\Norman\Nvc\bin\cclaw.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programfiler\Spybot\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {8E7A2F77-F5F3-4C66-ABC0-C7CC8B760E9B} - C:\WINDOWS\system32\D3DCompiler_3.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\no\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programfiler\Fellesfiler\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Programfiler\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Programfiler\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Programfiler\Brother\Brmfl04e\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programfiler\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Norman ZANDA] C:\Programfiler\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DW4] "C:\Programfiler\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] D:\Programfiler\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Startup: OpenOffice.org 2.3.lnk = C:\Programfiler\OpenOffice.org 2.3\program\quickstart.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Programfiler\Spybot\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Programfiler\Spybot\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.euchannels.net/update/KooPlayer.ocx

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://gate.schibsted.no/dana-cached/setup...perSetupSP1.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Programfiler\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Programfiler\Norman\Npm\bin\ELOGSVC.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE

 

--

End of file - 8674 bytes

[norbat]

Hent Smitfraudfix, legg det på skrivebordet

 

Restart i sikker modus (tapp F8 under oppstart, velg sikker modus)

 

Kjør Smitfraudfix, velg valg 2. (Bakgrunnsbildet på skrivebordet bruker ofte å forsvinne etter denne fix'n).

 

Deretter fra normal tilstand:

 

Hent Combofix, og legg det på skrivebordet

 

Kjør combofix.exe, og følg veiledningen.

Du må ikke klikke på vinduet mens programmet kjører.

 

Post loggfilen fra combofix (c:\combofix.txt) + loggen fra Smitfraudfix (C:\rapport.txt)

[Littleman]

Her er Rapportene.

Combofix:

 

ComboFix 08-01-14.4 - Ole Helge 2008-01-14 19:33:51.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.286 [GMT 1:00]

Running from: C:\Documents and Settings\Ole Helge\Skrivebord\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\suspend.exe

C:\WINDOWS\system32\users32.dat

 

.

((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))

.

 

2008-01-14 19:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-14 19:29 . 2004-08-04 09:03 84,480 --a------ C:\WINDOWS\system32\bthser.dll

2008-01-14 18:42 . 2008-01-14 18:42 268 --ah----- C:\sqmdata07.sqm

2008-01-14 18:42 . 2008-01-14 18:42 244 --ah----- C:\sqmnoopt07.sqm

2008-01-14 18:04 . 2008-01-14 18:04 268 --ah----- C:\sqmdata06.sqm

2008-01-14 18:04 . 2008-01-14 18:04 244 --ah----- C:\sqmnoopt06.sqm

2008-01-12 18:40 . 2007-05-16 16:45 84,480 --a------ C:\WINDOWS\system32\D3DCompiler_3.dll

2008-01-12 18:40 . 19,456 C:\WINDOWS\system32\drivers\zhwetimb.dat

2008-01-12 16:17 . 2008-01-12 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Knowledge Adventure

2008-01-12 16:17 . 2008-01-12 16:17 95 --a------ C:\WINDOWS\ka.ini

2008-01-12 16:16 . 2008-01-12 16:16 <DIR> d-------- C:\Programfiler\Fellesfiler\Knowledge Adventure

2008-01-09 18:51 . 2008-01-13 18:00 80 --a------ C:\WINDOWS\system32\suspend.bin

2007-12-30 01:14 . 2007-12-30 01:14 <DIR> d-------- C:\WINDOWS\ERUNT

2007-12-30 00:53 . 2008-01-13 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft

2007-12-29 22:04 . 2008-01-14 19:27 3,812 --a------ C:\WINDOWS\system32\tmp.reg

2007-12-29 20:46 . 2007-12-29 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2007-12-29 20:11 . 2007-12-29 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2007-12-29 20:10 . 2008-01-13 22:30 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2007-12-29 20:10 . 2007-12-30 00:52 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2007-12-29 20:10 . 2007-12-29 20:10 <DIR> d-------- C:\Documents and Settings\Ole Helge\Programdata\SUPERAntiSpyware.com

2007-12-29 19:47 . 2007-12-29 19:47 <DIR> d-------- C:\Programfiler\Trend Micro

2007-12-29 19:19 . 2005-10-30 06:26 <DIR> dr------- C:\Documents and Settings\Administrator\Start-meny

2007-12-29 19:19 . 2005-10-30 06:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Skrivere

2007-12-29 19:19 . 2005-10-30 06:26 <DIR> d-------- C:\Documents and Settings\Administrator\Skrivebord

2007-12-29 19:19 . 2005-10-30 06:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Siste

2007-12-29 19:19 . 2005-10-30 06:26 <DIR> dr-h----- C:\Documents and Settings\Administrator\Programdata

2007-12-29 19:19 . 2005-10-30 06:26 <DIR> d-------- C:\Documents and Settings\Administrator\Mine dokumenter

2007-12-29 19:19 . 2005-10-30 18:31 <DIR> d--h----- C:\Documents and Settings\Administrator\Maler

2007-12-29 19:19 . 2007-12-30 00:39 <DIR> d--h----- C:\Documents and Settings\Administrator\Lokale innstillinger

2007-12-29 19:19 . 2007-12-29 19:21 <DIR> d-------- C:\Documents and Settings\Administrator\Favoritter

2007-12-29 19:19 . 2005-10-30 06:26 <DIR> d--h----- C:\Documents and Settings\Administrator\AndrMask

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-14 18:23 --------- d-----w C:\Programfiler\Norman

2008-01-14 18:23 --------- d-----w C:\Documents and Settings\Ole Helge\Programdata\OpenOffice.org2

2008-01-14 14:13 --------- d-----w C:\Programfiler\Mozilla Thunderbird

2008-01-13 17:06 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe

2008-01-12 15:17 --------- d-----w C:\Programfiler\LimeWire

2008-01-09 09:45 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys

2007-12-29 21:14 --------- d-----w C:\Programfiler\MSN Messenger

2007-12-29 09:59 --------- d-----w C:\Programfiler\Windows Defender

2007-12-29 09:59 --------- d-----w C:\Programfiler\QuickTime

2007-12-17 18:34 --------- d-----w C:\Programfiler\Messenger Plus! Live

2007-12-07 17:46 --------- d-----w C:\Documents and Settings\Ole Helge\Programdata\Uniblue

2007-12-07 17:22 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2007-12-04 15:16 --------- d-----w C:\Programfiler\HYPET

2007-11-24 20:06 --------- d-----w C:\Programfiler\Google

2007-11-16 18:44 --------- d-----w C:\Programfiler\GameShadow

2007-11-10 22:04 62,360 ----a-w C:\Documents and Settings\Ole Helge\Programdata\GDIPFONTCACHEV1.DAT

2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

.

Files Infected - Win32.Agent.zb

C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\Programfiler\QuickTime\qttask.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\Works Shared\WkUFind.exe

C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

C:\Programfiler\ScanSoft\PaperPort\pptd40nt.exe

C:\Programfiler\ScanSoft\PaperPort\IndexSearch.exe

C:\Programfiler\Brother\Brmfl04e\BrStDvPt.exe

C:\Programfiler\Brother\ControlCenter2\brctrcen.exe

C:\Programfiler\Windows Defender\MSASCui.exe

C:\Programfiler\Norman\Npm\bin\ZLH.exe

C:\Programfiler\MSN Messenger\MsnMsgr.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

.

 

((((((((((((((((((((((((((((( snapshot@2007-12-29_23.22.40.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE

+ 2008-01-14 18:33:23 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

+ 2008-01-14 18:33:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

+ 2008-01-14 18:33:23 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

+ 2008-01-14 18:33:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

+ 2008-01-14 18:33:23 7,700,480 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

+ 2008-01-14 18:33:24 495,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

+ 2007-12-29 06:04:43 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

+ 2007-12-30 00:14:57 7,671,808 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT

+ 2007-12-30 00:14:57 495,616 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

+ 2007-12-29 06:04:43 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE

+ 2007-12-30 00:14:55 7,671,808 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT

+ 2007-12-30 00:14:55 495,616 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat

+ 2007-12-29 23:53:36 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe

+ 2007-12-29 23:53:36 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe

+ 2007-12-29 23:53:36 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe

+ 2007-12-29 23:53:36 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe

- 2007-12-29 18:28:15 4,224 -c--a-w C:\WINDOWS\system32\dllcache\beep.sys

+ 2008-01-09 09:45:11 4,224 -c--a-w C:\WINDOWS\system32\dllcache\beep.sys

- 2006-08-17 12:30:01 721,920 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll

+ 2007-11-07 09:30:24 721,920 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll

- 2006-04-20 11:51:50 359,808 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys

+ 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys

+ 2007-07-11 12:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys

+ 2007-08-07 11:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys

+ 2007-08-07 11:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys

- 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

+ 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

- 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe

+ 2008-01-02 18:21:36 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe

- 2007-12-13 20:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe

+ 2000-08-31 07:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe

- 2007-12-04 00:00:42 136,704 ----a-w C:\WINDOWS\system32\swsc.exe

+ 2000-08-31 07:00:00 136,704 ----a-w C:\WINDOWS\system32\swsc.exe

- 2006-12-01 04:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe

+ 2000-08-31 07:00:00 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E7A2F77-F5F3-4C66-ABC0-C7CC8B760E9B}]

2007-05-16 16:45 84480 --a------ C:\WINDOWS\system32\D3DCompiler_3.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-12-29 10:56 5674352]

"DW4"="C:\Programfiler\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [ ]

"Uniblue RegistryBooster 2"="D:\Programfiler\RegistryBooster 2\RegistryBooster.exe" [ ]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-09 10:45 1318912]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-12-29 10:56 335872]

"HP Software Update"="C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-12-29 10:56 49152]

"HP Component Manager"="C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe" [2007-12-29 10:56 233472]

"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2007-12-29 10:56 188416]

"DeviceDiscovery"="C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2008-01-09 10:45 229437]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-29 10:56 132496]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-12-29 10:56 77824]

"Microsoft Works Update Detection"="C:\Programfiler\Fellesfiler\Microsoft Shared\Works Shared\WkUFind.exe" [2007-12-29 10:56 28672]

"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2007-12-29 10:56 180269]

"SSBkgdUpdate"="C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-29 10:56 155648]

"PaperPort PTD"="C:\Programfiler\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-29 10:56 57393]

"IndexSearch"="C:\Programfiler\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-29 10:56 40960]

"SetDefPrt"="C:\Programfiler\Brother\Brmfl04e\BrStDvPt.exe" [2007-12-29 10:56 49152]

"ControlCenter2.0"="C:\Programfiler\Brother\ControlCenter2\brctrcen.exe" [2007-12-29 10:56 851968]

"Windows Defender"="C:\Programfiler\Windows Defender\MSASCui.exe" [2007-12-29 10:56 866584]

"Norman ZANDA"="C:\Programfiler\Norman\Npm\bin\ZLH.exe" [2007-12-29 10:56 183352]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

 

C:\Documents and Settings\Ole Helge\Start-meny\Programmer\Oppstart\

OpenOffice.org 2.3.lnk - C:\Programfiler\OpenOffice.org 2.3\program\quickstart.exe [2007-09-11 04:43:54]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 08:01:04]

msn_0801_upd102045.exe [2008-01-14 19:29:05]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

R0 rbsvtrqb;rbsvtrqb;C:\WINDOWS\system32\drivers\zhwetimb.dat []

R2 Ndiskio;Ndiskio;C:\Programfiler\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 09:55]

R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2007-07-09 09:50]

R3 nvcoas;Norman Virus Control on-access component;C:\Programfiler\Norman\Nvc\bin\nvcoas.exe [2007-07-12 10:38]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 12:23]

S3 brfilt;Brother MFC filterdriver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 20:12]

S3 BrSerWDM;Brother WDM seriell driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-13 23:04]

S3 BrUsbMdm;Brother MFC USB-modem for kun telefaks;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 20:12]

S3 BrUsbScn;Brother MFC USB-skannerdriver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 20:12]

S4 Boonty Games;Boonty Games;"C:\Programfiler\Fellesfiler\BOONTY Shared\Service\Boonty.exe" []

 

.

Contents of the 'Scheduled Tasks' folder

"2008-01-14 18:26:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Programfiler\Windows Defender\MpCmdRun.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-14 19:36:23

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-14 19:37:19

ComboFix-quarantined-files.txt 2008-01-14 18:37:10

ComboFix2.txt 2007-12-29 23:39:52

ComboFix3.txt 2007-12-29 23:07:36

ComboFix4.txt 2007-12-29 22:24:12

.

2008-01-09 09:50:27 --- E O F ---

 

 

SmitFraudFix:

 

SmitFraudFix v2.274

 

Scan done at 19:27:35,40, 14.01.2008

Run from D:\Programfiler\Virusprog\SmitfraudFix

OS: Microsoft Windows XP [Versjon 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

 

S!Ri's WS2Fix: LSP not Found.

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

 

IEDFix.exe by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: Intel® PRO/100 VM Network Connection - Miniport for pakkeplanlegger

DNS Server Search Order: 192.168.0.1

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DA08AEAF-D2A5-4A4B-B858-6387650C403F}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{DA08AEAF-D2A5-4A4B-B858-6387650C403F}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{DA08AEAF-D2A5-4A4B-B858-6387650C403F}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

HJK:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:00:52, on 14.01.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Norman\Npm\bin\ELOGSVC.EXE

C:\Programfiler\Norman\Npm\Bin\Zanda.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

D:\Programfiler\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\Programfiler\QuickTime\qttask.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\Works Shared\WkUFind.exe

C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

C:\Programfiler\ScanSoft\PaperPort\pptd40nt.exe

C:\Programfiler\Brother\ControlCenter2\brctrcen.exe

C:\Programfiler\Windows Defender\MSASCui.exe

C:\Programfiler\Norman\Npm\bin\ZLH.EXE

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\Norman\Nvc\BIN\NIP.EXE

C:\Programfiler\OpenOffice.org 2.3\program\soffice.exe

C:\Programfiler\OpenOffice.org 2.3\program\soffice.BIN

C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE

C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Programfiler\Norman\Nvc\bin\nvcoas.exe

C:\WINDOWS\System32\alg.exe

C:\Programfiler\Norman\Nvc\bin\cclaw.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programfiler\Spybot\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {8E7A2F77-F5F3-4C66-ABC0-C7CC8B760E9B} - C:\WINDOWS\system32\D3DCompiler_3.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\no\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programfiler\Fellesfiler\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Programfiler\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Programfiler\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Programfiler\Brother\Brmfl04e\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programfiler\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Norman ZANDA] C:\Programfiler\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DW4] "C:\Programfiler\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] D:\Programfiler\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Startup: OpenOffice.org 2.3.lnk = C:\Programfiler\OpenOffice.org 2.3\program\quickstart.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: msn_0801_upd102045.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Programfiler\Spybot\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Programfiler\Spybot\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.euchannels.net/update/KooPlayer.ocx

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://gate.schibsted.no/dana-cached/setup...perSetupSP1.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Programfiler\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Programfiler\Norman\Npm\bin\ELOGSVC.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE

 

--

End of file - 8686 bytes

[norbat]

Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript.txt.

Dra deretter fila over Combofix-iconet. Combofix vil starte igjen.

Driver::

rbsvtrqb

 

File::

C:\WINDOWS\system32\D3DCompiler_3.dll

C:\WINDOWS\system32\bthser.dll

C:\WINDOWS\system32\drivers\zhwetimb.dat

 

Folder::

C:\Programfiler\Fellesfiler\BOONTY Shared

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E7A2F77-F5F3-4C66-ABC0-C7CC8B760E9B}]

 

Kjør deretter en quick scan med Superantipsyware (SAS)

 

Post combofix-loggen og fortell hvordan det går med problemet.

[Littleman]

Fikk denne feilmeldingen:

 

CFScript Name Error

 

Were you trying to run CFScript?

The name CFSCript appears to be incorrectly spelt

[norbat]

CFScript, ikke CFSCript

Endret 14. januar 2008 av norbat