Guest medlem-77217, posted 17 January 2008

Alright, here we go: I have a really nasty virus that minimizes (not closes) whatever I'm working on. It's a popup from the menu down in the left corner. I've scanned the PC twice with AVG (free), but it finds nothing. Anyone know what I should do?

Image: virus.bmp
norbat, posted 17 January 2008

Download Combofix and put it on the desktop. Run combofix.exe and follow the instructions. Post the log file from combofix (c:\combofix.txt).
Guest medlem-77217, posted 17 January 2008

ComboFix 08-01-17.5 - Fagerhaug 2008-01-17 20:12:13.1 - NTFSx86
Running from: C:\Documents and Settings\Fagerhaug\Programdata\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Programfiler\Helper
.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.
2008-01-17 20:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 00:45 . 2008-01-14 00:45 <DIR> d-------- C:\Documents and Settings\LocalService\Programdata\AVG7
2008-01-14 00:45 . 2008-01-17 09:07 <DIR> d-------- C:\Documents and Settings\Fagerhaug\Programdata\AVG7
2008-01-14 00:45 . 2008-01-14 00:45 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-14 00:45 . 2008-01-14 00:45 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-01-14 00:44 . 2008-01-14 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Grisoft
2008-01-14 00:44 . 2008-01-14 14:28 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\avg7
2008-01-14 00:30 . 2008-01-14 00:30 <DIR> d---s---- C:\Documents and Settings\Fagerhaug\UserData
2008-01-14 00:18 . 2008-01-14 00:22 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP
2008-01-13 02:08 . 2008-01-13 02:08 <DIR> d-------- C:\Programfiler\VirtualDJ
2008-01-06 21:26 . 2008-01-06 21:26 <DIR> d-------- C:\Programfiler\Ventrilo
2008-01-06 21:25 . 2008-01-06 21:25 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-01-05 04:25 . 2008-01-05 04:25 <DIR> d-------- C:\Documents and Settings\Fagerhaug\Programdata\Creative
2008-01-05 04:22 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-01-05 04:21 . 2008-01-05 04:22 <DIR> d-------- C:\Programfiler\Creative
2007-12-31 01:16 . 2007-12-31 01:16 <DIR> d-------- C:\WebCam
2007-12-18 23:10 . 2007-12-18 23:10 0 --a------ C:\WINDOWS\nsreg.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 21:00 --------- d-----w C:\Documents and Settings\Fagerhaug\Programdata\LimeWire
2008-01-16 20:45 --------- d-----w C:\Programfiler\Steam
2008-01-14 19:18 --------- d-----w C:\Programfiler\mIRC
2008-01-13 02:56 13,312 --s-a-w C:\WINDOWS\system32\shlahsd.dll
2008-01-11 23:41 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-01-11 22:58 --------- d-----w C:\Documents and Settings\Fagerhaug\Programdata\Azureus
2008-01-11 20:14 --------- d-----w C:\Programfiler\PN
2008-01-09 06:58 --------- d-----w C:\Programfiler\World of Warcraft
2007-12-30 06:29 --------- d-----w C:\Documents and Settings\Fagerhaug\Programdata\Skype
2007-12-29 20:14 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-29 20:13 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-29 20:13 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-27 00:40 --------- d-----w C:\Programfiler\Azureus
2007-12-11 17:12 --------- d-----w C:\Programfiler\WowEquip
2007-11-26 08:07 --------- d-----w C:\Programfiler\Comodo
2007-11-25 17:26 --------- d-----w C:\Documents and Settings\Fagerhaug\Programdata\SUPERAntiSpyware.com
2007-11-25 17:24 --------- d-----w C:\Programfiler\Full Tilt Poker
2007-11-25 17:24 --------- d-----w C:\Documents and Settings\All Users\Programdata\McAfee.com
2007-11-18 13:59 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-18 13:28 --------- d-----w C:\Programfiler\Electronic Arts
2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA0BACB5-FC95-451E-94D2-4959AB0949D2}]
C:\Programfiler\Video Add-on\isfmdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F2BADA0D-FD61-45EF-A994-64A073FD6613}
[HKEY_CLASSES_ROOT\clsid\{f2bada0d-fd61-45ef-a994-64a073fd6613}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F2BADA0D-FD61-45EF-A994-64A073FD6613}"= C:\Programfiler\Video Add-on\ictmdl.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{f2bada0d-fd61-45ef-a994-64a073fd6613}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03 15360]
"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Steam"="C:\Programfiler\Steam\Steam.exe" [2007-11-30 13:33 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 16:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"GameFace Messenger"="C:\Programfiler\GameFace Messenger\GameFace.exe" [ ]
"Windows Defender"="C:\Programfiler\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"DAEMON Tools-1033"="C:\Programfiler\Demon Tools\daemon.exe" [2004-08-22 16:05 81920]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 20:05 344064]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-14 14:29 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:03 15360]
"DWQueuedReporting"="C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-14 00:44 219136]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Programfiler\Dell Wireless\PRISMCFG.exe [2007-06-18 20:19:55]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{91316323-2ad5-4794-9589-52a2eaa60a68}"= C:\WINDOWS\system32\shlahsd.dll [2008-01-13 03:56 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 16:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Programfiler\Apple Software Update\SoftwareUpdate.exe
"2008-01-17 00:47:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Programfiler\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 20:18:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\shlahsd.dll
.
Completion time: 2008-01-17 20:19:14
.
2008-01-16 20:25:39 --- E O F ---
norbat, posted 17 January 2008

Download Smitfraudfix and put it on the desktop. Restart in safe mode (tap F8 during startup and choose safe mode). Run Smitfraudfix and choose option 2.

From normal mode: download Hijackthis. Put it in its own folder on the desktop. Start the program and choose "Do a system scan and save a logfile". Copy the log file and post it together with the log from Smitfraudfix (C:\rapport.txt).
Guest medlem-77217, posted 17 January 2008

Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:22:34, on 17.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Documents and Settings\Fagerhaug\Mine dokumenter\FanSpeed1_2_0\fanspeedNT.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Demon Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\LimeWire\LimeWire.exe
C:\Programfiler\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\Winamp\winamp.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Fagerhaug\Programdata\Opera\Opera\profile\cache4\temporary_download\HJTInstall.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BA0BACB5-FC95-451E-94D2-4959AB0949D2} - C:\Programfiler\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: IE Custom Tools - {F2BADA0D-FD61-45EF-A994-64A073FD6613} - C:\Programfiler\Video Add-on\ictmdl.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [GameFace Messenger] C:\Programfiler\GameFace Messenger\GameFace.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\Demon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [steam] "C:\Programfiler\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: aposiopetic - {91316323-2ad5-4794-9589-52a2eaa60a68} - C:\WINDOWS\system32\shlahsd.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FanSpeedNT Service - Unknown owner - C:\Documents and Settings\Fagerhaug\Mine dokumenter\FanSpeed1_2_0\fanspeedNT.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6549 bytes
norbat, posted 17 January 2008

Start hjt, choose "Do a system scan only", tick the following lines and click Fix checked:

O2 - BHO: (no name) - {BA0BACB5-FC95-451E-94D2-4959AB0949D2} - C:\Programfiler\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: IE Custom Tools - {F2BADA0D-FD61-45EF-A994-64A073FD6613} - C:\Programfiler\Video Add-on\ictmdl.dll (file missing)
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O22 - SharedTaskScheduler: aposiopetic - {91316323-2ad5-4794-9589-52a2eaa60a68} - C:\WINDOWS\system32\shlahsd.dll

I'd quite like to see the Smitfraudfix log to check whether C:\WINDOWS\system32\shlahsd.dll was removed.
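The selection above follows a pattern that can be checked mechanically: O2/O3 entries whose DLL is "(file missing)" are orphaned registrations, O9 entries that point at a URL instead of a local file are not real IE buttons, and an O22 SharedTaskScheduler entry that is not a standard Windows shell DLL matters most, because that key is loaded into explorer.exe at every logon (the ComboFix log above shows exactly that for shlahsd.dll). The script below is an added example written for this page, not code from the thread nor from HijackThis or ComboFix. It replays that triage over a constructed sample built from the log lines posted above and also emits the "File::" CFScript text that ComboFix consumes, in the shape used later in this thread. KNOWN_O22_DLLS is an assumption about what a stock Windows XP puts under that key.

```python
"""Triage of HijackThis log lines (added example, not HijackThis' own code)."""
import re

# Assumption: on a stock Windows XP the O22 entries point only at these DLLs.
KNOWN_O22_DLLS = {"browseui.dll", "shell32.dll"}

# Constructed sample: a subset of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BA0BACB5-FC95-451E-94D2-4959AB0949D2} - C:\Programfiler\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: IE Custom Tools - {F2BADA0D-FD61-45EF-A994-64A073FD6613} - C:\Programfiler\Video Add-on\ictmdl.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O22 - SharedTaskScheduler: aposiopetic - {91316323-2ad5-4794-9589-52a2eaa60a68} - C:\WINDOWS\system32\shlahsd.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# HijackThis COM-object lines look like "<section> - <kind>: <name> - {CLSID} - <target>"
ENTRY_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
MISSING = "(file missing)"


def parse_entry(line):
    """Return the fields of one log line, or None for lines without a CLSID."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["missing"] = entry["target"].endswith(MISSING)
    entry["path"] = entry["target"][: -len(MISSING)].strip() if entry["missing"] else entry["target"]
    entry["line"] = line.strip()
    return entry


def classify(entry):
    """Map one parsed entry to (verdict, reason), or None if it looks benign."""
    section, path = entry["section"], entry["path"]
    if path == "(no file)":
        return None  # CLSID with no InprocServer32 at all: nothing can be loaded
    if section in ("O2", "O3") and entry["missing"]:
        return ("remove", "orphaned %s registration, DLL no longer on disk" % entry["kind"])
    if section == "O9" and re.match(r"https?://", path, re.I):
        return ("remove", "IE button/menu item targets a URL instead of a local file")
    if section == "O22":
        dll = path.rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_O22_DLLS:
            return ("investigate", "non-standard SharedTaskScheduler DLL, loaded by explorer.exe at logon")
    return None


def triage(log_text):
    """Return the flagged entries, each carrying its verdict and reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            entry["verdict"], entry["reason"] = verdict
            findings.append(entry)
    return findings


def fix_list(findings):
    """The exact log lines to tick under 'Fix checked' in HijackThis."""
    return [f["line"] for f in findings]


def cfscript(findings):
    """ComboFix CFScript.txt text that deletes the DLLs behind 'investigate' findings."""
    paths = [f["path"] for f in findings if f["verdict"] == "investigate"]
    return "File::\n" + "\n".join(paths) + "\n" if paths else ""


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("%-11s %s %s  <- %s" % (f["verdict"], f["section"], f["path"], f["reason"]))
    print(cfscript(found), end="")
```

On the sample this flags the same five lines norbat listed and nothing else; the Skype entries and the inert "(no file)" BHO pass through. Fixing a registry line with HijackThis only removes the pointer, which is why the O22 DLL gets a separate "investigate" verdict and a CFScript entry instead of being treated as done.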
Guest medlem-77217, posted 18 January 2008 (edited)

SmitFraudFix

SmitFraudFix v2.274

Scan done at 14:44:34,87, 18.01.2008
Run from C:\Documents and Settings\Fagerhaug\Skrivebord\SmitfraudFix
OS: Microsoft Windows XP [Versjon 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\START-~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\START-~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\FAGERH~1\FAVORI~1\Online Security Test.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{81121210-E0C5-4BAF-8540-5A71A491AC66}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{968C0EAA-A31A-4785-AF45-F0A0BB080E8B}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{81121210-E0C5-4BAF-8540-5A71A491AC66}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{968C0EAA-A31A-4785-AF45-F0A0BB080E8B}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{81121210-E0C5-4BAF-8540-5A71A491AC66}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:50:53, on 18.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Documents and Settings\Fagerhaug\Mine dokumenter\FanSpeed1_2_0\fanspeedNT.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe
C:\Programfiler\Windows Defender\MSASCui.exe
C:\Programfiler\Demon Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Dell Wireless\PRISMCFG.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Opera\Opera.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Winamp\winamp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [GameFace Messenger] C:\Programfiler\GameFace Messenger\GameFace.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\Demon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [steam] "C:\Programfiler\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FanSpeedNT Service - Unknown owner - C:\Documents and Settings\Fagerhaug\Mine dokumenter\FanSpeed1_2_0\fanspeedNT.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5915 bytes

Edited 18 January 2008 by medlem-77217
norbat, posted 18 January 2008 (edited)

Open Notepad, paste in the text below and save the file on the desktop as CFScript.txt. Then drag the file onto the Combofix icon. Combofix will start again. Post the log.

File::
C:\WINDOWS\system32\shlahsd.dll

NB! Before you do this, you must download Combofix again and put it on the desktop.

Edited 18 January 2008 by norbat