
MSN virus removed. Anything else wrong here?



I'm sitting at a friend's laptop and have (most likely) removed the MSN virus. BUT then I found a file called fresh01.exe that turned out to be a virus. I removed it, and now I'm wondering whether someone could look over the logs to see if there is any more filth? :)

 

Combofix:

 

 

ComboFix 08-01-21.5 - Anne Sneisen 2008-01-22 18:03:40.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.64 [GMT 1:00]

Running from: C:\Documents and Settings\Anne Sneisen\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Anne Sneisen\Skrivebord\CFscript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE

C:\WINDOWS\Fresh01.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\Fresh01.exe

.

---- Previous Run -------

.

C:\WINDOWS\images.zip

C:\WINDOWS\lssas.exe

 

.

((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))

.

 

2008-01-22 15:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe

2008-01-22 15:17 . 2008-01-22 15:17 <DIR> d-------- C:\Programfiler\CCleaner

2008-01-20 14:29 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys

2008-01-11 23:11 . 2008-01-11 23:11 45,568 --a------ C:\update.exe

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-22 13:02 --------- d-----w C:\Programfiler\Telenor

2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

2007-11-29 20:02 --------- d-----w C:\Programfiler\Windows Live Toolbar

2007-11-14 07:29 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll

2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-11-07 09:30 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll

2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys

2007-10-30 10:20 3,079,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-29 22:45 1,290,752 ------w C:\WINDOWS\system32\dllcache\quartz.dll

2007-10-25 16:57 8,460,800 ------w C:\WINDOWS\system32\dllcache\shell32.dll

2007-10-25 09:01 2,109,440 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll

2007-10-25 09:00 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-25 09:00 230,912 ------w C:\WINDOWS\system32\dllcache\wmasf.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-22_15.27.12,44 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-01-22 14:24:13 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users0000001\NTUSER.DAT

+ 2008-01-22 17:03:14 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users0000001\NTUSER.DAT

- 2008-01-22 14:24:13 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users0000002\UsrClass.dat

+ 2008-01-22 17:03:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users0000002\UsrClass.dat

- 2008-01-22 14:24:13 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users0000003\NTUSER.DAT

+ 2008-01-22 17:03:14 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users0000003\NTUSER.DAT

- 2008-01-22 14:24:13 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users0000004\UsrClass.dat

+ 2008-01-22 17:03:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users0000004\UsrClass.dat

- 2008-01-22 14:24:14 2,912,256 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users0000005\NTUSER.DAT

+ 2008-01-22 17:03:14 2,912,256 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users0000005\NTUSER.DAT

- 2008-01-22 14:24:14 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users0000006\UsrClass.dat

+ 2008-01-22 17:03:14 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users0000006\UsrClass.dat

+ 2008-01-22 16:39:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_668.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03 15360]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"STDSB"="C:\WINDOWS\System32\STDSB.exe" [2002-02-27 19:30 28672]

"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2002-10-25 17:21 126976]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2002-10-25 17:20 561152]

"SoundMan"="SOUNDMAN.EXE" [2003-01-07 18:09 46592 C:\WINDOWS\SOUNDMAN.EXE]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2004-11-13 17:41 77824]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]

"Telenor Online Start"="C:\Programfiler\Telenor\Online Start\Telenor.exe" [2006-11-30 14:51 178312]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:03 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

hp psc 1000 series.lnk - C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]

hpoddt01.exe.lnk - C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]

 

R0 viaagp;VIA AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\viaagp1.sys [2002-03-20 04:20]

R0 viaagp1;VIA AGP Filter;C:\WINDOWS\system32\DRIVERS\viaagp1.sys [2002-03-20 04:20]

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-08-06 08:48]

R2 ANISERVICE;Airgo Networks NIC Service;C:\WINDOWS\System32\aniServ.exe [2004-09-30 12:16]

R2 MTC0003_STDSB;Scroll Bar Driver;C:\WINDOWS\system32\STDSB.sys [2002-06-19 12:23]

 

.

Contents of the 'Scheduled Tasks' folder

"2006-08-15 20:09:12 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1104872543.job"

- C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I

"2005-01-05 21:20:00 C:\WINDOWS\Tasks\Registreringspåminnelse 1.job"

 

 

 

 

Hijackthis:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:25, on 2008-01-22

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\STDSB.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe

C:\Programfiler\Telenor\Online Start\Telenor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\aniServ.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Programfiler\Java\jre1.6.0_02\bin\jucheck.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Anne Sneisen\Skrivebord\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.online.no

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O2 - BHO: Online Start Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Programfiler\Telenor\Online Start\IEFixItNowPlugin.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [sTDSB] C:\WINDOWS\System32\STDSB.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [Telenor Online Start] "C:\Programfiler\Telenor\Online Start\Telenor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?78f45eb346dd4d40891c124cfad0a6e2

O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?78f45eb346dd4d40891c124cfad0a6e2

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.online.no

O16 - DPF: BankID - https://activation1.bankid.no/TNA2Web/content/bankidcoi.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176838743085

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176839001035

O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 6323 bytes
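The two logs above are the whole of the post. As an added example that is not part of the original thread (and is not code from the HijackThis or ComboFix authors), below is the kind of first-pass triage a responder runs over such lines before answering. It applies four generic rules that only mark entries for a human to check, not a malware verdict: a registered BHO whose DLL is missing ("(no file)", here CLSID {7E853D72-...}), an O23 service with an empty vendor field (here SLService / slserv.exe), an autorun value that is a bare file name resolved through the search path (SOUNDMAN.EXE, a normal Realtek entry that still deserves a glance), an executable sitting directly in the drive root or %WINDIR% (C:\update.exe created 2008-01-11; C:\WINDOWS\lssas.exe, already deleted on the previous ComboFix run), and a file name one typo away from a core Windows binary (lssas.exe imitating lsass.exe). Assumptions: %WINDIR% is C:\WINDOWS as the log shows, the list of imitated system binaries and the 0.85 similarity threshold are my own choices, and the sample lines are copied from the logs above.

```python
"""Triage heuristics for HijackThis / ComboFix log lines.

Added example for this thread, not code from the original post or from the
HijackThis/ComboFix authors. Every hit means "look at this", not "this is
malware"; benign entries (a bare SOUNDMAN.EXE in a Run key) trip it too.
"""
import re
from difflib import SequenceMatcher

# Assumption: %WINDIR% is C:\WINDOWS, as the posted logs show.
WINDIR = r"c:\windows"

# Core Windows binaries that droppers like to imitate with a one-letter change.
KNOWN_SYSTEM_BINARIES = {
    "lsass.exe", "svchost.exe", "csrss.exe", "services.exe", "smss.exe",
    "winlogon.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe",
}

# Constructed sample: lines copied from the HijackThis and ComboFix output above.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe",
    r"C:\WINDOWS\lssas.exe",
    r"C:\update.exe",
    r"C:\WINDOWS\system32\lsass.exe",
]


def extract_path(line):
    """Pull the executable/DLL path out of an O2/O4/O23 entry or a bare path line."""
    if line.startswith("O4 - "):
        # O4 - <hive>\..\Run: [value name] "C:\path\prog.exe" /args
        cmd = line.split("] ", 1)[1]
        m = re.match(r'"([^"]+)"|(\S+)', cmd)
        return m.group(1) or m.group(2)
    if line.startswith(("O2 - ", "O23 - ")):
        # HijackThis prints "Name - CLSID/Vendor - Path"; the path is the last field.
        return line.rsplit(" - ", 1)[1].strip()
    return line.strip()


def lookalike_of(basename):
    """Return the system binary this name imitates (lssas.exe -> lsass.exe), else None."""
    name = basename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        # 0.85 is a chosen threshold: one transposition in a 9-char name scores ~0.89.
        if SequenceMatcher(None, name, known).ratio() >= 0.85:
            return known
    return None


def triage_line(line):
    """Return the list of review reasons for one log line (empty list = nothing odd)."""
    reasons = []
    if line.startswith("O2 - ") and line.rstrip().endswith("(no file)"):
        # Registered BHO whose DLL is gone: leftover registration, safe to remove.
        reasons.append("orphaned BHO " + line.split(" - ")[2])
    if line.startswith("O23 - ") and " - - " in line:
        # Empty vendor field between the two separators.
        reasons.append("service without vendor string")

    path = extract_path(line)
    if path == "(no file)":
        return reasons
    basename = path.rsplit("\\", 1)[-1]
    if "\\" not in path:
        # No directory: the loader resolves it through the search path at logon.
        reasons.append("bare filename in Run value, resolved via search path")
    else:
        parent = path.rsplit("\\", 1)[0].lower()
        if parent in ("c:", WINDIR) and basename.lower().endswith(".exe"):
            reasons.append("executable sitting directly in %s" % parent)
    known = lookalike_of(basename)
    if known:
        reasons.append("name imitates system binary %s" % known)
    return reasons


def triage(lines):
    """Map each flagged line to its reasons; clean lines are left out."""
    hits = {}
    for ln in lines:
        reasons = triage_line(ln)
        if reasons:
            hits[ln] = reasons
    return hits


if __name__ == "__main__":
    for ln, reasons in triage(SAMPLE_LINES).items():
        print(ln)
        for r in reasons:
            print("    ->", r)
```

Run over the sample, five of the nine lines come back flagged: the orphaned BHO, the bare SOUNDMAN.EXE, the vendor-less SLService, lssas.exe (two reasons: location and lookalike name) and C:\update.exe. The remaining avast!, Java and real lsass.exe lines pass. The sensible follow-up for a flagged file is a hash lookup or a multi-engine scan rather than deleting on sight.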

 

 
