
Problems with RPC - Blaster? HJT/SAS/ComboFix logs



Sigh, with a new machine and an updated OS/SW I thought I was well equipped against viruses/malware, which I haven't had any major problems with for years. Now, however, I occasionally get a message that RPC (remote procedure call) is terminating unexpectedly, and the machine wants to reboot. I stop the countdown through the command prompt, and the machine then goes to a bluescreen. Is this likely Blaster?

 

I'm running the latest Eset Smart Security (+ Spybot and Windows Defender) with WinXP SP2, but that should be apparent from the logs. Attaching the SAS and HJT logs, will update with ComboFix shortly.

 

SAS:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 03/26/2008 at 09:44 PM

 

Application Version : 4.0.1154

 

Core Rules Database Version : 3425

Trace Rules Database Version: 1417

 

Scan type : Complete Scan

Total Scan Time : 00:18:48

 

Memory items scanned : 516

Memory threats detected : 0

Registry items scanned : 5992

Registry threats detected : 0

File items scanned : 15039

File threats detected : 0

 

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:45:38, on 26.03.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20733)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programfiler\Bonjour\mDNSResponder.exe

C:\Programfiler\ESET\ESET Smart Security\ekrn.exe

C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe

C:\Programfiler\SigmaTel\C-dur-lyd\DellXPM_5515v131\WDM\STacSV.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\OEM04Mon.exe

C:\Programfiler\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\Programfiler\Dell\QuickSet\quickset.exe

C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe

C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe

C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe

C:\Programfiler\ESET\ESET Smart Security\egui.exe

C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe

C:\Programfiler\Fellesfiler\Nokia\MPlatform\NokiaMServer.exe

C:\Programfiler\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Windows Live\Messenger\msnmsgr.exe

C:\Programfiler\Skype\Phone\Skype.exe

C:\Programfiler\Picasa2\PicasaMediaDetector.exe

C:\Programfiler\WIDCOMM\Bluetooth Software\BTTray.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Programfiler\iPod\bin\iPodService.exe

C:\Programfiler\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Programfiler\Opera\Opera.exe

C:\Programfiler\Skype\Plugin Manager\skypePM.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Programfiler\Windows Defender\MsMpEng.exe

C:\Programfiler\Windows Defender\MSASCui.exe

C:\Programfiler\Internet Explorer\IEXPLORE.EXE

C:\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-cache.uib.no:81

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programfiler\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [OEM04Mon.exe] C:\WINDOWS\OEM04Mon.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Programfiler\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [egui] "C:\Programfiler\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [NokiaMServer] C:\Programfiler\Fellesfiler\Nokia\MPlatform\NokiaMServer /watchfiles

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programfiler\Picasa2\PicasaMediaDetector.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Nokia Nseries PC Suite.lnk = C:\Programfiler\Nokia\NNPCS\RunLauncher.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send til &Bluetooth-enhet... - C:\Programfiler\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programfiler\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programfiler\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programfiler\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Programfiler\ESET\ESET Smart Security\ekrn.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\Nokia\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Programfiler\SigmaTel\C-dur-lyd\DellXPM_5515v131\WDM\STacSV.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe

 

--

End of file - 10455 bytes


Check.

C:\WINDOWS\OEM04Mon.exe

http://virusscan.jotti.org/

 

Show all files.

Start->My Computer

>Tools->Folder Options->View->

Check "Show hidden files and folders"

Uncheck "Hide protected operating system files"

 

Download ComboFix and put it on the desktop.

Don't click in the window while the program is running.

Post the log C:\combofix.txt

 

Is this likely Blaster?

It could be Blaster, or something else entirely.

Edited by SNIPPSAT
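A small triage helper for HijackThis logs like the one posted above, added here as an example and not part of the thread or of any of the tools mentioned. It parses the O2 (BHO), O4 (autostart) and O23 (service) line formats and flags the kinds of entries a helper looks at first: a BHO whose DLL is gone, and autostart binaries or services sitting directly in the Windows directory rather than in system32 (the reason OEM04Mon.exe was singled out for a scan). The sample lines copy the shape and paths of the posted log; the last O23 line is constructed to show an "Unknown owner" service.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 2.0 log format. The O2/O4 lines and the first
# O23 line copy the posted log; the final O23 line is invented for illustration.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [OEM04Mon.exe] C:\WINDOWS\OEM04Mon.exe
O4 - HKLM\..\Run: [egui] "C:\Programfiler\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKAL TJENESTE')
O23 - Service: Eset Service (ekrn) - ESET - C:\Programfiler\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Example Service (exsvc) - Unknown owner - C:\WINDOWS\exsvc.exe
"""

# One regex per HJT section we care about; "name" is non-greedy so it stops at
# the first " - " separator, and the path/command takes the rest of the line.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")

# A file directly under X:\WINDOWS\ with no further subdirectory.
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


@dataclass
class Entry:
    section: str   # "O2", "O4" or "O23"
    name: str      # BHO name, Run value name, or service display name
    path: str      # executable/DLL path as far as it can be recovered
    detail: str    # CLSID, registry key, or vendor string


@dataclass
class Finding:
    entry: Entry
    reason: str


def exe_from_command(cmd: str) -> str:
    """Recover the program path from an O4 command line: quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_hjt_log(text: str) -> list[Entry]:
    """Turn the O2/O4/O23 lines of an HJT log into Entry records; other lines are ignored."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"], m["clsid"]))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], exe_from_command(m["cmd"]), m["key"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], m["path"], m["vendor"]))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the first-pass checks a log reviewer does by eye."""
    findings: list[Finding] = []
    for e in entries:
        if e.section == "O2" and e.path.lower() == "(no file)":
            findings.append(Finding(e, "BHO CLSID registered but its DLL is missing: orphaned entry"))
        elif e.section in ("O4", "O23") and WINDOWS_ROOT_RE.match(e.path):
            findings.append(Finding(e, "binary sits directly in the Windows directory, not system32: verify it"))
        if e.section == "O23" and e.detail.lower() == "unknown owner":
            findings.append(Finding(e, "service has no vendor string: identify the binary before trusting it"))
    return findings


def triage_hjt_log(text: str) -> list[Finding]:
    return triage(parse_hjt_log(text))


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f.entry.section} [{f.entry.name}] {f.entry.path}: {f.reason}")
```

Entries such as egui.exe under Programfiler or ctfmon.exe under system32 pass silently; the checks are a starting point for review, not a verdict.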

Oh, a quicker reply than I expected. :)

 

ComboFix:

ComboFix 08-03-25.4 - BHS 2008-03-27 1:17:50.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.2179 [GMT 1:00]

Running from: C:\Documents and Settings\BHS\Skrivebord\ComboFix.exe

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))

.

 

2008-03-26 23:44 . 2008-03-27 00:39 <DIR> dr-h----- C:\Documents and Settings\BHS\Siste

2008-03-26 21:47 . 2008-03-26 21:47 <DIR> d-------- C:\Programfiler\Windows Defender

2008-03-26 21:43 . 2008-03-27 01:17 <DIR> d-------- C:\HijackThis

2008-03-26 21:17 . 2008-03-26 21:17 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-03-26 21:17 . 2008-03-26 21:17 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-03-26 21:17 . 2008-03-26 21:17 <DIR> d-------- C:\Documents and Settings\BHS\Programdata\SUPERAntiSpyware.com

2008-03-26 21:17 . 2008-03-26 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-03-26 17:32 . 2008-03-26 17:41 <DIR> d-------- C:\Programfiler\PhotoFiltre Studio

2008-03-26 17:32 . 2008-03-26 17:32 45 ---h----- C:\WINDOWS\dwin6268.dat

2008-03-26 17:31 . 2006-10-05 03:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-03-26 17:31 . 2006-10-05 03:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys

2008-03-26 17:30 . 2008-03-26 17:31 <DIR> d-------- C:\Programfiler\Picasa2

2008-03-26 17:30 . 2008-03-26 17:30 <DIR> d-------- C:\Programfiler\Google

2008-03-26 16:30 . 2008-03-26 16:30 52,784 --ah----- C:\WINDOWS\system32\mlfcache.dat

2008-03-26 16:27 . 2008-03-26 16:27 <DIR> d-------- C:\Programfiler\Safari

2008-03-24 09:16 . 2008-03-24 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Yahoo!

2008-03-24 09:15 . 2008-03-24 09:15 <DIR> d-------- C:\Programfiler\Yahoo!

2008-03-23 19:56 . 2008-03-27 00:08 <DIR> d-------- C:\Documents and Settings\BHS\Programdata\skypePM

2008-03-23 19:56 . 2008-03-23 19:56 32 --a------ C:\Documents and Settings\All Users\Programdata\ezsid.dat

2008-03-23 19:54 . 2008-03-23 19:54 <DIR> d-------- C:\Programfiler\Skype

2008-03-23 19:54 . 2008-03-23 19:54 <DIR> d-------- C:\Programfiler\Fellesfiler\Skype

2008-03-23 19:54 . 2008-03-27 01:10 <DIR> d-------- C:\Documents and Settings\BHS\Programdata\Skype

2008-03-23 19:54 . 2008-03-23 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Skype

2008-03-21 08:11 . 2008-03-22 14:23 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP

2008-03-21 08:11 . 2007-09-20 12:04 114,688 --a------ C:\WINDOWS\system32\BTCamVideoSource.dll

2008-03-15 12:26 . 2008-03-15 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Office Genuine Advantage

2008-03-12 11:15 . 2008-03-12 11:15 <DIR> d-------- C:\Programfiler\iTunes

2008-03-12 11:15 . 2008-03-12 11:15 <DIR> d-------- C:\Programfiler\iPod

2008-03-12 11:15 . 2008-03-12 11:15 1,409 --a------ C:\WINDOWS\QTFont.for

2008-02-29 11:42 . 2008-02-29 11:42 268 --ah----- C:\sqmdata00.sqm

2008-02-29 11:42 . 2008-02-29 11:42 244 --ah----- C:\sqmnoopt00.sqm

2008-02-27 11:04 . 2008-02-27 11:05 <DIR> d-------- C:\Programfiler\HJT

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-26 20:05 --------- d-----w C:\Documents and Settings\BHS\Programdata\uTorrent

2008-03-26 15:29 --------- d-----w C:\Documents and Settings\BHS\Programdata\Apple Computer

2008-03-24 07:05 --------- d-----w C:\Programfiler\Clue

2008-03-22 14:57 --------- d-----w C:\Documents and Settings\BHS\Programdata\Media Player Classic

2008-03-17 22:14 --------- d-----w C:\Programfiler\DAEMON Tools Lite

2008-03-13 22:39 --------- d-----w C:\Programfiler\Java

2008-03-12 12:05 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help

2008-02-25 03:29 --------- d-----w C:\Documents and Settings\BHS\Programdata\Move Networks

2008-02-23 20:17 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-02-23 20:17 --------- d-----w C:\Programfiler\Fellesfiler\PocketSoft

2008-02-23 02:38 43,872 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys

2008-02-22 20:19 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-02-22 20:16 --------- d-----w C:\Programfiler\Spybot - Search & Destroy

2008-02-22 15:59 --------- d-----w C:\Programfiler\Opera

2008-02-22 11:54 --------- d-----w C:\Documents and Settings\BHS\Programdata\mIRC

2008-02-22 06:31 --------- d-----w C:\Documents and Settings\BHS\Programdata\PC Suite

2008-02-22 06:29 --------- d-----w C:\Documents and Settings\BHS\Programdata\NSeries

2008-02-22 06:28 --------- d-----w C:\Documents and Settings\BHS\Programdata\Nokia

2008-02-22 06:11 --------- d-----w C:\Documents and Settings\All Users\Programdata\PC Suite

2008-02-22 05:54 --------- d-----w C:\Programfiler\Nokia

2008-02-22 05:53 --------- d-----w C:\Programfiler\Fellesfiler\Nokia

2008-02-22 05:53 --------- d-----w C:\Documents and Settings\All Users\Programdata\Nokia

2008-02-22 05:51 --------- d-----w C:\Documents and Settings\All Users\Programdata\Installations

2008-02-22 05:23 --------- d-----w C:\Programfiler\Fellesfiler\muvee Technologies

2008-02-22 05:16 --------- d-----w C:\Programfiler\Fellesfiler\PCSuite

2008-02-22 04:53 --------- d-----w C:\Programfiler\WIDCOMM

2008-02-22 02:48 --------- d-----w C:\Programfiler\mIRC

2008-02-22 01:39 --------- d-----w C:\Programfiler\Opera 9.5 beta

2008-02-21 05:04 --------- d-----w C:\Documents and Settings\BHS\Programdata\Talkback

2008-02-20 09:20 --------- d-----w C:\Programfiler\CCleaner

2008-02-17 08:53 --------- d-----w C:\Programfiler\Fellesfiler\Java

2008-02-17 08:28 --------- d-----w C:\Programfiler\Fellesfiler\Adobe

2008-02-15 09:28 --------- d-----w C:\Programfiler\Bonjour

2008-02-15 09:27 --------- d-----w C:\Programfiler\Fellesfiler\Apple

2008-02-15 06:42 --------- d-----w C:\Programfiler\ESET

2008-02-15 06:39 --------- d-----w C:\Programfiler\uTorrent

2008-02-15 06:37 --------- d-----w C:\Programfiler\MSBuild

2008-02-15 06:37 --------- d-----w C:\Programfiler\Microsoft Works

2008-02-15 06:36 --------- d-----w C:\Programfiler\Microsoft.NET

2008-02-15 06:35 --------- d-----w C:\Programfiler\Microsoft Visual Studio 8

2008-02-15 06:23 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2008-02-15 06:23 --------- d-----w C:\Documents and Settings\BHS\Programdata\DAEMON Tools

2008-02-15 06:05 --------- d-----w C:\Programfiler\Microsoft Silverlight

2008-02-15 06:05 --------- d-----w C:\Documents and Settings\BHS\Programdata\Screenshot Sender

2008-02-15 05:59 --------- d-----w C:\Documents and Settings\All Users\Programdata\Messenger Plus!

2008-02-15 05:58 --------- d-----w C:\Programfiler\QuickTime

2008-02-15 05:58 --------- d-----w C:\Programfiler\Apple Software Update

2008-02-15 05:58 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple

2008-02-15 05:49 --------- d-----w C:\Documents and Settings\BHS\Programdata\InstallShield

2008-02-15 05:48 --------- d-----w C:\Documents and Settings\BHS\Programdata\vlc

2008-02-15 05:47 --------- d-----w C:\Documents and Settings\BHS\Programdata\ESET

2008-02-15 05:47 --------- d-----w C:\Documents and Settings\All Users\Programdata\nView_Profiles

2008-02-15 05:42 --------- d-----w C:\Documents and Settings\Administrator\Programdata\ESET

2008-02-15 05:41 --------- d-----w C:\Documents and Settings\All Users\Programdata\ESET

2008-02-15 05:35 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple Computer

2008-02-15 05:07 --------- d-----w C:\Programfiler\Messenger Plus! Live

2008-02-15 04:57 376,832 ----a-w C:\WINDOWS\system32\AegisI5Installer.exe

2008-02-15 04:57 21,361 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys

2008-02-15 04:57 21,361 ----a-w C:\WINDOWS\AegisP.sys

2008-02-15 04:57 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Programdata\Intel

2008-02-15 04:57 --------- d-----w C:\Programfiler\Intel

2008-02-15 04:57 --------- d-----w C:\Documents and Settings\NetworkService\Programdata\Intel

2008-02-15 04:57 --------- d-----w C:\Documents and Settings\LocalService\Programdata\Intel

2008-02-15 04:57 --------- d-----w C:\Documents and Settings\BHS\Programdata\Intel

2008-02-15 04:57 --------- d-----w C:\Documents and Settings\All Users\Programdata\Intel

2008-02-15 04:57 --------- d-----w C:\Documents and Settings\Administrator\Programdata\Intel

2008-02-15 04:54 --------- d-----w C:\Programfiler\Windows Live

2008-02-15 04:52 --------- dcsh--w C:\Programfiler\Fellesfiler\WindowsLiveInstaller

2008-02-15 04:50 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller

2008-02-15 04:39 --------- d-----w C:\Programfiler\Dell

2008-02-15 04:38 --------- d-----w C:\Documents and Settings\Administrator\Programdata\InstallShield

2008-02-15 04:35 --------- d-----w C:\Programfiler\Synaptics

2008-02-15 04:35 --------- d-----w C:\Programfiler\Fellesfiler\InstallShield

2008-02-15 04:34 --------- d-----w C:\Programfiler\SigmaTel

2008-02-15 04:30 --------- d-----w C:\Programfiler\Broadcom

2008-02-15 04:26 --------- d-----w C:\Programfiler\DIFX

2008-02-15 04:26 --------- d-----w C:\Documents and Settings\Administrator\Programdata\vlc

2008-02-15 03:34 --------- d-----w C:\Programfiler\Settings2

2008-02-15 03:34 --------- d-----w C:\Programfiler\HighMAT CD Writing Wizard

2008-02-15 03:33 --------- d-----w C:\Programfiler\VideoLAN

2008-02-15 03:33 --------- d-----w C:\Programfiler\Unlocker

2008-02-15 03:33 --------- d-----w C:\Programfiler\ImgBurn

2008-02-15 03:33 --------- d-----w C:\Programfiler\Foxit

2008-02-15 03:33 --------- d-----w C:\Programfiler\Alarm

2008-02-15 03:32 --------- d-----w C:\Programfiler\MPC

2008-02-15 03:32 --------- d-----w C:\Documents and Settings\Administrator\Programdata\Media Player Classic

2008-02-15 03:29 --------- d-----w C:\Programfiler\Reference Assemblies

2008-02-15 03:21 --------- d-----w C:\Programfiler\WGA

2008-02-15 03:21 --------- d-----w C:\Programfiler\microsoft frontpage

2008-02-15 03:19 --------- d-----w C:\Programfiler\MSXML 6.0

2008-02-15 03:19 --------- d-----w C:\Programfiler\MSXML 4.0

2008-02-15 03:18 --------- d-----w C:\Programfiler\Windows Media Connect 2

2008-02-15 03:17 --------- d-----w C:\Programfiler\Elektroniske tjenester

2008-02-15 03:16 --------- d-----w C:\Programfiler\Fellesfiler\Tjenester

2008-01-14 12:41 28,672 ----a-w C:\WINDOWS\system32\setupold.exe

2008-01-14 12:10 1,550,336 ----a-w C:\WINDOWS\system32\sfcfiles.dll

2008-01-14 12:09 51,712 ----a-w C:\WINDOWS\system32\wzcsapi.dll

2008-01-14 12:09 51,712 ----a-w C:\WINDOWS\system32\dmutil.dll

2008-01-14 12:09 47,616 ----a-w C:\WINDOWS\system32\cnbjmon.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]

"msnmsgr"="C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

"Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]

"Picasa Media Detector"="C:\Programfiler\Picasa2\PicasaMediaDetector.exe" [2008-02-26 02:23 443968]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-11 18:51 8523776]

"nwiz"="nwiz.exe" [2007-11-11 18:51 1626112 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-11 18:51 81920]

"OEM04Mon.exe"="C:\WINDOWS\OEM04Mon.exe" [2007-06-11 01:01 36864]

"SigmatelSysTrayApp"="C:\Programfiler\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 10:22 405504]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 16:10 851968]

"Dell QuickSet"="C:\Programfiler\Dell\QuickSet\quickset.exe" [2007-07-20 16:55 1228800]

"IntelZeroConfig"="C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 14:18 995328]

"IntelWireless"="C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 14:13 1101824]

"QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]

"GrooveMonitor"="C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]

"egui"="C:\Programfiler\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"NokiaMServer"="C:\Programfiler\Fellesfiler\Nokia\MPlatform\NokiaMServer /watchfiles" [ ]

"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

"Windows Defender"="C:\Programfiler\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:03 158208]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="regsvr32 /s /n /i:U shell32" []

"nltide_3"="advpack.dll" [2007-12-07 02:59 124928 C:\WINDOWS\system32\advpack.dll]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

BTTray.lnk - C:\Programfiler\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 15:43:18 568176]

Nokia Nseries PC Suite.lnk - C:\Programfiler\Nokia\NNPCS\RunLauncher.exe [2008-01-14 15:16:32 679936]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\dxdiag.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Programfiler\\uTorrent\\uTorrent.exe"=

"C:\\Programfiler\\Bonjour\\mDNSResponder.exe"=

"C:\\Programfiler\\iTunes\\iTunes.exe"=

"C:\\Programfiler\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"C:\\Programfiler\\Yahoo!\\Messenger\\YServer.exe"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

 

R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM04Vfx.sys [2007-03-05 18:45]

R3 OEM04Vid;Creative Camera OEM004 Driver;C:\WINDOWS\system32\DRIVERS\OEM04Vid.sys [2007-10-11 01:01]

S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [2008-01-15 02:39]

 

*Newly Created Service* - SASDIFSV

*Newly Created Service* - SASENUM

*Newly Created Service* - SASKUTIL

*Newly Created Service* - WINDEFEND

.

Contents of the 'Scheduled Tasks' folder

"2008-03-26 06:38:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe

"2008-03-26 20:50:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Programfiler\Windows Defender\MpCmdRun.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-27 01:18:42

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-03-27 1:19:03

ComboFix-quarantined-files.txt 2008-03-27 00:18:54

.

2008-03-12 12:05:18 --- E O F ---

 

File: OEM04Mon.exe

Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5: 0aa044e458c1d3f2a4e40a444196ab36

Packers detected: -

Bit9 reports: No threat detected (more info)

Edited by Peppep

Messenger Plus: don't use the Plus version, it is known for bringing junk along with it.

 

Are you familiar with these folders?

C:\Programfiler\Settings2

C:\Programfiler\Alarm

 

Otherwise the log looks fine.

 

Look at post 2: is it exactly the same message you are getting?

http://www.techsupportforum.com/microsoft-...html?forumid=10

 

One solution.

"In order to get the download and install to work, follow these steps:

 

Wait until the RPC pops up the "shutting down" message.

Go to Start >Run

Type "cmd" to bring up the Command Prompt

Type "shutdown -a" at the prompt and hit enter

This will end the RPC program completely.

Now run the download and install.

 

This should solve the problem completely :)"

Some info here too that you can look at.

http://smallvoid.com/article/winnt-blaster-rpc-exploit.html

Edited by SNIPPSAT

Does Messenger Plus bring junk along even if you say no to the sponsor program? My experience with programs like this is that they try to push a sponsor program, but that you have the option to decline it during installation. I have at any rate had good experience with Plus! for a number of years, but if it brings the spyware setup along anyway I can move away from it.

 

The folders are known.

 

I found several threads about the same solution when I was troubleshooting and looking for solutions myself, but I dismissed it again. That's because the patch in question always leads to a dead link at MS. After a bit more research Microsoft stated that the MS03-026 patch had been replaced by MS04-012, a newer update for RPC/DCOM (http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx). But that didn't help either, because that patch is only relevant up to SP1, since it is supposed to be included in SP2. So I got nowhere there either.

 

I'm starting to wonder whether this is a firewall weakness. As mentioned I'm running ESET Smart Security, and its firewall has come out weak in tests. The error message has also been sporadic, and it has now been a while since the last one, even though I haven't found any faults or made any changes. So unless there are other underlying problems I suppose I'll have to switch security software, which is annoying since I have nine months left on the ESET licence.


You could try Comodo or Online Armor (got 100% in the latest test).

Both are free.

 

If you use those and don't get the error, the problem is solved.

It could be something else causing this.

 

Eset has some work to do on the firewall part.

http://www.matousec.com/projects/firewall-...nge/results.php

 

Are you running behind a router or straight out?

You have probably tried online scanners.

 

Have you looked into the possibility of reinstalling RPC?

Edited by SNIPPSAT

Yes, in that case the plan is to switch to a free solution; I have no plans to pay for two different licences at the same time. ;) But I haven't found any way in Smart Security to disable only the firewall. Because I'm very happy with the antivirus part (NOD32), maybe I should ask ESET whether I can get my licence converted to NOD32 only, which is cheaper after all. :)

 

I run behind a router, and at times also behind a switch after that, and both of these are supposed to have firewall functionality.

 

How can I reinstall RPC? I tried searching, but couldn't find a solution for it offhand. I also opened services.msc, and the RPC dependency list is not exactly short. No wonder I got a bluescreen when it stopped.

 

Edit: I forgot to answer regarding online scanners. It's been a long time since I last ran a full scan with anything other than NOD32, but over the last few days I've run several specific scanners, including one for msblaster. I'm running a Trend Micro Housecall scan right now.

Edited by Peppep

Does anyone know anything about the question of "unticking" the spyware programs with MSN Plus... I'm also a bit interested in this, and would like to know. It would be great if someone with experience of this could answer it :)

Edited by r2d290