[LØST] Har fått virus på maskinen

vetting · 3. juni 2008

Hei trenger litt hjelp til fjærning av msn-viruset. Har lest litt her på forumet, og har skjønt dere trenger noen loggre for å finne hva som skal slettes. Jeg brukte programmene i safe-modus med netverkstilkobling. Burde jeg bruke de i vanlig modus, eller går det bra med disse loggene fra sikkermodus?

Her er loggene:

Combofix:

ComboFix 08-06-01.6 - Øystein Vetting 2008-06-03 19:36:28.1 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.47.1044.18.702 [GMT 2:00]

Running from: C:\Documents and Settings\Øystein Vetting\Skrivebord\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\lsprst7.dll

C:\WINDOWS\system32\ssprs.dll

.

((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))

.

2008-06-03 18:32 . 2004-10-29 01:47 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-06-03 18:32 . 2007-09-22 21:31 <DIR> dr------- C:\Documents and Settings\Administrator\Start-meny

2008-06-03 18:32 . 2004-10-29 02:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Skrivere

2008-06-03 18:32 . 2004-10-29 01:47 <DIR> d-------- C:\Documents and Settings\Administrator\Skrivebord

2008-06-03 18:32 . 2007-09-22 21:31 <DIR> dr-h----- C:\Documents and Settings\Administrator\Siste

2008-06-03 18:32 . 2008-06-03 18:32 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Intel

2008-06-03 18:32 . 2008-06-03 18:33 <DIR> dr-h----- C:\Documents and Settings\Administrator\Programdata

2008-06-03 18:32 . 2007-09-22 21:31 <DIR> dr------- C:\Documents and Settings\Administrator\Mine dokumenter

2008-06-03 18:32 . 2004-10-29 01:20 <DIR> d--h----- C:\Documents and Settings\Administrator\Maler

2008-06-03 18:32 . 2008-06-03 19:39 <DIR> d--h----- C:\Documents and Settings\Administrator\Lokale innstillinger

2008-06-03 18:32 . 2007-09-22 21:31 <DIR> dr------- C:\Documents and Settings\Administrator\Favoritter

2008-06-03 18:32 . 2004-10-29 02:14 <DIR> d--h----- C:\Documents and Settings\Administrator\AndrMask

2008-06-03 18:32 . 2008-06-03 18:32 <DIR> d-------- C:\Documents and Settings\Administrator

2008-06-03 14:55 . 2008-06-03 19:33 <DIR> dr-h----- C:\Documents and Settings\Øystein Vetting\Siste

2008-06-03 13:57 . 2008-06-01 22:10 49,156 -r-hs---- C:\WINDOWS\svchosl.exe

2008-06-02 17:29 . 2008-06-02 17:29 <DIR> d-------- C:\Programfiler\CCleaner

2008-05-12 13:48 . 2008-05-12 13:48 <DIR> d-------- C:\Programfiler\Fellesfiler\Adobe

2008-05-10 18:15 . 2004-08-04 21:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2008-05-10 18:06 . 2008-05-10 18:06 <DIR> d-------- C:\WINDOWS\system32\no

2008-05-10 18:06 . 2008-05-10 18:06 <DIR> d-------- C:\WINDOWS\system32\bits

2008-05-10 18:06 . 2008-05-10 18:06 <DIR> d-------- C:\WINDOWS\l2schemas

2008-05-10 18:01 . 2008-05-10 18:01 <DIR> d-------- C:\WINDOWS\ServicePackFiles

2008-05-10 17:51 . 2008-05-10 17:51 <DIR> d-------- C:\WINDOWS\EHome

2008-05-10 17:37 . 2004-08-03 22:29 25,471 --------- C:\WINDOWS\system32\drivers\watv10nt.sys

2008-05-10 17:37 . 2004-08-03 22:29 22,271 --------- C:\WINDOWS\system32\drivers\watv06nt.sys

2008-05-10 17:37 . 2004-08-03 22:29 11,935 --------- C:\WINDOWS\system32\drivers\wadv11nt.sys

2008-05-10 17:37 . 2004-08-03 22:29 11,871 --------- C:\WINDOWS\system32\drivers\wadv09nt.sys

2008-05-10 17:37 . 2004-08-03 22:29 11,807 --------- C:\WINDOWS\system32\drivers\wadv07nt.sys

2008-05-10 17:37 . 2004-08-03 22:29 11,295 --------- C:\WINDOWS\system32\drivers\wadv08nt.sys

2008-05-10 17:34 . 2004-08-04 00:54 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-03 16:19 --------- dcsh--w C:\Programfiler\Fellesfiler\WindowsLiveInstaller

2008-06-03 16:01 --------- d-----w C:\Programfiler\Windows Live

2008-06-03 16:00 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller

2008-06-03 12:00 22,528 ----a-w C:\WINDOWS\system32\drivers\nhcDriver.sys

2008-06-03 12:00 20,128 ----a-w C:\WINDOWS\system32\MGHwTemp.sys

2008-06-01 17:54 --------- d-----w C:\Documents and Settings\Øystein Vetting\Programdata\EndNote

2008-05-28 11:21 --------- d-----w C:\Programfiler\Clue

2008-05-21 17:21 23,456 ----a-w C:\Documents and Settings\Øystein Vetting\Programdata\GDIPFONTCACHEV1.DAT

2008-05-20 09:56 --------- d-----w C:\Programfiler\Microsoft Silverlight

2008-05-12 11:46 --------- d-----w C:\Documents and Settings\Øystein Vetting\Programdata\AdobeUM

2008-04-25 09:06 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys

2008-04-25 09:06 75,272 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys

2008-04-25 09:06 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll

2008-04-25 09:05 --------- d-----w C:\Programfiler\AVG

2008-04-25 09:05 --------- d-----w C:\Documents and Settings\All Users\Programdata\avg8

2008-04-23 09:58 --------- d-----w C:\Programfiler\Norman

2008-04-17 11:06 --------- d-----w C:\Programfiler\PokerStars

2008-04-16 11:51 --------- d-----w C:\Programfiler\SPSS

2008-04-14 16:39 1,804 ----a-w C:\WINDOWS\system32\dcache.bin

2008-04-14 16:26 330,752 ----a-w C:\WINDOWS\system32\netsetup.exe

2008-04-14 16:22 996,352 ----a-w C:\WINDOWS\system32\msgina.dll

2008-04-14 16:21 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll

2008-04-14 16:20 7,680 ----a-w C:\WINDOWS\system32\kbdsmsno.dll

2008-04-14 16:19 9,344 ----a-w C:\WINDOWS\system32\framebuf.dll

2008-04-14 16:19 3,584 ----a-w C:\WINDOWS\system32\icmp.dll

2008-04-14 16:19 3,072 ----a-w C:\WINDOWS\system32\dpnlobby.dll

2008-04-14 16:19 3,072 ----a-w C:\WINDOWS\system32\dpnaddr.dll

2008-04-14 16:19 285,696 ----a-w C:\WINDOWS\system32\atmfd.dll

2008-04-14 16:19 16,896 ----a-w C:\WINDOWS\system32\cfgmgr32.dll

2008-04-14 15:56 73,344 ----a-w C:\WINDOWS\system32\drivers\sr.sys

2008-04-14 15:56 120,192 ----a-w C:\WINDOWS\system32\drivers\pcmcia.sys

2008-04-14 15:55 80,000 ----a-w C:\WINDOWS\system32\drivers\parport.sys

2008-04-14 15:55 68,224 ----a-w C:\WINDOWS\system32\drivers\pci.sys

2008-04-14 15:55 46,592 ----a-w C:\WINDOWS\system32\drivers\p3.sys

2008-04-14 15:53 2,190,720 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-04-14 15:53 2,067,584 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2008-04-14 15:52 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll

2008-04-14 15:50 799,872 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys

2008-04-14 15:50 24,448 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys

2008-04-14 15:50 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys

2008-04-14 15:49 79,360 ----a-w C:\WINDOWS\system32\msxml6r.dll

2008-04-14 15:49 37,376 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys

2008-04-14 15:48 77,312 ------w C:\WINDOWS\system32\msshavmsg.dll

2008-04-14 15:48 5,504 ----a-w C:\WINDOWS\system32\drivers\intelide.sys

2008-04-14 15:48 40,576 ----a-w C:\WINDOWS\system32\drivers\crusoe.sys

2008-04-14 15:48 40,192 ----a-w C:\WINDOWS\system32\drivers\intelppm.sys

2008-04-14 15:47 556,032 ----a-w C:\WINDOWS\system32\shdoclc.dll

2008-04-14 15:47 47,616 ----a-w C:\WINDOWS\system32\inetres.dll

2008-04-14 15:46 64,640 ----a-w C:\WINDOWS\system32\drivers\serial.sys

2008-04-14 15:45 51,840 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys

2008-04-14 15:44 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys

2008-04-14 15:43 9,728 ----a-w C:\WINDOWS\system32\gpkrsrc.dll

2008-04-14 15:43 57,600 ----a-w C:\WINDOWS\system32\drivers\redbook.sys

2008-04-14 15:43 273,152 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-04-14 15:43 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys

2008-04-14 15:42 65,024 ----a-w C:\WINDOWS\system32\browselc.dll

2008-04-14 15:41 52,480 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys

2008-04-14 15:41 44,544 ----a-w C:\WINDOWS\system32\drivers\fips.sys

2008-04-14 15:41 39,680 ----a-w C:\WINDOWS\system32\drivers\processr.sys

2008-04-14 15:39 41,600 ----a-w C:\WINDOWS\system32\drivers\amdk7.sys

2008-04-14 15:39 41,216 ----a-w C:\WINDOWS\system32\drivers\amdk6.sys

2008-04-14 15:39 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll

2008-04-14 15:38 22,912 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys

2008-04-14 15:37 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys

2008-04-14 15:37 187,776 ----a-w C:\WINDOWS\system32\drivers\acpi.sys

2008-04-14 11:22 --------- d-----w C:\Programfiler\EndNote X1

2008-04-14 09:49 --------- d-----w C:\Programfiler\Fellesfiler\Risxtd

2008-04-14 09:48 --------- d-----w C:\Programfiler\Fellesfiler\Thomson ResearchSoft

2008-04-14 09:35 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-04-14 07:23 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe

2008-04-14 07:22 987,136 ----a-w C:\WINDOWS\system32\setupapi.dll

2008-04-14 07:22 423,936 ----a-w C:\WINDOWS\system32\licdll.dll

2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys

2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys

2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys

2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys

2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys

2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys

2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys

2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys

2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys

2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys

2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys

2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys

2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys

2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys

2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys

2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys

2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys

2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys

2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys

2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys

2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys

2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys

2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys

2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 18:22 15360]

"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 12:36 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 12:31 126976]

"IntelZeroConfig"="C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe" [2005-05-31 21:46 401408]

"IntelWireless"="C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" [2005-06-03 00:31 385024]

"EOUApp"="C:\Programfiler\Intel\Wireless\Bin\EOUWiz.exe" [2005-05-31 21:50 356352]

"AGRSMMSG"="AGRSMMSG.exe" [2005-08-01 17:00 88363 C:\WINDOWS\AGRSMMSG.exe]

"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2004-07-15 19:32 102400]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2004-07-15 19:31 606208]

"MGSysCtrl"="C:\Programfiler\MSI\System Control Manager\MGSysCtrl.exe" [2005-07-25 11:41 167936]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"NotebookHardwareControl"="C:\Programfiler\Notebook Hardware Control\nhc.exe" [2007-05-04 02:33 2629632]

"MaxtorOneTouch"="C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2003-05-21 14:30 45056]

"MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [2003-04-07 17:09 118784]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2007-11-18 17:54 185896]

"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 19:01 36864 C:\WINDOWS\system32\P0630Pin.dll]

"SSBkgdUpdate"="C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]

"PaperPort PTD"="C:\Programfiler\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-18 16:03 57393]

"IndexSearch"="C:\Programfiler\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-18 16:15 40960]

"SetDefPrt"="C:\Programfiler\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 19:02 49152]

"ControlCenter2.0"="C:\Programfiler\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 18:42 933888]

"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-25 11:05 1177368]

"SoundMan"="SOUNDMAN.EXE" [2005-12-14 19:06 577536 C:\WINDOWS\SOUNDMAN.EXE]

"Windows Messanger Control Center"="svchosl.exe" [2008-06-01 22:10 49156 C:\WINDOWS\svchosl.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 18:22 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Adobe Reader Speed Launch.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

Statusoverv†kning.lnk - C:\Programfiler\Brother\Brmfcmon\BrMfcWnd.exe [2008-03-16 15:22:31 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

C:\Programfiler\Intel\Wireless\Bin\LgNotify.dll 2005-05-31 21:46 110592 C:\Programfiler\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^VPN Client.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\VPN Client.lnk

backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

"C:\\Programfiler\\Internet Explorer\\iexplore.exe"=

"C:\\Programfiler\\AVG\\AVG8\\avgupd.exe"=

"C:\\Programfiler\\AVG\\AVG8\\avgemc.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\RMEDIA.SYS [2003-10-20 21:09]

S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-25 11:06]

S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-25 11:05]

S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-25 11:05]

S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-25 11:06]

S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 13:50]

S3 MGHwCtrl;MGHwCtrl;C:\WINDOWS\System32\Drivers\MGHwCtrl.sys [2007-09-22 12:22]

S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-06 03:44]

*Newly Created Service* - CATCHME

*Newly Created Service* - PARPORT

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-03 19:39:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-06-03 19:40:30

ComboFix-quarantined-files.txt 2008-06-03 17:40:23

Pre-Run: 56,011,599,872 byte ledig

Post-Run: 57,348,526,080 byte ledig

231 --- E O F --- 2008-05-20 09:56:46

Hijackthis:

Logfile of HijackThis v1.99.1

Scan saved at 19:33:28, on 03.06.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\winlogon.exe

C:\Programfiler\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Opera\Opera.exe

C:\Programfiler\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Øystein Vetting\Skrivebord\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programfiler\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programfiler\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [intelZeroConfig] C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe

O4 - HKLM\..\Run: [intelWireless] C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [EOUApp] C:\Programfiler\Intel\Wireless\Bin\EOUWiz.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [MGSysCtrl] C:\Programfiler\MSI\System Control Manager\MGSysCtrl.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Programfiler\Notebook Hardware Control\nhc.exe" -quiet

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Programfiler\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Programfiler\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Programfiler\Brother\Brmfl05a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programfiler\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Windows Messanger Control Center] svchosl.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - Startup: Registration Silent Hunter III.LNK = C:\Programfiler\Ubisoft\SilentHunterIII\Support\Register\RegistrationReminder.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Statusovervåkning.lnk = C:\Programfiler\Brother\Brmfcmon\BrMfcWnd.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programfiler\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programfiler\AVG\AVG8\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: IntelWireless - C:\Programfiler\Intel\Wireless\Bin\LgNotify.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: EvtEng - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\OProtSvc.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe

Ewido:

__________________________________________________

ewido anti-spyware online scanner

http://www.ewido.net

__________________________________________________

Name: TrackingCookie.Serving-sys

Path: C:\Documents and Settings\Øystein Vetting\Cookies\ø[email protected][1].txt

Risk: Medium

Name: TrackingCookie.Serving-sys

Path: C:\Documents and Settings\Øystein Vetting\Cookies\øystein_vetting@serving-sys[2].txt

Risk: Medium

Name: TrackingCookie.Netflame

Path: C:\Documents and Settings\Øystein Vetting\Cookies\ø[email protected][2].txt

Risk: Medium

Name: TrackingCookie.Statistik-gallup

Path: C:\Documents and Settings\Øystein Vetting\Cookies\øystein_vetting@statistik-gallup[1].txt

Risk: Medium

Name: TrackingCookie.Webtrends

Path: C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

Risk: Medium

Name: TrackingCookie.Netflame

Path: C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt

Risk: Medium

Endret 3. juni 2008 av timmy84

norbat · 3. juni 2008

Synderen ligger som:

O4 - HKLM\..\Run: [Windows Messanger Control Center] svchosl.exe

i hjt-loggen

Tilhørende fil:

C:\WINDOWS\svchosl.exe

Før du fjerner den, kunne du ha lastet den opp på Jotti og sett hvilken betegnelsen den får (navn)

På hvilken måte fikk du dette og hva sto det på evt. link du trykket på?

vetting · 3. juni 2008

Synderen ligger som:
O4 - HKLM\..\Run: [Windows Messanger Control Center] svchosl.exe

i hjt-loggen

Tilhørende fil:

C:\WINDOWS\svchosl.exe

Før du fjerner den, kunne du ha lastet den opp på Jotti og sett hvilken betegnelsen den får (navn)

På hvilken måte fikk du dette og hva sto det på evt. link du trykket på?

Jeg var dum nok til å trykke på en link jeg fikk hos en kompis. Så det sto youtube, så trodde det var en film jeg skulle få se.

Ikarus fant dette: VirTool.Win32.VBInject.C

Det var den eneste som kom fram.

Skal jeg slette denne fila bare ved å høyreklikke på den og slett? Eller er det en annen måte jeg skal gjøre det på så den ikke kommer tilbake?

Endret 3. juni 2008 av timmy84

norbat · 3. juni 2008

Sørg for at du er i normal modus (ikke sikker modus)

Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript.txt

Dra deretter fila over Combofix-iconet. Combofix vil starte igjen.

File::

C:\WINDOWS\svchosl.exe

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Messanger Control Center"=-

Post ny logg og fortell om du fortsatt opplever probl. med msn.

snippsat · 3. juni 2008

Steng nettleser.

Start HijackThis "scan" finn disse linjene merk dem,så trykk fix checked.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O4 - HKLM\..\Run: [Windows Messanger Control Center] svchosl.exe

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

---

Restart

---

Da prøver du og slette.

C:\WINDOWS\svchosl.exe

Ja litt sen

Endret 3. juni 2008 av SNIPPSAT

vetting · 3. juni 2008

Sørg for at du er i normal modus (ikke sikker modus)

Åpne notisblokk og kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript.txt

Dra deretter fila over Combofix-iconet. Combofix vil starte igjen.

File::

C:\WINDOWS\svchosl.exe

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Messanger Control Center"=-

Post ny logg og fortell om du fortsatt opplever probl. med msn.

Her er den nye loggen:

ComboFix 08-06-01.6 - Øystein Vetting 2008-06-03 22:13:57.2 - NTFSx86

Running from: C:\Documents and Settings\Øystein Vetting\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Øystein Vetting\Skrivebord\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

C:\WINDOWS\svchosl.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\svchosl.exe

.

((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))

.

2008-06-03 21:26 . 2008-06-03 21:26 <DIR> d-------- C:\Programfiler\Lavasoft