Pistoleer, Praktikant
13 October 2006 - 21:27 There are 3 comments and 1 solution

MSN Virus

Hi again, all you experts.

I'm now sitting with my in-laws' computer, where the little sister was hit by the MSN virus that was going around a couple of weeks ago. I've done as described in earlier questions and have scanned with Ewido, SuperAntiSpyware & Dr.Web, and here are the results:

Dr. Web:

rsmartload1135a[1].exe;C:\Documents and Settings\Jens\Lokale indstillinger\Temporary Internet Files\Content.IE5\GTUJ45U3;Adware.DollarRevenue;Renamed.;
drsmartload1135a.exe;C:\Documents and Settings\Jens\Skrivebord;Adware.DollarRevenue;Renamed.;
A0057326.exe;C:\System Volume Information\_restore{A6D09F2E-50AA-472A-A97C-77F34E31BB59}\RP173;Adware.Zango;Renamed.;
A0067751.exe;C:\System Volume Information\_restore{A6D09F2E-50AA-472A-A97C-77F34E31BB59}\RP197;Adware.DollarRevenue;Renamed.;

SuperAntiSpyware:

SUPERAntiSpyware Scan Log
Generated 10/13/2006 at 08:13 PM

Core Rules Database Version : 3103
Trace Rules Database Version: 1129

Memory threats detected  : 0
Registry threats detected : 3
File threats detected    : 38

Adware.Tracking Cookie
    C:\Documents and Settings\Anett\Cookies\anett@indextools[2].txt
    C:\Documents and Settings\Anett\Cookies\anett@statse.webtrendslive[2].txt
    C:\Documents and Settings\Anett\Cookies\anett@ad1.emediate[1].txt
    C:\Documents and Settings\Anett\Cookies\anett@adtech[2].txt
    C:\Documents and Settings\Anett\Cookies\anett@doubleclick[1].txt
    C:\Documents and Settings\Anett\Cookies\anett@microsofteup.112.2o7[1].txt
    C:\Documents and Settings\Anett\Cookies\anett@e2.emediate[1].txt
    C:\Documents and Settings\Anett\Cookies\anett@tribalfusion[1].txt
    C:\Documents and Settings\Anett\Cookies\anett@advertising[1].txt
    C:\Documents and Settings\Anett\Cookies\anett@track.adform[2].txt
    C:\Documents and Settings\Anett\Cookies\anett@mediaplex[1].txt
    C:\Documents and Settings\Anett\Cookies\anett@cgi-bin[1].txt
    C:\Documents and Settings\Anett\Cookies\anett@1071757340[1].txt
    C:\Documents and Settings\Anett\Cookies\anett@atdmt[1].txt
    C:\Documents and Settings\Anett\Cookies\anett@tradedoubler[2].txt
    C:\Documents and Settings\Anett\Cookies\anett@ads.beamfile[2].txt
    C:\Documents and Settings\Anett\Cookies\anett@toplist[1].txt
    C:\Documents and Settings\Anett\Cookies\anett@ads.estart[2].txt
    C:\Documents and Settings\Anett\Cookies\anett@valueclick[2].txt
    C:\Documents and Settings\Anett\Cookies\anett@adfair[2].txt
    C:\Documents and Settings\Anett\Cookies\anett@stats[2].txt
    C:\Documents and Settings\Camilla\Cookies\camilla@atwola[1].txt
    C:\Documents and Settings\Camilla\Cookies\camilla@counter.fateback[1].txt
    C:\Documents and Settings\Camilla\Cookies\camilla@track.adform[1].txt
    C:\Documents and Settings\Jens\Cookies\jens@2o7[2].txt
    C:\Documents and Settings\Jens\Cookies\jens@advertising[2].txt
    C:\Documents and Settings\Jens\Cookies\jens@atdmt[2].txt
    C:\Documents and Settings\Jens\Cookies\jens@casalemedia[1].txt
    C:\Documents and Settings\Jens\Cookies\jens@doubleclick[1].txt
    C:\Documents and Settings\Jens\Cookies\jens@hc2.humanclick[1].txt
    C:\Documents and Settings\Jens\Cookies\jens@revenue[2].txt
    C:\Documents and Settings\Jens\Cookies\jens@track.adform[1].txt
    C:\Documents and Settings\Jens\Cookies\jens@tradedoubler[1].txt

Adware.Toolbar888
    C:\Programmer\Toolbar888\Activate.exe
    C:\Programmer\Toolbar888\Uninst.exe
    C:\Programmer\Toolbar888
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ToolBar888
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ToolBar888#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ToolBar888#UninstallString

Trojan.Freeprod
    C:\Documents and Settings\Jens\Lokale indstillinger\Temporary Internet Files\Content.IE5\KTYN4L6F\alfa[1].exe
    C:\Documents and Settings\Jens\Skrivebord\alfa.exe

And finally Ewido:

--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:            21:13:21, 13-10-2006
+ Report-Checksum:        146EBBC

+ Scan result:

    C:\Documents and Settings\Anett\Cookies\anett@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\WINDOWS\system32\MRT.exe -> Heuristic.Win32.AVKiller : Cleaned with backup


::Report End

And this is what the HijackThis log looks like after the above has been completed:

Logfile of HijackThis v1.99.1
Scan saved at 21:25:22, on 13-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
C:\Programmer\Sikkerhed\security suite\ewidoctrl.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Winamp\winamp.exe
C:\Programmer\Sikkerhed\SAS\SUPERAntiSpyware.exe
C:\Programmer\Microsoft Office\Office\WINWORD.EXE
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Programmer\Sikkerhed\security suite\ewidoguard.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Anett\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - :C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O4 - HKLM\..\Run: [DrvLsnr] C:\Programmer\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [LVCOMSX] :C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [srmclean] :C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\Sikkerhed\SAS\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\Sikkerhed\SAS\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\Sikkerhed\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\Sikkerhed\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe


So now my question is whether it's clean, or is there more I need to do?

Thanks in advance,

Thomas
fromsej, Praktikant
13 October 2006 - 21:33 #1
The log is clean. *S*

Have you uninstalled MSN, restarted and reinstalled it?
Pistoleer, Praktikant
13 October 2006 - 22:33 #2
Thanks. I've just finished reinstalling MSN and everything seems to work OK, so big praise to the people who made the guide that helped me with this.

Could you post an answer? You've earned your points after sitting and going through all this.

Have a good rest of the weekend,

Thomas
fromsej, Praktikant
14 October 2006 - 09:08 #3
You should disable System Restore, restart, and re-enable it.
http://spywarefri.dk/virusscannere.htm#alle - System Restore.

To keep it clean, you can have a look at our package for that purpose.
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm
As a minimum I recommend Spywareguard, Spywareblaster, IE-Spyad and IE Privacy Keeper.
A couple of articles about safe surfing can be found here:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
http://fromsej.dk/html/avoid.html
Regards,
Fromsej/Team Spywarefri.
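Two things in this thread lend themselves to a small triage script: the HijackThis log in the question (the helper reads it for autostart entries with dangling "(file missing)" references or unfamiliar binaries) and the Dr.Web hits inside `System Volume Information\_restore{...}`, which are the reason for the System Restore advice in #3. The code below is an added example, not from the thread or from any of the tools named; the sample log lines are constructed to mirror the output posted above, and the known-good list is a reviewer's own allowlist, not something the tools provide.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines, modelled on the HijackThis v1.99.1 log in the thread.
HJT_SAMPLE = r"""Logfile of HijackThis v1.99.1
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\Sikkerhed\SAS\SUPERAntiSpyware.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
"""

# Constructed sample lines in Dr.Web's "file;directory;detection;action;" layout.
DRWEB_SAMPLE = r"""drsmartload1135a.exe;C:\Documents and Settings\Jens\Skrivebord;Adware.DollarRevenue;Renamed.;
A0057326.exe;C:\System Volume Information\_restore{A6D09F2E-50AA-472A-A97C-77F34E31BB59}\RP173;Adware.Zango;Renamed.;
A0067751.exe;C:\System Volume Information\_restore{A6D09F2E-50AA-472A-A97C-77F34E31BB59}\RP197;Adware.DollarRevenue;Renamed.;
"""

# HijackThis sections that decide what runs at boot or logon; the ones worth a second look.
AUTOSTART_SECTIONS = {"O2", "O4", "O20", "O23"}

# First drive-letter path on a line that ends in .exe/.dll; stops before a quote or '('.
_EXE_RE = re.compile(r'([A-Za-z]:\\[^"(]*?\.(?:exe|dll))', re.IGNORECASE)
_LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


@dataclass
class HjtEntry:
    code: str            # section code, e.g. "O4"
    detail: str          # the rest of the line
    exe: Optional[str]   # lowercase basename of the referenced binary, if any
    file_missing: bool   # HijackThis appended "(file missing)"


def parse_hjt(text: str) -> list[HjtEntry]:
    """Turn HijackThis log lines into entries; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        code, detail = m.groups()
        exe_match = _EXE_RE.search(detail)
        exe = exe_match.group(1).rsplit("\\", 1)[-1].lower() if exe_match else None
        entries.append(HjtEntry(code, detail, exe, detail.endswith("(file missing)")))
    return entries


def triage(text: str, known_good: set[str]) -> list[tuple[str, str, str]]:
    """Return (code, reason, detail) for autostart entries a human should look at:
    dangling references, or binaries not on the reviewer's known-good list."""
    flagged = []
    for e in parse_hjt(text):
        if e.code not in AUTOSTART_SECTIONS:
            continue
        if e.file_missing:
            flagged.append((e.code, "file missing", e.detail))
        elif e.exe is None or e.exe not in known_good:
            flagged.append((e.code, "unknown binary", e.detail))
    return flagged


def restore_point_detections(drweb_text: str) -> list[str]:
    """Detection names Dr.Web found inside System Restore snapshots. A renamed copy
    there is inert, but a later restore can bring it back, which is why the thread
    advises disabling System Restore, rebooting and re-enabling it to drop the points."""
    hits = []
    for line in drweb_text.splitlines():
        fields = line.split(";")
        if len(fields) < 3:
            continue
        directory, detection = fields[1], fields[2]
        if "\\System Volume Information\\_restore" in directory:
            hits.append(detection)
    return hits


if __name__ == "__main__":
    allowlist = {"smc.exe", "superantispyware.exe", "ipodservice.exe"}
    for code, reason, detail in triage(HJT_SAMPLE, allowlist):
        print(f"{code:4} {reason:15} {detail}")
    print("in restore points:", restore_point_detections(DRWEB_SAMPLE))
```

The allowlist is deliberately the reviewer's responsibility: an entry like `srmclean.exe` is flagged only because it is not on it, which is a prompt to verify the publisher and path, not a verdict. The "(file missing)" flags are the cheaper signal, since a Run key or service pointing at a file that no longer exists is typical leftover from a removal and can usually be cleaned up.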
fromsej, Praktikant
15 October 2006 - 20:04 #4
Thanks for the points. :-)