2008-07-02, 18:45
#1
I've got a "W32 Spybot Worm" (keylogger?) virus. Under Norton's "Risk Details" it says it is located in c:\windows\ehsched.exe, and now to the question: how the hell do I get rid of this crap? Norton has the crap listed as "unhandled" and nothing can be done with it, and the file cannot be found in c:\windows\
Process:
c:\windows\ehsched.exe
Infection:
c:\windows\ehsched.exe
Registry:
HKEY_USERS\S-1-5-21-1844237615-1960408961-725345543-1005\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\->Firewall Controls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->246545
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->665578
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->7686743
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->rrrun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\->Microsoft Visual Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\->C:\WINDOWS\system32\dllcache\winsno.exe
HKEY_USERS\S-1-5-21-1844237615-1960408961-725345543-1005\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
HKEY_USERS\S-1-5-21-1844237615-1960408961-725345543-1005\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
HKEY_CLASSES_ROOT\CLSID\{1C047C97-CA7F-BAF1-05A4-AEBA271281ED}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\->ATI Video Driver Controls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\->Microsoft Directxsp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\->ATI Video Driver Controls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\->Microsoft Directxsp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->1123
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->112
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->AntiVirusOverride:0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\->Start:4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update->AUOptions:3
Browser Cache:
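As an added triage check (this is not part of the original post and not Norton's output), the PowerShell script below re-reads every registry location and file path listed in the Risk Details above and reports what is still present, so you can see what survives a reboot or a failed clean-up. Key paths and value names are copied verbatim from the log; the user SID is the one from the log and is specific to that machine, so substitute your own (`whoami /user`) elsewhere. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script, not from the original post or from Norton.
# Re-checks the autostart entries, firewall exception, protection settings and
# dropped files that Norton listed, and prints whatever still exists.
# Assumption: the SID below is copied from the log and differs on other machines.
$UserSid = 'S-1-5-21-1844237615-1960408961-725345543-1005'

# Value names used for the autostart entries (verbatim from the log)
$AutostartNames = @(
    'Firewall Controls'
    'ATI Video Driver Controls'
    'Microsoft Directxsp'
    'Microsoft Visual Application'
)
# Values dropped under Shell Extensions (verbatim from the log)
$ShellExtNames = @('246545', '665578', '7686743', 'rrrun', '1123', '112')

# Run / RunServices / Ole locations from the log, for HKLM and every user hive listed
$AutostartKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole'
)
foreach ($sid in $UserSid, 'S-1-5-19', 'S-1-5-20', '.DEFAULT') {
    $AutostartKeys += "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\RunServices"
}

function Get-NamedValues {
    # Return Key/Name/Data for each of $Names that exists as a value under $Key
    param([string]$Key, [string[]]$Names)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    foreach ($n in $Names) {
        $p = $props.PSObject.Properties[$n]
        if ($p) { [pscustomobject]@{ Key = $Key; Name = $n; Data = $p.Value } }
    }
}

Write-Host '== Autostart entries still present =='
foreach ($k in $AutostartKeys) { Get-NamedValues -Key $k -Names $AutostartNames }
Get-NamedValues -Key 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions' -Names $ShellExtNames

Write-Host '== COM class and firewall exception from the log =='
$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{1C047C97-CA7F-BAF1-05A4-AEBA271281ED}'
"CLSID key present: $(Test-Path -LiteralPath $clsid)"
$fwList = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
Get-NamedValues -Key $fwList -Names 'C:\WINDOWS\system32\dllcache\winsno.exe'

Write-Host '== Protection settings listed as changed =='
# SharedAccess is the Windows Firewall/ICS service; Start 4 = Disabled, 2 = Automatic
$svc = Get-ItemProperty -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess' -ErrorAction SilentlyContinue
"SharedAccess Start = $($svc.Start)  (the log shows 4 = Disabled; 2 = Automatic)"
$sc = Get-ItemProperty -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
"Security Center AntiVirusOverride = $($sc.AntiVirusOverride)"
$au = Get-ItemProperty -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
"Auto Update AUOptions = $($au.AUOptions)"

Write-Host '== Files (hidden/system attributes included) =='
# Explorer does not show files carrying the Hidden+System attributes by default,
# which is one reason a file Norton names "cannot be found"; -Force lists them anyway.
foreach ($f in 'C:\WINDOWS\ehsched.exe', 'C:\WINDOWS\system32\dllcache\winsno.exe') {
    $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    if ($item) { "$f  present, attributes: $($item.Attributes)" } else { "$f  not found" }
}
```

The script only reads; it deletes nothing. If an entry you remove reappears on the next run, the process that writes it is still alive, and the check should be repeated from Safe Mode or with the disk mounted under another system before cleaning by hand.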