Just nu i M3-nätverket
Jump to content

Virus - Startar explorer fönster


stonegossard

Recommended Posts

Hej

 

Har fått nåt konstigt virus på min dator som vägrar försvinna trots körningar med online scan, Adawre och antivirus program.

 

Den ändrar massa värden där man går in i med regedit. Alltså värden i LOCAL_MACHINE mm. Den startar upp massa IE-fönster med minst sagt stötande innehåll när jag startar dator. Körde Hijackthis och fick följande resultat i logfilen. Skulle vara otroligt tacksam om någon visste vad det är för något samt hur man får bort det:

 

Logfile of HijackThis v1.97.7

Scan saved at 14:34:22, on 2004-11-11

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Winamp3\winampa.exe

C:\Program Files\D-Tools\daemon.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\System32\lsass2.exe

C:\bar.exe

C:\gcash.exe

C:\ysb.exe

C:\lcash.exe

C:\Program Files\Windows AdTools\WinAdTools.exe

C:\WINDOWS\system\lsvchost.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\windows\180ax.exe

C:\Program Files\Windows AdTools\WinRatchet.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Documents and Settings\Frippe\Application Data\oaas.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\GIANT Company Software\GIANT AntiSpyware\GIANTAntiSpywareMain.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\ftp.exe

C:\WINDOWS\System32\logon.exe

C:\WINDOWS\System32\runddl32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Frippe\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php'>http://searchmiracle.com/sp.php'>http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/

O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [lsass service] lsass2.exe

O4 - HKLM\..\Run: [FUKLBAR] C:\bar.exe

O4 - HKLM\..\Run: [MS SyS Restore] sysrestore.exe

O4 - HKLM\..\Run: [system manager] system.exe

O4 - HKLM\..\Run: [rundll32] runddl32.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [wow] C:\bar.exe

O4 - HKLM\..\Run: [GCASH] C:\gcash.exe

O4 - HKLM\..\Run: [YSBCASH] C:\ysb.exe

O4 - HKLM\..\Run: [LCASH] C:\lcash.exe

O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe

O4 - HKLM\..\Run: [mdetect] C:\WINDOWS\System32\mainx32.exe

O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe

O4 - HKLM\..\Run: [update run dos] logon.exe

O4 - HKLM\..\RunServices: [lsass service] lsass2.exe

O4 - HKLM\..\RunServices: [MS SyS Restore] sysrestore.exe

O4 - HKLM\..\RunServices: [system manager] system.exe

O4 - HKLM\..\RunServices: [rundll32] runddl32.exe

O4 - HKLM\..\RunServices: [update run dos] logon.exe

O4 - HKCU\..\Run: [MS SyS Restore] sysrestore.exe

O4 - HKCU\..\Run: [system manager] system.exe

O4 - HKCU\..\Run: [rundll32] runddl32.exe

O4 - HKCU\..\Run: [Caat] C:\Documents and Settings\Frippe\Application Data\oaas.exe

O4 - HKCU\..\Run: [update run dos] logon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing

O16 - DPF: v3cab - http://searchmiracle.com/cab/13.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=8834206f89bf27adc9234f32ec26bf46c2a28aaed342e73f787e9285152496a5bd6f5a72bda930f548f1f0d009ed7943e3bffa1f54:7f9a299c5336e6010bf86feeb96d7cf4

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f008.mail.spray.se/app/uploader/FileUploader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

 

 

 

Link to comment
Share on other sites

Avsluta dessa processer

 

[log]

C:\WINDOWS\System32\lsass2.exe

C:\bar.exe

C:\gcash.exe

C:\ysb.exe

C:\lcash.exe

C:\WINDOWS\system\lsvchost.exe

C:\windows\180ax.exe

C:\WINDOWS\System32\logon.exe

C:\WINDOWS\System32\runddl32.exe[/log]

 

 

Sen scanna datorn här och ta bot det som hittas

 

http://housecall.trendmicro.com/

 

 

Efter det putsa datorn med Ad-Aware.

Skicka sen en ny Hijack logg med nyaste versionen

 

http://koti.mbnet.fi/pattaya1/HijackThis.exe

 

Link to comment
Share on other sites

Nu har jag följ dina instruktioner. Fick följnade logfil från hijackthis:

Trendmicros onlinescan hittade inget föresten.

 

Logfile of HijackThis v1.98.2

Scan saved at 16:24:25, on 2004-11-11

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Winamp3\winampa.exe

C:\Program Files\D-Tools\daemon.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\System32\lsass2.exe

C:\ysb.exe

C:\lcash.exe

C:\Program Files\Windows AdTools\WinAdTools.exe

C:\WINDOWS\system\lsvchost.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Windows AdTools\WinRatchet.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Documents and Settings\Frippe\Application Data\oaas.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\GIANT Company Software\GIANT AntiSpyware\GIANTAntiSpywareMain.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\ftp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Winamp3\studio.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\WINDOWS\System32\runddl32.exe

C:\WINDOWS\System32\logon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Frippe\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php'>http://searchmiracle.com/sp.php'>http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [lsass service] lsass2.exe

O4 - HKLM\..\Run: [FUKLBAR] C:\bar.exe

O4 - HKLM\..\Run: [MS SyS Restore] sysrestore.exe

O4 - HKLM\..\Run: [system manager] system.exe

O4 - HKLM\..\Run: [rundll32] runddl32.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [wow] C:\bar.exe

O4 - HKLM\..\Run: [GCASH] C:\gcash.exe

O4 - HKLM\..\Run: [YSBCASH] C:\ysb.exe

O4 - HKLM\..\Run: [LCASH] C:\lcash.exe

O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe

O4 - HKLM\..\Run: [mdetect] C:\WINDOWS\System32\mainx32.exe

O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [update run dos] logon.exe

O4 - HKLM\..\RunServices: [lsass service] lsass2.exe

O4 - HKLM\..\RunServices: [MS SyS Restore] sysrestore.exe

O4 - HKLM\..\RunServices: [system manager] system.exe

O4 - HKLM\..\RunServices: [rundll32] runddl32.exe

O4 - HKLM\..\RunServices: [update run dos] logon.exe

O4 - HKCU\..\Run: [MS SyS Restore] sysrestore.exe

O4 - HKCU\..\Run: [system manager] system.exe

O4 - HKCU\..\Run: [rundll32] runddl32.exe

O4 - HKCU\..\Run: [Caat] C:\Documents and Settings\Frippe\Application Data\oaas.exe

O4 - HKCU\..\Run: [update run dos] logon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing

O16 - DPF: v3cab - http://searchmiracle.com/cab/13.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=8834206f89bf27adc9234f32ec26bf46c2a28aaed342e73f787e9285152496a5bd6f5a72bda930f548f1f0d009ed7943e3bffa1f54:7f9a299c5336e6010bf86feeb96d7cf4

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f008.mail.spray.se/app/uploader/FileUploader.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

 

 

 

[inlägget ändrat 2004-11-11 16:26:10 av stonegossard]

Link to comment
Share on other sites

Kanske Norton kan plocka lite här.

Uppdatera Norton.

Stäng av System Restore.

Starta i felsäkert läge och scanna med Norton.

Starta sen normalt sätt på System Restore igen och skicka en ny Hijack logg så rensar vi den .

 

 

Link to comment
Share on other sites

OK, har gjort det du sade. Norton hittade 2 infected och 28 at-risk files. Den kunde inte deleta 12 stycken at-risk files. De som den inte kunde deleta hade följande namn:

"Adware.EliteBar" 9 stycken

"Adware.180Search"

"Adware.CDT"

"Adware.SyncroAd"

 

Fortfarande samma när jag startar om datorn att det startar massa IE fönster med barnförbjudet material.

Kommer även upp en ruta att värden har blivit ändrade. Tror det är att den lagt till elitebar mm på vissa ställen där man går in med REG Edit.

Såhär ser logfilen från hijackthis ut:

 

Logfile of HijackThis v1.98.2

Scan saved at 17:55:48, on 2004-11-11

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Winamp3\winampa.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\System32\lsass2.exe

C:\bar.exe

C:\WINDOWS\System32\runddl32.exe

C:\gcash.exe

C:\ysb.exe

C:\lcash.exe

C:\Program Files\Windows AdTools\WinAdTools.exe

C:\WINDOWS\system\lsvchost.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Windows AdTools\WinRatchet.exe

C:\Documents and Settings\Frippe\Application Data\oaas.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\wuauclt.exe

c:\gmsex.exe

c:\cat.exe

c:\likpussy.exe

c:\likpussy.exe

c:\cat.exe

c:\ybsex.exe

C:\DOCUME~1\Frippe\LOCALS~1\Temp\iinstall.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\gmsex.exe

c:\msex.exe

C:\Documents and Settings\Frippe\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php'>http://searchmiracle.com/sp.php'>http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [lsass service] lsass2.exe

O4 - HKLM\..\Run: [FUKLBAR] C:\bar.exe

O4 - HKLM\..\Run: [MS SyS Restore] sysrestore.exe

O4 - HKLM\..\Run: [system manager] system.exe

O4 - HKLM\..\Run: [rundll32] runddl32.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [wow] C:\bar.exe

O4 - HKLM\..\Run: [GCASH] C:\gcash.exe

O4 - HKLM\..\Run: [YSBCASH] C:\ysb.exe

O4 - HKLM\..\Run: [LCASH] C:\lcash.exe

O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe

O4 - HKLM\..\Run: [mdetect] C:\WINDOWS\System32\mainx32.exe

O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [update run dos] logon.exe

O4 - HKLM\..\Run: [OHBABY] c:\msex.exe

O4 - HKLM\..\RunServices: [lsass service] lsass2.exe

O4 - HKLM\..\RunServices: [MS SyS Restore] sysrestore.exe

O4 - HKLM\..\RunServices: [system manager] system.exe

O4 - HKLM\..\RunServices: [rundll32] runddl32.exe

O4 - HKLM\..\RunServices: [update run dos] logon.exe

O4 - HKCU\..\Run: [MS SyS Restore] sysrestore.exe

O4 - HKCU\..\Run: [system manager] system.exe

O4 - HKCU\..\Run: [rundll32] runddl32.exe

O4 - HKCU\..\Run: [Caat] C:\Documents and Settings\Frippe\Application Data\oaas.exe

O4 - HKCU\..\Run: [update run dos] logon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing

O16 - DPF: v3cab - http://searchmiracle.com/cab/13.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=8834206f89bf27adc9234f32ec26bf46c2a28aaed342e73f787e9285152496a5bd6f5a72bda930f548f1f0d009ed7943e3bffa1f54:7f9a299c5336e6010bf86feeb96d7cf4

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f008.mail.spray.se/app/uploader/FileUploader.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

 

 

 

Link to comment
Share on other sites

Nästa gång du klistrar in loggen ifrån hijackthis så gör det emellan

[ LOG ] taggarna, please.

 

Kort instruktion här:

//eforum.idg.se/Eforumintro.asp#Del3

 

 

°±°

 

Link to comment
Share on other sites

Ok,jag tror att vi får köra par gånger för att det ska bli rent.

 

Skapa en ny mapp på C:/ och placera HijackThis.exe dit så C:/HjT/HijackThis.exe

 

Sätt dolda filer synliga titta här hur man gör

 

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Avsluta dom här processer

 

C:\WINDOWS\System32\lsass2.exe

C:\bar.exe

C:\WINDOWS\System32\runddl32.exe

C:\gcash.exe

C:\ysb.exe

C:\lcash.exe

C:\Program Files\Windows AdTools\WinAdTools.exe

C:\WINDOWS\system\lsvchost.exe

C:\Program Files\Windows AdTools\WinRatchet.exe

c:\gmsex.exe

c:\cat.exe

c:\likpussy.exe

c:\likpussy.exe

c:\cat.exe

c:\ybsex.exe

C:\DOCUME~1\Frippe\LOCALS~1\Temp\iinstall.exe

c:\gmsex.exe

c:\msex.exe

 

 

Sen avinstallera via Kontrollpanelen om den finns där

 

Windows AdTools

 

 

 

Scanna med Hijack bocka i följande rader stäng Web-läsaren och alla andra öppna fönster och klicka FIX checked

 

[log]R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php'>http://searchmiracle.com/sp.php'>http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll

O4 - HKLM\..\Run: [lsass service] lsass2.exe

O4 - HKLM\..\Run: [FUKLBAR] C:\bar.exe

O4 - HKLM\..\Run: [MS SyS Restore] sysrestore.exe

O4 - HKLM\..\Run: [system manager] system.exe

O4 - HKLM\..\Run: [rundll32] runddl32.exe

O4 - HKLM\..\Run: [wow] C:\bar.exe

O4 - HKLM\..\Run: [GCASH] C:\gcash.exe

O4 - HKLM\..\Run: [YSBCASH] C:\ysb.exe

O4 - HKLM\..\Run: [LCASH] C:\lcash.exe

O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe

O4 - HKLM\..\Run: [mdetect] C:\WINDOWS\System32\mainx32.exe

O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe

O4 - HKLM\..\Run: [update run dos] logon.exe

O4 - HKLM\..\Run: [OHBABY] c:\msex.exe

O4 - HKLM\..\RunServices: [lsass service] lsass2.exe

O4 - HKLM\..\RunServices: [MS SyS Restore] sysrestore.exe

O4 - HKLM\..\RunServices: [system manager] system.exe

O4 - HKLM\..\RunServices: [rundll32] runddl32.exe

O4 - HKLM\..\RunServices: [update run dos] logon.exe

O4 - HKCU\..\Run: [MS SyS Restore] sysrestore.exe

O4 - HKCU\..\Run: [system manager] system.exe

O4 - HKCU\..\Run: [rundll32] runddl32.exe

O4 - HKCU\..\Run: [Caat] C:\Documents and Settings\Frippe\Application Data\oaas.exe

O4 - HKCU\..\Run: [update run dos] logon.exe

O16 - DPF: v3cab - http://searchmiracle.com/cab/13.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=8834206f89

bf27adc9234f32ec26bf46c2a28aaed342e73f787e9285152496a5bd6f5a72bda...

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab[/log]

 

 

Starta sen i felsäkert läge sök och ta bort (delete)

 

lsass2.exe

bar.exe

sysrestore.exe

system.exe

runddl32.exe

gcash.exe

ysb.exe

lcash.exe

mainx32.exe

lsvchost.exe

logon.exe

oaas.exe

cat.exe

likpussy.exe

gmsex.exe

msex.exe

 

C:\Program Files\Windows AdTools\WinAdTools.exe

- ta bort Windows AdTools mappen

 

Töm den här TEMP mappen

 

C:\DOCUME~1\Frippe\LOCALS~1\Temp

 

 

Starta sen normalt och skicka en ny Hijack logg

 

Link to comment
Share on other sites

Sådär

 

Alla processer du beskrev fanns inte och inte heller alla exe-filer, de flesta fanns dock, tog bort dom med. Ligger lite andra skumma exe.-filer under c. Några av de filerna jag deletade har kommit tillbaks. Går ej att deleta dom nu, antar att jag måste göra det i felsäkert läge. Såhär ser logfilen ut nu:

 

[log]

Logfile of HijackThis v1.98.2

Scan saved at 19:09:20, on 2004-11-11

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Winamp3\winampa.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

C:\WINDOWS\System32\lsass2.exe

C:\WINDOWS\System32\runddl32.exe

C:\Documents and Settings\Frippe\Application Data\oaas.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

c:\gmsex.exe

c:\cat.exe

c:\cat.exe

c:\gmsex.exe

c:\likpussy.exe

c:\likpussy.exe

C:\DOCUME~1\Frippe\LOCALS~1\Temp\iinstall.exe

C:\HjT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [lsass service] lsass2.exe

O4 - HKLM\..\Run: [FUKLBAR] C:\bar.exe

O4 - HKLM\..\Run: [MS SyS Restore] sysrestore.exe

O4 - HKLM\..\Run: [system manager] system.exe

O4 - HKLM\..\Run: [rundll32] runddl32.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [wow] C:\bar.exe

O4 - HKLM\..\Run: [GCASH] C:\gcash.exe

O4 - HKLM\..\Run: [YSBCASH] C:\ysb.exe

O4 - HKLM\..\Run: [LCASH] C:\lcash.exe

O4 - HKLM\..\Run: [mdetect] C:\WINDOWS\System32\mainx32.exe

O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [update run dos] logon.exe

O4 - HKLM\..\Run: [OHBABY] c:\msex.exe

O4 - HKLM\..\RunServices: [lsass service] lsass2.exe

O4 - HKLM\..\RunServices: [MS SyS Restore] sysrestore.exe

O4 - HKLM\..\RunServices: [system manager] system.exe

O4 - HKLM\..\RunServices: [rundll32] runddl32.exe

O4 - HKLM\..\RunServices: [update run dos] logon.exe

O4 - HKCU\..\Run: [MS SyS Restore] sysrestore.exe

O4 - HKCU\..\Run: [system manager] system.exe

O4 - HKCU\..\Run: [rundll32] runddl32.exe

O4 - HKCU\..\Run: [Caat] C:\Documents and Settings\Frippe\Application Data\oaas.exe

O4 - HKCU\..\Run: [update run dos] logon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing

O16 - DPF: v3cab - http://searchmiracle.com/cab/13.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=8834206f89bf27adc9234f32ec26bf46c2a28aaed342e73f787e9285152496a5bd6f5a72bda930f548f1f0d009ed7943e3bffa1f54:7f9a299c5336e6010bf86feeb96d7cf4

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f008.mail.spray.se/app/uploader/FileUploader.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

 

[/log]

 

[inlägget ändrat 2004-11-11 19:14:33 av stonegossard]

Link to comment
Share on other sites

Nu har du stressat och missat flera saker ser jag.

Du måste starta i felsäkert läge när du tar bort filer.

Ta det lungt och stressa inte.

 

 

Sätt dolda filer synliga titta här hur man gör

 

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Avsluta dom här processer

 

C:\WINDOWS\System32\lsass2.exe

C:\WINDOWS\System32\runddl32.exe

C:\Documents and Settings\Frippe\Application Data\oaas.exe

c:\gmsex.exe

c:\cat.exe

c:\cat.exe

c:\gmsex.exe

c:\likpussy.exe

c:\likpussy.exe

C:\DOCUME~1\Frippe\LOCALS~1\Temp\iinstall.exe

 

 

Scanna med Hijack bocka i följande rader stäng Web-läsaren och alla andra öppna fönster och klicka FIX checked

 

 

[log]O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll

O4 - HKLM\..\Run: [lsass service] lsass2.exe

O4 - HKLM\..\Run: [FUKLBAR] C:\bar.exe

O4 - HKLM\..\Run: [MS SyS Restore] sysrestore.exe

O4 - HKLM\..\Run: [system manager] system.exe

O4 - HKLM\..\Run: [rundll32] runddl32.exe

O4 - HKLM\..\Run: [wow] C:\bar.exe

O4 - HKLM\..\Run: [GCASH] C:\gcash.exe

O4 - HKLM\..\Run: [YSBCASH] C:\ysb.exe

O4 - HKLM\..\Run: [LCASH] C:\lcash.exe

O4 - HKLM\..\Run: [mdetect] C:\WINDOWS\System32\mainx32.exe

O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe

O4 - HKLM\..\Run: [update run dos] logon.exe

O4 - HKLM\..\Run: [OHBABY] c:\msex.exe

O4 - HKLM\..\RunServices: [lsass service] lsass2.exe

O4 - HKLM\..\RunServices: [MS SyS Restore] sysrestore.exe

O4 - HKLM\..\RunServices: [system manager] system.exe

O4 - HKLM\..\RunServices: [rundll32] runddl32.exe

O4 - HKLM\..\RunServices: [update run dos] logon.exe

O4 - HKCU\..\Run: [MS SyS Restore] sysrestore.exe

O4 - HKCU\..\Run: [system manager] system.exe

O4 - HKCU\..\Run: [rundll32] runddl32.exe

O4 - HKCU\..\Run: [Caat] C:\Documents and Settings\Frippe\Application Data\oaas.exe

O4 - HKCU\..\Run: [update run dos] logon.exe

O16 - DPF: v3cab - http://searchmiracle.com/cab/13.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=8834206f89bf27

adc9234f32ec26bf46c2a28aaed342e73f787e9285152496a5bd6f5a72bda930f...

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab[/log]

 

 

Starta sen i felsäkert läge sök och ta bort (delete)

 

lsass2.exe

bar.exe

sysrestore.exe

system.exe

runddl32.exe

gcash.exe

ysb.exe

lcash.exe

mainx32.exe

lsvchost.exe

logon.exe

msex.exe

oaas.exe

gmsex.exe

cat.exe

likpussy.exe

 

 

C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll

- ta bort EliteToolBar mappen

 

Förut tömde du inte den här TEMP mappen gör det ny

 

C:\DOCUME~1\Frippe\LOCALS~1\Temp

 

 

Starta sen normalt och skicka en ny Hijack logg.

 

 

 

Link to comment
Share on other sites

Jag fattade ju inte att man skulle trycka på pluset i logfilen du klistrade in så jag raderade bara den första posten för det var den enda som syntes i logfilen du klistrade in. Det verkar banne mig osm det funkar nu. Det kommer inte upp massa skit när jag startar datorn och logfilen ser bra ut. Klistrar in den så kan du ju kolla om du hittar nåt suspekt.

 

Du skall ha ett extremt stort tack för hjälpen, jag hade kunnat sitta i år för att komma på att göra det du beskrev, kul att det finns folk som tar sig tid att hjälpa till.

 

Tack än en gång!

 

Här är logfilen:

 

[log]

Logfile of HijackThis v1.98.2

Scan saved at 20:00:51, on 2004-11-11

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Winamp3\winampa.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\HjT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f008.mail.spray.se/app/uploader/FileUploader.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

 

[/log]

 

Link to comment
Share on other sites

Ladda ner whndnfix.zip

 

http://digital-solutions.co.uk/lavasoft/whndnfix.zip

 

 

Ladda ner LSPFix.exe

 

 

http://www.cexx.org/LSPFix.exe

 

Öppna den och bocka i

 

I know what I´m doing

 

Sen flytta över alla newdotnet6_38.dll' filer till höger sida med pilknappen och klicka Finish.

Kanske finns bara en.

Stäng sen programmet

 

 

 

Sen avinstallera via Kontrollpanelen om den syns där

 

New.Net eller NewDotNet

 

 

Scanna med Hijack bocka i följande rader stäng Web-läsaren och alla andra öppna fönster och klicka FIX checked

 

 

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

 

 

Starta sen i felsäkert läge sök och ta bort

 

C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

- ta bort NEWDOT~1 mappen

 

 

Starta sen normat och har du problem att komma in på nätet så unzippa och kör whndnfix.zip.

 

 

 

 

 

 

 

 

 

 

 

[inlägget ändrat 2004-11-11 20:31:45 av Zipp.]

Link to comment
Share on other sites

Tog bort de två filerna med Hijack. Programmet fanns dock inte att avinstallera och inte heller mappen fanns där. Klistarar in log igen så kan du ju kolla om den ser ok ut.

 

[log]

Logfile of HijackThis v1.98.2

Scan saved at 20:46:47, on 2004-11-11

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Winamp3\winampa.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\HjT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f008.mail.spray.se/app/uploader/FileUploader.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

 

[/log]

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.



×
×
  • Create New...