
Downloader.Trojan - How do I get rid of this junk?


fkarpenm


Hi

Anyone who can read a HijackThis log file fluently?

My Norton Antivirus flags a Downloader.Trojan every day and puts a lot of exe files in quarantine. Very annoying...

Grateful for any help!

/F

Here is the log:

 

Logfile of HijackThis v1.99.0
Scan saved at 21:46:17, on 2005-01-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program\NavNT\defwatch.exe
C:\WINDOWS\system32\id2scaps.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program\NavNT\vptray.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program\iD2\CSP\iD2CertMover.exe
C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program\Delade filer\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eniro.se/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://webmail.tele2.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [statusClient] C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [vptray] C:\Program\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZiKNgJtf] C:\WINDOWS\axtcxcb.exe
O4 - HKLM\..\Run: [-
] C:\WINDOWS\axtcxcb.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
O4 - HKLM\..\RunServicesOnce: [capscanuninstall] "C:\WINDOWS\command.com" /c del "C:\DOCUME~1\Fredrik\LOKALA~1\Temp\uninstal.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Date Manager.lnk = C:\Program\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe
O4 - Global Startup: iD2 CSP Certificate Utility.lnk = C:\Program\iD2\CSP\iD2CertMover.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Påminnelser för Kalendern i Microsoft Works.lnk = ?
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Informationshanteraren - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program\Delade filer\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .sgn: C:\Program\Internet Explorer\PLUGINS\npSign.dll
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093686558047
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program\NavNT\defwatch.exe
O23 - Service: iD2 Smart Card Server - iD2 Technologies - C:\WINDOWS\system32\id2scaps.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

 

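Added example for this thread, not code from the original post or from HijackThis: a small Python triage of the O4 autostart lines in the log above. It re-joins the entry whose value name was printed over two lines ("[-" ... "]") and flags the patterns a helper would check first. The sample lines are copied from the log; the heuristics (file directly in the Windows folder, one executable started by several entries, line break in the value name) are assumptions and give review hints, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log above, including
# the entry whose value name was printed over two lines ("[-" ... "]").
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZiKNgJtf] C:\WINDOWS\axtcxcb.exe
O4 - HKLM\..\Run: [-
] C:\WINDOWS\axtcxcb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe
"""

# Registry Run entries: "O4 - HKLM\..\Run: [name] command"
O4_REG_RE = re.compile(r"^O4 - (?P<hive>HK\S*?): \[(?P<name>.*?)\] (?P<cmd>.*)$", re.S)
# Startup-folder shortcuts: "O4 - Global Startup: name.lnk = target"
O4_LNK_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$", re.S)
# First drive-letter path ending in a program file, with or without quotes.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|com|dll|scr))', re.I)
# A file directly under the Windows folder (assumes the default path seen in the log).
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.I)


def join_split_entries(text):
    """Re-join an entry whose value name contains a line break.

    HijackThis prints such a name over two lines, leaving an unbalanced '['
    on the first one; a naive line-by-line parse would drop the entry."""
    out = []
    for line in text.splitlines():
        if out and out[-1].count("[") > out[-1].count("]"):
            out[-1] += "\n" + line
        else:
            out.append(line)
    return out


def parse_o4(text):
    """Return one dict per O4 line: hive, value name, command, extracted exe."""
    entries = []
    for line in join_split_entries(text):
        m = O4_REG_RE.match(line) or O4_LNK_RE.match(line)
        if not m:
            continue
        exe = EXE_RE.search(m["cmd"])
        entries.append({"hive": m["hive"], "name": m["name"], "cmd": m["cmd"],
                        "exe": exe.group(1) if exe else None})
    return entries


def triage(entries):
    """Attach review reasons to entries; returns (name, exe, reasons) tuples.

    These are hints for a human reviewer, not verdicts: the legitimate
    Creative updater in the log (UpdReg.EXE) lives in the Windows folder too."""
    by_exe = defaultdict(list)
    for e in entries:
        if e["exe"]:
            by_exe[e["exe"].lower()].append(e)
    findings = []
    for e in entries:
        reasons = []
        if "\n" in e["name"] or "\r" in e["name"]:
            reasons.append("value name contains a line break")
        if e["exe"] and WINDIR_ROOT_RE.match(e["exe"]):
            reasons.append("executable sits directly in the Windows folder")
        if e["exe"] and len(by_exe[e["exe"].lower()]) > 1:
            reasons.append("same executable started by more than one entry")
        if reasons:
            findings.append((e["name"], e["exe"], reasons))
    return findings


def triage_log(text):
    """Parse and triage a HijackThis log (or just its O4 lines)."""
    return triage(parse_o4(text))


if __name__ == "__main__":
    for name, exe, reasons in triage_log(SAMPLE_LOG):
        print(f"[{name!r}] {exe}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the full log, the two entries pointing at C:\WINDOWS\axtcxcb.exe come out with two and three reasons each, while UpdReg.EXE shows how a benign file can trip one heuristic and still needs a human look.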

Start by doing what Mentor writes.

What Norton do you have, which variant and year model?

In which files does Norton report that you have the trojan?

If you remove something with HijackThis, it creates backups in the same folder it is in itself. Since those backups can be very good to have if something goes wrong, I don't think it is a good idea for HijackThis to sit in a folder called Temp; there is too big a risk that the folder gets deleted.

Before we start with HijackThis, I think you should first try to clean your computer with some safer programs.

First these online scans:

http://housecall.trendmicro.com/housecall/start_corp.asp

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Write down what they find and in which files.

Then the antispyware programs Ad-aware and Spybot Search & Destroy:

http://www.lavasoft.de/swedish/support/download/

http://www.lavasoftsupport.com/index.php?showtopic=42066 (instructions)

http://www.safer-networking.org/en/download/index.html

Remove what they report as critical or dangerous.

Then restart the computer and take a new HijackThis log.

In your reply, write what the online scans found, answer the other questions, and include the log.

But this time use the LOG button and not the CODE button! :thumbsup:

 


Still just as bad...

Unfortunately I only have a modem connection so far, so I haven't managed the online scans yet - it seemed to take a very long time to download the components that were needed?!?!

Have updated my programs again now (Norton, Adaware SE, Spybot)

The Norton I run is:

Norton AntiVirus, Corporate edition, 7.61.930, Server/Client Gold

I have been diligent about updating this continuously.

It is Norton's real-time protection that keeps popping up. On top of that, the computer wants to start the modem every time I boot it - some junk seems to want to contact the internet right at startup. It hasn't been like that before...

Typical files that are warned about:

axtcxb.exe

fsBNsdt.exe

etc.

They are of type Downloader.Trojan.

Istbar is a term I seem to see here and there in all this...

Below are three big log files

- Adaware SE

- Spybot

- HijackThis

Grateful for all help

/Fredrik

Ad-Aware SE log file:

 

[log]
Ad Aware

ArchiveData(auto-quarantine- 2005-01-21 21-26-14.bckp)
Referencefile : SE1R25 11.01.2005
======================================================

ISTBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : S-1-5-21-1602489464-1318987518-222395546-1007\software\ist
obj[1]=RegValue : S-1-5-21-1602489464-1318987518-222395546-1007\software\ist "Recover"

============

Ad-Aware SE Build 1.05
Logfile Created on:den 26 januari 2005 21:14:35
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R26 25.01.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
istbar(TAC index:6):2 total references
Tracking Cookie(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R26 25.01.2005
Internal build : 31
File location : C:\Program\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 413418 Bytes
Total size : 1303446 Bytes
Signature data size : 1273751 Bytes
Reference data size : 29183 Bytes
Signatures total : 36254
Fingerprints total : 607
Fingerprints size : 22890 Bytes
Target categories : 15
Target families : 632

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:47 %
Total physical memory:523760 kb
Available physical memory:243460 kb
Total page file size:1280504 kb
Available on page file:1056572 kb
Total virtual memory:2097024 kb
Available virtual memory:2047788 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

2005-01-26 21:14:35 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 


 

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1602489464-1318987518-222395546-1007\software\ist

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1602489464-1318987518-222395546-1007\software\ist
Value : Recover

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : fredrik@cgi-bin[1].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:fredrik@imrworldwide.com/cgi-bin
Expires : 2009-01-19
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 3

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 3

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

21:32:44 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:18:09.438
Objects scanned:177879
Objects identified:3
Objects ignored:0
New critical objects:3

===========================
[/log]

 

 

 

Log file from SpyBot

 

 

[log]
WebTrends live: Tracking cookie (Internet Explorer: Fredrik) (Cookie, fixed)
WebTrends live: Tracking cookie (Internet Explorer: Fredrik) (Cookie, fixed)
WebTrends live: Tracking cookie (Internet Explorer: Fredrik) (Cookie, fixed)
Avenue A, Inc.: Tracking cookie (Internet Explorer: Fredrik) (Cookie, fixed)
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-1602489464-1318987518-222395546-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DyFuCA.InternetOptimizer: Program directory (Directory, fixed)
C:\Program files\Internet Optimizer
GAIN.Gator: Common files (Directory, fixed)
C:\Program\Delade filer\CMEII
GAIN.Gator: Autostart file (File, fixed)
C:\Documents and Settings\All Users\Start-meny\Program\Autostart\GStartup.lnk
GAIN.Gator: Autostart file (File, fixed)
C:\Documents and Settings\All Users\Start-meny\Program\Autostart\PrecisionTime.lnk
GAIN.Gator: Autostart file (File, fixed)
C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Påminnelser för Kalendern i Microsoft Works.lnk
GAIN.Gator: Autostart file (File, fixed)
C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Date Manager.lnk
GAIN.Gator: Common file (global) (File, fixed)
C:\Program\Delade filer\GMT\GMT.exe.manifest
GAIN.Gator: Common file (global) (File, fixed)
C:\Program\Delade filer\CMEII\CMEDiagnostics.log
GAIN.Gator: Common file (global) (File, fixed)
C:\Program\Delade filer\CMEII\GatorSupportInfo.txt
GAIN.Gator: Common file (global) (File, fixed)
C:\Program\Delade filer\GMT\mepgh.dat
GAIN.Gator: Common file (global) (File, fixed)
C:\Program\Delade filer\GMT\mepcmeft.dat
GAIN.Gator: Common file (global) (File, fixed)
C:\Program\Delade filer\GMT\meprca.dat
GAIN.Gator: Common file (global) (File, fixed)
C:\Program\Delade filer\GMT\mepcme.dat
GAIN.Gator: Common file (global) (File, fixed)
C:\Program\Delade filer\GMT\Helper.wav
GAIN.Gator: Common file (global) (File, fixed)
C:\Program\Delade filer\GMT\FillIn.wav
GAIN.Gator: Common file (global) (File, fixed)
C:\Program\Delade filer\GMT\Gator.log
GAIN.Gator: Common files (Directory, fixed)
C:\Program\Delade filer\GMT
GAIN.Gator: Module usage (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/IEGator.dll
GAIN.Gator: Program group (Directory, fixed)
C:\Documents and Settings\All Users\Start-meny\Program\Date Manager
GAIN.Gator: Program group (Directory, fixed)
C:\Documents and Settings\All Users\Start-meny\Program\PrecisionTime
--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
[/log]

 

 

HijackThis log

 

[log]

Logfile of HijackThis v1.99.0

Scan saved at 22:07:30, on 2005-01-26

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program\NavNT\defwatch.exe

C:\WINDOWS\system32\id2scaps.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\NavNT\rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program\NavNT\vptray.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program\iD2\CSP\iD2CertMover.exe

C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe

C:\WINDOWS\system32\MsgSys.EXE

C:\Program\Ericsson\COMMUN~1\MOBILE~1\DbgOut.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\Program\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eniro.se/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://webmail.tele2.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] C:\Program\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [statusClient] C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup] C:\Program\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

O4 - HKLM\..\Run: [vptray] C:\Program\NavNT\vptray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ZiKNgJtf] C:\WINDOWS\axtcxcb.exe

O4 - HKLM\..\Run: [-

] C:\WINDOWS\axtcxcb.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe

O4 - HKLM\..\RunServicesOnce: [capscanuninstall] "C:\WINDOWS\command.com" /c del "C:\DOCUME~1\Fredrik\LOKALA~1\Temp\uninstal.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: iD2 CSP Certificate Utility.lnk = C:\Program\iD2\CSP\iD2CertMover.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: Informationshanteraren - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program\Delade filer\Microsoft Shared\Reference 2001\EROProj.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .mp3: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .sgn: C:\Program\Internet Explorer\PLUGINS\npSign.dll

O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093686558047

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A731078E-EB75-40E1-9D62-D2E4A6F94D2A}: NameServer = 213.150.135.211 213.150.135.210

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: DefWatch - Symantec Corporation - C:\Program\NavNT\defwatch.exe

O23 - Service: iD2 Smart Card Server - iD2 Technologies - C:\WINDOWS\system32\id2scaps.exe

O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program\NavNT\rtvscan.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

 

[/log]

 


Little cracker

Hi

 

I used to have Istbar on my laptop but now it's gone! I used Ad-Aware SE and searched for viruses... when it has finished searching it shows a list of all the dangerous files and where they are located... Istbar was in my registry (if there are viruses in the registry the whole address is shown, exactly where it is, like... HKEY_CURRENT_USER/software... etc.)

 

...you just run regedit, follow the address, find the file and delete it, and when you do that you should remove the key and all its subkeys... hope this helps you.

 


It's fine that you skip the online scans.

 

Even if you only have a dial-up modem, a firewall is probably still a good idea. You can download a free one from e.g. Kerio or Sygate:

http://smb.sygate.com/products/spf_standard.htm

http://www.kerio.com/kpf_download.html

 

Let Ad-Aware remove everything it finds that has to do with Istbar. If it can't, restart the computer in safe mode, run Ad-Aware again and see if it goes better then.

 

Spybot's complaint about DSO Exploit is a bug in Spybot and nothing to worry about. If the other items come back in Spybot, it may be worth running it in safe mode as well.

 

So that you don't accidentally restore the computer to a state full of nasties, you should now turn off System Restore to remove all restore points.

My Computer - Right-click - Properties - System Restore

Once the computer is clean it should be turned on again.

 

[log]After trying the two programs, restart the computer, run HijackThis and scan. Then tick these lines:

 

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [ZiKNgJtf] C:\WINDOWS\axtcxcb.exe

O4 - HKLM\..\Run: [-

] C:\WINDOWS\axtcxcb.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

 

Restart in safe mode.

 

Set Explorer so that you can see all files:

Tools - Folder Options - View

Select Show hidden files and folders

Untick Hide extensions for known file types

Untick Hide protected operating system files

Tick Display the contents of system folders

 

Delete the file:

C:\WINDOWS\axtcxcb.exe

 

Delete the contents of this folder, but leave the folder itself:

C:\DOCUME~1\Fredrik\LOKALA~1\Temp

Here ~1 stands for a number of arbitrary characters.[/log]

 

Restart in normal mode and take a new HijackThis log, which you post here together with how it went with Ad-Aware and Spybot (logs from them are not needed).

 

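The post above has the user tick two Run entries for C:\WINDOWS\axtcxcb.exe: one with a random-looking value name and one whose name HijackThis printed across two lines. As an added example (not from the thread and not HijackThis code), this Python script parses O4 lines from a constructed sample in that format and flags entries by those two traits; the vowel/case heuristic and the C:\WINDOWS-root check are assumptions of this example, not HijackThis rules.

```python
import re
# Constructed sample in the O4 format of the HijackThis log above: two legitimate
# Run entries and the two axtcxcb.exe entries (one name printed across two lines).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [vptray] C:\Program\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZiKNgJtf] C:\WINDOWS\axtcxcb.exe
O4 - HKLM\..\Run: [-
] C:\WINDOWS\axtcxcb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*?)\] (?P<cmd>.+)$", re.S)
VOWELS = set("aeiouyAEIOUY")

def join_entries(text):
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("O4 - "):
            if current is not None:
                entries.append(current)
            current = line
        elif current is not None and current.count("[") > current.count("]"):
            current += "\n" + line  # HijackThis printed the [...] value name across lines
    if current is not None:
        entries.append(current)
    return entries

def looks_random(name):
    """Heuristic (assumption) for generated names like ZiKNgJtf: long, vowel-poor, case-flipping."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    flips = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    return vowel_ratio < 0.2 and flips >= 3

def assess(entry):
    m = O4_RE.match(entry)
    if not m:
        return None
    name, cmd, reasons = m["name"], m["cmd"], []
    if not name.strip() or "\n" in name or not any(c.isalnum() for c in name):
        reasons.append("malformed value name")
    if looks_random(name):
        reasons.append("random-looking value name")
    strong = bool(reasons)  # only the two name checks decide on their own
    if re.match(r'"?[A-Za-z]:\\WINDOWS\\[^\\"]+\.exe', cmd, re.I):
        reasons.append("executable directly under C:\\WINDOWS (weak: some vendors do this too)")
    return {"hive": m["hive"], "name": name, "cmd": cmd, "reasons": reasons, "suspicious": strong}

def suspicious_entries(text):
    return [r for r in map(assess, join_entries(text)) if r and r["suspicious"]]
```

Run against a full HijackThis log, it only shortlists entries for a human to review; a clean-looking name is no proof that an entry is legitimate.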

Hi

 

Thanks to everyone who got involved in my case. However, I chose to reinstall the whole machine. I've had a number of attacks and felt the time was ripe for a fresh start.

 

THANKS!

/F

 

:thumbsup:

 


You don't risk "picking up junk" by installing these products on your computer, do you? Are they "safe"?

 

/F

 


The products above are mostly for repairing the damage and removing junk.

Download here:

Spybot (http://security.kolla.de/)

AdAware (http://www.lavasoft.de or http://www.lavasoftusa.com/)

 

To prevent spyware from being installed in the future:

Download

SpywareBlaster

SpywareGuard

from http://www.javacoolsoftware.com

 

and Microsoft AntiSpyware Beta

from http://www.microsoft.com/athome/security/spyware/software/default.mspx

 

All of these products are "safe".

 

 

--

[Esc]

 


Archived

This topic is now archived and closed to further replies.
