Trojaner

[Mr Boogie]

Hej,

är det någon kan hjälpa mig? Min dator blev hijacked och jag fick in flera trojaner. Har tagit bort en del, men har fortfarande kvar problem. Har bla en ickeönskvärd skrivbordsunderläggsbild med röd bakgrund och med texten spyware danger,som jag fick i samband med att jag fick in virus.

(verkar vara en reklam desctop för företaget smartsecurity. Det går inte att byta bild via kontrollpanelen och varje gång jag loggar in i datorn startar utforskaren. Dessutom är iconerna färre än tidigare och det går inte att högerklicka på skrivbordet. Tog bort något ad-aware som hette desctop och skrivbordsbilden försvann temporärt, när jag sedan loggade in i internet så återkom bilden och har sedan dess inte gått få bort. Även när jag skall starta explorer så börjar den alltid med about:blank som startbild. Har tagit bort ett 20 tal trojaner, har kört spybot och ad-aware men problemen kvarstår. Körde hijack this och funderar hur mycket man törs ta bort. I loggen finns bland annat nycklar med about:blank och searchmaid. Tror själv att jag utan risk törs ta bort dessa men är lite osäker. Förmodligen finns även där kommandon som startar oönskade program när jag kommer in i windows.

 

Här är loggen från hijack this. Vad kan jag deleta?

 

[log]

Logfile of HijackThis v1.98.2

Scan saved at 16:08:34, on 2005-03-30

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\mocih.exe

C:\WINNT\SYSTEM32\DNTUS26.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\winnt\system32\microsoft\crypto\backup\msriff\FireDaemon.EXE

c:\winnt\system32\Microsoft\Crypto\backup\msriff\rundll16.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINNT\system32\Frn.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\WINNT\system32\atau.exe

C:\WINNT\system32\r?ndll32.exe

C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Real\RealPlayer\RealPlay.exe

C:\Program\Delade filer\Real\Update_OB\rnathchk.exe

C:\Program\Microsoft Office\Office\WINWORD.EXE

C:\hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchmaid.com/search.php?qq=%s'>http://www.searchmaid.com/search.php?qq=%s'>http://www.searchmaid.com/search.php?qq=%s'>http://www.searchmaid.com/search.php?qq=%s'>http://www.searchmaid.com/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchmaid.com/search.php?qq=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Roger1\LOKALA~1\Temp\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaid.com/search.php?qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaid.com/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmaid.com/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login1.telia.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4AA97A8D-EE6B-49F4-9BFD-A44ADC57D964} - C:\WINNT\system32\gkoe.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {AE14983F-07F6-2602-867A-5DB0C81F35CF} - C:\WINNT\system32\odtok.dll

O3 - Toolbar: @msdxmLC.dll,-1@1053,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

O4 - HKLM\..\Run: [inCD] C:\Program\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Microsoft Netview] mssvc32.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Internet Firewall Manager] GMT16.exe

O4 - HKLM\..\Run: [Microsoft Windows Depedency Rerouter] QMS32.exe

O4 - HKLM\..\Run: [Microsoft Windows Kernel Functionalities] msrundll.exe

O4 - HKLM\..\Run: [Microsoft Data Acces Objects] msdao32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [security iGuard] C:\Program\Security iGuard\Security iGuard.exe

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

O4 - HKLM\..\Run: [its] C:\WINNT\system32\Frn.exe

O4 - HKLM\..\Run: [service Host] C:\WINNT\system32\Services\{35170FDE-8E24-41B5-8A1B-F17ED3D88882}\SVCHOST.EXE

O4 - HKLM\..\Run: [khmx] C:\WINNT\khmx.exe

O4 - HKLM\..\Run: [bgk] C:\WINNT\system32\Euj.exe

O4 - HKLM\..\Run: [Aeh] C:\WINNT\Akt.exe

O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\Roger1\LOKALA~1\Temp\keep.exe

O4 - HKLM\..\Run: [Quk] C:\WINNT\system32\Rfj.exe

O4 - HKLM\..\Run: [Tps] C:\WINNT\system32\Lpv.exe

O4 - HKLM\..\Run: [bhk] C:\WINNT\system32\Uqj.exe

O4 - HKLM\..\Run: [ieh] C:\WINNT\system32\Ven.exe

O4 - HKLM\..\Run: [Kao] C:\WINNT\system32\Eje.exe

O4 - HKLM\..\Run: [Cvb] C:\WINNT\Afm.exe

O4 - HKLM\..\Run: [Pre] C:\WINNT\Dan.exe

O4 - HKLM\..\Run: [Kac] C:\WINNT\Sna.exe

O4 - HKLM\..\RunServices: [Microsoft Netview] mssvc32.exe

O4 - HKLM\..\RunServices: [Microsoft Internet Firewall Manager] GMT16.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Depedency Rerouter] QMS32.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Kernel Functionalities] msrundll.exe

O4 - HKLM\..\RunServices: [Microsoft Data Acces Objects] msdao32.exe

O4 - HKCU\..\Run: [system Soap Pro] C:\PROGRAM\SYSTEM~1\soap.exe min

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [its] C:\WINNT\system32\Frn.exe

O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {30345CF8-273A-4DAF-83E8-E61127C2DBC9} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {30345CF8-273A-4DAF-83E8-E61127C2DBC9} - (no file) (HKCU)

O15 - Trusted Zone: *.iframedollars.biz

O15 - Trusted Zone: *.slotchbar.com

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c282.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/se/win/QuickTimeFullInstaller.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB

 

[/log]

 

[Brynäsarn]

Du har en äldre version av hijackthis, ladda ner senaste versionen

här:http://www.majorgeeks.com/download3155.html ta en ny

log och lägg ut den.

 

 

 

 

 

 

 

[inlägget ändrat 2005-03-30 17:11:23 av Brynäsarn]

[Cecilia]

Oj, det var mycket i den loggen.

 

Avsluta dessa program från Aktivitetshanteraren:

DNTUS26.EXE

regsvc.exe

FireDaemon.EXE

rundll16.exe

Frn.exe

atau.exe

r?ndll32.exe

DMX6Fire.exe

 

Du har bland annat råkat ut för en trojan som stjäl data, loggar knappnedtryckningar, så du bör byta ut alla lösenord. Det står om den här:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.binghe.html

Skanna med denna online-skanning som förhoppningsvis kan ta bort filerna:

http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

Följ sedan anvisningarna för registerändringar enligt den första länken.

 

Gå till Kontrollpanelen - Lägg till och ta bort program och ta bort:

Security iGuard

Media Acess

och andra okända program.

Security iGuard är inget lämpligt program att ha, du kan läsa om det här:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

 

Ladda hem antivirus och brandvägg, finns gratis t ex från AVG, Avast resp. Sygate, Kerio.

Skanna med antivirusprogrammet och taa bort det den hittar. Stoppa alla dina otrevligheter som vill ut på internet med brndväggen, så att det inte kommer in nytt hela tiden.

 

Starta om i felsäkert läge (tryck F8 upprepade gånger under uppstarten) och skanna med antivirusprogram, Ad-aware och Spybot Search & Destroy.

 

Starta om i normalt läge. Uppdatera HijackThis till den nya versionen 1.99.1 som Brynäsaren skriver. Lägg ut en ny HijackThis-logg.

 

 

[Brynäsarn]

 

Gratis antivirusprogram kan du ladda ner här:

Avast http://www.avast.com

AVG http://www.grisoft.vom

 

Gratisversioner av brandväggar:

Sygate http://www.sygate.com

Kerio http://www.kerio.com

 

 

 

 

[Ulsy]

Tack för svaret!

De program Du ville att jag skulle stänga finns ej.

De jag skulle ta bort finns inte med under "Lägg till och ta bort program.

 

Skanna online gick inte , fick följande meddelande:

Unable to run Virus Detection

 

In order to run Virus Detection you must be using Microsoft Internet Explorer 5.0 or higher with ActiveX and Scripting enabled.

 

När jag skulle fixa i registret fanns inte det jag skulle ta bort. Men där hittade jag något som heter "sp rundll32 C:\..........\temp\se.dll, DllInstall"

 

Det verkar skumt, hur ska jag gör tro?

 

[Cecilia]

Antivirus och brandvägg först. Sedan en ny logg-fil från nya versionen av HijackThis, så får vi försöka med den direkt.

 

[Mr Boogie]

Hej,

har testat det du föreslog. Lyckades ånyo ta bort 2 trojaner när jag scannade i felsäkert läge. Men när jag skulle logga in på internet (får alltid about:blank) och ändrade till min riktiga startsida så återkom smartsecurity desc top. Har laddat ned den nyare verisonen av hijack this men tycker mig inte se någon större skillnad. Är det bara att formatera datorn tror du? Eller kan jag ta bort några nycklar ifrån hijack this?

 

[log]

Logfile of HijackThis v1.99.1

Scan saved at 19:29:04, on 2005-03-31

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\SYSTEM32\DNTUS26.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\winnt\system32\microsoft\crypto\backup\msriff\FireDaemon.EXE

C:\WINNT\system32\MSTask.exe

c:\winnt\system32\Microsoft\Crypto\backup\msriff\rundll16.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINNT\system32\Frn.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\WINNT\system32\atau.exe

C:\WINNT\system32\r?ndll32.exe

C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Internet Explorer\iexplore.exe

C:\hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchmaid.com/search.php?qq=%s'>http://www.searchmaid.com/search.php?qq=%s'>http://www.searchmaid.com/search.php?qq=%s'>http://www.searchmaid.com/search.php?qq=%s'>http://www.searchmaid.com/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchmaid.com/search.php?qq=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Roger1\LOKALA~1\Temp\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaid.com/search.php?qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaid.com/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmaid.com/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login1.telia.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4AA97A8D-EE6B-49F4-9BFD-A44ADC57D964} - C:\WINNT\system32\gkoe.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {AE14983F-07F6-2602-867A-5DB0C81F35CF} - C:\WINNT\system32\odtok.dll

O3 - Toolbar: @msdxmLC.dll,-1@1053,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

O4 - HKLM\..\Run: [inCD] C:\Program\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Microsoft Netview] mssvc32.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Internet Firewall Manager] GMT16.exe

O4 - HKLM\..\Run: [Microsoft Windows Depedency Rerouter] QMS32.exe

O4 - HKLM\..\Run: [Microsoft Data Acces Objects] msdao32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [security iGuard] C:\Program\Security iGuard\Security iGuard.exe

O4 - HKLM\..\Run: [its] C:\WINNT\system32\Frn.exe

O4 - HKLM\..\Run: [service Host] C:\WINNT\system32\Services\{35170FDE-8E24-41B5-8A1B-F17ED3D88882}\SVCHOST.EXE

O4 - HKLM\..\Run: [khmx] C:\WINNT\khmx.exe

O4 - HKLM\..\Run: [bgk] C:\WINNT\system32\Euj.exe

O4 - HKLM\..\Run: [Aeh] C:\WINNT\Akt.exe

O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\Roger1\LOKALA~1\Temp\keep.exe

O4 - HKLM\..\Run: [Quk] C:\WINNT\system32\Rfj.exe

O4 - HKLM\..\Run: [Tps] C:\WINNT\system32\Lpv.exe

O4 - HKLM\..\Run: [bhk] C:\WINNT\system32\Uqj.exe

O4 - HKLM\..\Run: [ieh] C:\WINNT\system32\Ven.exe

O4 - HKLM\..\Run: [Kao] C:\WINNT\system32\Eje.exe

O4 - HKLM\..\Run: [Cvb] C:\WINNT\Afm.exe

O4 - HKLM\..\Run: [Pre] C:\WINNT\Dan.exe

O4 - HKLM\..\Run: [Kac] C:\WINNT\Sna.exe

O4 - HKLM\..\Run: [Dmm] C:\WINNT\Bnb.exe

O4 - HKLM\..\Run: [sdh] C:\WINNT\system32\Ggc.exe

O4 - HKLM\..\Run: [Jla] C:\WINNT\system32\Oqa.exe

O4 - HKLM\..\Run: [Tgc] C:\WINNT\Elv.exe

O4 - HKLM\..\Run: [Gqs] C:\WINNT\Ovo.exe

O4 - HKLM\..\Run: [Grk] C:\WINNT\system32\Vna.exe

O4 - HKLM\..\Run: [Chv] C:\WINNT\Ral.exe

O4 - HKLM\..\Run: [Jvh] C:\WINNT\Sgt.exe

O4 - HKLM\..\Run: [Lbb] C:\WINNT\system32\Skc.exe

O4 - HKLM\..\Run: [Fck] C:\WINNT\system32\Dss.exe

O4 - HKLM\..\Run: [bvk] C:\WINNT\Usv.exe

O4 - HKLM\..\Run: [som] C:\WINNT\Cbs.exe

O4 - HKLM\..\RunServices: [Microsoft Netview] mssvc32.exe

O4 - HKLM\..\RunServices: [Microsoft Internet Firewall Manager] GMT16.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Depedency Rerouter] QMS32.exe

O4 - HKLM\..\RunServices: [Microsoft Data Acces Objects] msdao32.exe

O4 - HKCU\..\Run: [system Soap Pro] C:\PROGRAM\SYSTEM~1\soap.exe min

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [its] C:\WINNT\system32\Frn.exe

O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {30345CF8-273A-4DAF-83E8-E61127C2DBC9} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {30345CF8-273A-4DAF-83E8-E61127C2DBC9} - (no file) (HKCU)

O15 - Trusted Zone: *.iframedollars.biz

O15 - Trusted Zone: *.slotchbar.com

O15 - Trusted Zone: *.iframedollars.biz (HKLM)

O15 - Trusted Zone: *.slotchbar.com (HKLM)

O15 - Trusted IP range: 213.159.117.202

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c282.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/se/win/QuickTimeFullInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB

O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt03.com/dialer/internazionale_ver10.CAB

O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll

O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINNT\system32\mocih.exe (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE

O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINNT\system32\dev32.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: FireDaemon Service: rundll16 (rundll16) - Unknown owner - C:\winnt\system32\microsoft\crypto\backup\msriff\FireDaemon.EXE

O23 - Service: FireDaemon Service: srhost (srhost) - Unknown owner - C:\winnt\system32\microsoft\crypto\backup\msriff\msu\FireDaemon.EXE

 

[/log]

 

[Cecilia]

Jag tror nog att din dator ska gå att få ordning på utan formatering, ta det bara lugnt. Eftersom det är så mycket otrevligheter i den så kan det nog behövas ett antal rensningsomgångar.

 

Vad hände med antivirusprogrammet och brandväggen?

Det är säkrare att låta ett antivirusprogram ta bort otrevligheterna än att låta HijackThis göra det, men visst går det i alla fall.

 

Läs här om något du har fått in:

DNTUS26.exe program is part of DameWare Mini Remote Control. A lightweight remote control intended primarily for administrators and help desks for quick and easy deployment without external dependencies and machine reboot. It is entirely possible that this program was installed on your machine without your knowledge. If so, it is imperative that you change all your passwords for the administrator level user. If you do not have any passwords set for your computer, then it is not necessary to change any passwords. I recommend removing this, unless you, as administrator, use it daily. It can be used to remotely control your computer.

Källa: http://www.mytechsupport.ca/support/topic.asp?TOPIC_ID=8207

 

Var säker på att du förstår allt nedan innan du fortsätter, fråga annars.

 

I Kontrollpanelen - Lägg till och ta bort program, se efter om dessa finns:

Httper

Zipdix

Soap

Security iGuard

Media Acess

liknande namn

okända program

I så fall ta bort dem.

 

Dra ur internetanslutningen.

[log]Kör HijackThis och skanna. Bocka för dessa rader (om de finns kvar):

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchmaid.com/search.php?qq=%s'>http://www.searchmaid.com/search.php?qq=%s'>http://www.searchmaid.com/search.php?qq=%s'>http://www.searchmaid.com/search.php?qq=%s'>http://www.searchmaid.com/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchmaid.com/search.php?qq=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Roger1\LOKALA~1\Temp\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaid.com/search.php?qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaid.com/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmaid.com/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {4AA97A8D-EE6B-49F4-9BFD-A44ADC57D964} - C:\WINNT\system32\gkoe.dll (file missing)

O2 - BHO: (no name) - {AE14983F-07F6-2602-867A-5DB0C81F35CF} - C:\WINNT\system32\odtok.dll

O4 - HKLM\..\Run: [Microsoft Netview] mssvc32.exe

O4 - HKLM\..\Run: [Microsoft Internet Firewall Manager] GMT16.exe

O4 - HKLM\..\Run: [Microsoft Windows Depedency Rerouter] QMS32.exe

O4 - HKLM\..\Run: [Microsoft Data Acces Objects] msdao32.exe

O4 - HKLM\..\Run: [security iGuard] C:\Program\Security iGuard\Security iGuard.exe

O4 - HKLM\..\Run: [its] C:\WINNT\system32\Frn.exe

O4 - HKLM\..\Run: [service Host] C:\WINNT\system32\Services\{35170FDE-8E24-41B5-8A1B-F17ED3D8

8882}\SVCHOST.EXE

O4 - HKLM\..\Run: [khmx] C:\WINNT\khmx.exe

O4 - HKLM\..\Run: [bgk] C:\WINNT\system32\Euj.exe

O4 - HKLM\..\Run: [Aeh] C:\WINNT\Akt.exe

O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\Roger1\LOKALA~1\Temp\keep.exe

O4 - HKLM\..\Run: [Quk] C:\WINNT\system32\Rfj.exe

O4 - HKLM\..\Run: [Tps] C:\WINNT\system32\Lpv.exe

O4 - HKLM\..\Run: [bhk] C:\WINNT\system32\Uqj.exe

O4 - HKLM\..\Run: [ieh] C:\WINNT\system32\Ven.exe

O4 - HKLM\..\Run: [Kao] C:\WINNT\system32\Eje.exe

O4 - HKLM\..\Run: [Cvb] C:\WINNT\Afm.exe

O4 - HKLM\..\Run: [Pre] C:\WINNT\Dan.exe

O4 - HKLM\..\Run: [Kac] C:\WINNT\Sna.exe

O4 - HKLM\..\Run: [Dmm] C:\WINNT\Bnb.exe

O4 - HKLM\..\Run: [sdh] C:\WINNT\system32\Ggc.exe

O4 - HKLM\..\Run: [Jla] C:\WINNT\system32\Oqa.exe

O4 - HKLM\..\Run: [Tgc] C:\WINNT\Elv.exe

O4 - HKLM\..\Run: [Gqs] C:\WINNT\Ovo.exe

O4 - HKLM\..\Run: [Grk] C:\WINNT\system32\Vna.exe

O4 - HKLM\..\Run: [Chv] C:\WINNT\Ral.exe

O4 - HKLM\..\Run: [Jvh] C:\WINNT\Sgt.exe

O4 - HKLM\..\Run: [Lbb] C:\WINNT\system32\Skc.exe

O4 - HKLM\..\Run: [Fck] C:\WINNT\system32\Dss.exe

O4 - HKLM\..\Run: [bvk] C:\WINNT\Usv.exe

O4 - HKLM\..\Run: [som] C:\WINNT\Cbs.exe

O4 - HKLM\..\RunServices: [Microsoft Netview] mssvc32.exe

O4 - HKLM\..\RunServices: [Microsoft Internet Firewall Manager] GMT16.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Depedency Rerouter] QMS32.exe

O4 - HKLM\..\RunServices: [Microsoft Data Acces Objects] msdao32.exe

O4 - HKCU\..\Run: [system Soap Pro] C:\PROGRAM\SYSTEM~1\soap.exe min

O4 - HKCU\..\Run: [its] C:\WINNT\system32\Frn.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {30345CF8-273A-4DAF-83E8-E61127C2DBC9} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {30345CF8-273A-4DAF-83E8-E61127C2DBC9} - (no file) (HKCU)

O15 - Trusted Zone: *.iframedollars.biz

O15 - Trusted Zone: *.slotchbar.com

O15 - Trusted Zone: *.iframedollars.biz (HKLM)

O15 - Trusted Zone: *.slotchbar.com (HKLM)

O15 - Trusted IP range: 213.159.117.202

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c282

.cab

O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB

O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt03.com/dialer/internazionale_ver10.CAB

O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll

O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINNT\system32\mocih.exe (file missing)

O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE

O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINNT\system32\dev32.exe (file missing)

O23 - Service: FireDaemon Service: rundll16 (rundll16) - Unknown owner - C:\winnt\system32\microsoft\crypto\backup\msriff\FireDaemon.

EXE

O23 - Service: FireDaemon Service: srhost (srhost) - Unknown owner - C:\winnt\system32\microsoft\crypto\backup\msriff\msu\FireDae

mon.EXE

 

Avsluta alla program och fönster förutom HijackThis.

 

Tryck på Fix checked.

 

Starta om i felsäkert läge (F8 upprepade gånger under uppstarten).

 

Ställ in Utforskaren så att du kan se alla filer:

Verktyg - (Mapp)alternativ eller liknande - Visning

Välj Visa dolda filer och mappar

Avbocka Dölj filnamnstillägg för kända filtyper

Avbocka Dölj skyddade operativsystemfiler

 

Ta bort dessa filer om de finns kvar (om det inte står någon mapp så får du leta reda på dem, troligen i C:\WINNT\system32 eller C:\WINNT):

C:\WINNT\system32\gkoe.dll

C:\WINNT\system32\odtok.dll

mssvc32.exe

GMT16.exe

QMS32.exe

msdao32.exe

C:\WINNT\khmx.exe

C:\WINNT\system32\Euj.exe

C:\WINNT\Akt.exe

C:\WINNT\system32\Frn.exe

C:\WINNT\system32\Rfj.exe

C:\WINNT\system32\Lpv.exe

C:\WINNT\system32\Uqj.exe

C:\WINNT\system32\Ven.exe

C:\WINNT\system32\Eje.exe

C:\WINNT\Afm.exe

C:\WINNT\Dan.exe

C:\WINNT\Sna.exe

C:\WINNT\Bnb.exe

C:\WINNT\system32\Ggc.exe

C:\WINNT\system32\Oqa.exe

C:\WINNT\Elv.exe

C:\WINNT\Ovo.exe

C:\WINNT\system32\Vna.exe

C:\WINNT\Ral.exe

C:\WINNT\Sgt.exe

C:\WINNT\system32\Skc.exe

C:\WINNT\system32\Dss.exe

C:\WINNT\Usv.exe

C:\WINNT\Cbs.exe

C:\PROGRAM\SYSTEM~1\soap.exe (där ~1 står för ett antal godtyckliga tecken)

C:\WINNT\SYSTEM32\drct16.dll

C:\WINNT\system32\mocih.exe

C:\WINNT\system32\DNTUS26.EXE

C:\WINNT\system32\DWRCS.EXE

C:\WINNT\system32\DWRCS.INI

C:\WINNT\system32\DWRCK.DLL

C:\WINNT\system32\DWRCSET.DLL

C:\WINNT\system32\DWRCSHELL.DLL

C:\WINNT\system32\dev32.exe

C:\winnt\system32\microsoft\crypto\backup\msriff\FireDaemon.

EXE

C:\WINNT\system32\r?ndll32.exe Obs! Ej rundll32.exe

 

Ta bort dessa mappar om de finns kvar:

C:\Program\Security iGuard

C:\WINNT\system32\Services\{35170FDE-8E24-41B5-8A1B-F17ED3D8

8882}

C:\Program\Httper

C:\Program Files\Httper

C:\Program\Zipdix

C:\Program Files\Zipdix

C:\PROGRAM\SYSTEM~1 (mappen där soap.exe fanns)

 

Töm denna mapp:

C:\DOCUME~1\Roger1\LOKALA~1\Temp

där ~1 står för ett antal godtyckliga tecken.

 

Starta om datorn i normalt läge och ta ut en ny HijackThis-logg.

Anslut internet igen.

Skriv i ditt svar här vad du har gjort, hur det har gått samt bifoga den nya loggen.[/log]

 

[Mr Boogie]

Tack för all information. Har installerat avast antivirus och sygate firewall.

Har scannat datorn ett antal gånger även med macafee och panda virusscan. Dek top problemen kvarstår fortfarande. Kan inte ändra mitt skrivbordunderlägg, vilket förmodligen är en trojan i sig. Har inte sett till desk topen med smartsecurity reklamen har inte varit synlig nu på ett tag.

Har vid ett flertal tillfällen tagit bort en trojan med namnet AdClicker-CK som hittats i filer med namnen desktop.htt och desktop.html. Antagligen är det där problemet finns.

 

Har även tagit bort dntus26.exe och firedaemon men de tycks åter finnas med i loggen. Hittade även svchost i sytem32 katalogen men blev osäker om jag skulle ta bort den eller ej, men jag antar att den skall bort? Funderar även på en fil som ligger i c:\winnt katalogen och heter a95kfrhe.exe och i temp katalogen finns även en fil som heter shagent-cdt1004.exe och båda har samma röda ikon. Antar att de skall tas bort?

 

Blev också lite osäker när du skrev att jag skulle tömma c.\docume~1\roger1\lokala~1\temp. Hittade ingen sådan katalog. Antar att du inte menade den vanliga tempkatalogen? Allstå den med lokala inställningar?

 

Verkar vara hopplöst. Kanske lika bra att kasta in handuken?

 

En sista fråga. Jag har inget password till min dator men väl till min internetuppkoppling, men den skriver jag aldrig in med tangenterna utan klickar fram med musen. Borde jag ändra på min inloggning iaf?

 

Här kommer iaf den nya loggen.

 

[log]

Logfile of HijackThis v1.99.1

Scan saved at 19:54:00, on 2005-04-01

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program\Sygate\SPF\smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program\Alwil Software\Avast4\aswUpdSv.exe

C:\Program\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program\Alwil Software\Avast4\ashWebSv.exe

C:\Program\Alwil Software\Avast4\ashMaiSv.exe

C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\ALWILS~1\Avast4\ashDisp.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\WINNT\system32\atau.exe

C:\WINNT\system32\r?ndll32.exe

C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

C:\hijack this\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login1.telia.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: @msdxmLC.dll,-1@1053,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

O4 - HKLM\..\Run: [inCD] C:\Program\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [smcService] C:\Program\Sygate\SPF\smc.exe -startgui

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/se/win/QuickTimeFullInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINNT\system32\mocih.exe (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - Unknown owner - C:\WINNT\SYSTEM32\DNTUS26.EXE (file missing)

O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINNT\system32\dev32.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: FireDaemon Service: rundll16 (rundll16) - Unknown owner - C:\winnt\system32\microsoft\crypto\backup\msriff\FireDaemon.EXE (file missing)

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program\Sygate\SPF\smc.exe

O23 - Service: FireDaemon Service: srhost (srhost) - Unknown owner - C:\winnt\system32\microsoft\crypto\backup\msriff\msu\FireDaemon.EXE

 

[/log]

 

[Mr Boogie]

Atau.exe

Winlogon.exe

Svchost.exe

rÅndll32.exe

 

Körs i aktivitetshanteraren. Vilka av dessa borde bort?

 

[Brynäsarn]

Verkar vara hopplöst,kanske lika bra att kasta in handduken

 

Nejdå, inte skall du kasta in handduken,med lite tålamod ordnar

det sig,även om det kanske ser hopplöst ut just nu.

 

 

 

 

[inlägget ändrat 2005-04-02 13:18:50 av Brynäsarn]

[Cecilia]

Bra att du har installerat antivirus och brandvägg.

 

Hittade även svchost i sytem32 katalogen men blev osäker om jag skulle ta bort den eller ej, men jag antar att den skall bort?

Nej, det är en riktig och viktig Windows-fil.

 

a95kfrhe.exe och shagent-cdt1004.exe är delar av spionprogrammet AdWare.Sahat.o troligen.

 

Blev också lite osäker när du skrev att jag skulle tömma c.\docume~1\roger1\lokala~1\temp. Hittade ingen sådan katalog. Antar att du inte menade den vanliga tempkatalogen? Allstå den med lokala inställningar?

~1 står för ett antal godtyckliga tecken, det brukar vara (åtminstone på en XP-dator):

c:\Documents and Settings\roger1\Lokala inställningar\Temp

dvs Temp-mappen i Lokala inställningar, inte med lokala inställningar.

 

Verkar vara hopplöst. Kanske lika bra att kasta in handuken?

Oh nej då, instämmer helt med Brynäsarn. Loggen ser mycket mycket bättre ut nu. Nu står det file missing efter en av FireDaemon och DNTUS26 så de några filer är borta nu och loggen är mycket kortare.

 

Borde jag ändra på min inloggning iaf?

Jag vet inte exakt vad spionprogrammet kan få fram, men jag skulle nog göra det för säkerhets skull. Likaså passwords till olika internet-sidor, internet-bank och liknande.

 

Dra ur internetanslutningen.

[log]Skanna med HijackThis och bocka för:

 

O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINNT\system32\mocih.exe (file missing)

O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - Unknown owner - C:\WINNT\SYSTEM32\DNTUS26.EXE (file missing)

O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINNT\system32\dev32.exe (file missing)

O23 - Service: FireDaemon Service: rundll16 (rundll16) - Unknown owner - C:\winnt\system32\microsoft\crypto\backup\msriff\FireDaemon.

EXE (file missing)

O23 - Service: FireDaemon Service: srhost (srhost) - Unknown owner - C:\winnt\system32\microsoft\crypto\backup\msriff\msu\FireDae

mon.EXE

 

Avsluta alla program och fönster förutom HijackThis.

 

Tryck på Fix checked.

 

Starta om i felsäkert läge (F8 upprepade gånger under uppstarten).

 

Ställ in Utforskaren så att du kan se alla filer:

Verktyg - (Mapp)alternativ eller liknande - Visning

Välj Visa dolda filer och mappar

Avbocka Dölj filnamnstillägg för kända filtyper

Avbocka Dölj skyddade operativsystemfiler

 

Ta bort dessa filer om de finns kvar:

C:\WINNT\system32\atau.exe

C:\WINNT\system32\r?ndll32.exe Obs! Ej RUNDLL32.EXE men frågetecknet ska bytas ut mot något annat

c:\winnt\a95kfrhe.exe

 

Ta bort mappen:

C:\winnt\system32\microsoft\crypto\backup\msriff

 

Töm mappen:

c:\Documents and Settings\roger1\Lokala inställningar\Temp

 

Kör en skanning med Avast. Skriv ner om den hittar något som den inte kan ta bort, fil + otrevlighet (eller om man kan spara en logg så gör det).

 

Starta om datorn i normalt läge och anslut internet igen.

Kör de båda online-skanningarna, skriv ner om de hittar något som de inte kan ta bort, fil + otrevlighet.

 

Starta om datorn och ta ut en ny HijackThis-logg.

Skriv i ditt svar här vad du har gjort, hur det har gått, resultatet från de olika skanningarna samt bifoga den nya HijackThis-loggen.[/log]

 

[Mr Boogie]

Tack!

 

Har ny tagit bort

c:\winnt\system32\atau.exe

c:\winnt\a95kfrhe.exe

Hittade ej

r?ndll32.exe

 

Tog även bort mappen C:\winnt\system32\microsoft\crypto\backup\msriff

 

och tömde mappen:

c:\Documents and Settings\roger1\Lokala inställningar\Temp

 

det fanns en massa underkataloger, men jag vågade ej ta bort dessa.

Bl a fanns det en katalog som hette tidigare som innehöll en systemfil som hette desktop (men jag vågade inte ta bort den). Troligtvis är den filen boven i dramat?

 

Fortfarande finns det en desktop kvar (måste vara en trojan) kan ej högerklicka på skrivbordet och det går ej heller att byta underlägg via kontrollpanelen/bildskärm. Dessutom är det mycket färre ikoner där än jag hade innan. Förutom det som startar alltid internet exlorer med about:blank som startsida. Och jag upplever också att ljudet i datorn blivit lägre än förrut. Påverkas mitt ljudkort DMX6FIRE? Medge att det verkar hopplöst?

 

Körde avast scan men hittade inget och körde panda online scan som hittade en downloader.BHL trojan som oskadliggjordes.

 

Här kommer loggen från pandavirusscan:

[log]

 

Incident Status Location

 

Virus:Trj/Downloader.BHL Disinfected Operating system

Adware:Adware/nCase No disinfected C:\Temp\FLEOK

Adware:Adware/PowerScan No disinfected Windows Registry

Adware:Adware/CWS.Yexe No disinfected C:\WINNT\system32\services

Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Roger1\Application Data\sskknwrd.dll

Adware:Adware/MediaTickets No disinfected Windows Registry

Adware:Adware/IPInsight No disinfected C:\WINNT\alchem.???

Adware:Adware/SideFind No disinfected Windows Registry

Adware:Adware/Twain-Tech No disinfected C:\DOCUME~1\Roger1\LOKALA~1\Temp\THI*.tmp

Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet

Adware:Adware/TopConvert No disinfected Windows Registry

Virus:Trj/Downloader.BHL Disinfected C:\WINNT\system32\unic2_32.dll

Adware:Adware/PurityScan No disinfected C:\WINNT\system32\RNDLL3~1.EXE

Adware:Adware/IPInsight No disinfected C:\WINNT\inf\alchem.inf

Adware:Adware/SAHAgent No disinfected C:\WINNT\Downloaded Program Files\setup4002b.ini

Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\installer_SIAC.exe

Adware:Adware/Ucmore No disinfected C:\WINNT\ucmoreiex.exe

Spyware:Spyware/LocalNRD No disinfected C:\Documents and Settings\Roger1\Lokala inställningar\Temp\THI2E7B.tmp\localNrd.inf

Adware:Adware/TheLocalSearch No disinfected C:\Program\Virtual Maid\Virtual Maid.dll

Adware:Adware/PurityScan No disinfected C:\hijack this\backups\backup-20050401-180125-743.dll

Adware:Adware/SAHAgent No disinfected C:\temp\sahagent-cdt1004.exe

[/log]

 

Här kommer nya hijack this loggen:

[log]

Logfile of HijackThis v1.99.1

Scan saved at 14:31:50, on 2005-04-02

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program\Alwil Software\Avast4\aswUpdSv.exe

C:\Program\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program\Alwil Software\Avast4\ashMaiSv.exe

C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\ALWILS~1\Avast4\ashDisp.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program\Alwil Software\Avast4\ashWebSv.exe

C:\WINNT\system32\r?ndll32.exe

C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

C:\Program\Microsoft Office\Office\WINWORD.EXE

C:\hijack this\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login1.telia.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: @msdxmLC.dll,-1@1053,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

O4 - HKLM\..\Run: [inCD] C:\Program\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [smcService] C:\Program\Sygate\SPF\smc.exe -startgui

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/se/win/QuickTimeFullInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB

O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINNT\system32\mocih.exe (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - Unknown owner - C:\WINNT\SYSTEM32\DNTUS26.EXE (file missing)

O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINNT\system32\dev32.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: FireDaemon Service: rundll16 (rundll16) - Unknown owner - C:\winnt\system32\microsoft\crypto\backup\msriff\FireDaemon.EXE (file missing)

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program\Sygate\SPF\smc.exe

O23 - Service: FireDaemon Service: srhost (srhost) - Unknown owner - C:\winnt\system32\microsoft\crypto\backup\msriff\msu\FireDaemon.EXE (file missing)

 

[/log]

 

[Mr Boogie]

Atau.exe finns fortfarande i aktivitetshanteraren. Har avslutat den nu, men den startar tydligen upp när jag går in i windows.

 

[Cecilia]

Det ska vara riskfritt att ta bort även underkatalogerna till Temp, men mappen Tidigare innehåller nog sidor som du har besökt tidigare med Internet Explorer, min innehåller även en desktop.ini som är konfigurationsinställningar för hur mappen ska visas (har dock XP). Du kan titta på innehållet i filen med hjälp av Anteckningar. Min ser ut så här:

[.ShellClassInfo]

UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}

CLSID={FF393560-C2A7-11CF-BFF4-444553540000}

 

Du har fått in en ActiveX-komponent ser jag i loggen, se över dina inställningar i Internet Explorer. Verktyg - Internet-alternativ - Säkerhet - Internet - Anpassad nivå

Ändra Hämta (o)signaerade ActiveX-kontroller och allt annat som har med ActiveX till Fråga, så att du blir tillfrågad om du vill ladda ner dem.

 

Det var mycket som Panda hittade och inte kunde ta bort, mycket annons- och spionprogram. Ladda hem och kör antispionprogrammen Ad-aware och Spybot - Search & Destroy (det har du visst redan, kolla att det är senaste versionen):

http://www.lavasoftusa.com/support/download/

http://www.safer-networking.org/en/download/index.html

Så får vi se om de kan rensa bort en del av dem, ta bort allt kritiskt resp. rödmarkerat. Finns det saker de inte kan ta bort så kör programmen i felsäkert läge också.

 

Se efter att det inte finns något i Kontrollpanelen - Lägg till och ta bort som påminner om otrevligheterna som Panda hittar, i så fall ta bort programmen.

 

Fixa denna rad i HijackThis:

O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB

 

Starta om i felsäkert läge.

I Kontrollpanelen välj Internetalternativ och välj Ta bort filer, kryssa i rutan och tryck Ok, välj Rensa tidigare. Töm Temp-mappen som tidigare, töm C:\Temp och ta bort alla filer som Panda klagade på utom filen C:\hijack this\backups\backup-20050401-180125-743.dll.

 

Starta om i normalt läge och skanna med Panda igen. Rapportera resultatet samt bifoga en ny HijackThis-logg.

 

[Mr Boogie]

Det här var knepigt. Hittar inga program som ser misstänkta ut i lägg till/ta bort program.

 

Har nu rensat det mesta från pandascannen. Men vissa filer hittade jag ej.

Tog tex åter bort filen atau.exe.

 

Har även ändrat AcitveX-kontrollern. Lyckades ta bort några spyware i spyboot bla smartsecurity men problemen kvarstår. Har fortfarande kvar min oönskade desktop. Tog INTE bort alla underkataloger till temp katalogen utan endast den som panda klagade på. Eftersom du sa åt mig att inte ta bort underkatalogen Tidigare. Dessutom finns ju underkatalogen cookies där. Var in och läste på desktop.ini som finns i underkatalogen Tidigare och där fanns samma information som på din dator. Men nu har jag upptäckt ytterligare en desktop.ini som finns i mina dokument katalogen. Var in och kollade i den men den var tom. Skall jag ta bort den filen tror du?

 

Varje gång jag kör pandavirusscan så hittar den trj/Downloader.BHL. Den tycks alltid återkomma eller också försvinner den aldrig. Körde även macafee virusscan och där hittade datorn en trojan med namn downloader-IQ. Men det är förmodligen samma trojan?

 

AdAware tycks inte kunna ta bort något från registry och jag vet inte det kanske är där felet sitter?

 

Verkar vara nåt oåterkalligt fel. Nu är formatering nära.

 

Här kommer min senaste pandalogg

 

[log]

 

 

Incident Status Location

 

Virus:Trj/Downloader.BHL Disinfected Operating system

Adware:Adware/nCase No disinfected C:\Temp\FLEOK

Adware:Adware/CWS No disinfected Windows Registry

Adware:Adware/IPInsight No disinfected C:\WINNT\alchem.???

Adware:Adware/SideFind No disinfected Windows Registry

Virus:Trj/Downloader.BHL Disinfected C:\WINNT\system32\unic2_32.dll

Adware:Adware/PurityScan No disinfected C:\WINNT\system32\RNDLL3~1.EXE

Adware:Adware/SAHAgent No disinfected C:\WINNT\Downloaded Program Files\setup4002b.ini

Adware:Adware/PurityScan No disinfected C:\hijack this\backups\backup-20050401-180125-743.dll

 

 

[/log]

 

 

Här kommer min sensate hijack this logg:

 

 

[log]

 

Logfile of HijackThis v1.99.1

Scan saved at 12:12:07, on 2005-04-03

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program\Sygate\SPF\smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program\Alwil Software\Avast4\aswUpdSv.exe

C:\Program\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program\Alwil Software\Avast4\ashWebSv.exe

C:\Program\Alwil Software\Avast4\ashMaiSv.exe

C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\ALWILS~1\Avast4\ashDisp.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\WINNT\system32\r?ndll32.exe

C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

C:\hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login1.telia.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: @msdxmLC.dll,-1@1053,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

O4 - HKLM\..\Run: [inCD] C:\Program\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [smcService] C:\Program\Sygate\SPF\smc.exe -startgui

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/se/win/QuickTimeFullInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINNT\system32\mocih.exe (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - Unknown owner - C:\WINNT\SYSTEM32\DNTUS26.EXE (file missing)

O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINNT\system32\dev32.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: FireDaemon Service: rundll16 (rundll16) - Unknown owner - C:\winnt\system32\microsoft\crypto\backup\msriff\FireDaemon.EXE (file missing)

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program\Sygate\SPF\smc.exe

O23 - Service: FireDaemon Service: srhost (srhost) - Unknown owner - C:\winnt\system32\microsoft\crypto\backup\msriff\msu\FireDaemon.EXE (file missing)

 

[/log]

 

[Zipp.]

Starta datorn i felsäkert läge

Skriv i Kör fältet services.msc sen Ok

Leta efter dom här services

 

Trace network connections (ACCRA)

DameWare NT Utilities 2.6 (DNTUS26)

Provides three management service (FreeBSD)

FireDaemon Service: rundll16 (rundll16)

FireDaemon Service: srhost (srhost)

 

 

Dubbelklicka på dom och sen Stoppa dom

Sen ändra Startmetod till Inaktiverad

Klicka Verkställ och sen Ok

 

Starta sen normalt.

 

Scanna datorn sen med denna scanner

 

http://www.spywareinfo.dk/download/mwav.exe

 

Dubbelklicka på mwav.exe sen klicka Unzip och den skapar automatiskt en ny mapp C:\Kapersky

Sen öppna Kapersky mappen och dubbelklicka på kavupd.exe och leta uppdateringar.

När den är klar så tryck på nån tangent och det blir automatiskt 2 nya mappar på C:\

 

C:\Bases

C:\Downloads

 

Öppna Downloads mappen och måla alla filer och Klipp ut

Klicka på Kapersky mappen och klistra in och svara ja till alla.

Sen öppna Kapersky mappen och dubbelklicka på mwavscan.com

Bocka i Drive och Scan All Files.

Sen klicka på Scan och låt den scanna klart.(kan ta upp till 2 timmar)

Kopiera det som blir i nedre fönster.

Först måla svart sen Ctrl+C (kopiera)

Sen Ctrl+V (klista in)

 

 

Starta om datorn efter scannen och sen skicka en ny Hijack logg och loggen från scannen (nedre fönster)

 

 

[Mr Boogie]

Har nu Inaktiverat

 

Trace network connections (ACCRA)

DameWare NT Utilities 2.6 (DNTUS26)

Provides three management service (FreeBSD)

FireDaemon Service: rundll16 (rundll16)

FireDaemon Service: srhost (srhost)

 

Och kört en kaspersky scan. Trots att jag tagit bort en massa trojaner åter igen kvarstår mina problem med min desktop och att min internet uppkoppling startar med en tom sida. Vad göra? Verkar inte går få bort detta elände.

 

Får detta meddelande i min brandvägg: system32\x3yy\nkdhoipx.exe is trying to connect to update.com. Jag nekar då tillträde till nätverket. Är detta något spyware?

 

Här är loggen från Kaspersky scannen (obs att jag tog bort FIREDAEMON.exe efteråt i felsäkert läge)

 

[log]

File C:\WINNT\popup.html infected by "Trojan-Clicker.Win32.Spywad.b" Virus. Action Taken: File Deleted.

File C:\WINNT\Igo.html infected by "Trojan-Clicker.Win32.Spywad.b" Virus. Action Taken: File Deleted.

File C:\WINNT\She.html infected by "Trojan-Clicker.Win32.Spywad.b" Virus. Action Taken: File Deleted.

File C:\WINNT\Nvd.html infected by "Trojan-Clicker.Win32.Spywad.b" Virus. Action Taken: File Deleted.

File C:\WINNT\Div.html infected by "Trojan-Clicker.Win32.Spywad.b" Virus. Action Taken: File Deleted.

File C:\WINNT\Tbq.html infected by "Trojan-Clicker.Win32.Spywad.b" Virus. Action Taken: File Deleted.

File C:\WINNT\system32\unic2_32.dll infected by "Trojan-Downloader.Win32.Small.aph" Virus. Action Taken: File to be deleted on reboot.

File C:\WINNT\system32\Microsoft\Crypto\ISA\firedaemon.exe tagged as not-a-virus:RiskWare.RemoteAdmin.RA.3826. No Action Taken.

File C:\WINNT\system32\Microsoft\Crypto\ISA\ServUDaemon.ini infected by "Backdoor.Win32.ServU-based" Virus. Action Taken: File Renamed.

File C:\hijack this\backups\backup-20050401-180125-743.dll tagged as not-a-virus:AdWare.PurityScan.ak. No Action Taken.

File C:\hijack this\backups\backup-20050403-085447-695.dll infected by "Trojan-Clicker.Win32.Adpower.n" Virus. Action Taken: File Deleted.

File C:\hijack this\backups\backup-20050401-180125-285.dll infected by "Trojan-Clicker.Win32.Adpower.n" Virus. Action Taken: File Deleted.

File C:\cdrlab\CDR_label41 crack.zip tagged as not-a-virus:KeyGen.Win32.CDRLabel.41. No Action Taken.

File C:\cdrlab\cr-cdl41.exe tagged as not-a-virus:KeyGen.Win32.CDRLabel.41. No Action Taken.

File D:\System Volume Information\_restore{4A82E62B-BDC1-4FE2-B962-DB614C7873DE}\RP8\A0003116.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Cubase 5 full Uppackad\cubase5.r00 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\VST Plugins2\Steinberg UltraVox VST v1.0\Steinberg UltraVox VST v1.0\SETUPVOX.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\VST Plugins2\Steinberg QuadraFuzz v1.0\Steinberg QuadraFuzz v1.0\SETUPQFZ.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\VST Plugins2\Steinberg Mastering Edition v1.0\Steinberg Mastering Edition v1.0\SETUPSME.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\VST Plugins2\Steinberg Magneto v1.1\Steinberg Magneto v1.1\SETUPMAG.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\VST Plugins2\Steinberg Loudness Maximizer v1.20\Steinberg Loudness Maximizer v1.20\LOUDNESS.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\VST Plugins2\Steinberg GRM Tools VST v1.0\Steinberg GRM Tools VST v1.0\SETUPGRM.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\VST Plugins2\Steinberg FreeFilter v1.0\Steinberg FreeFilter v1.0\FFSETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\VST Plugins2\Steinberg Denoiser v1.51\Steinberg Denoiser v1.51\DENOISER.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\VST Plugins2\Steinberg DeClicker v1.21\Steinberg DeClicker v1.21\SETUPDCL.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\VST Plugins2\Steinberg Clean v1.0\Steinberg Clean v1.0\SETUPCLN.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\VST Plugins2\Steinberg Bbox v1.0\Steinberg Bbox v1.0\SETUPBB.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\Ultrafunk Sonitus FX Pack V1\SETUPSON.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\TimeWorks\TimeworksPhaser\SETUPPHZ.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\TimeWorks\TimeWorksMasterEQ\TimeWorksMasterEQ.eXe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\TC ej\TC nativ Eq\SETUPTEQ.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\TC ej\TC Native Reverb\SETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\TC ej\TC Native Essentials v1.02\SETUPTCE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\TC Native Bundle v2.0\SETUPTCB.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\T-Racks v1.10\SETUPTRK.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\Steinberg GRM Tools VST v1.0\SETUPGRM.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\Sonic Foundry XFX3 v1.0b\SETUPFX3.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\Sonic Foundry XFX2 v1.0b\SETUPFX2.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\Sonic Foundry XFX1 v1.0b\SETUPFX1.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\Quartz DX Plugin Pack 3\SetupFX3.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\Quartz DX Plugin Pack 2\SetupFX2.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\Quartz DX Plugin Pack 1\SetupFX1.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\Db Pro Comp Vst\SETUPPCV.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\kopiera\Plug-ins\Db Pro Comp Dx\SETUPPCX.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\Dump\cr-cdl41.exe tagged as not-a-virus:KeyGen.Win32.CDRLabel.41. No Action Taken.

 

[/log]

 

Här kommer nya Hijack this loggen

 

[log]

 

Logfile of HijackThis v1.99.1

Scan saved at 17:14:55, on 2005-04-03

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program\Sygate\SPF\smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program\Alwil Software\Avast4\aswUpdSv.exe

C:\Program\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program\Alwil Software\Avast4\ashWebSv.exe

C:\WINNT\Explorer.EXE

C:\Program\Alwil Software\Avast4\ashMaiSv.exe

C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\ALWILS~1\Avast4\ashDisp.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\WINNT\system32\r?ndll32.exe

C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

C:\hijack this\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login1.telia.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: @msdxmLC.dll,-1@1053,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [smcService] C:\Program\Sygate\SPF\smc.exe -startgui

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/se/win/QuickTimeFullInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program\Sygate\SPF\smc.exe

 

 

[/log]

 

[Zipp.]

Jag tror att du har fått nån ny variant i datorn som inte upptäckts av olika antivirusprogram.

Då är det svårt att veta vad man ska ta bort och var.

 

Scanna dessa filer

 

C:\WINNT\system32\r?ndll32.exe

C:\WINNT\system32\x3yy\nkdhoipx.exe

 

Här och meddela resultat

 

http://virusscan.jotti.org/

 

Finns det nåt annat i C:\WINNT\system32\x3yy\ mappen eller bara nkdhoipx.exe

 

 

Skicka en StartupList logg från Hijackken

Config..> Misc Tools

Bocka i dom 2 små rutor

List also...

List empty...

Sen scanna

 

 

 

[inlägget ändrat 2005-04-03 18:19:40 av Zipp.]

[Mr Boogie]

Hittade inte

 

C:\WINNT\system32\r?ndll32.exe

C:\WINNT\system32\x3yy\nkdhoipx.exe

 

Så jag kunde inte scanna dess filer. Hittade inte ens katalogen x3yy.

 

Startade dock i felsäkert läge och ställde om visningen av filer och mappar. Hittade då en sak som gjorde mig misstänksam. Det fanns 2 filer som hette rundll32.exe och en hade en suddig ikon och var mycket större.

Atau.exe hade tex också en suddig ikon. Dessutom hade filen info om att filen var senast ändrad 28/3 -05 och kan det gjorde mig ännu mer misstänkt eftersom jag tror det var den dagen eller dagen efter jag fick in viruset. Men jag vågade inte ta bort den filen.

 

Verkar inte gå fixa detta.

 

Här kommer startuplist loggen:

 

[log]

 

StartupList report, 2005-04-03, 20:55:04

StartupList version: 1.52.2

Started from : C:\hijack this\HijackThis.EXE

Detected: Windows 2000 SP4 (WinNT 5.00.2195)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program\Sygate\SPF\smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program\Alwil Software\Avast4\aswUpdSv.exe

C:\Program\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program\Alwil Software\Avast4\ashMaiSv.exe

C:\WINNT\Explorer.EXE

C:\Program\Alwil Software\Avast4\ashWebSv.exe

C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\ALWILS~1\Avast4\ashDisp.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\WINNT\system32\r?ndll32.exe

C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

C:\Program\Internet Explorer\iexplore.exe

C:\hijack this\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\Roger1\Start-meny\Program\Autostart]

*No files*

 

Shell folders AltStartup:

*Folder not found*

 

User shell folders Startup:

*Folder not found*

 

User shell folders AltStartup:

*Folder not found*

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start-meny\Program\Autostart]

DMX 6fire 2496 ControlPanel.lnk = C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

 

Shell folders Common AltStartup:

*Folder not found*

 

User shell folders Common Startup:

*Folder not found*

 

User shell folders Alternate Common Startup:

*Folder not found*

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

Synchronization Manager = mobsync.exe /logon

NvCplDaemon = RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

nwiz = nwiz.exe /install

LVCOMS = C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

NeroCheck = C:\WINNT\system32\NeroCheck.exe

QuickTime Task = "C:\Program\QuickTime\qttask.exe" -atboottime

TkBellExe = "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

avast! = C:\Program\ALWILS~1\Avast4\ashDisp.exe

SmcService = C:\Program\Sygate\SPF\smc.exe -startgui

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

NvMediaCenter = RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

[OptionalComponents]

*No values found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\scrfile\shell\open\command

 

(Default) = "%1" /S

 

--------------------------------------------------

 

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

 

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

 

--------------------------------------------------

 

File association entry for .TXT:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

 

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

 

--------------------------------------------------

 

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

 

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

 

[>{26923b43-4d38-484f-9b9e-de460746276c}] *

StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

 

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

 

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *

StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

 

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

 

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

 

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *

StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

 

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

 

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

 

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *

StubPath = regsvr32.exe /s /n /i:U shell32.dll

 

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = %SystemRoot%\System32\ie4uinit.exe

 

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *

StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

 

--------------------------------------------------

 

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

 

*Registry key not found*

 

--------------------------------------------------

 

Load/Run keys from C:\WINNT\WIN.INI:

 

load=*INI section not found*

run=*INI section not found*

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=explorer.exe

SCRNSAVE.EXE=C:\WINNT\system32\ssmarque.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

Checking for EXPLORER.EXE instances:

 

C:\WINNT\Explorer.exe: PRESENT!

 

C:\Explorer.exe: not present

C:\WINNT\Explorer\Explorer.exe: not present

C:\WINNT\System\Explorer.exe: not present

C:\WINNT\System32\Explorer.exe: not present

C:\WINNT\Command\Explorer.exe: not present

C:\WINNT\Fonts\Explorer.exe: not present

 

--------------------------------------------------

 

Checking for superhidden extensions:

 

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

 

--------------------------------------------------

 

Verifying REGEDIT.EXE integrity:

 

- Regedit.exe found in C:\WINNT

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Registereditorn'

 

Registry check passed

 

--------------------------------------------------

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\Program\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[DirectAnimation Java Classes]

CODEBASE = file://C:\WINNT\Java\classes\dajava.cab

OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

 

[Microsoft XML Parser for Java]

CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab

OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

 

[{00000075-9980-0010-8000-00AA00389B71}]

CODEBASE = http://codecs.microsoft.com/codecs/i386/voxacm.CAB

 

[QuickTime Object]

InProcServer32 = C:\Program\QuickTime\QTPlugin.ocx

CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINNT\System32\macromed\Shockwave 10\Download.dll

CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

 

[symantec AntiVirus scanner]

InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll

CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

 

[{62475759-9E84-458E-A1AB-5D2C442ADFDE}]

CODEBASE = http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/se/win/QuickTimeFullInstaller.exe

 

[symantec RuFSI Utility Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll

CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

 

[ActiveScan Installer Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll

CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

 

[update Class]

InProcServer32 = C:\WINNT\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.3293171296

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

NameSpace #1: C:\WINNT\System32\rnr20.dll

NameSpace #2: C:\WINNT\System32\winrnr.dll

Protocol #1: C:\WINNT\system32\msafd.dll

Protocol #2: C:\WINNT\system32\msafd.dll

Protocol #3: C:\WINNT\system32\msafd.dll

Protocol #4: C:\WINNT\system32\rsvpsp.dll

Protocol #5: C:\WINNT\system32\rsvpsp.dll

Protocol #6: C:\WINNT\system32\msafd.dll

Protocol #7: C:\WINNT\system32\msafd.dll

Protocol #8: C:\WINNT\system32\msafd.dll

Protocol #9: C:\WINNT\system32\msafd.dll

Protocol #10: C:\WINNT\system32\msafd.dll

Protocol #11: C:\WINNT\system32\msafd.dll

 

--------------------------------------------------

 

Enumerating Windows NT/2000/XP services

 

Trace network connections: C:\WINNT\system32\mocih.exe (disabled)

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)

Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)

Alerter: %SystemRoot%\System32\services.exe (manual start)

Application Management: %SystemRoot%\system32\services.exe (manual start)

aswRdr: \??\C:\WINNT\system32\drivers\aswRdr.sys (manual start)

avast! iAVS4 Control Service: "C:\Program\Alwil Software\Avast4\aswUpdSv.exe" (autostart)

RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)

Standard-IDE/ESDI-hårddiskstyrenhet: System32\DRIVERS\atapi.sys (system)

ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)

Ljud-stub-drivrutin: System32\DRIVERS\audstub.sys (manual start)

avast! Antivirus: "C:\Program\Alwil Software\Avast4\ashServ.exe" (autostart)

avast! Mail Scanner: "C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)

avast! Web Scanner: "C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)

Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)

Computer Browser: %SystemRoot%\System32\services.exe (autostart)

Avkodare för dold text: system32\drivers\ccdecode.sys (manual start)

CD-ROM-drivrutin: System32\DRIVERS\cdrom.sys (system)

Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)

ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)

DHCP Client: %SystemRoot%\System32\services.exe (autostart)

Diskdrivrutin: System32\DRIVERS\disk.sys (system)

Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)

dmboot: System32\drivers\dmboot.sys (disabled)

Drivrutin för hanterare för logiska diskar: System32\DRIVERS\dmio.sys (system)

Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)

Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)

DMX6fire WDM Audio: system32\drivers\dmx6fire.sys (manual start)

DNS Client: %SystemRoot%\System32\services.exe (autostart)

DameWare NT Utilities 2.6: %SYSTEMROOT%\SYSTEM32\DNTUS26.EXE (disabled)

Event Log: %SystemRoot%\system32\services.exe (autostart)

COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)

Fax Service: %systemroot%\system32\faxsvc.exe (manual start)

Drivrutin för diskettstyrenhet: System32\DRIVERS\fdc.sys (manual start)

Diskettdrivrutin: System32\DRIVERS\flpydisk.sys (manual start)

Provides three management service: C:\WINNT\system32\dev32.exe (disabled)

Drivrutin för volymhanterare: System32\DRIVERS\ftdisk.sys (system)

Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)

Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)

hardlock: \??\C:\WINNT\system32\drivers\hardlock.sys (autostart)

Haspnt: \??\C:\WINNT\system32\drivers\Haspnt.sys (autostart)

hpt3xx: System32\DRIVERS\hpt3xx.sys (system)

hptpro: System32\DRIVERS\hptpro.sys (system)

Drivrutin för i8042 Keyboard och PS/2 Mouse Port: System32\DRIVERS\i8042prt.sys (system)

IntelIde: System32\DRIVERS\intelide.sys (system)

IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)

IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)

IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)

IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)

IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)

Drivrutin för Pnp ISA/EISA-buss: System32\DRIVERS\isapnp.sys (system)

Tangentbordsklassdrivrutin: System32\DRIVERS\kbdclass.sys (system)

Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)

Server: %SystemRoot%\System32\services.exe (autostart)

Workstation: %SystemRoot%\System32\services.exe (autostart)

TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)

Messenger: %SystemRoot%\System32\services.exe (autostart)

NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)

Musklassdrivrutin: System32\DRIVERS\mouclass.sys (system)

BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)

MRXSMB: System32\DRIVERS\mrxsmb.sys (system)

Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)

Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)

Tjänstproxy för Microsoft-direktuppspelning: system32\drivers\MSKSSRV.sys (manual start)

Klockproxy för Microsoft-direktuppspelning: system32\drivers\MSPCLOCK.sys (manual start)

Kvalitetshanteringsproxy för Microsoft-direktuppspelning: system32\drivers\MSPQM.sys (manual start)

Tee/Sink-to-Sink-konverterare för Microsoft-direktuppspelning: system32\drivers\MSTEE.sys (manual start)

Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)

NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)

Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)

NDIS-protokoll för I/O i användarläge: System32\DRIVERS\ndisuio.sys (manual start)

Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)

NetBIOS Interface: System32\DRIVERS\netbios.sys (system)

NetBT: System32\DRIVERS\netbt.sys (system)

Network DDE: %SystemRoot%\system32\netdde.exe (manual start)

Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)

NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)

Net Logon: %SystemRoot%\System32\lsass.exe (manual start)

Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)

Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

nv: System32\DRIVERS\nv4_mini.sys (manual start)

NVIDIA Driver Helper Service: %SystemRoot%\system32\nvsvc32.exe (autostart)

IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)

IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)

Drivrutin för parallellklass: System32\DRIVERS\parallel.sys (manual start)

Drivrutin för parallellport: System32\DRIVERS\parport.sys (system)

Drivrutin för PCI-buss: System32\DRIVERS\pci.sys (system)

PCIIde: System32\DRIVERS\pciide.sys (system)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)

WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)

Protected Storage: %SystemRoot%\system32\services.exe (autostart)

Drivrutin för direkt parallell: System32\DRIVERS\ptilink.sys (manual start)

Logitech QuickCam Express(PID_0840): System32\DRIVERS\LVCD.sys (manual start)

Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)

Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)

Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Direkt parallell: System32\DRIVERS\raspti.sys (manual start)

Network Raw Channel Access för Microsoft-direktuppspelning: system32\drivers\RCA.sys (manual start)

Rdbss: System32\DRIVERS\rdbss.sys (system)

Filterdrivrutin för uppspelning av digitalt CD-ljud: System32\DRIVERS\redbook.sys (system)

Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)

Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)

Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)

QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)

Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)

FireDaemon Service: rundll16: C:\winnt\system32\microsoft\crypto\backup\msriff\FireDaemon.EXE (disabled)

Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)

Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)

Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)

Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)

RunAs Service: %SystemRoot%\system32\services.exe (autostart)

System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Serenum-filterdrivrutin: System32\DRIVERS\serenum.sys (manual start)

Drivrutin för seriell port: System32\DRIVERS\serial.sys (system)

BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)

Sygate Personal Firewall: C:\Program\Sygate\SPF\smc.exe (autostart)

Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)

FireDaemon Service: srhost: C:\winnt\system32\microsoft\crypto\backup\msriff\msu\FireDaemon.EXE (disabled)

Srv: System32\DRIVERS\srv.sys (manual start)

BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)

Drivrutin för programvarubuss: System32\DRIVERS\swenum.sys (manual start)

Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)

Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)

Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)

Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)

Teefer for NT: SYSTEM32\Drivers\Teefer.sys (system)

Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)

Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)

Drivrutin för Microsoft USB Universal Host Controller: System32\DRIVERS\uhcd.sys (manual start)

Drivrutin för mikrokodsuppdatering: System32\DRIVERS\update.sys (manual start)

Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)

Drivrutin för Microsoft USB-standardnav (hub): System32\DRIVERS\usbhub.sys (manual start)

Microsoft USB-skrivarklass: System32\DRIVERS\usbprint.sys (manual start)

Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)

VIRTwin: \??\C:\WINNT\system32\vdmt16.sys (system)

VgaSave: \SystemRoot\System32\drivers\vga.sys (system)

Windows Time: %SystemRoot%\System32\services.exe (manual start)

Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)

Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)

SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)

SyGate for NT, wg4n: \SystemRoot\SYSTEM32\Drivers\wg4n.sys (autostart)

SyGate for NT, wg5n: \SystemRoot\SYSTEM32\Drivers\wg5n.sys (autostart)

SyGate for NT, wg6n: \SystemRoot\SYSTEM32\Drivers\wg6n.sys (autostart)

SCNDmem: \??\C:\WINNT\system32\winlow.sys (autostart)

Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)

Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)

wpsdrvnt: \??\C:\WINNT\system32\drivers\wpsdrvnt.sys (system)

World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)

Automatiska uppdateringar: %systemroot%\system32\svchost.exe -k wugroup (autostart)

Konfiguration för trådlös kommunikation: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

 

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute =

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll

WebCheck: C:\WINNT\System32\webcheck.dll

SysTray: stobject.dll

 

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

notepad.exe = msmsgs.exe

winlogon.exe = helper.exe

notepad2.exe = popuper.exe

 

--------------------------------------------------

 

End of report, 29 695 bytes

Report generated in 0,125 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

 

[/log]

 

[Zipp.]

> Hittade inte <

 

Denna ser man i Hijack loggen

 

C:\WINNT\system32\r?ndll32.exe

 

Konstigt om du inte hittar den.

 

Får detta meddelande i min brandvägg: system32\x3yy\nkdhoipx.exe is trying to connect to update.com.

 

Då måste den ju finnas.

 

Har du dolda filer synliga när du letar

 

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Sök också dessa filer

 

helper.exe

popuper.exe

 

Och scanna dom här

 

http://virusscan.jotti.org/

 

Jag vet att det är mycket att göra men vågar inte säga att du ska ta bort filer,om man inte vet vad det är.

 

Detta kan du också pröva

 

Kontrollpanelen > Utseende och teman > Bilskärm > Skrivbord > Anpassa skrivbordet > Webb

 

Ser du där Security eller nåt liknande så ta bort det.

 

 

 

 

 

 

 

 

 

 

 

[inlägget ändrat 2005-04-03 22:54:52 av Zipp.]

[Mr Boogie]

Har gjort onsynliga filer och mappar synliga men hittar ändå inte.

 

Scannade den ena av rundll32.exe som hade en annorlunda ikon och den VAR infekterad.

Fick dessa meddelanden: trojan.Dropper.purityscan.I. Samt not-a-virus:AdWarePurityscan.he.

 

Måste väl ta bort den filen?

 

När jag går in i kontrollpanelen hittar jag desktop som skrivbordsunderlägg men jag kan INTE ta bort den eller ändra mitt skrivbordsunderlägg den är inte aktiverad.

 

En annan sak jag undrar över: när jag går in i windows har jag Adobe Gamma Loader i autostart och microsoft office med en underlig flaggsymbol. Är det nåt som jag borde fixa? Har dessutom denna flagga som jag inte känner igen i lägg till/ta bort program menyn, men det står att det är microsofts program. Men det kan ju vara nåt annat förstås.

 

Vad göra?

 

[Zipp.]

> Måste väl ta bort den filen? <

 

Gör det

 

> Är det nåt som jag borde fixa? <

 

Du kan ta bort dom från autostarten om du vill.

 

Hur gick det med detta

 

Sök också dessa filer

 

helper.exe

popuper.exe

 

Och scanna dom här

 

http://virusscan.jotti.org/

 

 

[Mr Boogie]

Tog bort den ena av rundll32.exe. Hittade även atau.exe igen trots att jag tagit bort den ett otal gånger. Hittade en del filer i system32/x3yy men dock inte nkdhoipx.exe. Provade scanna dessa med jotti.org virusscan men då hittades inte den katalogen. Vågade därför inte ta bort filerna.

 

Hittar inte

helper.exe

popuper.exe

 

Deskupen kvastår. Och tydligen får jag tillbaka alla filer jag tar bort. Vad göra?

 

Körde en ny kaspersky scan efter uppdatering hittade endast denna trojan

File C:\WINNT\system32\unic2_32.dll infected by "Trojan-Downloader.Win32.Small.aph" Virus. Action Taken: File to be deleted on reboot.

 

Här är nya hijackthis loggen

[log]

Logfile of HijackThis v1.99.1

Scan saved at 12:35:23, on 2005-04-04

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program\Alwil Software\Avast4\aswUpdSv.exe

C:\Program\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program\Alwil Software\Avast4\ashMaiSv.exe

C:\Program\Alwil Software\Avast4\ashWebSv.exe

C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\ALWILS~1\Avast4\ashDisp.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

C:\hijack this\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login1.telia.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: @msdxmLC.dll,-1@1053,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [smcService] C:\Program\Sygate\SPF\smc.exe -startgui

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab'>http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/se/win/QuickTimeFullInstaller.exe'>http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/se/win/QuickTimeFullInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab'>http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab'>http://www.pandasoftware.com/activescan/as5/asinst.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program\Sygate\SPF\smc.exe

 

[/log]

 

Här är nya startuplist loggen:

 

[log]

StartupList report, 2005-04-04, 12:37:34

StartupList version: 1.52.2

Started from : C:\hijack this\HijackThis.EXE

Detected: Windows 2000 SP4 (WinNT 5.00.2195)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program\Alwil Software\Avast4\aswUpdSv.exe

C:\Program\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program\Alwil Software\Avast4\ashMaiSv.exe

C:\Program\Alwil Software\Avast4\ashWebSv.exe

C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\ALWILS~1\Avast4\ashDisp.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

C:\hijack this\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\Roger1\Start-meny\Program\Autostart]

*No files*

 

Shell folders AltStartup:

*Folder not found*

 

User shell folders Startup:

*Folder not found*

 

User shell folders AltStartup:

*Folder not found*

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start-meny\Program\Autostart]

DMX 6fire 2496 ControlPanel.lnk = C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

 

Shell folders Common AltStartup:

*Folder not found*

 

User shell folders Common Startup:

*Folder not found*

 

User shell folders Alternate Common Startup:

*Folder not found*

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

Synchronization Manager = mobsync.exe /logon

NvCplDaemon = RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

nwiz = nwiz.exe /install

LVCOMS = C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

NeroCheck = C:\WINNT\system32\NeroCheck.exe

QuickTime Task = "C:\Program\QuickTime\qttask.exe" -atboottime

TkBellExe = "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

avast! = C:\Program\ALWILS~1\Avast4\ashDisp.exe

SmcService = C:\Program\Sygate\SPF\smc.exe -startgui

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

NvMediaCenter = RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

[OptionalComponents]

*No values found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\scrfile\shell\open\command

 

(Default) = "%1" /S

 

--------------------------------------------------

 

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

 

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

 

--------------------------------------------------

 

File association entry for .TXT:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

 

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

 

--------------------------------------------------

 

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

 

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

 

[>{26923b43-4d38-484f-9b9e-de460746276c}] *

StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

 

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

 

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *

StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

 

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

 

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

 

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *

StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

 

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

 

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

 

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *

StubPath = regsvr32.exe /s /n /i:U shell32.dll

 

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = %SystemRoot%\System32\ie4uinit.exe

 

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *

StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

 

--------------------------------------------------

 

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

 

*Registry key not found*

 

--------------------------------------------------

 

Load/Run keys from C:\WINNT\WIN.INI:

 

load=*INI section not found*

run=*INI section not found*

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=explorer.exe

SCRNSAVE.EXE=C:\WINNT\system32\ssmarque.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

Checking for EXPLORER.EXE instances:

 

C:\WINNT\Explorer.exe: PRESENT!

 

C:\Explorer.exe: not present

C:\WINNT\Explorer\Explorer.exe: not present

C:\WINNT\System\Explorer.exe: not present

C:\WINNT\System32\Explorer.exe: not present

C:\WINNT\Command\Explorer.exe: not present

C:\WINNT\Fonts\Explorer.exe: not present

 

--------------------------------------------------

 

Checking for superhidden extensions:

 

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

 

--------------------------------------------------

 

Verifying REGEDIT.EXE integrity:

 

- Regedit.exe found in C:\WINNT

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Registereditorn'

 

Registry check passed

 

--------------------------------------------------

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\Program\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[DirectAnimation Java Classes]

CODEBASE = file://C:\WINNT\Java\classes\dajava.cab

OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

 

[Microsoft XML Parser for Java]

CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab

OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

 

[{00000075-9980-0010-8000-00AA00389B71}]

CODEBASE = http://codecs.microsoft.com/codecs/i386/voxacm.CAB

 

[QuickTime Object]

InProcServer32 = C:\Program\QuickTime\QTPlugin.ocx

CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINNT\System32\macromed\Shockwave 10\Download.dll

CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

 

[symantec AntiVirus scanner]

InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll

CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

 

[{62475759-9E84-458E-A1AB-5D2C442ADFDE}]

CODEBASE = http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/se/win/QuickTimeFullInstaller.exe

 

[symantec RuFSI Utility Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll

CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

 

[ActiveScan Installer Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll

CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

 

[update Class]

InProcServer32 = C:\WINNT\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.3293171296

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

NameSpace #1: C:\WINNT\System32\rnr20.dll

NameSpace #2: C:\WINNT\System32\winrnr.dll

Protocol #1: C:\WINNT\system32\msafd.dll

Protocol #2: C:\WINNT\system32\msafd.dll

Protocol #3: C:\WINNT\system32\msafd.dll

Protocol #4: C:\WINNT\system32\rsvpsp.dll

Protocol #5: C:\WINNT\system32\rsvpsp.dll

Protocol #6: C:\WINNT\system32\msafd.dll

Protocol #7: C:\WINNT\system32\msafd.dll

Protocol #8: C:\WINNT\system32\msafd.dll

Protocol #9: C:\WINNT\system32\msafd.dll

Protocol #10: C:\WINNT\system32\msafd.dll

Protocol #11: C:\WINNT\system32\msafd.dll

 

--------------------------------------------------

 

Enumerating Windows NT/2000/XP services

 

Trace network connections: C:\WINNT\system32\mocih.exe (disabled)

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)

Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)

Alerter: %SystemRoot%\System32\services.exe (manual start)

Application Management: %SystemRoot%\system32\services.exe (manual start)

aswRdr: \??\C:\WINNT\system32\drivers\aswRdr.sys (manual start)

avast! iAVS4 Control Service: "C:\Program\Alwil Software\Avast4\aswUpdSv.exe" (autostart)

RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)

Standard-IDE/ESDI-hårddiskstyrenhet: System32\DRIVERS\atapi.sys (system)

ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)

Ljud-stub-drivrutin: System32\DRIVERS\audstub.sys (manual start)

avast! Antivirus: "C:\Program\Alwil Software\Avast4\ashServ.exe" (autostart)

avast! Mail Scanner: "C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)

avast! Web Scanner: "C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)

Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)

Computer Browser: %SystemRoot%\System32\services.exe (autostart)

Avkodare för dold text: system32\drivers\ccdecode.sys (manual start)

CD-ROM-drivrutin: System32\DRIVERS\cdrom.sys (system)

Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)

ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)

DHCP Client: %SystemRoot%\System32\services.exe (autostart)

Diskdrivrutin: System32\DRIVERS\disk.sys (system)

Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)

dmboot: System32\drivers\dmboot.sys (disabled)

Drivrutin för hanterare för logiska diskar: System32\DRIVERS\dmio.sys (system)

Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)

Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)

DMX6fire WDM Audio: system32\drivers\dmx6fire.sys (manual start)

DNS Client: %SystemRoot%\System32\services.exe (autostart)

DameWare NT Utilities 2.6: %SYSTEMROOT%\SYSTEM32\DNTUS26.EXE (disabled)

Event Log: %SystemRoot%\system32\services.exe (autostart)

COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)

Fax Service: %systemroot%\system32\faxsvc.exe (manual start)

Drivrutin för diskettstyrenhet: System32\DRIVERS\fdc.sys (manual start)

Diskettdrivrutin: System32\DRIVERS\flpydisk.sys (manual start)

Provides three management service: C:\WINNT\system32\dev32.exe (disabled)

Drivrutin för volymhanterare: System32\DRIVERS\ftdisk.sys (system)

Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)

Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)

hardlock: \??\C:\WINNT\system32\drivers\hardlock.sys (autostart)

Haspnt: \??\C:\WINNT\system32\drivers\Haspnt.sys (autostart)

hpt3xx: System32\DRIVERS\hpt3xx.sys (system)

hptpro: System32\DRIVERS\hptpro.sys (system)

Drivrutin för i8042 Keyboard och PS/2 Mouse Port: System32\DRIVERS\i8042prt.sys (system)

IntelIde: System32\DRIVERS\intelide.sys (system)

IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)

IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)

IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)

IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)

IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)

Drivrutin för Pnp ISA/EISA-buss: System32\DRIVERS\isapnp.sys (system)

Tangentbordsklassdrivrutin: System32\DRIVERS\kbdclass.sys (system)

Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)

Server: %SystemRoot%\System32\services.exe (autostart)

Workstation: %SystemRoot%\System32\services.exe (autostart)

TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)

Messenger: %SystemRoot%\System32\services.exe (autostart)

NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)

Musklassdrivrutin: System32\DRIVERS\mouclass.sys (system)

BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)

MRXSMB: System32\DRIVERS\mrxsmb.sys (system)

Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)

Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)

Tjänstproxy för Microsoft-direktuppspelning: system32\drivers\MSKSSRV.sys (manual start)

Klockproxy för Microsoft-direktuppspelning: system32\drivers\MSPCLOCK.sys (manual start)

Kvalitetshanteringsproxy för Microsoft-direktuppspelning: system32\drivers\MSPQM.sys (manual start)

Tee/Sink-to-Sink-konverterare för Microsoft-direktuppspelning: system32\drivers\MSTEE.sys (manual start)

Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)

NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)

Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)

NDIS-protokoll för I/O i användarläge: System32\DRIVERS\ndisuio.sys (manual start)

Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)

NetBIOS Interface: System32\DRIVERS\netbios.sys (system)

NetBT: System32\DRIVERS\netbt.sys (system)

Network DDE: %SystemRoot%\system32\netdde.exe (manual start)

Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)

NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)

Net Logon: %SystemRoot%\System32\lsass.exe (manual start)

Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)

Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

nv: System32\DRIVERS\nv4_mini.sys (manual start)

NVIDIA Driver Helper Service: %SystemRoot%\system32\nvsvc32.exe (autostart)

IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)

IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)

Drivrutin för parallellklass: System32\DRIVERS\parallel.sys (manual start)

Drivrutin för parallellport: System32\DRIVERS\parport.sys (system)

Drivrutin för PCI-buss: System32\DRIVERS\pci.sys (system)

PCIIde: System32\DRIVERS\pciide.sys (system)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)

WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)

Protected Storage: %SystemRoot%\system32\services.exe (autostart)

Drivrutin för direkt parallell: System32\DRIVERS\ptilink.sys (manual start)

Logitech QuickCam Express(PID_0840): System32\DRIVERS\LVCD.sys (manual start)

Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)

Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)

Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Direkt parallell: System32\DRIVERS\raspti.sys (manual start)

Network Raw Channel Access för Microsoft-direktuppspelning: system32\drivers\RCA.sys (manual start)

Rdbss: System32\DRIVERS\rdbss.sys (system)

Filterdrivrutin för uppspelning av digitalt CD-ljud: System32\DRIVERS\redbook.sys (system)

Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)

Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)

Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)

QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)

Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)

FireDaemon Service: rundll16: C:\winnt\system32\microsoft\crypto\backup\msriff\FireDaemon.EXE (disabled)

Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)

Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)

Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)

Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)

RunAs Service: %SystemRoot%\system32\services.exe (autostart)

System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Serenum-filterdrivrutin: System32\DRIVERS\serenum.sys (manual start)

Drivrutin för seriell port: System32\DRIVERS\serial.sys (system)

BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)

Sygate Personal Firewall: C:\Program\Sygate\SPF\smc.exe (autostart)

Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)

FireDaemon Service: srhost: C:\winnt\system32\microsoft\crypto\backup\msriff\msu\FireDaemon.EXE (disabled)

Srv: System32\DRIVERS\srv.sys (manual start)

BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)

Drivrutin för programvarubuss: System32\DRIVERS\swenum.sys (manual start)

Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)

Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)

Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)

Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)

Teefer for NT: SYSTEM32\Drivers\Teefer.sys (system)

Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)

Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)

Drivrutin för Microsoft USB Universal Host Controller: System32\DRIVERS\uhcd.sys (manual start)

Drivrutin för mikrokodsuppdatering: System32\DRIVERS\update.sys (manual start)

Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)

Drivrutin för Microsoft USB-standardnav (hub): System32\DRIVERS\usbhub.sys (manual start)

Microsoft USB-skrivarklass: System32\DRIVERS\usbprint.sys (manual start)

Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)

VIRTwin: \??\C:\WINNT\system32\vdmt16.sys (system)

VgaSave: \SystemRoot\System32\drivers\vga.sys (system)

Windows Time: %SystemRoot%\System32\services.exe (manual start)

Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)

Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)

SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)

SyGate for NT, wg4n: \SystemRoot\SYSTEM32\Drivers\wg4n.sys (autostart)

SyGate for NT, wg5n: \SystemRoot\SYSTEM32\Drivers\wg5n.sys (autostart)

SyGate for NT, wg6n: \SystemRoot\SYSTEM32\Drivers\wg6n.sys (autostart)

SCNDmem: \??\C:\WINNT\system32\winlow.sys (autostart)

Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)

Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)

wpsdrvnt: \??\C:\WINNT\system32\drivers\wpsdrvnt.sys (system)

World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)

Automatiska uppdateringar: %systemroot%\system32\svchost.exe -k wugroup (autostart)

Konfiguration för trådlös kommunikation: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

 

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute =

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll

WebCheck: C:\WINNT\System32\webcheck.dll

SysTray: stobject.dll

 

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

notepad.exe = msmsgs.exe

winlogon.exe = helper.exe

notepad2.exe = popuper.exe

 

--------------------------------------------------

 

End of report, 29 589 bytes

Report generated in 0,094 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

[/log]

 

[Zipp.]

Tydligen hör dessa ihop

 

C:\WINNT\system32\unic2_32.dll

C:\WINNT\system32\x3yy

ta bort hela x3yy mappen i felsäkert läge och unic2_32.dll om den är kvar

 

Hijack loggen är ok,vad jag kan se.

Om du har själv satt detta så låt bli,annars bocka i och Fix:sa

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init

 

 

> Hittar inte

helper.exe

popuper.exe <

 

Detta finns i StartupList logg

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Expl

orer\Run

 

notepad.exe = msmsgs.exe

winlogon.exe = helper.exe

notepad2.exe = popuper.exe

 

Alltså dom måste ju finnas någonstans, dolda filer synliga och titta en gång till