Just nu i M3-nätverket
Gå till innehåll

Trojaner


Mr Boogie

Rekommendera Poster

OK,

skall kolla när jag kommer hem igen. Har gjort sökning efter filer och mappar via startmenyn. Utan att lyckas hitta dessa, vilket jag rimligtvis borde ha gjort när jag ändrat inställningarna för visning av filer och mappar? Vet inte hur jag annars ska kunna söka dem? Kan ju i och för sig även kolla igenom c:\winnt katalogen och c.\winnt\system32.

 

Funderar om jag kan gå vägen via kör: Regedit och sedan deleta om jag hittar dessa rader?

 

winlogon.exe = helper.exe

notepad2.exe = popuper.exe

 

om jag hittar dem förstås.

 

Tror mig veta att jag har haft winlogon.exe länge i min aktivitetshanterare, är därför inte så säker att mitt nuvarande problem påverkas för det.

 

 

Skall även ta bort katalogen

C:\WINNT\system32\x3yy

 

Länk till kommentar
Dela på andra webbplatser

> Kan ju i och för sig även kolla igenom c:\winnt katalogen och c.\winnt\system32. <

 

Ja..gör det och dolda filer synliga

 

> sedan deleta om jag hittar dessa rader? <

 

Scanna dom först här

 

helper.exe

popuper.exe

 

http://virusscan.jotti.org/

 

och är dom infekterade så ta bort dom

 

> Skall även ta bort katalogen

C:\WINNT\system32\x3yy <

 

Det finns väl bara konstiga filer där ex.nkdhoipx.exe som tydligen byter namn vid varje start.

Jag tycker att man kan ta bort mappen.

 

 

Förresten när du tittar igenom c:\winnt och c.\winnt\system32. mappar

titta samtidigt om du ser såna här konstiga korta filer

 

ex.

 

Rfj.exe

Lpv.exe

Uqj.exe

Ven.exe

 

 

 

 

 

[inlägget ändrat 2005-04-04 14:19:11 av Zipp.]

[inlägget ändrat 2005-04-04 15:25:26 av Zipp.]

Länk till kommentar
Dela på andra webbplatser

Nja, har scannat och hittade iaf inte

 

helper.exe

popuper.exe

 

katalogen C:\WINNT\system32\x3yy hittar jag inte längre och detta trots att jag får meddelande in i brandväggen. Har endast hittat denna mapp vi ett tillfälle och då vågade jag inte ta bort den.

 

filerna:

 

Rfj.exe

Lpv.exe

Uqj.exe

Ven.exe

 

har funnits förr men finns inte längre.

 

Problemet är C:\WINNT\system32\unic2_32.dll som innehåller flera olika trojaner och spyware. Panda virusscan desinfekterar filen, men sedan hittar jag filen i system32 mappen och tar sedan bort den i felsäkert läge. När jag sedan kommer in i windows är filen tillbaka igen. Verkar vara ett program som installerar sig själv. Och det är väl denna fil som är boven i dramat? Antar att det är formatering som gäller nu?

 

pandavirus logg ser alltid ut så här oavsett vad jag gör:

 

 

[log]

 

 

Incident Status Location

 

Virus:Trj/Downloader.BHL Disinfected Operating system

Adware:Adware/nCase No disinfected C:\Temp\FLEOK

Adware:Adware/CWS No disinfected Windows Registry

Adware:Adware/IPInsight No disinfected C:\WINNT\alchem.???

Adware:Adware/SideFind No disinfected Windows Registry

Virus:Trj/Downloader.BHL Disinfected C:\WINNT\system32\unic2_32.dll

Adware:Adware/SAHAgent No disinfected C:\WINNT\Downloaded Program Files\setup4002b.ini

Adware:Adware/PurityScan No disinfected C:\hijack this\backups\backup-20050401-180125-743.dll

[/log]

 

Länk till kommentar
Dela på andra webbplatser

Det är denna mapp som återskapar unic2_32.dll hela tiden

 

C:\WINNT\system32\x3yy

 

Den måste bort

 

> filerna:

 

Rfj.exe

Lpv.exe

Uqj.exe

Ven.exe

 

har funnits förr men finns inte längre. <

 

Joo jag vet men titta om du ser typ likadana filer,kan finnas fler som man inte ser i Hijack loggen,dom kan heta vad som helst och börjar med en stor bokstav. Filer ovan vad bara en exempel,3 bokstav och exe.

 

 

C:\Temp\FLEOK < ta bort

C:\WINNT\alchem.??? < ta bort men titta för att det blir rätt fil

C:\WINNT\Downloaded Program Files\setup4002b.ini

- ta bort setup4002b.ini

 

> Nja, har scannat och hittade iaf inte

 

helper.exe

popuper.exe <

 

Konstigt att du inte hittar dom.

 

Dolda filer du har väl bockat i

 

Show hidden files and folders.

 

och bockat av

 

Hide protected operating system files

 

 

 

 

[inlägget ändrat 2005-04-04 19:57:29 av Zipp.]

Länk till kommentar
Dela på andra webbplatser

Jag hitta lite mera skräp när jag hade lite tid att titta närmare på StartupList logg.

 

C:\WINNT\system32\vdmt16.sys

C:\WINNT\system32\winlow.sys

 

Ladda ner HSFix.zip

 

http://www.atribune.org/downloads/HSFix.zip

 

Skapa en ny mapp på skrivbordet och döp den till HSFix

Sen unzippa HSFix.zip i HSFix mappen

Starta sen i felsäkert läge och öppna HSFix mappen och dubbelklicka på hsfix.bat

Låt den scanna klar och sen stara normalt och skicka hit loggen C:/hslog.txt

 

 

 

Länk till kommentar
Dela på andra webbplatser

Nu har jag i alla fall lyckats bli av med unic2_32.dll och har i alla fall min ordinare startsida till internet. Desktopen går tydligen inte bli av med.

 

Hittar inte

helper.exe

popuper.exe

och JA JAG HAR bockat för dolda filer och mappar och dölj skyddade operativsytem filer. De går inte att hitta i alla fall. Går inte heller att hitta setup4002b.ini. Har letat den tidigare också. Verkar som om jag får leva med det eller formatera.

 

Hittar ej heller några exe filer med 3 bokstäver och stor bokstav.

 

Här är i all fall senaste panda virus scan loggen:

 

[log]

Incident Status Location

 

Adware:Adware/CWS No disinfected Windows Registry

Adware:Adware/SAHAgent No disinfected C:\WINNT\Downloaded Program Files\setup4002b.ini

Adware:Adware/PurityScan No disinfected C:\hijack this\backups\backup-20050401-180125-743.dll

[/log]

 

Och här hijack this startuplist

 

[log]

StartupList report, 2005-04-04, 22:24:08

StartupList version: 1.52.2

Started from : C:\hijack this\HijackThis.EXE

Detected: Windows 2000 SP4 (WinNT 5.00.2195)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program\Sygate\SPF\smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program\Alwil Software\Avast4\aswUpdSv.exe

C:\Program\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program\Alwil Software\Avast4\ashMaiSv.exe

C:\WINNT\Explorer.EXE

C:\Program\Alwil Software\Avast4\ashWebSv.exe

C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\ALWILS~1\Avast4\ashDisp.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

C:\hijack this\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\Roger1\Start-meny\Program\Autostart]

*No files*

 

Shell folders AltStartup:

*Folder not found*

 

User shell folders Startup:

*Folder not found*

 

User shell folders AltStartup:

*Folder not found*

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start-meny\Program\Autostart]

DMX 6fire 2496 ControlPanel.lnk = C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

 

Shell folders Common AltStartup:

*Folder not found*

 

User shell folders Common Startup:

*Folder not found*

 

User shell folders Alternate Common Startup:

*Folder not found*

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

Synchronization Manager = mobsync.exe /logon

NvCplDaemon = RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

nwiz = nwiz.exe /install

LVCOMS = C:\Program\Delade filer\Logitech\QCDriver2\LVCOMS.EXE

NeroCheck = C:\WINNT\system32\NeroCheck.exe

QuickTime Task = "C:\Program\QuickTime\qttask.exe" -atboottime

TkBellExe = "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

avast! = C:\Program\ALWILS~1\Avast4\ashDisp.exe

SmcService = C:\Program\Sygate\SPF\smc.exe -startgui

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

NvMediaCenter = RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

x3yy = C:\WINNT\system32\x3yy\agadmded.exe

Zfhbzpz = C:\WINNT\system32\r?ndll32.exe

Bgk = C:\WINNT\system32\Euj.exe

Gvi = C:\WINNT\Bil.exe

Jio = C:\WINNT\Cnr.exe

Mkd = C:\WINNT\system32\Hfr.exe

Ien = C:\WINNT\Moq.exe

Tsi = C:\WINNT\system32\Oft.exe

Gcb = C:\WINNT\Nhq.exe

Tok = C:\WINNT\system32\Dtl.exe

Nkl = C:\WINNT\Sao.exe

Sla = C:\WINNT\Mbq.exe

Gja = C:\WINNT\Nuu.exe

Jre = C:\WINNT\Ghl.exe

Aero = C:\WINNT\system32\atau.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

[OptionalComponents]

*No values found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\scrfile\shell\open\command

 

(Default) = "%1" /S

 

--------------------------------------------------

 

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

 

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

 

--------------------------------------------------

 

File association entry for .TXT:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

 

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

 

--------------------------------------------------

 

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

 

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

 

[>{26923b43-4d38-484f-9b9e-de460746276c}] *

StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

 

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

 

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *

StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

 

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

 

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

 

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *

StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

 

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

 

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

 

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *

StubPath = regsvr32.exe /s /n /i:U shell32.dll

 

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = %SystemRoot%\System32\ie4uinit.exe

 

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *

StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

 

--------------------------------------------------

 

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

 

*Registry key not found*

 

--------------------------------------------------

 

Load/Run keys from C:\WINNT\WIN.INI:

 

load=*INI section not found*

run=*INI section not found*

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=explorer.exe

SCRNSAVE.EXE=C:\WINNT\system32\ssmarque.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

Checking for EXPLORER.EXE instances:

 

C:\WINNT\Explorer.exe: PRESENT!

 

C:\Explorer.exe: not present

C:\WINNT\Explorer\Explorer.exe: not present

C:\WINNT\System\Explorer.exe: not present

C:\WINNT\System32\Explorer.exe: not present

C:\WINNT\Command\Explorer.exe: not present

C:\WINNT\Fonts\Explorer.exe: not present

 

--------------------------------------------------

 

Checking for superhidden extensions:

 

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

 

--------------------------------------------------

 

Verifying REGEDIT.EXE integrity:

 

- Regedit.exe found in C:\WINNT

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Registereditorn'

 

Registry check passed

 

--------------------------------------------------

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\Program\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[DirectAnimation Java Classes]

CODEBASE = file://C:\WINNT\Java\classes\dajava.cab

OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

 

[Microsoft XML Parser for Java]

CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab

OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

 

[QuickTime Object]

InProcServer32 = C:\Program\QuickTime\QTPlugin.ocx

CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINNT\System32\macromed\Shockwave 10\Download.dll

CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

 

[symantec AntiVirus scanner]

InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll

CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

 

[symantec RuFSI Utility Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll

CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

 

[ActiveScan Installer Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll

CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

 

[update Class]

InProcServer32 = C:\WINNT\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.3293171296

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

NameSpace #1: C:\WINNT\System32\rnr20.dll

NameSpace #2: C:\WINNT\System32\winrnr.dll

Protocol #1: C:\WINNT\system32\msafd.dll

Protocol #2: C:\WINNT\system32\msafd.dll

Protocol #3: C:\WINNT\system32\msafd.dll

Protocol #4: C:\WINNT\system32\rsvpsp.dll

Protocol #5: C:\WINNT\system32\rsvpsp.dll

Protocol #6: C:\WINNT\system32\msafd.dll

Protocol #7: C:\WINNT\system32\msafd.dll

Protocol #8: C:\WINNT\system32\msafd.dll

Protocol #9: C:\WINNT\system32\msafd.dll

Protocol #10: C:\WINNT\system32\msafd.dll

Protocol #11: C:\WINNT\system32\msafd.dll

 

--------------------------------------------------

 

Enumerating Windows NT/2000/XP services

 

Trace network connections: C:\WINNT\system32\mocih.exe (disabled)

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)

Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)

Alerter: %SystemRoot%\System32\services.exe (manual start)

Application Management: %SystemRoot%\system32\services.exe (manual start)

aswRdr: \??\C:\WINNT\system32\drivers\aswRdr.sys (manual start)

avast! iAVS4 Control Service: "C:\Program\Alwil Software\Avast4\aswUpdSv.exe" (autostart)

RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)

Standard-IDE/ESDI-hårddiskstyrenhet: System32\DRIVERS\atapi.sys (system)

ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)

Ljud-stub-drivrutin: System32\DRIVERS\audstub.sys (manual start)

avast! Antivirus: "C:\Program\Alwil Software\Avast4\ashServ.exe" (autostart)

avast! Mail Scanner: "C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)

avast! Web Scanner: "C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)

Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)

Computer Browser: %SystemRoot%\System32\services.exe (autostart)

Avkodare för dold text: system32\drivers\ccdecode.sys (manual start)

CD-ROM-drivrutin: System32\DRIVERS\cdrom.sys (system)

Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)

ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)

DHCP Client: %SystemRoot%\System32\services.exe (autostart)

Diskdrivrutin: System32\DRIVERS\disk.sys (system)

Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)

dmboot: System32\drivers\dmboot.sys (disabled)

Drivrutin för hanterare för logiska diskar: System32\DRIVERS\dmio.sys (system)

Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)

Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)

DMX6fire WDM Audio: system32\drivers\dmx6fire.sys (manual start)

DNS Client: %SystemRoot%\System32\services.exe (autostart)

DameWare NT Utilities 2.6: %SYSTEMROOT%\SYSTEM32\DNTUS26.EXE (disabled)

Event Log: %SystemRoot%\system32\services.exe (autostart)

COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)

Fax Service: %systemroot%\system32\faxsvc.exe (manual start)

Drivrutin för diskettstyrenhet: System32\DRIVERS\fdc.sys (manual start)

Diskettdrivrutin: System32\DRIVERS\flpydisk.sys (manual start)

Provides three management service: C:\WINNT\system32\dev32.exe (disabled)

Drivrutin för volymhanterare: System32\DRIVERS\ftdisk.sys (system)

Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)

Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)

hardlock: \??\C:\WINNT\system32\drivers\hardlock.sys (autostart)

Haspnt: \??\C:\WINNT\system32\drivers\Haspnt.sys (autostart)

hpt3xx: System32\DRIVERS\hpt3xx.sys (system)

hptpro: System32\DRIVERS\hptpro.sys (system)

Drivrutin för i8042 Keyboard och PS/2 Mouse Port: System32\DRIVERS\i8042prt.sys (system)

IntelIde: System32\DRIVERS\intelide.sys (system)

IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)

IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)

IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)

IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)

IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)

Drivrutin för Pnp ISA/EISA-buss: System32\DRIVERS\isapnp.sys (system)

Tangentbordsklassdrivrutin: System32\DRIVERS\kbdclass.sys (system)

Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)

Server: %SystemRoot%\System32\services.exe (autostart)

Workstation: %SystemRoot%\System32\services.exe (autostart)

TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)

Messenger: %SystemRoot%\System32\services.exe (autostart)

NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)

Musklassdrivrutin: System32\DRIVERS\mouclass.sys (system)

BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)

MRXSMB: System32\DRIVERS\mrxsmb.sys (system)

Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)

Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)

Tjänstproxy för Microsoft-direktuppspelning: system32\drivers\MSKSSRV.sys (manual start)

Klockproxy för Microsoft-direktuppspelning: system32\drivers\MSPCLOCK.sys (manual start)

Kvalitetshanteringsproxy för Microsoft-direktuppspelning: system32\drivers\MSPQM.sys (manual start)

Tee/Sink-to-Sink-konverterare för Microsoft-direktuppspelning: system32\drivers\MSTEE.sys (manual start)

Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)

NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)

Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)

NDIS-protokoll för I/O i användarläge: System32\DRIVERS\ndisuio.sys (manual start)

Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)

NetBIOS Interface: System32\DRIVERS\netbios.sys (system)

NetBT: System32\DRIVERS\netbt.sys (system)

Network DDE: %SystemRoot%\system32\netdde.exe (manual start)

Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)

NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)

Net Logon: %SystemRoot%\System32\lsass.exe (manual start)

Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)

Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

nv: System32\DRIVERS\nv4_mini.sys (manual start)

NVIDIA Driver Helper Service: %SystemRoot%\system32\nvsvc32.exe (autostart)

IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)

IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)

Drivrutin för parallellklass: System32\DRIVERS\parallel.sys (manual start)

Drivrutin för parallellport: System32\DRIVERS\parport.sys (system)

Drivrutin för PCI-buss: System32\DRIVERS\pci.sys (system)

PCIIde: System32\DRIVERS\pciide.sys (system)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)

WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)

Protected Storage: %SystemRoot%\system32\services.exe (autostart)

Drivrutin för direkt parallell: System32\DRIVERS\ptilink.sys (manual start)

Logitech QuickCam Express(PID_0840): System32\DRIVERS\LVCD.sys (manual start)

Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)

Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)

Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Direkt parallell: System32\DRIVERS\raspti.sys (manual start)

Network Raw Channel Access för Microsoft-direktuppspelning: system32\drivers\RCA.sys (manual start)

Rdbss: System32\DRIVERS\rdbss.sys (system)

Filterdrivrutin för uppspelning av digitalt CD-ljud: System32\DRIVERS\redbook.sys (system)

Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)

Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)

Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)

QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)

Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)

FireDaemon Service: rundll16: C:\winnt\system32\microsoft\crypto\backup\msriff\FireDaemon.EXE (disabled)

Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)

Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)

Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)

Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)

RunAs Service: %SystemRoot%\system32\services.exe (autostart)

System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Serenum-filterdrivrutin: System32\DRIVERS\serenum.sys (manual start)

Drivrutin för seriell port: System32\DRIVERS\serial.sys (system)

BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)

Sygate Personal Firewall: C:\Program\Sygate\SPF\smc.exe (autostart)

Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)

FireDaemon Service: srhost: C:\winnt\system32\microsoft\crypto\backup\msriff\msu\FireDaemon.EXE (disabled)

Srv: System32\DRIVERS\srv.sys (manual start)

BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)

Drivrutin för programvarubuss: System32\DRIVERS\swenum.sys (manual start)

Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)

Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)

Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)

Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)

Teefer for NT: SYSTEM32\Drivers\Teefer.sys (system)

Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)

Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)

Drivrutin för Microsoft USB Universal Host Controller: System32\DRIVERS\uhcd.sys (manual start)

Drivrutin för mikrokodsuppdatering: System32\DRIVERS\update.sys (manual start)

Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)

Drivrutin för Microsoft USB-standardnav (hub): System32\DRIVERS\usbhub.sys (manual start)

Microsoft USB-skrivarklass: System32\DRIVERS\usbprint.sys (manual start)

Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)

VIRTwin: \??\C:\WINNT\system32\vdmt16.sys (system)

VgaSave: \SystemRoot\System32\drivers\vga.sys (system)

Windows Time: %SystemRoot%\System32\services.exe (manual start)

Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)

Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)

SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)

SyGate for NT, wg4n: \SystemRoot\SYSTEM32\Drivers\wg4n.sys (autostart)

SyGate for NT, wg5n: \SystemRoot\SYSTEM32\Drivers\wg5n.sys (autostart)

SyGate for NT, wg6n: \SystemRoot\SYSTEM32\Drivers\wg6n.sys (autostart)

SCNDmem: \??\C:\WINNT\system32\winlow.sys (autostart)

Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)

Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)

wpsdrvnt: \??\C:\WINNT\system32\drivers\wpsdrvnt.sys (system)

World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)

Automatiska uppdateringar: %systemroot%\system32\svchost.exe -k wugroup (autostart)

Konfiguration för trådlös kommunikation: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

 

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute =

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll

WebCheck: C:\WINNT\System32\webcheck.dll

SysTray: stobject.dll

 

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

notepad.exe = msmsgs.exe

winlogon.exe = helper.exe

notepad2.exe = popuper.exe

 

--------------------------------------------------

 

End of report, 29 822 bytes

Report generated in 0,156 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

[/log]

 

Länk till kommentar
Dela på andra webbplatser

Jep det finns kvar

 

x3yy = C:\WINNT\system32\x3yy\agadmded.exe

Zfhbzpz = C:\WINNT\system32\r?ndll32.exe

Bgk = C:\WINNT\system32\Euj.exe

Gvi = C:\WINNT\Bil.exe

Jio = C:\WINNT\Cnr.exe

Mkd = C:\WINNT\system32\Hfr.exe

Ien = C:\WINNT\Moq.exe

Tsi = C:\WINNT\system32\Oft.exe

Gcb = C:\WINNT\Nhq.exe

Tok = C:\WINNT\system32\Dtl.exe

Nkl = C:\WINNT\Sao.exe

Sla = C:\WINNT\Mbq.exe

Gja = C:\WINNT\Nuu.exe

Jre = C:\WINNT\Ghl.exe

Aero = C:\WINNT\system32\atau.exe

 

 

Plocka bort dessa i felsäkert läge kanske dom har bytt namn om du har startat om datorn.

 

Länk till kommentar
Dela på andra webbplatser

dessa filer:

 

x3yy = C:\WINNT\system32\x3yy\agadmded.exe

Zfhbzpz = C:\WINNT\system32\r?ndll32.exe

Bgk = C:\WINNT\system32\Euj.exe

Gvi = C:\WINNT\Bil.exe

Jio = C:\WINNT\Cnr.exe

Mkd = C:\WINNT\system32\Hfr.exe

Ien = C:\WINNT\Moq.exe

Tsi = C:\WINNT\system32\Oft.exe

Gcb = C:\WINNT\Nhq.exe

Tok = C:\WINNT\system32\Dtl.exe

Nkl = C:\WINNT\Sao.exe

Sla = C:\WINNT\Mbq.exe

Gja = C:\WINNT\Nuu.exe

Jre = C:\WINNT\Ghl.exe

Aero = C:\WINNT\system32\atau.exe

 

finns i startuplist loggen men det går inte att finna på datorn. Och jag HAR ställt om inställningarna för visning. Och jag har sökt både via startmenyn och via utforskaren.

 

Jag får i alla fall inga meddelanden om att C:\WINNT\system32\x3yy\agadmded.exe försöker kontata update.com i min brandvägg längre. I och med att jag inte hittar dessa filer och kan ta bort dem återstår väl bara formatering?

 

Har scannat med hsfix.bat och här är i alla fall loggen.

 

 

[log]

 

 

Horseserver Removal Tool v1.05

by Atri

-

-

1. Registry Fix Started

-

Registry fix complete

-

2. Deleted Services

-

WINLOW

[sC] DeleteService SUCCESS

vdmt16

[sC] DeleteService SUCCESS

-

3. Finding files Located on system

-

vdmt16.sys

winlow.sys

drct16.dll

w32tm.exe

-

4. Deleting files that were found.

-

-

5. Checking for and Removing Winupdate

-

-

-

[/log]

 

Länk till kommentar
Dela på andra webbplatser

Denna mapp C:\WINNT\system32\x3yy\ måste du hitta och ta bort den.

Du hittde den ju förut .

 

> finns i startuplist loggen men det går inte att finna på datorn <

 

Ok..skicka en ny startuplist logg kanske filer har bytt namn.

Vi kan pröva att ta bort dom med KillBox.

När du har skickat startuplist logg så starta inte om eller stäng av datorn.

 

HSFix:en funka så den är borta iallafall.

 

 

 

 

Länk till kommentar
Dela på andra webbplatser

Först och främst vill jag tacka både Cecilia och Zipp för deras hjälp, men jag gav upp till slut och formatterade och bytte även till XP. Får fortfarande in en massa i min brandvägg och undrar nu om jag lika fullt har kvar skit i datorn? Winlogon körs tex i aktivitetshanteraren.

 

 

Om någon skulle orka titta igen dessa hijack this loggar så vore jag tacksam.

 

[log]

Logfile of HijackThis v1.99.1

Scan saved at 16:28:55, on 2005-04-11

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program\Internet Explorer\iexplore.exe

C:\DOCUME~1\Roger\LOKALA~1\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [smcService] C:\Program\Sygate\SPF\smc.exe -startgui

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program\Sygate\SPF\smc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

 

[/log]

 

[log]

StartupList report, 2005-04-11, 16:29:12

StartupList version: 1.52.2

Started from : C:\DOCUME~1\Roger\LOKALA~1\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.EXE

Detected: Windows XP SP2 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\TerraTec\DMX 6fire\DMX6Fire.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program\Internet Explorer\iexplore.exe

C:\DOCUME~1\Roger\LOKALA~1\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\Roger\Start-meny\Program\Autostart]

*No files*

 

Shell folders AltStartup:

*Folder not found*

 

User shell folders Startup:

*Folder not found*

 

User shell folders AltStartup:

*Folder not found*

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start-meny\Program\Autostart]

DMX 6fire 2496 ControlPanel.lnk = ?

Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

 

Shell folders Common AltStartup:

*Folder not found*

 

User shell folders Common Startup:

*Folder not found*

 

User shell folders Alternate Common Startup:

*Folder not found*

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

ccApp = "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

ccRegVfy = "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"

Symantec NetDriver Monitor = C:\Program\SYMNET~1\SNDMon.exe

NeroCheck = C:\WINDOWS\system32\NeroCheck.exe

TkBellExe = "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

SmcService = C:\Program\Sygate\SPF\smc.exe -startgui

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe

MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

[OptionalComponents]

*No values found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\scrfile\shell\open\command

 

(Default) = "%1" /S

 

--------------------------------------------------

 

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

 

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

 

--------------------------------------------------

 

File association entry for .TXT:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

 

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

 

--------------------------------------------------

 

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

 

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

 

[>{26923b43-4d38-484f-9b9e-de460746276c}] *

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

 

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

 

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

 

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *

StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

 

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

 

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

 

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

 

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

 

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

 

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *

StubPath = regsvr32.exe /s /n /i:U shell32.dll

 

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = %SystemRoot%\system32\ie4uinit.exe

 

--------------------------------------------------

 

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

 

*Registry key not found*

 

--------------------------------------------------

 

Load/Run keys from C:\WINDOWS\WIN.INI:

 

load=*INI section not found*

run=*INI section not found*

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

Checking for EXPLORER.EXE instances:

 

C:\WINDOWS\Explorer.exe: PRESENT!

 

C:\Explorer.exe: not present

C:\WINDOWS\Explorer\Explorer.exe: not present

C:\WINDOWS\System\Explorer.exe: not present

C:\WINDOWS\System32\Explorer.exe: not present

C:\WINDOWS\Command\Explorer.exe: not present

C:\WINDOWS\Fonts\Explorer.exe: not present

 

--------------------------------------------------

 

Checking for superhidden extensions:

 

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

 

--------------------------------------------------

 

Verifying REGEDIT.EXE integrity:

 

- Regedit.exe found in C:\WINDOWS

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Registereditorn'

 

Registry check passed

 

--------------------------------------------------

 

Enumerating Browser Helper Objects:

 

NAV Helper - C:\Program\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Norton AntiVirus - Sök igenom datorn.job

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

NameSpace #1: C:\WINDOWS\System32\mswsock.dll

NameSpace #2: C:\WINDOWS\System32\winrnr.dll

NameSpace #3: C:\WINDOWS\System32\mswsock.dll

Protocol #1: C:\WINDOWS\system32\mswsock.dll

Protocol #2: C:\WINDOWS\system32\mswsock.dll

Protocol #3: C:\WINDOWS\system32\mswsock.dll

Protocol #4: C:\WINDOWS\system32\rsvpsp.dll

Protocol #5: C:\WINDOWS\system32\rsvpsp.dll

Protocol #6: C:\WINDOWS\system32\mswsock.dll

Protocol #7: C:\WINDOWS\system32\mswsock.dll

Protocol #8: C:\WINDOWS\system32\mswsock.dll

Protocol #9: C:\WINDOWS\system32\mswsock.dll

Protocol #10: C:\WINDOWS\system32\mswsock.dll

Protocol #11: C:\WINDOWS\system32\mswsock.dll

 

--------------------------------------------------

 

Enumerating Windows NT/2000/XP services

 

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)

Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)

AFD: \SystemRoot\System32\drivers\afd.sys (system)

Intel AGP Bus Filter: system32\DRIVERS\agp440.sys (system)

Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)

Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)

Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)

Standard-IDE/ESDI-hårddiskstyrenhet: system32\DRIVERS\atapi.sys (system)

ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Ljud-stub-drivrutin: system32\DRIVERS\audstub.sys (manual start)

Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Symantec Event Manager: "C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe" (autostart)

Symantec Password Validation Service: "C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe" (manual start)

CD-ROM-drivrutin: system32\DRIVERS\cdrom.sys (system)

Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)

ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)

COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)

Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)

DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Diskdrivrutin: system32\DRIVERS\disk.sys (system)

Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)

dmboot: System32\drivers\dmboot.sys (disabled)

Logical Disk Manager Driver: System32\drivers\dmio.sys (system)

dmload: System32\drivers\dmload.sys (system)

Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)

DMX6fire WDM Audio: system32\drivers\dmx6fire.sys (manual start)

dmxsens: system32\drivers\dmxsens.sys (manual start)

DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)

Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)

Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Event Log: %SystemRoot%\system32\services.exe (autostart)

COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)

Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Drivrutin för diskettstyrenhet: system32\DRIVERS\fdc.sys (manual start)

Diskettdrivrutin: system32\DRIVERS\flpydisk.sys (manual start)

FltMgr: system32\DRIVERS\fltMgr.sys (system)

Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)

Spelportsuppräknare: system32\DRIVERS\gameenum.sys (manual start)

Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)

Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

HTTP: System32\Drivers\HTTP.sys (manual start)

HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)

Drivrutin för i8042 Keyboard och PS/2 Mouse Port: system32\DRIVERS\i8042prt.sys (system)

CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)

IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)

IntelIde: system32\DRIVERS\intelide.sys (system)

IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)

IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)

IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)

IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)

IPSEC driver: system32\DRIVERS\ipsec.sys (system)

Tjänst för IR-uppräkning: system32\DRIVERS\irenum.sys (manual start)

PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)

Tangentbordsklassdrivrutin: system32\DRIVERS\kbdclass.sys (system)

Microsoft Kernel-wave-ljudMixer: system32\drivers\kmixer.sys (manual start)

Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)

Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)

NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)

Musklassdrivrutin: system32\DRIVERS\mouclass.sys (system)

Klientomdirigerare för WebDav: system32\DRIVERS\mrxdav.sys (manual start)

MRXSMB: system32\DRIVERS\mrxsmb.sys (system)

Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)

Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)

Tjänstproxy för Microsoft-direktuppspelning: system32\drivers\MSKSSRV.sys (manual start)

Klockproxy för Microsoft-direktuppspelning: system32\drivers\MSPCLOCK.sys (manual start)

Kvalitetshanteringsproxy för Microsoft-direktuppspelning: system32\drivers\MSPQM.sys (manual start)

Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)

Drivrutin för Microsoft MPU-401 MIDI UART: system32\drivers\msmpu401.sys (manual start)

Norton AntiVirus Auto Protect Service: "C:\Program\Norton AntiVirus\navapsvc.exe" (autostart)

NAVENG: \??\C:\Program\DELADE~1\SYMANT~1\VIRUSD~1\20050406.008\NAVENG.Sys (manual start)

NAVEX15: \??\C:\Program\DELADE~1\SYMANT~1\VIRUSD~1\20050406.008\NavEx15.Sys (manual start)

Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)

NDIS-protokoll för I/O i användarläge: system32\DRIVERS\ndisuio.sys (manual start)

Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)

NetBIOS-gränssnitt: system32\DRIVERS\netbios.sys (system)

NetBT: system32\DRIVERS\netbt.sys (system)

Network DDE: %SystemRoot%\system32\netdde.exe (disabled)

Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)

Net Logon: %SystemRoot%\system32\lsass.exe (manual start)

Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)

Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

nv: system32\DRIVERS\nv4_mini.sys (manual start)

IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)

IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)

Drivrutin för parallellport: system32\DRIVERS\parport.sys (manual start)

PCI Bus Driver: system32\DRIVERS\pci.sys (system)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)

WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)

Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)

QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)

Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)

Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)

Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)

Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)

Direkt parallell: system32\DRIVERS\raspti.sys (manual start)

Rdbss: system32\DRIVERS\rdbss.sys (system)

RDPCDD: System32\DRIVERS\RDPCDD.sys (system)

Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)

Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)

Filterdrivrutin för uppspelning av digitalt CD-ljud: system32\DRIVERS\redbook.sys (system)

Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)

Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)

Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)

Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)

QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)

Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: system32\DRIVERS\RTL8139.SYS (manual start)

Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)

SAVRT: \??\C:\WINDOWS\system32\Drivers\SAVRT.SYS (manual start)

SAVRTPEL: \??\C:\WINDOWS\system32\Drivers\SAVRTPEL.SYS (autostart)

ScriptBlocking Service: C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)

Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)

Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Secdrv: system32\DRIVERS\secdrv.sys (manual start)

Secondary Logon Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Serenum-filterdrivrutin: system32\DRIVERS\serenum.sys (manual start)

Drivrutin för seriell port: system32\DRIVERS\serial.sys (system)

Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Sygate Personal Firewall Pro: C:\Program\Sygate\SPF\smc.exe (autostart)

Symantec Network Drivers Service: "C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe" (manual start)

Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)

Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)

Drivrutin för filter för Systemåterställning: system32\DRIVERS\sr.sys (system)

System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Srv: system32\DRIVERS\srv.sys (manual start)

SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)

WIA (Windows Image Acquisition): %SystemRoot%\system32\svchost.exe -k imgsvc (manual start)

Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)

Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)

MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{D429949F-1EC4-4E63-8FDC-BFB708E64EE8} (manual start)

SymEvent: \??\C:\Program\Symantec\SYMEVENT.SYS (manual start)

SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)

SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)

Microsoft Kernelsystemljudenhet: system32\drivers\sysaudio.sys (manual start)

Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)

Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)

Teefer for NT: SYSTEM32\Drivers\Teefer.sys (system)

Terminal Device Driver: system32\DRIVERS\termdd.sys (system)

Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)

Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)

Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Microcode Update Driver: system32\DRIVERS\update.sys (manual start)

Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)

Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)

USB2-aktiverat nav: system32\DRIVERS\usbhub.sys (manual start)

Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)

VgaSave: \SystemRoot\System32\drivers\vga.sys (system)

Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)

Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)

Drivrutin för Microsoft WINMM WDM-ljudkompatibilitet: system32\drivers\wdmaud.sys (manual start)

WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)

SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)

SyGate for NT, wg4n: \SystemRoot\SYSTEM32\Drivers\wg4n.sys (autostart)

SyGate for NT, wg5n: \SystemRoot\SYSTEM32\Drivers\wg5n.sys (autostart)

SyGate for NT, wg6n: \SystemRoot\SYSTEM32\Drivers\wg6n.sys (autostart)

Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)

wpsdrvnt: \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (system)

Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

 

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\system32\webcheck.dll

SysTray: C:\WINDOWS\system32\stobject.dll

 

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*Registry key not found*

 

--------------------------------------------------

 

End of report, 29 865 bytes

Report generated in 0,110 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

[/log]

 

Länk till kommentar
Dela på andra webbplatser

För att skydda din dator i framtiden så kommer här några fler rekommendationer.

 

Uppdatera från Windows Update (i kväll ska nya uppdateringar komma) och kör antispionprogrammen Ad-aware och Spybot S&D regelbundet.

http://www.lavasoft.com

http://www.safer-networking.org/en/download/index.html

 

Om man använder Internet Explorer så kan det vara lämpligt att ha programmen SpywareBlaster och SpywareGuard, vilka hindrar en hel del otrevliga program från att laddas ner resp. köras:

http://www.javacoolsoftware.com

 

Se över säkerhetsinställningarna i Internet Explorer, det finns en hel del tips här:

https://netfiles.uiuc.edu/ehowes/www/btw/ie/ie-opts.htm

 

Samt kör IE-SpyAd som lägger en hel massa otrevliga webbplatser i zonen Ej tillförlitliga i Internet Explorer så att de inte kan göra något med datorn:

https://netfiles.uiuc.edu/ehowes/www/resource.htm

 

Om man byter webbläsare så är det bara SpywareGuard som behövs. Andra webbläsare är t ex Mozilla Firefox och Opera:

http://www.mozilla.se

http://www.opera.com

 

Allt gratis för hemanvändare/personligt bruk.

 

Länk till kommentar
Dela på andra webbplatser

Arkiverat

Det här ämnet är nu arkiverat och är stängt för ytterligare svar.

×
×
  • Skapa nytt...