Så var det dax igen

[roger_malmö]

Suck pust och stön , har fått ngt spyware och hacking tools IGEN

 

Sänder med en hijacklog så ni snälla kan titta och komma med tips

[log]

Logfile of HijackThis v1.99.1

Scan saved at 15:42:26, on 2006-01-06

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Java\jre1.5.0_04\bin\jusched.exe

C:\Program\QuickTime\qttask.exe

C:\Program\Analog Devices\SoundMAX\SMTray.exe

C:\Program\CA\eTrust PestPatrol\PPActiveDetection.exe

C:\Program\Symantec\Norton Ghost\Agent\GhostTray.exe

C:\Program\D-Tools\daemon.exe

C:\Program\The Cleaner\tca.exe

C:\Program\The Cleaner\tcm.exe

C:\Program\Labtec\Mouse\2.1\moffice.exe

C:\Program\Labtec\Media Keyboard\V5.0\KbdAp32A.exe

C:\Program\Telia\Telias Sakerhetstjanster\Common\FSM32.EXE

C:\Program\Winamp\winampa.exe

C:\Program\Martins program\E-KOLLEN\E-kollen.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Eraser\eraser.exe

C:\Program\Gadwin Systems\PrintScreen\PrintScreen.exe

C:\Program\Spyware Doctor\swdoctor.exe

C:\Program\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE

C:\Program\D-Link AirPlus\AirPlus.exe

C:\Program\Plextor\PlexTool.exe

C:\Program\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program\Rainlendar\Rainlendar.exe

C:\Program\Telia\TELIAS~1\backweb\7836882\Program\SERVIC~1.EXE

C:\Program\Telia\Telias Sakerhetstjanster\Anti-Virus\fsgk32st.exe

C:\Program\Telia\Telias Sakerhetstjanster\backweb\7836882\program\fsbwsys.exe

C:\Program\Telia\Telias Sakerhetstjanster\backweb\7836882\Program\fspex.exe

C:\Program\Telia\Telias Sakerhetstjanster\Anti-Virus\FSGK32.EXE

C:\Program\Telia\Telias Sakerhetstjanster\Common\FSMA32.EXE

C:\WINDOWS\System32\GEARSec.exe

C:\Program\Telia\Telias Sakerhetstjanster\Anti-Virus\fssm32.exe

C:\Program\Telia\Telias Sakerhetstjanster\Common\FSMB32.EXE

C:\Program\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\Program\Telia\Telias Sakerhetstjanster\Common\FCH32.EXE

C:\Program\Labtec\Mouse\2.1\MOUSE32A.EXE

C:\Program\Telia\Telias Sakerhetstjanster\Common\FAMEH32.EXE

C:\Program\Spyware Doctor\sdhelp.exe

C:\Program\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program\Telia\Telias Sakerhetstjanster\Anti-Virus\fsav32.exe

C:\Program\Telia\Telias Sakerhetstjanster\FWES\Program\fsdfwd.exe

C:\WINDOWS\System32\alg.exe

C:\Program\Telia\Telias Sakerhetstjanster\FSGUI\fsguiexe.exe

C:\Program\Internet Explorer\iexplore.exe

C:\hijack\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [smapp] C:\Program\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program\CA\eTrust PestPatrol\PPActiveDetection.exe"

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program\Symantec\Norton Ghost\Agent\GhostTray.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [tcactive] C:\Program\The Cleaner\tca.exe

O4 - HKLM\..\Run: [tcmonitor] C:\Program\The Cleaner\tcm.exe

O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program\Labtec\Mouse\2.1\moffice.exe

O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program\Labtec\Media Keyboard\V5.0\KbdAp32A.exe

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\Telia\Telias Sakerhetstjanster\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\Telia\Telias Sakerhetstjanster\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\Telia\Telias Sakerhetstjanster\FSGUI\FSSW.EXE" /reboot

O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe

O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

O4 - HKLM\..\Run: [E-KOLLEN] C:\Program\Martins program\E-KOLLEN\E-kollen.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TClockEx] C:\Program\TClockEx\TCLOCKEX.EXE

O4 - HKCU\..\Run: [Eraser] C:\Program\Eraser\eraser.exe -hide

O4 - HKCU\..\Run: [Gadwin PrintScreen 3.0] C:\Program\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /Q

O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: Rainlendar.lnk = C:\Program\Rainlendar\Rainlendar.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE

O4 - Global Startup: D-Link AirPlus.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PlexTools Professional.lnk = C:\Program\Plextor\PlexTool.exe

O4 - Global Startup: Service Manager.lnk = C:\Program\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~3\tools\iesdpb.dll

O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program\MultiPoker\MultiPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program\MultiPoker\MultiPoker.exe (file missing)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130785558390

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

O16 - DPF: {78D80081-F388-11D3-9161-00105A07EA40} (LEAD MCMP/MJPEG Decoder) - http://www.leadtools.com/cabs/LCODCCMPE.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Telias säkerhetstjänster (BackWeb Plug-in - 7836882) - Unknown owner - C:\Program\Telia\TELIAS~1\backweb\7836882\Program\SERVIC~1.EXE

O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\Telia\Telias Sakerhetstjanster\Anti-Virus\fsgk32st.exe

O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\Telia\Telias Sakerhetstjanster\backweb\7836882\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\Telia\Telias Sakerhetstjanster\FWES\Program\fsdfwd.exe

O23 - Service: FSMA - F-Secure Corporation - C:\Program\Telia\Telias Sakerhetstjanster\Common\FSMA32.EXE

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program\Spyware Doctor\sdhelp.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

 

[/log]

 

[Zipp.]

 

> har fått ngt spyware <

 

Loggen är ok är det nån program som hittar spyware eller?

 

[Brynäsarn]

 

Gör en virusskanning online http://www.pandasoftware.com/activescan

 

[roger_malmö]

Kör en scanning med Panda som säger att jag har 2 spyware och en sorts hackingtools, dessutom så regerade virusprogrammet men kunde inte ta bort , tyckte att det låg ngt i systemfilerna

 

[Zipp.]

 

Skicka hit Panda report så tar vi en titt på den.

 

[roger_malmö]

ok tar en stund till scannen är inte färdig

 

[roger_malmö]

Här är Panda rapporten

Incident Status Location

 

Adware:adware/powerstrip Not disinfected Windows Registry

Spyware:Cookie/Aftonbladet Not disinfected C:\Documents and Settings\Admin\Cookies\admin@aftonbladet[1].txt

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Admin\Skrivbord\Säkerhet\smitRem\Process.exe

 

 

[Zipp.]

 

Adware:adware/powerstrip

 

Detta är igen hot för att det finns ingen fil med... men vill du ta bort den så gå in i registret sök och ta bort men om du har programmet Powerstrip på datan så blanda dom inte.

 

Dom andra 2 är inget att bry sig om en Cookie och smitrem och smitrem kan du ta bort om du vill.

 

[roger_malmö]

ok . som vanligt ett stort tack