
Spy sheriff etc.


sjoare


Hi!

Like many others, I have got this virus that multiplies and changes its name.

I also have a round red icon with a cross in it that tells me I am infected. I have tried things from the answers in other threads, but it does not get any better.

I would be very grateful if someone could help me.

Best regards, Lena

[log]Logfile of HijackThis v1.99.1

Scan saved at 12:25:06, on 2006-04-14

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\system32\netbtd.exe

C:\Norman\Npf\BIN\NPFSVICE.EXE

C:\Norman\Bin\Zanda.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\Smartscaps.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Norman\bin\ZLH.EXE

C:\Program\QuickTime\qttask.exe

C:\Norman\Nvc\BIN\NIP.EXE

C:\Norman\Npf\BIN\npfmsg2.exe

c:\tool2.exe

C:\Norman\bin\NJEEVES.EXE

C:\Norman\Nvc\BIN\nipsvc.exe

C:\Norman\Nvc\bin\nvcoas.exe

C:\Norman\Nvc\bin\cclaw.exe

C:\Program\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Lena J\Skrivbord\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.leta.se/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: Shell=explorer.exe "C:\Program\Delade filer\Microsoft Shared\Web Folders\ibm00003.exe"

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program\Acesoft\Tracks Eraser Pro\te.exe min

O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE

O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE

O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe

O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe (file missing)

[/log]

Good morning!

I tried to run it, but nothing happens when I click smitfraudfix.cmd.

Regards, Lena

A box comes up saying that a file is missing and that I should press any key; when I do, nothing happens after that.

Delete the SmitfraudFix.zip and the SmitfraudFix folder you have and download it again.

If your antivirus warns about or wants to remove Process.exe, do not remove it.

Then try running it again.

Here is the result.

 

SmitFraudFix v2.29

 

Scan done at 11:21:54,34, 2006-04-15

Run from C:\Documents and Settings\Lena J\Skrivbord\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600]

 

»»»»»»»»»»»»»»»»»»»»»»»» C:

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

C:\WINDOWS\system32\amcompat.tlb FOUND !

C:\WINDOWS\system32\bin29a.log FOUND !

C:\WINDOWS\system32\nscompat.tlb FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Lena J\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»»

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Min aktuella startsida"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

 

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]

@="%SystemRoot%\System32\browseui.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]

@="%SystemRoot%\System32\browseui.dll"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]

@="%SystemRoot%\System32\browseui.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]

@="%SystemRoot%\System32\browseui.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

Download Ewido

http://www.ewido.net/en/download/

install and update it

Then start the computer in safe mode.

With hidden files shown, delete if found

C:\Program\Delade filer\Microsoft Shared\Web Folders\ibm00003.exe

Then scan and clean with Ewido and save the log.

After that, open the SmitfraudFix folder and double-click smitfraudfix.cmd

Choose the option Clean = press 2 and Enter

Then wait until it has finished working.

To the question "Registry cleaning - Do you want to clean the registry ?"

answer Yes by pressing Y and Enter

If wininet.dll is infected you will get the question "Replace infected file ?"

answer Yes by pressing Y and Enter.

If the computer does not restart automatically, start it in normal mode.

Then post a new HijackThis log, C:\rapport.txt and the Ewido log

OK, I will do it tonight, but now I unfortunately have to go to work.

Thank you so much for now, and have a really good day.

Regards, Lena

[log]Logfile of HijackThis v1.99.1

Scan saved at 09:51:32, on 2006-04-16

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Lena J\Skrivbord\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: Shell=explorer.exe "C:\Program\Delade filer\Microsoft Shared\Web Folders\ibm00005.exe"

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program\Acesoft\Tracks Eraser Pro\te.exe min

O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido anti-malware\ewidoguard.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing)

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE

O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE

O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe

O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe (file missing)

[/log]

 

 

You forgot C:\rapport.txt and the Ewido log

[log]Create a new folder on C:\ and put HijackThis.exe in it, so that you have C:\HjT\HijackThis.exe

Scan with HijackThis, tick the following lines, close the web browser and all other open windows, and click Fix checked

F2 - REG:system.ini: Shell=explorer.exe "C:\Program\Delade filer\Microsoft Shared\Web Folders\ibm00005.exe"

O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe

O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

Then start the computer in safe mode and delete, if found

C:\Program\Delade filer\Microsoft Shared\Web Folders\ibm00005.exe

C:\WINDOWS\system32\winbrume.dll

Then type services.msc in the Run box and click OK

Look for the service named

NetBTD(ntbtd) (NetBTD)

double-click it, change Startup type to Disabled, then Apply and OK.

Do the same with this service = SymWMI Service (SymWSC)

Then start normally and post a new log.[/log]
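An added example, not part of the original thread and not the helper's own method: a small Python triage pass over HijackThis entry lines that flags three of the patterns visible in the fix list above (a Winlogon Shell value that launches more than explorer.exe, a BHO registered as "(no name)", and autostart entries marked "(file missing)"). The function names and the three heuristics are assumptions made for illustration; the sample lines are copied from the 2006-04-16 log in this thread.

```python
import re

# Lines copied from the 2006-04-16 HijackThis log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program\Delade filer\Microsoft Shared\Web Folders\ibm00005.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# An entry line is "<section code> - <body>", e.g. "O23 - Service: ...".
# Lines from the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
F2_RE = re.compile(
    r"^REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$", re.IGNORECASE
)


def parse_entries(text):
    """Return (code, body) for every HijackThis entry line in the text."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def review(code, body):
    """Return the reasons (possibly none) why an entry deserves a closer look.

    These heuristics are illustrative assumptions, not a complete rule set.
    """
    reasons = []
    if code == "F2":
        match = F2_RE.match(body)
        if match:
            key = match.group("key").lower()
            value = match.group("value").strip()
            # The default Winlogon shell is explorer.exe with nothing after it.
            if key == "shell" and value.lower() != "explorer.exe":
                reasons.append("Winlogon Shell launches more than explorer.exe")
            # Userinit may be a comma-separated list; every part should be
            # userinit.exe in system32.
            if key == "userinit":
                parts = [p.strip() for p in value.split(",") if p.strip()]
                if any(not p.lower().endswith(r"\system32\userinit.exe") for p in parts):
                    reasons.append("Userinit runs an extra program at logon")
    if code == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    if body.rstrip().endswith("(file missing)"):
        reasons.append("autostart entry points at a file that no longer exists")
    return reasons


def triage(text):
    """Return (code, body, reasons) for every entry that triggered a heuristic."""
    flagged = []
    for code, body in parse_entries(text):
        reasons = review(code, body)
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}")
        for reason in reasons:
            print(f"    -> {reason}")
```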

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

 

+ Created on: 09:45:41, 2006-04-16

+ Report-Checksum: 9B0F186

 

+ Scan result:

 

:mozilla.7:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup

:mozilla.9:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned without backup

:mozilla.10:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup

:mozilla.17:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup

:mozilla.24:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned without backup

:mozilla.25:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup

:mozilla.26:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup

:mozilla.29:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup

:mozilla.30:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup

:mozilla.31:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup

:mozilla.32:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup

:mozilla.33:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup

:mozilla.34:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup

:mozilla.35:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup

:mozilla.36:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup

:mozilla.37:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup

:mozilla.38:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup

:mozilla.39:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup

:mozilla.40:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup

:mozilla.41:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup

:mozilla.47:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup

:mozilla.48:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup

:mozilla.49:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup

:mozilla.57:C:\Documents and Settings\Administratör\Application Data\Mozilla\Profiles\default\c3bs0ycu.slt\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup

:mozilla.12:C:\Documents and Settings\Administratör\Application Data\Mozilla\Firefox\Profiles\d62mqju8.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup

:mozilla.14:C:\Documents and Settings\Administratör\Application Data\Mozilla\Firefox\Profiles\d62mqju8.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup

:mozilla.15:C:\Documents and Settings\Administratör\Application Data\Mozilla\Firefox\Profiles\d62mqju8.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup

C:\Documents and Settings\LocalService.NT INSTANS\Lokala inställningar\Temporary Internet Files\Content.IE5\KV39WPXQ\rfqtp[1].txt -> Hijacker.Small.kr : Cleaned with backup

C:\Documents and Settings\LocalService.NT INSTANS\Lokala inställningar\Temporary Internet Files\Content.IE5\RHCJ6CDM\nojyzscyvf[1].txt -> Downloader.Tiny.bz : Cleaned with backup

C:\Documents and Settings\LocalService.NT INSTANS\Lokala inställningar\Temporary Internet Files\Content.IE5\W52NOPQ3\owatqjgqw[1].txt -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup

C:\Documents and Settings\Lena J\Lokala inställningar\Temporary Internet Files\Content.IE5\0L6ZSTQR\update[1].exe -> Adware.BHO : Cleaned with backup

C:\Documents and Settings\Lena J\Lokala inställningar\Temporary Internet Files\Content.IE5\BYOFJDO5\update[1].exe -> Adware.BHO : Cleaned with backup

C:\Documents and Settings\Lena J\Cookies\lena j@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup

C:\Program\Internet Explorer\update.exe -> Adware.BHO : Cleaned with backup

:mozilla.6:C:\Dator\portable_firefox_1.5_en-us\PortableFirefox\profile\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup

:mozilla.7:C:\Dator\portable_firefox_1.5_en-us\PortableFirefox\profile\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup

:mozilla.24:C:\Dator\portable_firefox_1.5_en-us\PortableFirefox\profile\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup

 

 

::Report End

 

I have now done as you wrote.

 

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 14:48:41, on 2006-04-16

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\ewido anti-malware\ewidoctrl.exe

C:\Program\ewido anti-malware\ewidoguard.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Norman\Npf\BIN\NPFSVICE.EXE

C:\Norman\Bin\Zanda.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\Smartscaps.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Norman\bin\ZLH.EXE

C:\Program\QuickTime\qttask.exe

C:\Norman\Nvc\BIN\nipsvc.exe

C:\Norman\Nvc\bin\nvcoas.exe

C:\Norman\bin\NJEEVES.EXE

C:\Norman\Nvc\BIN\NIP.EXE

C:\Norman\Nvc\bin\cclaw.exe

C:\Norman\Npf\BIN\npfmsg2.exe

C:\Documents and Settings\Lena J\Skrivbord\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.leta.se/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program\Acesoft\Tracks Eraser Pro\te.exe min

O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido anti-malware\ewidoguard.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE

O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE

O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe

[/log]

 

 

The log is OK. Is the problem gone?

Download + install updates (Windows Update)

Change all passwords that are used on the computer.

Archived

This topic is now archived and is closed to further replies.
