
W32/SecRisk-ProcessPatcher-based!Maximus


NLI


Hi

 

My antivirus program, F-Prot Antivirus, warns that I have picked up a spy resembling W32/SecRisk-ProcessPatcher-based!Maximus. Unfortunately the antivirus program itself cannot fix the problem. I have not managed to get rid of the "junk" myself, despite runs with half a dozen different antispyware programs.

 

I am attaching a HijackThis log and ask if someone could take a look at it.

 

[log]

Logfile of HijackThis v1.99.1

Scan saved at 23:39:40, on 2006-09-14

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\drivers\CDAC11BA.EXE

C:\WINNT\System32\CTsvcCDA.exe

C:\WINNT\System32\svchost.exe

C:\Program\FSI\F-Prot\fpavupdm.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\devldr32.exe

C:\WINNT\system32\ZONELABS\minilog.exe

C:\Program\Creative\SBLive\AudioHQ\AHQTB.EXE

C:\Program\Real\RealPlayer\RealPlay.exe

C:\tora\geo\faxmaker\FMSTART.EXE

C:\WINNT\kdx\KHost.exe

C:\Program\FSI\F-Prot\F-Sched.exe

C:\Program\FSI\F-Prot\F-StopW.EXE

C:\Program\iTunes\iTunesHelper.exe

C:\Program\QuickTime\qttask.exe

C:\program\yahoo!\YCentral\YahooCentral.exe

C:\WINNT\system32\iid.exe

C:\WINNT\system32\internat.exe

C:\Program\Zinio\ZDLM.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe

C:\WINNT\System32\SCardSvr.exe

C:\Program\Novell\iFolder\trayapp.exe

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program\Personal\bin\Personal.exe

C:\Program\Palm\HOTSYNC.EXE

C:\Program\Yahoo!\WidgetEngine\YahooWidgetEngine.exe

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINNT\System32\HPZipm12.exe

C:\Program\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program\Outlook Express\msimn.exe

C:\Program\Internet Explorer\IEXPLORE.EXE

C:\WINNT\system32\NOTEPAD.EXE

C:\Program\Hijackthis\Rensa.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cf.se/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cf.se/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE_Window_Title

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy1.telia.com:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://login1.telia.com;http://10.0.0.6;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

R3 - Default URLSearchHook is missing

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [speed racer] C:\Program\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [updReg] C:\WINNT\Updreg.exe

O4 - HKLM\..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [FMStart] C:\tora\geo\faxmaker\FMSTART.EXE

O4 - HKLM\..\Run: [Protection] C:\WINNT\runtask.exe C:\WINNT\protection.exe

O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Prein] C:\Program\DelFin\PromulGate\patchme.exe

O4 - HKLM\..\Run: [WinPLOSION] "C:\Program\WinPLOSION\WinPlosion.exe"

O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program\FSI\F-Prot\F-Sched.exe STARTUP

O4 - HKLM\..\Run: [F-StopW] C:\Program\FSI\F-Prot\F-StopW.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [YCentral] c:\program\yahoo!\YCentral\YahooCentral.exe

O4 - HKLM\..\Run: [Net iD] C:\WINNT\system32\iid.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [Zinio DLM] C:\Program\Zinio\ZDLM.exe /hide

O4 - HKCU\..\Run: [KillAndClean] "C:\Program\KillAndClean\KillAndClean.exe"

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - Startup: HotSync Manager.lnk = C:\Program\Palm\HOTSYNC.EXE

O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program\Yahoo!\WidgetEngine\YahooWidgetEngine.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Novell iFolder.lnk = C:\Program\Novell\iFolder\trayapp.exe

O4 - Global Startup: hpoddt01.exe.lnk = C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/dell/site/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00614BD00001} (Sydbanks NetBank) - https://netbank.sydbank.dk/ssydbankibp1400ib100.cab

O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00614BD01001} (Sydbanks NetBank) - https://netbank.sydbank.dk/ssydbankibp1401ib100.cab

O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00615BD00001} (Sydbanks NetBank) - https://netbank.sydbank.dk/ssydbankibp1500ib100.cab

O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00619BD00001} (Sydbanks NetBank) - https://netbank.sydbank.dk/ssydbankibp1900ib100.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020909/qtinstall.info.apple.com/sikes/se/win/QuickTimeInstaller.exe

O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodate/bin/1,0,0,7/McUpdatePortal.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123584592343

O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://eleg.trust.telia.com/vspta3.cab

O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab

O16 - DPF: {DBC47AF6-7180-11D3-A326-000000000000} (Wit ActiveX Control) - http://62.50.36.130/Download/AXWit.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://eaglepoint.webex.com/client/latest/webex_674/ieatgpc.cab

O16 - DPF: {E2A96175-32D0-4651-B228-B474C2408346} (DacomDownload Control) - http://program.webhard.co.kr/Plus/active_download/DacomDownload.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/kontiki/kontiki/current/kdx.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{77B9FB95-069B-46D3-9E88-93E705A140D7}: NameServer = 81.216.65.11,81.216.65.12

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.105

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.105

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.105

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program\FSI\F-Prot\fpavupdm.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

 

[/log]

 

 

/NLI

 


KillAndClean is an unsuitable program: http://spywarewarrior.com/rogue_anti-spyware.htm

Uninstall it from Control Panel - Add or Remove Programs

 

Install a Java with fewer security holes from here: http://www.java.com/sv/

 

Control Panel - Add or Remove Programs

If any of the following are there, remove them.

WareOut

UnSpyPC

SpyBlocs

or similar names

 

Download FixWareout from one of these locations and save it, for example, on the Desktop:

http://downloads.subratam.org/Fixwareout.exe

http://swandog46.geekstogo.com/Fixwareout.exe

 

Save the file on the Desktop.

 

Close all programs, since the computer will be restarted shortly.

 

Double-click the file you just downloaded to start the FixWareout program.

[log]Then press Next, Install, check that Run fixit is ticked and press Finish.

The fix starts running; follow all instructions. When you are asked to restart the computer, do so. It is normal for the restart to take longer than usual.

Eventually HijackThis will start by itself. Choose Scan and tick these lines (if they are still there):

 

Scan with HijackThis and tick:

 

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Protection] C:\WINNT\runtask.exe C:\WINNT\protection.exe

O4 - HKLM\..\Run: [Prein] C:\Program\DelFin\PromulGate\patchme.exe

O4 - HKCU\..\Run: [KillAndClean] "C:\Program\KillAndClean\KillAndClean.exe"

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://eaglepoint.webex.com/client/latest/webex_674/ieatgpc.cab

O16 - DPF: {E2A96175-32D0-4651-B228-B474C2408346} (DacomDownload Control) - http://program.webhard.co.kr/Plus/active_download/DacomDownload.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/kontiki/kontiki/current/kdx.cab

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.105

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.105

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.105

 

Press Fix checked.

Exit HijackThis and press OK to continue.

You may need to restart the computer again.

 

Paste the log file C:\fixwareout\report.txt and a new HijackThis log in your reply, and describe how it went and how the computer is behaving.[/log]

 

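As an added defender-side example, not from the thread, from HijackThis or from FixWareout: a small Python check that parses the O17 NameServer lines of a HijackThis log and flags every resolver that is not on an allow-list, which is the pattern behind the three O17 lines the reply above asks to fix. The sample lines are copied from the log posted above; the allow-list assumes that the 81.216.65.x pair on the interface key is the ISP's legitimate set of resolvers.

```python
import ipaddress
import re

# O17 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B9FB95-069B-46D3-9E88-93E705A140D7}: NameServer = 81.216.65.11,81.216.65.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.105
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.105
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.105
"""

# Assumption: the pair on the interface key is the ISP-assigned, legitimate
# set of resolvers; anything else configured under an O17 key is flagged.
TRUSTED_RESOLVERS = {"81.216.65.11", "81.216.65.12"}

# Shape: "O17 - <registry key>: NameServer = <ip>[,<ip> | <ip> ...]"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Yield (registry_key, [resolver, ...]) per O17 line. HijackThis prints
    resolvers separated by ',' or ' ' (both appear above), so accept both."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            yield m.group("key"), servers


def rogue_nameservers(log_text, trusted=TRUSTED_RESOLVERS):
    """Return {registry_key: [untrusted resolvers]} for O17 keys that point
    outside the trusted set. A token that is not a valid IP is reported too."""
    findings = {}
    for key, servers in parse_o17(log_text):
        bad = []
        for s in servers:
            try:
                addr = str(ipaddress.ip_address(s))
            except ValueError:
                addr = s  # keep the raw token so it shows up in the report
            if addr not in trusted:
                bad.append(addr)
        if bad:
            findings[key] = bad
    return findings


if __name__ == "__main__":
    for key, ips in rogue_nameservers(SAMPLE_LOG).items():
        print(f"{key}: untrusted resolver(s) {', '.join(ips)}")
```

Run against the sample, it reports the three Tcpip\Parameters keys (CS1, CS2 and CCS) and leaves the interface key alone.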
