Just nu i M3-nätverket
Jump to content

VPN takeover


Stbose

Recommended Posts

Jag har fått in nått skit som skriver över mina VPN uppkopplingar med ett telefonnummer. Nån som vet vad det är och hur man får bort det?

Jag kör Fsecure men hittar inga virus.

/Stbose

 

Link to comment
Share on other sites

[log]Logfile of HijackThis v1.99.1

Scan saved at 12:05:38, on 2006-11-25

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program\Delade filer\Virtual Token\vtserver.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

C:\WINDOWS\system32\crypserv.exe

C:\Program\F-Secure\Anti-Virus\fsgk32st.exe

C:\Program\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe

C:\Program\F-Secure\Anti-Virus\FSGK32.EXE

C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe

C:\Program\F-Secure\Common\FSMA32.EXE

C:\Program\F-Secure\Anti-Virus\fssm32.exe

C:\Program\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\system32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\WINDOWS\system32\TpShocks.exe

C:\Program\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

c:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\IBMTOOLS\UTILS\ibmprc.exe

C:\Program\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program\F-Secure\Common\FSM32.EXE

C:\Program\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program\Microsoft IntelliType Pro\type32.exe

C:\Program\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program\F-Secure\FSGUI\fsguiexe.exe

C:\EGNAPR~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE

C:\Program\F-Secure\Common\FSMB32.EXE

C:\Program\F-Secure\Common\FCH32.EXE

C:\Program\F-Secure\Common\FAMEH32.EXE

C:\Program\F-Secure\Common\FNRB32.EXE

C:\Program\F-Secure\Common\FIH32.EXE

C:\Program\F-Secure\FWES\Program\fsdfwd.exe

C:\Program\F-Secure\Anti-Virus\fsav32.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Egna Program\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Egna Program\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\EGNAPR~1\COPERN~1\COPERN~1.DLL

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll

O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Egna Program\Copernic Agent\CopernicAgentExt.dll

O3 - Toolbar: Nordnet Toolbar 2 - {A601B013-3DDB-4902-948A-9879E1F6A1A7} - C:\WINDOWS\Downloaded Program Files\toolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program\ThinkPad\Program\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [ControlCenter] "C:\Program\IBM fingerprint software\ctlcntr.exe" /startup

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\Program\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [uC_Start] C:\Program\IBM\Updater\\ucstartup.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program\IBM\Messages By IBM\\ibmmessages.exe

O4 - HKLM\..\Run: [sSC_UserPrompt] c:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [iBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe

O4 - HKLM\..\Run: [QCWLICON] C:\Program\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [bMMLREF] C:\Program\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [bMMMONWND] rundll32.exe C:\Program\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Egna Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r

O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [type32] "C:\Program\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program\Microsoft IntelliPoint\point32.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Genväg till E-post.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Certificate Mover.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Phone Connection Monitor.lnk = C:\Egna Program\Sony Ericsson\Mobile\audevicemgr.exe

O4 - Global Startup: QuoteToolServer.lnk = C:\Program\Configit Software Quote Tool\bin\QuoteToolServer.exe

O4 - Global Startup: Service Manager.lnk = C:\Program\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Nordnet Toolbar sök - res://C:\WINDOWS\Downloaded Program Files\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Translate English Word - res://C:\Program\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Egna Program\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT

O8 - Extra context menu item: Similar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\EGNAPR~1\COPERN~1\COPERN~1.EXE

O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\EGNAPR~1\COPERN~1\COPERN~1.EXE

O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\EGNAPR~1\COPERN~1\COPERN~1.EXE

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O11 - Options group: [JAVA_IBM] Java (IBM)

O12 - Plugin for .mpeg: C:\Program\Internet Explorer\PLUGINS\npqtplugin2.dll

O15 - Trusted Zone: http://www.paypal.co.uk

O15 - Trusted Zone: http://www.paypal.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {3195CF7C-E9E2-49B2-8B61-14F285298E1C} (Access Client web loader) - https://sigssl.skane.se/wa/AccessClientLoader.cab

O16 - DPF: {33331111-1111-1111-1111-611111193423} -

O16 - DPF: {33331111-1111-1111-1111-615111193427} -

O16 - DPF: {6E1BAAF6-ECB9-4505-86C1-5D04467B02CC} (QlikView Document) - http://trubadix/QvPlugin/QvPluginSetup.exe

O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://213.115.151.90/net6helper.cab

O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - https://www.nordnet.se/NNSE/sv/toolbar/toolbar.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://imageupload.forss.net/activex/ImageUploader3.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = infocube.se

O17 - HKLM\Software\..\Telephony: DomainName = infocube.se

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = infocube.se

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = infocube.se

O18 - Protocol: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program\QlikView\QvProtocol\qvp.dll

O20 - Winlogon Notify: psfus - C:\Program\IBM fingerprint software\psfus.dll

O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program\F-Secure\BackWeb\7681197\Program\fsbwlan.exe

O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program\F-Secure\Common\FNRB32.EXE

O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure\Common\FSMA32.EXE

O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Egna Program\ipod\bin\iPodService.exe

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)

O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program\Delade filer\Virtual Token\vtserver.exe

 

[/log]

 

Link to comment
Share on other sites

Det är en gammal Java-version med säkerhetshål i datorn. Avinstallera alla Java i Kontrollpanelen - Lägg till eller ta bort program och installera därefter en ny: http://www.java.com/sv/

 

Starta om datorn i felsäkert läge (tryck F8 upprepade gånger under uppstarten och välj felsäkert läge i menyn).

 

Skanna med HijackThis och bocka för:

 

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {33331111-1111-1111-1111-611111193423} -

O16 - DPF: {33331111-1111-1111-1111-615111193427} -

 

Om du inte vet vad följande är så bockar du för dem också:

O16 - DPF: {6E1BAAF6-ECB9-4505-86C1-5D04467B02CC} (QlikView Document) - http://trubadix/QvPlugin/QvPluginSetup.exe

O18 - Protocol: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program\QlikView\QvProtocol\qvp.dll

 

Avsluta alla andra program.

Tryck Fix checked.

 

Starta om i normalt läge och så en ny HijackThis-logg.

Hur uppför sig datorn nu?

 

Link to comment
Share on other sites

Hej. Jag installerade om Java. Jag kom inte åt felsäkert läge men körde Hijack ändå och tog bort det du rekommenderade. Det verkar funka!

Många tack! Jag återkommer om det visar sig att det återkommer senare.

 

Link to comment
Share on other sites

Här kommer mina vanliga råd för en säkrare dator, men det är så klart viktigt att man använder sitt förnuft också.

 

SpywareBlaster hade antagligen skyddat dig mot detta.

 

Uppdatera från Windows Update och kör antispionprogrammen AVG Anti-Spyware (Ewido), SUPERAntiSpyware, Spybot S&D och/eller Ad-aware regelbundet.

http://www.ewido.net/en/

http://www.superantispyware.com/

http://www.safer-networking.org/en/download/index.html

http://www.lavasoft.com

 

Komplettera antivirusprogrammet med några online-skanningar då och då:

http://housecall.trendmicro.com/

http://www.bitdefender.com/scan8/ie.html

http://www.pandasoftware.com/products/activescan/

 

Använd en brandvägg (bättre än den inbyggda i XP), finns gratis från t ex ZoneLabs.

http://www.zonelabs.com/store/content/home.jsp

 

Om man använder Internet Explorer så kan det vara lämpligt att ha programmen SpywareBlaster och SpywareGuard, vilka hindrar en hel del otrevliga program från att laddas ner resp. köras:

http://www.javacoolsoftware.com

 

Se över säkerhetsinställningarna i Internet Explorer, det finns en hel del tips här:

http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm

 

Samt kör IE-SpyAd som lägger en hel massa otrevliga webbplatser i zonen Ej tillförlitliga i Internet Explorer så att de inte kan göra något med datorn:

http://www.spywarewarrior.com/uiuc/resource.htm

 

Om man byter webbläsare så är det bara SpywareGuard som behövs. Andra webbläsare är t ex Mozilla Firefox och Opera:

http://www.mozilla.org

http://www.opera.com

 

Allt gratis för hemanvändare/personligt bruk.

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.



×
×
  • Create New...