
MSN virus, toolbar888, etc.


Jiggen


Hi there

Yesterday I was clever enough to pick up a nice little virus called "Toolbar888"; I assume many others have caught it too. I have now removed MSN and the toolbar, and scanned with a whole bunch of different spyware/virus programs. But it kept causing trouble on the computer, so I looked at earlier posts and saw a program called "SUPERAntispyware", so I have now started the computer in safe mode and scanned with that program. It found some trojans and other things. But what is the next step?

I would be very glad to get some help.

 

 

 


Start SUPERAntispyware, click Preferences, select the Statistics/Logs tab

Double-click the oldest SUPERAntiSpyware Scan Log so that the log opens in Notepad.

Attach the log in your reply.

Then HijackThis:

http://www.thespykiller.co.uk/files/HJTsetup.exe

Install, run, scan and save the log (nothing else).

Attach the log in your reply.

In your reply, attach a log like this:

Press the LOG button in the Reply window

Paste the log

Press the LOG button again

 


Here is the log from SuperAntispyware.

 

[log]

SUPERAntiSpyware Scan Log

Generated 12/04/2006 at 01:12 PM

 

Application Version : 3.3.1020

 

Core Rules Database Version : 3141

Trace Rules Database Version: 1157

 

Scan type : Complete Scan

Total Scan Time : 00:47:31

 

Memory items scanned : 240

Memory threats detected : 0

Registry items scanned : 3764

Registry threats detected : 20

File items scanned : 25080

File threats detected : 28

 

Trojan.Update-Mcboo

[{88BA5DBE-0BB0-1053-1201-03040506002e}] C:\PROGRAM\DELADE FILER\{88BA5DBE-0BB0-1053-1201-03040506002E}\UPDATE.EXE

C:\PROGRAM\DELADE FILER\{88BA5DBE-0BB0-1053-1201-03040506002E}\UPDATE.EXE

C:\WINDOWS\Prefetch\UPDATE.EXE-16CF7150.pf

 

Trojan.VGraph/Win

HKLM\Software\Classes\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}#AppID

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}\Control

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}\InprocServer32

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}\InprocServer32#ThreadingModel

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}\MiscStatus

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}\MiscStatus\1

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}\ProgID

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}\ToolboxBitmap32

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}\TypeLib

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}\Version

HKCR\CLSID\{12355F3E-90C3-41AA-8705-15969AF7F210}\VersionIndependentProgID

C:\WINDOWS\VGRAPH.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12355F3E-90C3-41AA-8705-15969AF7F210}

 

Adware.Tracking Cookie

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@cgi-bin[2].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@as1.falkag[1].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@cgi-bin[1].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@mediaplex[1].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@tradedoubler[1].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@statcounter[1].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@ad.adtoma[2].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@msnportal.112.2o7[2].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@se.winantivirus[1].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@www.winantivirus[1].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@advertising[1].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@revenue[1].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@adtech[1].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@doubleclick[1].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@atdmt[2].txt

C:\Documents and Settings\Johan Jansson\Cookies\johan jansson@ad.yieldmanager[2].txt

 

Adware.IPWins

HKU\S-1-5-21-1177238915-2147189981-725345543-1004\Software\IpWins

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IpWins

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IpWins#DisplayName

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IpWins#UninstallString

 

Unclassified.Unknown Origin/System

C:\DOCUMENTS AND SETTINGS\JOHAN JANSSON\LOKALA INSTäLLNINGAR\TEMP\B122.EXE

 

Trojan.Freeprod

C:\DOCUMENTS AND SETTINGS\JOHAN JANSSON\LOKALA INSTäLLNINGAR\TEMPORARY INTERNET FILES\CONTENT.IE5\4HQZ89MV\INSTALL[1].EXE

C:\DOCUMENTS AND SETTINGS\JOHAN JANSSON\MCC.EXE

C:\WINDOWS\SYSTEM32\MCC.EXE

C:\WINDOWS\Prefetch\MCC.EXE-1AEB8951.pf

C:\WINDOWS\Prefetch\MCC.EXE-3A918225.pf

 

Trojan.Hacktool

C:\PROGRAM\DELADE FILER\{88BA5DBE-0BB0-1053-1201-03040506002E}\SYSTEM.DLL

 

Adware.ClickSpring/Yazzle

C:\WINDOWS\PREFETCH\YAZZLE1122OINADMIN.EXE-06E7DA0E.PF

C:\WINDOWS\PREFETCH\YAZZLEBUNDLE-1122.EXE-3094B456.PF

[/log]

 

Here is the one from HijackThis:

 

[log]

Logfile of HijackThis v1.99.1

Scan saved at 13:44:10, on 2006-12-04

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program\Grisoft\AVGFRE~1\avgemc.exe

C:\Program\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\Winamp\winampa.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\ATI Technologies\ATI.ACE\CLI.EXE

C:\Documents and Settings\Johan Jansson\Mina dokument\F?nts\?ti2evxx.exe

C:\Program\Spyware Doctor\swdoctor.exe

C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\notepad.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

R3 - URLSearchHook: (no name) - {CFB7A17B-46CD-461E-BF2C-4D76663556CB} - C:\WINDOWS\system32\eofn.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: (no name) - {CFB7A17B-46CD-461E-BF2C-4D76663556CB} - C:\WINDOWS\system32\eofn.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe

O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Johan Jansson\Skrivbord\winstall.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [Cfuirdiu] "C:\Documents and Settings\Johan Jansson\Mina dokument\F?nts\?ti2evxx.exe"

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /Q

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)

O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL (file missing)

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL (file missing)

O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program\Spyware Doctor\sdhelp.exe

 

 

[/log]

[post edited 2006-12-04 13:44:53 by Jiggen]


Sometimes with these nasties the MSN program itself is infected, so it is best to uninstall it and then install it again once the computer is clean.

Among other things, the spyware PurityScan is in the log. We will start by dealing with it.

Download http://www.mvps.org/winhelp2002/hosts.zip to the Desktop.

Unpack the file. A new folder, Hosts, is created on the Desktop.

Double-click the folder to open it.

Double-click the file mvps.bat to start the program.

This program will replace the computer's Hosts file so that the PurityScan nasty is prevented from contacting its creator. It will also prevent you from visiting sites that are notorious for installing nasties on the computer. You can read more about it here:

http://www.mvps.org/winhelp2002/hosts.htm

Control Panel - Add or Remove Programs

If any of the following is in the list, remove it:

Oin

Yazzle by Oin

Purityscan by Oin

Snowballwars by Oin

or anything similar with Oin or Outerinfo in it.

Zolero

Tizzletalk

MediaTickets

Cowabanga

Download and run the uninstaller

http://www.outerinfo.com/OiUninstaller.exe

If you need instructions, they are here: http://www.outerinfo.com/howto.html

Restart the computer

Download ComboFix:

http://download.bleepingcomputer.com/sUBs/combofix.exe

Run it and follow the instructions shown.

IMPORTANT! Do not click on the ComboFix window with the mouse while it is running, otherwise it may hang.

When it has finished, a log should come up; paste it here, together with a new HijackThis log.

 


Combofix-Log:

 

[log]

Johan Jansson - 06-12-04 14:39:08,96 Service Pack 2

ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Johan Jansson\Skrivbord"

 

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Documents and Settings\Johan Jansson\Lokala inst„llningar\Temp\Utilities\bin\x86\dxcc.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program\Delade filer\{38BA5DBE-0BB0-1053-1201-03040506002e}

C:\Program\Delade filer\{88BA5DBE-0BB0-1053-1201-03040506002e}

 

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

Folders Quarantined:

 

C:\QooBox\Purity\Documents and Settings\Johan Jansson\Mina dokument\FNTS~1

C:\QooBox\Purity\Program\ASKS~1

C:\QooBox\Purity\Program\ASKS~1\?asks

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-11-04 to 2006-12-04 ))))))))))))))))))))))))))))))))))

 

 

2006-12-04 14:28 <KAT> d-------- C:\WINDOWS\SxsCaPendDel

2006-12-04 13:43 <KAT> d-------- C:\Program\Hijackthis

2006-12-04 01:25 <KAT> d-------- C:\Program\SUPERAntiSpyware

2006-12-04 01:25 <KAT> d-------- C:\Documents and Settings\Johan Jansson\Application Data\SUPERAntiSpyware.com

2006-12-04 01:05 <KAT> d-------- C:\WINDOWS\system32\Kaspersky Lab

2006-12-03 23:41 <KAT> dr-h----- C:\$VAULT$.AVG

2006-12-03 23:21 <KAT> d-------- C:\Documents and Settings\Johan Jansson\Application Data\AVG7

2006-12-03 23:20 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys

2006-12-03 23:20 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys

2006-12-03 23:20 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys

2006-12-03 23:20 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys

2006-12-03 23:20 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys

2006-12-03 23:20 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys

2006-12-03 23:20 <KAT> d-------- C:\Program\Grisoft

2006-12-03 23:20 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2006-12-03 23:20 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\avg7

2006-12-03 22:07 684,032 --a------ C:\WINDOWS\system32\libeay32.dll

2006-12-03 22:07 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll

2006-12-03 22:07 15,360 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys

2006-12-03 21:45 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys

2006-12-03 21:45 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys

2006-12-03 21:44 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll

2006-12-03 21:44 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll

2006-12-03 21:44 <KAT> d-------- C:\Program\Spyware Doctor

2006-12-03 21:44 <KAT> d-------- C:\Documents and Settings\Johan Jansson\Application Data\PC Tools

2006-12-03 21:19 77,824 --a------ C:\WINDOWS\system32\gotgo.exe

2006-12-03 21:19 122,880 --a------ C:\WINDOWS\system32\winstall.exe

2006-12-03 20:59 77,824 --a------ C:\Documents and Settings\Johan Jansson\gotgo.exe

2006-12-03 20:59 122,880 --a------ C:\Documents and Settings\Johan Jansson\winstall.exe

2006-12-01 23:01 2,829 --a------ C:\WINDOWS\War3Unin.pif

2006-12-01 23:01 139,264 --a------ C:\WINDOWS\War3Unin.exe

2006-11-29 23:45 <KAT> d-------- C:\Program\Virtools Web Player 3.5

2006-11-23 01:14 <KAT> d-------- C:\Documents and Settings\Johan Jansson\Application Data\Help

2006-11-21 16:24 <KAT> d-------- C:\Documents and Settings\Johan Jansson\WoW-1.12.x-to-2.0.1-enGB-patch

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-12-04 14:39 -------- d-------- C:\Program\Delade filer

2006-12-04 01:24 -------- d-------- C:\Program\Delade filer\Wise Installation Wizard

2006-12-03 23:20 -------- d---s---- C:\Documents and Settings\Johan Jansson\Application Data\Microsoft

2006-11-23 01:14 -------- d-------- C:\Program\WinRAR

2006-11-20 17:27 -------- d--h----- C:\Program\InstallShield Installation Information

2006-11-19 19:29 -------- d-------- C:\Documents and Settings\Johan Jansson\Application Data\Ventrilo

2006-11-18 02:02 -------- d-------- C:\Program\Internet Explorer

2006-11-03 17:55 -------- d-------- C:\Documents and Settings\Johan Jansson\Application Data\InstallShield Installation Information

2006-11-03 17:54 -------- d-------- C:\Program\Delade filer\InstallShield

2006-10-13 13:41 141824 --a------ C:\WINDOWS\system32\nwprovau.dll

2006-09-13 06:07 1084416 --a------ C:\WINDOWS\system32\msxml3.dll

2006-09-11 01:51 62 --ahs---- C:\Documents and Settings\Johan Jansson\Application Data\desktop.ini

2006-09-11 00:00 0 -rahs---- C:\MSDOS.SYS

2006-09-11 00:00 0 -rahs---- C:\IO.SYS

2006-09-11 00:00 0 --a------ C:\CONFIG.SYS

2006-09-11 00:00 0 --a------ C:\AUTOEXEC.BAT

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"MsnMsgr"="\"C:\\Program\\MSN Messenger\\MsnMsgr.Exe\" /background"

"MSMSGS"="\"C:\\Program\\Messenger\\MSMSGS.EXE\" /background"

"Spyware Doctor"="\"C:\\Program\\Spyware Doctor\\swdoctor.exe\" /Q"

"SUPERAntiSpyware"="C:\\Program\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"SoundMan"="SOUNDMAN.EXE"

"ATICCC"="\"C:\\Program\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""

"WinampAgent"="C:\\Program\\Winamp\\winampa.exe"

"AVG7_CC"="C:\\Program\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000001

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Min aktuella startsida"

"Flags"=dword:00000002

"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00, 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff, ff,ff,04,00,00,00

"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00, 00,00,01,00,00,00

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

"Spyware Doctor"="\"C:\\Program\\Spyware Doctor\\swdoctor.exe\" /Q"

"AVG7_Run"="C:\\Program\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

"Spyware Doctor"="\"C:\\Program\\Spyware Doctor\\swdoctor.exe\" /Q"

"AVG7_Run"="C:\\Program\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

Completion time: 06-12-04 14:42:15.84

C:\ComboFix.txt ... 06-12-04 14:42

[/log]

 

HijackThis log:

 

[log]

Logfile of HijackThis v1.99.1

Scan saved at 14:45:29, on 2006-12-04

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program\Grisoft\AVGFRE~1\avgemc.exe

C:\Program\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\Winamp\winampa.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Spyware Doctor\swdoctor.exe

C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~1\tools\iesdpb.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /Q

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)

O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program\Spyware Doctor\sdhelp.exe

 

 

[/log]

 

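Comparing the HijackThis log posted before ComboFix with the one posted after it shows which entries the cleanup removed. A sketch of that comparison, added here as an example and not part of the original thread: the log lines are excerpts from the two logs above, and the function names and section descriptions are this example's own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section text")

# What the section codes used in the excerpts mean in a HijackThis log.
SECTIONS = {
    "R0": "Internet Explorer start/search page",
    "R3": "URL search hook",
    "O2": "Browser Helper Object",
    "O4": "autostart entry (Run key or Startup folder)",
    "O20": "Winlogon Notify / AppInit_DLLs",
}

# An entry line is "<section code> - <details>"; process paths do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Excerpt of the log saved at 13:44:10 (before ComboFix).
BEFORE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - {CFB7A17B-46CD-461E-BF2C-4D76663556CB} - C:\WINDOWS\system32\eofn.dll
O2 - BHO: (no name) - {CFB7A17B-46CD-461E-BF2C-4D76663556CB} - C:\WINDOWS\system32\eofn.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Johan Jansson\Skrivbord\winstall.exe
O4 - HKCU\..\Run: [Cfuirdiu] "C:\Documents and Settings\Johan Jansson\Mina dokument\F?nts\?ti2evxx.exe"
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Excerpt of the log saved at 14:45:29 (after ComboFix).
AFTER = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


def parse_entries(log):
    """Return the registry/autostart entries of a HijackThis log, in order."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def diff_logs(before, after):
    """Split entries into removed, added and unchanged between two logs."""
    b, a = parse_entries(before), parse_entries(after)
    b_set, a_set = set(b), set(a)
    return {
        "removed": [e for e in b if e not in a_set],
        "added": [e for e in a if e not in b_set],
        "unchanged": [e for e in b if e in a_set],
    }


def report(before, after):
    """One line per changed entry, with the section code explained."""
    d = diff_logs(before, after)
    lines = []
    for label in ("removed", "added"):
        for e in d[label]:
            kind = SECTIONS.get(e.section, "other")
            lines.append(f"{label:8} {e.section:4} {kind}: {e.text}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)))
```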

Go to http://www.virustotal.com/, paste one of the following file names into the box, press Send and wait until the result is ready (Status becomes Finished). Paste the result (incl. file size) here. Repeat with the next file name.

C:\WINDOWS\system32\gotgo.exe

C:\WINDOWS\system32\winstall.exe

C:\Documents and Settings\Johan Jansson\gotgo.exe

C:\Documents and Settings\Johan Jansson\winstall.exe

 

 


[log]

AntiVir 7.2.0.46 12.04.2006 Worm/Licat.I.1

Authentium 4.93.8 12.01.2006 no virus found

Avast 4.7.892.0 12.04.2006 Win32:VB-AXQ

AVG 386 12.04.2006 no virus found

BitDefender 7.2 12.04.2006 Win32.Worm.IM.Licat.C

CAT-QuickHeal 8.00 12.04.2006 I-Worm.Licat.i

ClamAV devel-20060426 12.04.2006 Worm.Licat-4

DrWeb 4.33 12.04.2006 no virus found

eSafe 7.0.14.0 12.03.2006 SuspiciousR-Mytob3

eTrust-InoculateIT 23.73.75 12.03.2006 no virus found

eTrust-Vet 30.3.3230 12.04.2006 no virus found

Ewido 4.0 12.04.2006 Trojan.Small

Fortinet 2.82.0.0 12.04.2006 suspicious

F-Prot 3.16f 12.01.2006 no virus found

F-Prot4 4.2.1.29 12.01.2006 no virus found

Ikarus 1.0.26 12.03.2006 no virus found

Kaspersky 4.0.2.24 12.04.2006 IM-Worm.Win32.Licat.i

McAfee 4909 12.01.2006 no virus found

Microsoft 1.1804 12.04.2006 no virus found

NOD32v2 1898 12.04.2006 no virus found

Norman 5.80.02 12.04.2006 no virus found

Panda 9.0.0.4 12.03.2006 Suspicious file

Prevx1 V2 12.04.2006 Polynomial.Code.Exploit

Sophos 4.12.0 12.04.2006 W32/Blowhen-A

Sunbelt 2.2.907.0 11.30.2006 no virus found

TheHacker 6.0.3.127 12.01.2006 no virus found

UNA 1.83 12.04.2006 no virus found

VBA32 3.11.1 12.03.2006 no virus found

VirusBuster 4.3.15:9 12.04.2006 no virus found

 

 

Aditional Information

File size: 77824 bytes

MD5: 6cddd4ab39532004ea6d62134a9f845d

SHA1: b2bc20162bf6a47d3f4ed37e8d0709a2c25da285

[/log]

 

[log]

AntiVir 7.2.0.46 12.04.2006 ADSPY/PurityScan.U.4

Authentium 4.93.8 12.01.2006 no virus found

Avast 4.7.892.0 12.04.2006 Win32:PurityScan-AD

AVG 386 12.04.2006 Adware Generic.SCB

BitDefender 7.2 12.04.2006 Dropped:Application.Clickspring.A

CAT-QuickHeal 8.00 12.04.2006 Win95.SK

ClamAV devel-20060426 12.04.2006 no virus found

DrWeb 4.33 12.04.2006 no virus found

eSafe 7.0.14.0 12.03.2006 SuspiciousR-Mytob3

eTrust-InoculateIT 23.73.75 12.03.2006 Win32/Secdrop.HIO!Trojan

eTrust-Vet 30.3.3230 12.04.2006 Win32/Secdrop.NA

Ewido 4.0 12.04.2006 Adware.PurityScan

Fortinet 2.82.0.0 12.04.2006 Adware/PurityScan

F-Prot 3.16f 12.01.2006 no virus found

F-Prot4 4.2.1.29 12.01.2006 no virus found

Ikarus 1.0.26 12.03.2006 no virus found

Kaspersky 4.0.2.24 12.04.2006 not-a-virus:AdWare.Win32.PurityScan.u

McAfee 4909 12.01.2006 Generic LowZones.f

Microsoft 1.1804 12.04.2006 ClickSpring.PuritySCAN.Downloader

NOD32v2 1898 12.04.2006 no virus found

Norman 5.80.02 12.04.2006 W32/PurityScan.AHP

Panda 9.0.0.4 12.03.2006 Adware/MediaTickets

Prevx1 V2 12.04.2006 Downloader.Drev.A

Sophos 4.12.0 12.04.2006 Troj/Dropper-MG

Sunbelt 2.2.907.0 11.30.2006 Trojan-Downloader.Gen

TheHacker 6.0.3.127 12.01.2006 Adware/PurityScan.u

UNA 1.83 12.04.2006 Adware.PurityScan.881E

VBA32 3.11.1 12.03.2006 suspected of Embedded.Installer.Adware.PurityScan

VirusBuster 4.3.15:9 12.04.2006 no virus found

 

 

Aditional Information

File size: 122880 bytes

MD5: e3e03c8bdfd1f9c7dc9f2103689c5018

SHA1: d1d19e9a102140aaaaf9fdf11ad1a7ca2374d28c

[/log]

 

[log]

AntiVir 7.2.0.46 12.04.2006 Worm/Licat.I.1

Authentium 4.93.8 12.01.2006 no virus found

Avast 4.7.892.0 12.04.2006 Win32:VB-AXQ

AVG 386 12.04.2006 no virus found

BitDefender 7.2 12.04.2006 Win32.Worm.IM.Licat.C

CAT-QuickHeal 8.00 12.04.2006 I-Worm.Licat.i

ClamAV devel-20060426 12.04.2006 Worm.Licat-4

DrWeb 4.33 12.04.2006 no virus found

eSafe 7.0.14.0 12.03.2006 SuspiciousR-Mytob3

eTrust-InoculateIT 23.73.75 12.03.2006 no virus found

eTrust-Vet 30.3.3230 12.04.2006 no virus found

Ewido 4.0 12.04.2006 Trojan.Small

Fortinet 2.82.0.0 12.04.2006 suspicious

F-Prot 3.16f 12.01.2006 no virus found

F-Prot4 4.2.1.29 12.01.2006 no virus found

Ikarus 1.0.26 12.03.2006 no virus found

Kaspersky 4.0.2.24 12.04.2006 IM-Worm.Win32.Licat.i

McAfee 4909 12.01.2006 no virus found

Microsoft 1.1804 12.04.2006 no virus found

NOD32v2 1898 12.04.2006 no virus found

Norman 5.80.02 12.04.2006 no virus found

Panda 9.0.0.4 12.03.2006 Suspicious file

Prevx1 V2 12.04.2006 Polynomial.Code.Exploit

Sophos 4.12.0 12.04.2006 W32/Blowhen-A

Sunbelt 2.2.907.0 11.30.2006 no virus found

TheHacker 6.0.3.127 12.01.2006 no virus found

UNA 1.83 12.04.2006 no virus found

VBA32 3.11.1 12.03.2006 no virus found

VirusBuster 4.3.15:9 12.04.2006 no virus found

 

 

Aditional Information

File size: 77824 bytes

MD5: 6cddd4ab39532004ea6d62134a9f845d

SHA1: b2bc20162bf6a47d3f4ed37e8d0709a2c25da285

[/log]

 

[log]

 

AntiVir 7.2.0.46 12.04.2006 ADSPY/PurityScan.U.4

Authentium 4.93.8 12.01.2006 no virus found

Avast 4.7.892.0 12.04.2006 Win32:PurityScan-AD

AVG 386 12.04.2006 Adware Generic.SCB

BitDefender 7.2 12.04.2006 Dropped:Application.Clickspring.A

CAT-QuickHeal 8.00 12.04.2006 Win95.SK

ClamAV devel-20060426 12.04.2006 no virus found

DrWeb 4.33 12.04.2006 no virus found

eSafe 7.0.14.0 12.03.2006 SuspiciousR-Mytob3

eTrust-InoculateIT 23.73.75 12.03.2006 Win32/Secdrop.HIO!Trojan

eTrust-Vet 30.3.3230 12.04.2006 Win32/Secdrop.NA

Ewido 4.0 12.04.2006 Adware.PurityScan

Fortinet 2.82.0.0 12.04.2006 Adware/PurityScan

F-Prot 3.16f 12.01.2006 no virus found

F-Prot4 4.2.1.29 12.01.2006 no virus found

Ikarus 1.0.26 12.03.2006 no virus found

Kaspersky 4.0.2.24 12.04.2006 not-a-virus:AdWare.Win32.PurityScan.u

McAfee 4909 12.01.2006 Generic LowZones.f

Microsoft 1.1804 12.04.2006 ClickSpring.PuritySCAN.Downloader

NOD32v2 1898 12.04.2006 no virus found

Norman 5.80.02 12.04.2006 W32/PurityScan.AHP

Panda 9.0.0.4 12.03.2006 Adware/MediaTickets

Prevx1 V2 12.04.2006 Downloader.Drev.A

Sophos 4.12.0 12.04.2006 Troj/Dropper-MG

Sunbelt 2.2.907.0 11.30.2006 Trojan-Downloader.Gen

TheHacker 6.0.3.127 12.01.2006 Adware/PurityScan.u

UNA 1.83 12.04.2006 Adware.PurityScan.881E

VBA32 3.11.1 12.03.2006 suspected of Embedded.Installer.Adware.PurityScan

VirusBuster 4.3.15:9 12.04.2006 no virus found

 

 

Aditional Information

File size: 122880 bytes

MD5: e3e03c8bdfd1f9c7dc9f2103689c5018

SHA1: d1d19e9a102140aaaaf9fdf11ad1a7ca2374d28c

[/log]

 


Delete the files:

C:\WINDOWS\system32\gotgo.exe

C:\WINDOWS\system32\winstall.exe

C:\Documents and Settings\Johan Jansson\gotgo.exe

C:\Documents and Settings\Johan Jansson\winstall.exe

 

You may need to set up Explorer so that you can see all files:

Tools - (Folder) Options or similar - View

Select Show hidden files and folders

Uncheck Hide extensions for known file types

Uncheck Hide protected operating system files

How is the computer behaving now?

 


Right now it seems to be working really well; I have deleted the files and the flood of ads popping up has stopped. But I will probably have to install MSN and check whether everything is in order there.

 

 


Here is my usual advice for a safer computer, but of course it is also important to use your common sense.

Update from Windows Update and run the anti-spyware programs AVG Anti-Spyware (Ewido), SUPERAntiSpyware, Spybot S&D and/or Ad-aware regularly.

http://www.ewido.net/en/

http://www.superantispyware.com/

http://www.safer-networking.org/en/download/index.html

http://www.lavasoft.com

 

Supplement the antivirus program with some online scans now and then:

http://housecall.trendmicro.com/

http://www.bitdefender.com/scan8/ie.html

http://www.pandasoftware.com/products/activescan/

 

Use a firewall (better than the one built into XP); free ones are available from e.g. ZoneLabs.

http://www.zonelabs.com/store/content/home.jsp

 

If you use Internet Explorer, it can be a good idea to have the programs SpywareBlaster and SpywareGuard, which prevent a good many nasty programs from being downloaded and run, respectively:

http://www.javacoolsoftware.com

 

Review the security settings in Internet Explorer; there are plenty of tips here:

http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm

 

Also run IE-SpyAd, which puts a whole lot of nasty websites in the Restricted sites zone in Internet Explorer so that they cannot do anything to the computer:

http://www.spywarewarrior.com/uiuc/resource.htm

 

If you switch web browser, only SpywareGuard is needed. Other web browsers include Mozilla Firefox and Opera:

http://www.mozilla.org

http://www.opera.com

 

All free for home users/personal use.

 
