Virus/trojan

6 januari, 2007

Jag har ett problem som utvecklar sig så att söknotorer såsom google skickar mig till fel adress, och inte allt för sällan till sexsidor.

Jag har provat att köra olika Virusprogram, mitt ordinarie är Nod32 men det går ett tag sen stänger virusprogrammet av sig.

Om jag t.ex går in på min dator så kommer det oftast fram en sida med texten att det är någor explorer fel och fönstret stängs ned.

Jag har kört Hi jack och felloggen blev denna.

[log]Logfile of HijackThis v1.99.1

Scan saved at 21:47:13, on 2007-01-06

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTSVCCDA.EXE

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\Java\jre1.5.0_06\bin\jusched.exe

C:\Program\Eset\nod32kui.exe

C:\Program\Creative\SBLive2k\Launcher\CTLauncher.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\MSN Messenger\MsnMsgr.Exe

C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program\WinZip\WZQKPICK.EXE

C:\Program\OpenOffice.org 2.0\program\soffice.exe

C:\Program\OpenOffice.org 2.0\program\soffice.BIN

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program\Outlook Express\msimn.exe

C:\Program\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\Program\FirstClass\fcc32.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.detoate.home.ro/MAIN.htm'>http://www.detoate.home.ro/MAIN.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detoate.home.ro/MAIN.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [i/O Controllers] svcnet.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [AHQInit] C:\Program\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE

O4 - HKLM\..\Run: [Creative Launcher] C:\Program\Creative\SBLive2k\Launcher\CTLauncher.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program\Creative\SBLive2k\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] C:\Program\Creative\SBLive\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [i/O Controllers] svcnet.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154350350078

O17 - HKLM\System\CCS\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{3DAD5A91-A6E9-4B73-840D-BDEE851C8B93}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5387F8-CBF2-4B59-B599-294DE8824A71}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{6B9EFA0D-FB5C-471D-8CBC-631118D79C41}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{86E4A8CC-62EE-4C33-94F9-F27964A8D29C}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{E0F1E46F-F688-457B-8024-A6254E965A93}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{FB2751F3-3D20-4DCF-9AE8-1A0A1BCFA15B}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81

O17 - HKLM\System\CS1\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81

O17 - HKLM\System\CS2\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

[/log]

mvh//Micke

[inlägget ändrat 2007-01-06 22:44:33 av bjulasen]

6 januari, 2007

Ladda ner FixWareout från en av dessa platser och spara t ex på Skrivbordet:

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Stäng alla program eftersom datorn kommer att startas om snart.

Dubbelklicka på den just nedladdade filen för att starta programmet FixWareout.

Tryck sedan Next, Install, kolla att Run fixit är förbockad och tryck Finish.

Fixen börjar köra, följ alla anvisningar. När du blir ombedd att starta om datorn så gör det. Det är normalt att omstarten tar längre tid än vanligt.

Klistra in loggfilen C:\fixwareout\report.txt som normalt öppnas automatiskt i ditt svar.

Skanna datorn här:

http://housecall.antivirus.com/

Spara resultatet och klistra in.

Skapa sedan en ny HijackThis-logg som du klistrar in så fortsätter vi rensningen.

Kom ihåg att när du har klistrat in en logg så ska du markera (måla) den och sedan trycka på LOG-knappen.

7 januari, 2007

Detta är report från Fixwareout

[log]Fixwareout

Last edited 1/1/2006

Post this report in the forums please

...

Prerun check

»»»»» HKLM run and Winlogon System values

C:\WINDOWS\system32\kduak.exe will be moved to C:\WINDOWS\temp\kduak.ren at reboot.

»»»»» System restarted

...

Reg Entries that were deleted

...

Random Runs removed from HKLM

...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»

Search five digit cs, dm kd and jb files.

This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

»»»»» Postrun check

»»»»» HKLM run

»»»»» Winlogon System value

"system"=""

»»»»»

[/log]

[log]Logfile of HijackThis v1.99.1

Scan saved at 09:59:09, on 2007-01-07

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\CTSVCCDA.EXE

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\Java\jre1.5.0_06\bin\jusched.exe

C:\Program\Creative\SBLive2k\Launcher\CTLauncher.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe