
Virus/trojan


bjulasen


I have a problem where search engines such as Google send me to the wrong address, and not infrequently to porn sites.

I have tried running various antivirus programs; my regular one is NOD32, but it runs for a while and then the antivirus program shuts itself off.

If I, for example, open My Computer, a page usually appears saying there is some Explorer error, and the window closes.

I ran HijackThis and the log came out like this.

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 21:47:13, on 2007-01-06

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTSVCCDA.EXE

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\Java\jre1.5.0_06\bin\jusched.exe

C:\Program\Eset\nod32kui.exe

C:\Program\Creative\SBLive2k\Launcher\CTLauncher.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\MSN Messenger\MsnMsgr.Exe

C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program\WinZip\WZQKPICK.EXE

C:\Program\OpenOffice.org 2.0\program\soffice.exe

C:\Program\OpenOffice.org 2.0\program\soffice.BIN

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program\Outlook Express\msimn.exe

C:\Program\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\Program\FirstClass\fcc32.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.detoate.home.ro/MAIN.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detoate.home.ro/MAIN.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [i/O Controllers] svcnet.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [AHQInit] C:\Program\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE

O4 - HKLM\..\Run: [Creative Launcher] C:\Program\Creative\SBLive2k\Launcher\CTLauncher.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program\Creative\SBLive2k\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] C:\Program\Creative\SBLive\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [i/O Controllers] svcnet.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154350350078

O17 - HKLM\System\CCS\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{3DAD5A91-A6E9-4B73-840D-BDEE851C8B93}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5387F8-CBF2-4B59-B599-294DE8824A71}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{6B9EFA0D-FB5C-471D-8CBC-631118D79C41}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{86E4A8CC-62EE-4C33-94F9-F27964A8D29C}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{E0F1E46F-F688-457B-8024-A6254E965A93}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{FB2751F3-3D20-4DCF-9AE8-1A0A1BCFA15B}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81

O17 - HKLM\System\CS1\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81

O17 - HKLM\System\CS2\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

[/log]

Regards//Micke

 

 

[post edited 2007-01-06 22:44:33 by bjulasen]


Download FixWareout from one of these locations and save it, e.g., on the Desktop:

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

 

Close all programs, since the computer will be restarted shortly.

 

Double-click the file you just downloaded to start the FixWareout program.

 

Then press Next, Install, check that Run fixit is ticked, and press Finish.

The fix starts running; follow all instructions. When you are asked to restart the computer, do so. It is normal for the restart to take longer than usual.

Paste the log file C:\fixwareout\report.txt, which normally opens automatically, into your reply.

 

Scan the computer here:

http://housecall.antivirus.com/

Save the result and paste it in.

 

Then create a new HijackThis log and paste it in, and we will continue the cleanup.

 

Remember that once you have pasted in a log, you should select (highlight) it and then press the LOG button.

 


This is the report from Fixwareout

[log]Fixwareout

Last edited 1/1/2006

Post this report in the forums please

...

Prerun check

»»»»» HKLM run and Winlogon System values

C:\WINDOWS\system32\kduak.exe will be moved to C:\WINDOWS\temp\kduak.ren at reboot.

»»»»» System restarted

...

Reg Entries that were deleted

...

Random Runs removed from HKLM

...

 

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

 

»»»»» Searching by size/names...

 

»»»»»

Search five digit cs, dm kd and jb files.

This WILL/CAN also list Legit Files, Submit them at Virustotal

 

Other suspects.

 

»»»»» Misc files.

 

»»»»» Checking for older varients covered by the Rem3 tool.

 

»»»»» Postrun check

»»»»» HKLM run

»»»»» Winlogon System value

"system"=""

»»»»»

[/log]

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 09:59:09, on 2007-01-07

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\CTSVCCDA.EXE

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\Java\jre1.5.0_06\bin\jusched.exe

C:\Program\Creative\SBLive2k\Launcher\CTLauncher.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\MSN Messenger\MsnMsgr.Exe

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program\WinZip\WZQKPICK.EXE

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program\OpenOffice.org 2.0\program\soffice.exe

C:\Program\OpenOffice.org 2.0\program\soffice.BIN

C:\WINDOWS\system32\HPZipm12.exe

C:\Program\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program\Internet Explorer\IEXPLORE.EXE

C:\Program\Hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.detoate.home.ro/MAIN.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detoate.home.ro/MAIN.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [AHQInit] C:\Program\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE

O4 - HKLM\..\Run: [Creative Launcher] C:\Program\Creative\SBLive2k\Launcher\CTLauncher.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program\Creative\SBLive2k\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] C:\Program\Creative\SBLive\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154350350078

O17 - HKLM\System\CCS\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{3DAD5A91-A6E9-4B73-840D-BDEE851C8B93}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5387F8-CBF2-4B59-B599-294DE8824A71}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{6B9EFA0D-FB5C-471D-8CBC-631118D79C41}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{86E4A8CC-62EE-4C33-94F9-F27964A8D29C}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{E0F1E46F-F688-457B-8024-A6254E965A93}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{FB2751F3-3D20-4DCF-9AE8-1A0A1BCFA15B}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81

O17 - HKLM\System\CS1\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81

O17 - HKLM\System\CS2\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe[/log]

 

That is what I have got so far.

 

Regards/Micke

 


Delete the file C:\WINDOWS\temp\kduak.ren

 

Have you done the Housecall scan? What was the result?

Or was it AVG Anti-Spyware that removed the trojan that was in the computer before?

 

There is an old Java version with security holes on the computer. Uninstall all Java in Control Panel - Add or Remove Programs and then install a new one: http://www.java.com/sv/

 

Scan with HijackThis and tick:

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.detoate.home.ro/MAIN.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detoate.home.ro/MAIN.htm

O17 - HKLM\System\CCS\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{3DAD5A91-A6E9-4B73-840D-BDEE851C8B93}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5387F8-CBF2-4B59-B599-294DE8824A71}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{6B9EFA0D-FB5C-471D-8CBC-631118D79C41}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{86E4A8CC-62EE-4C33-94F9-F27964A8D29C}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{E0F1E46F-F688-457B-8024-A6254E965A93}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\..\{FB2751F3-3D20-4DCF-9AE8-1A0A1BCFA15B}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81

O17 - HKLM\System\CS1\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81

O17 - HKLM\System\CS2\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81

 

Close all other programs.

Press Fix checked.

 

Restart the computer and then post a new HijackThis log.

 

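As an added example (not code from the thread, from HijackThis or from FixWareout), the following Python checks the same things Cecilia tells the poster to tick: O17 NameServer entries that point at resolvers other than the ones the machine should use, R0/R1 start page and search bar entries that point somewhere the owner never chose, and a before/after diff of the O4 Run entries to see what the cleanup actually removed. The expected DNS addresses and trusted home-page hosts are constructed placeholders, and the two embedded logs are short excerpts of the logs posted above (the R1 line uses a constructed variant with the URL doubled, as forum copies sometimes render it).

```python
import re
from typing import Dict, List, Tuple

# Resolvers this machine is supposed to use. Constructed placeholder values for
# the example (documentation range); in practice the ISP's or router's addresses.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}
# Home/search hosts the owner chose deliberately (constructed for the example).
TRUSTED_HOME_HOSTS = {"www.google.com", "about:blank"}

SECTION_RE = re.compile(r"^([RFO]\d+) - ")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
R_RE = re.compile(r"^(?P<typ>R[01]) - (?P<key>.+?) = (?P<url>\S+)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Group HijackThis log lines by their section prefix (R0, O4, O17, ...)."""
    sections: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            sections.setdefault(m.group(1), []).append(line)
    return sections


def rogue_dns(sections: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """O17 entries whose NameServer list names a resolver outside EXPECTED_DNS.

    HijackThis prints the per-interface values comma-separated and the
    global Parameters value space-separated, so split on either."""
    hits = []
    for line in sections.get("O17", []):
        m = O17_RE.match(line)
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        unexpected = [s for s in servers if s not in EXPECTED_DNS]
        if unexpected:
            hits.append((m.group("key"), unexpected))
    return hits


def hijacked_home(sections: Dict[str, List[str]]) -> List[str]:
    """R0/R1 Start Page or Search Bar URLs pointing at a host the owner never chose."""
    hits = []
    for typ in ("R0", "R1"):
        for line in sections.get(typ, []):
            m = R_RE.match(line)
            if not m or not ("Start Page" in m.group("key") or "Search" in m.group("key")):
                continue
            # Forum copies sometimes double the URL as "url'>url"; keep the first copy.
            url = m.group("url").split("'>")[0]
            host = re.sub(r"^https?://", "", url).split("/")[0].lower()
            if host not in TRUSTED_HOME_HOSTS:
                hits.append(url)
    return hits


def removed_runs(before: Dict[str, List[str]],
                 after: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """O4 autorun entries present in the first log but gone from the second,
    i.e. what the cleanup actually took out of the Run keys."""
    def entries(sections: Dict[str, List[str]]) -> set:
        out = set()
        for line in sections.get("O4", []):
            m = O4_RE.match(line)
            if m:
                out.add((m.group("key"), m.group("name"), m.group("cmd")))
        return out
    return sorted(entries(before) - entries(after))


# Excerpts of the two logs posted in the thread (before FixWareout / after the fix).
BEFORE = parse_hjt(r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.detoate.home.ro/MAIN.htm'>http://www.detoate.home.ro/MAIN.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detoate.home.ro/MAIN.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [i/O Controllers] svcnet.exe
O4 - HKCU\..\Run: [i/O Controllers] svcnet.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{241ECD2A-BF9B-4A03-9ADE-AB6B92B8F131}: NameServer = 85.255.116.68,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.81
""")
AFTER = parse_hjt(r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
""")

if __name__ == "__main__":
    for key, servers in rogue_dns(BEFORE):
        print("unexpected DNS in", key, "->", servers)
    print("hijacked home/search:", hijacked_home(BEFORE))
    print("autoruns removed by the cleanup:", removed_runs(BEFORE, AFTER))
    print("rogue DNS left after fix:", rogue_dns(AFTER))
```

Run it against the full logs above and the two `Parameters` values plus every per-interface GUID show up as rogue, which is exactly the set Cecilia lists; the second log is clean.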

I have deleted the file.

 

Yes, I ran Housecall and it removed 3 warnings (it did not say they were trojans) and 9 cookies, and it warned about some out-of-date stuff.

I have removed Java and installed the latest one.

 

Should I tick all the items you listed when I run HijackThis?

 


I did not read properly.

I ticked them and ran Fix checked, and below is the latest log from HijackThis.

 

Logfile of HijackThis v1.99.1

Scan saved at 11:30:50, on 2007-01-07

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

[log]Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\CTSVCCDA.EXE

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\Creative\SBLive2k\Launcher\CTLauncher.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\MSN Messenger\MsnMsgr.Exe

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program\WinZip\WZQKPICK.EXE

C:\Program\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program\OpenOffice.org 2.0\program\soffice.exe

C:\Program\OpenOffice.org 2.0\program\soffice.BIN

C:\WINDOWS\system32\HPZipm12.exe

C:\Program\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [AHQInit] C:\Program\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE

O4 - HKLM\..\Run: [Creative Launcher] C:\Program\Creative\SBLive2k\Launcher\CTLauncher.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program\Creative\SBLive2k\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] C:\Program\Creative\SBLive\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google-sökning - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Översätt engelskt ord - res://C:\Program\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Bakåtlänkar - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Lagrad bild på sida - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Liknande sidor - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154350350078

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe[/log]

 


Hi Cecilia.

I haven't had time to check much yet, but it seems to work.

 

Thank you so much for all the help, you are a rock.

 

/Regards Micke

 


Thanks yourself for all the points! :) :)

 

Here are my usual tips for a safer computer, but of course it is also important to use common sense.

 

Update via Windows Update and run the anti-spyware programs AVG Anti-Spyware (Ewido), SUPERAntiSpyware, Spybot S&D and/or Ad-aware regularly.

http://www.ewido.net/en/

http://www.superantispyware.com/

http://www.safer-networking.org/en/download/index.html

http://www.lavasoft.com

 

Supplement the antivirus program with a few online scans now and then:

http://housecall.trendmicro.com/

http://www.bitdefender.com/scan8/ie.html

http://www.pandasoftware.com/products/activescan/

 

Use a firewall (better than the one built into XP); there are free ones from, e.g., ZoneLabs.

http://www.zonelabs.com/store/content/home.jsp

 

If you use Internet Explorer, it may be appropriate to have the programs SpywareBlaster and SpywareGuard, which prevent a lot of nasty programs from being downloaded or run, respectively:

http://www.javacoolsoftware.com

 

Review the security settings in Internet Explorer; there are a lot of tips here:

http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm

 

Also run IE-SpyAd, which puts a whole lot of nasty websites in the Restricted sites zone in Internet Explorer so that they cannot do anything to the computer:

http://www.spywarewarrior.com/uiuc/resource.htm

 

If you switch browsers, only SpywareGuard is needed. Other browsers include, e.g., Mozilla Firefox and Opera:

http://www.mozilla.org

http://www.opera.com

 

All free for home users/personal use.

 
