
Help with a virus.


Dempwolf


A friend of mine has been hit by some kind of virus (or several). I ran HijackThis on his computer, but I'm not really at home with what is OK and what is causing the trouble. Could someone look through the log below and tell me what should be done?

 

[log]

Logfile of HijackThis v1.99.1

Scan saved at 20:41:45, on 2007-04-15

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Video ActiveX Object\isamntr.exe

C:\Program\Video ActiveX Object\pmsnrr.exe

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program\Real\RealPlayer\RealPlay.exe

C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE

C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\lsass2.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\QuickTime\qttask.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\svehost.exe

C:\WINDOWS\System32\clcl3.exe

C:\Program\Skype\Phone\Skype.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Program\Video ActiveX Object\pmmnt.exe

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\Program\Video ActiveX Object\isamini.exe

C:\Program\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe

C:\Program\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Tommy Blohm\Skrivbord\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program\NewDotNet\newdotnet7_48.dll

O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program\Video ActiveX Object\isadd.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program\Video ActiveX Object\iesplugin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\dkjpjpxw.exe

O4 - HKLM\..\Run: [Microsoft Update Machine] wuagrd.exe

O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe

O4 - HKLM\..\Run: [Microsoft Update] snlogsvc.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Task manager] lsass2.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKLM\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [intel system tool] C:\WINDOWS\System32\svehost.exe

O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe

O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe

O4 - HKLM\..\RunServices: [Microsoft Update] snlogsvc.exe

O4 - HKLM\..\RunServices: [Task manager] lsass2.exe

O4 - HKCU\..\Run: [Microsoft Win Tool] ooojkydtth.exe

O4 - HKCU\..\Run: [Microsoft Update] snlogsvc.exe

O4 - HKCU\..\Run: [Task manager] lsass2.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\RunServices: [Microsoft Update Machine] wuagrd.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?

O4 - Global Startup: ZyXEL G-202 Wireless Adapter Utility.lnk = ?

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Lmnbdo32.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Tommy Blohm\ie_updater.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

[/log]

 


 

Download SmitfraudFix to the desktop and unzip it there.

 

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

 

Then open the SmitfraudFix folder and double-click smitfraudfix.cmd

Choose option Search = press 1 and Enter

Copy the log that comes out and post it here.

 

In your reply, attach the log like this:

Press the LOG button in the Reply window

Paste the log

Press the LOG button again

 

 

 

 


Does it matter where you run SmitfraudFix from? I made such a log as well, but not from the desktop.

 

[log]

SmitFraudFix v2.126

 

Scan done at 20:49:42,40, 2007-04-15

Run from G:\Program\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» C:

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tommy Blohm

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tommy Blohm\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

C:\DOCUME~1\ALLUSE~1\START-~1\Online Security Guide.url FOUND !

C:\DOCUME~1\ALLUSE~1\START-~1\Security Troubleshooting.url FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\TOMMYB~1\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

C:\DOCUME~1\ALLUSE~1\SKRIVB~1\Security Troubleshooting.url FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program

 

C:\Program\Key Generator\ FOUND !

C:\Program\Video ActiveX Object\ FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Min aktuella startsida"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{bd0fc212-0a36-4232-83cc-2063fb9282e0}"="curdler"

 

[HKEY_CLASSES_ROOT\CLSID\{bd0fc212-0a36-4232-83cc-2063fb9282e0}\InProcServer32]

@="C:\WINDOWS\System32\qzviz.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{bd0fc212-0a36-4232-83cc-2063fb9282e0}\InProcServer32]

@="C:\WINDOWS\System32\qzviz.dll"

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

[/log]

 


 

Move it to the Desktop.

 

Download SDFix to the Desktop:

 

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

 

[log]Double-click SDFix.exe and a new folder is created, C:\SDFix.

 

Restart the computer in Safe Mode

 

Then open the SmitfraudFix folder and double-click smitfraudfix.cmd

Choose option Clean = press 2 and Enter

Then wait until it has finished working.

At the question "Registry cleaning - Do you want to clean the registry ?"

answer Yes by pressing Y and Enter

If wininet.dll is infected you will get the question "Replace infected file ?"

answer Yes by pressing Y and Enter.

 

Still in Safe Mode.

 

 

Open the new folder C:\SDFix and double-click RunThis.bat to start the program.

Press Y to continue.

It works for a while, and when it is done a question appears asking whether you want to restart the computer.

Press any key to begin the restart.

The computer will take a long time to start up, because the program will run and fix a lot of things.

When it is done, Finished is shown.

Press any key to exit the program.

 

Post report.txt from the SDFix folder and a new HijackThis log + C:\rapport.txt [/log]

 

[post edited 2007-04-15 23:22:00 by Zipp.]


OK. I'll go over to my friend's place tomorrow evening and do as you describe.

Thanks for now.

 


OK. I've done as described. Here are the logs.

Unfortunately the report from SmitfraudFix wasn't kept, so I did a new scan.

 

[log]

 

SDFix: Version 1.78

 

Run by Tommy Blohm - 2007-04-16 - 19:21:59,48

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

Name:

Microsoft IEUpdater2

 

ImagePath:

C:\Documents and Settings\Tommy Blohm\ie_updater.exe /start

 

Microsoft IEUpdater2 - Deleted

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

 

Rebooting...

 

Normal Mode:

Checking Files:

 

Below files will be copied to Backups folder then removed:

 

C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted

C:\Documents and Settings\Tommy Blohm\ie_updater.exe - Deleted

C:\WINDOWS\system32\o - Deleted

C:\WINDOWS\system32\RunOnce.t__ - Deleted

C:\WINDOWS\system32\RunOnce.tm_ - Deleted

C:\WINDOWS\system32\svehost.exe - Deleted

C:\WINDOWS\system32\TFTP1800 - Deleted

C:\WINDOWS\system32\TFTP204 - Deleted

C:\WINDOWS\system32\TFTP2116 - Deleted

C:\WINDOWS\system32\TFTP220 - Deleted

C:\WINDOWS\system32\TFTP2256 - Deleted

C:\WINDOWS\system32\TFTP2456 - Deleted

C:\WINDOWS\system32\TFTP2512 - Deleted

C:\WINDOWS\system32\TFTP2604 - Deleted

C:\WINDOWS\system32\TFTP2616 - Deleted

C:\WINDOWS\system32\TFTP2908 - Deleted

C:\WINDOWS\system32\TFTP2976 - Deleted

C:\WINDOWS\system32\TFTP3048 - Deleted

C:\WINDOWS\system32\TFTP3140 - Deleted

C:\WINDOWS\system32\TFTP3304 - Deleted

C:\WINDOWS\system32\TFTP3312 - Deleted

C:\WINDOWS\system32\TFTP3472 - Deleted

C:\WINDOWS\system32\TFTP3488 - Deleted

C:\WINDOWS\system32\TFTP3700 - Deleted

C:\WINDOWS\system32\TFTP3732 - Deleted

C:\WINDOWS\system32\TFTP3884 - Deleted

C:\WINDOWS\system32\TFTP3956 - Deleted

C:\WINDOWS\system32\TFTP3976 - Deleted

C:\WINDOWS\system32\TFTP4040 - Deleted

C:\WINDOWS\system32\TFTP4056 - Deleted

C:\WINDOWS\system32\TFTP4064 - Deleted

C:\WINDOWS\system32\TFTP4084 - Deleted

C:\WINDOWS\system32\TFTP412 - Deleted

C:\WINDOWS\system32\TFTP4120 - Deleted

C:\WINDOWS\system32\TFTP4472 - Deleted

C:\WINDOWS\system32\TFTP476 - Deleted

C:\WINDOWS\system32\TFTP6080 - Deleted

C:\WINDOWS\system32\TFTP6084 - Deleted

C:\WINDOWS\system32\TFTP616 - Deleted

C:\WINDOWS\system32\TFTP6796 - Deleted

C:\WINDOWS\system32\TFTP768 - Deleted

C:\WINDOWS\system32\TFTP916 - Deleted

 

 

 

Removing Temp Files

 

ADS Check:

 

Checking if ADS is attached to system32 Folder

C:\WINDOWS\system32

No streams found.

 

Checking if ADS is attached to svchost.exe

C:\WINDOWS\system32\svchost.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

 

 

Remaining Files:

---------------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

Checking For Files with Hidden Attributes:

 

C:\Compaq\internet\patch\KILLTAPI.EXE

C:\WINDOWS\system32\lsass2.exe

 

Finished

[/log]

[log]

Logfile of HijackThis v1.99.1

Scan saved at 19:45:17, on 2007-04-16

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program\Real\RealPlayer\RealPlay.exe

C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE

C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\QuickTime\qttask.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\clcl3.exe

C:\WINDOWS\System32\lsass2.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\Program\Skype\Phone\Skype.exe

C:\Program\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\Skype\Plugin Manager\skypePM.exe

C:\Program\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Tommy Blohm\Skrivbord\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program\NewDotNet\newdotnet7_48.dll

O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program\Video ActiveX Object\isadd.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program\Video ActiveX Object\iesplugin.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [storageGuard] "C:\Program\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKLM\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe

O4 - HKLM\..\Run: [Task manager] lsass2.exe

O4 - HKLM\..\RunServices: [Task manager] lsass2.exe

O4 - HKCU\..\Run: [Microsoft Win Tool] ooojkydtth.exe

O4 - HKCU\..\Run: [Task manager] lsass2.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\RunServices: [Microsoft Update Machine] wuagrd.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?

O4 - Global Startup: ZyXEL G-202 Wireless Adapter Utility.lnk = ?

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Lmnbdo32.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

[/log]

[log]

SmitFraudFix v2.126

 

Scan done at 19:46:28,32, 2007-04-16

Run from C:\Documents and Settings\Tommy Blohm\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» C:

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tommy Blohm

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tommy Blohm\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\TOMMYB~1\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{bd0fc212-0a36-4232-83cc-2063fb9282e0}"="curdler"

 

[HKEY_CLASSES_ROOT\CLSID\{bd0fc212-0a36-4232-83cc-2063fb9282e0}\InProcServer32]

@="C:\WINDOWS\System32\qzviz.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{bd0fc212-0a36-4232-83cc-2063fb9282e0}\InProcServer32]

@="C:\WINDOWS\System32\qzviz.dll"

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

[/log]

 


I can also mention that the computer still can't be used to get onto the internet. Neither via Internet Explorer nor Skype.

 


Scan with what? I can't get onto the internet with that computer. I saved the logs to an external HDD and sent them from another computer.

I'm at home answering this now, but I'm going to my friend's place again tomorrow afternoon.

 


 

> Can't get onto the internet with that computer <

 

Oh right

 

[log]Uninstall via Control Panel if found = NewDotNet

 

Download winsockxpfix

 

http://www.snapfiles.com/get/winsockxpfix.html

 

Create a new folder on C:\ and place HijackThis.exe there, so C:\HjT\HijackThis.exe

 

Scan with HijackThis, tick the following lines, close the web browser and click Fix checked

 

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program\NewDotNet\newdotnet7_48.dll

O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program\Video ActiveX Object\isadd.dll (file missing)

O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program\Video ActiveX Object\iesplugin.dll (file missing)

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe

O4 - HKLM\..\Run: [Task manager] lsass2.exe

O4 - HKLM\..\RunServices: [Task manager] lsass2.exe

O4 - HKCU\..\Run: [Microsoft Win Tool] ooojkydtth.exe

O4 - HKCU\..\Run: [Task manager] lsass2.exe

O4 - HKCU\..\RunServices: [Microsoft Update Machine] wuagrd.exe

O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Lmnbdo32.dll (file missing)

 

 

Then start in Safe Mode and delete if found

 

wuagrd.exe

ooojkydtth.exe

C:\WINDOWS\System32\lsass2.exe

C:\WINDOWS\System32\clcl3.exe

C:\Program\NewDotNet

then start normally, and if the internet doesn't work, run winsockxpfix[/log]

 

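The triage the helper does by eye in the reply above (and on the first log in this thread) follows a handful of recognisable patterns: a bare filename with no directory (wuagrd.exe, lsass2.exe), a name one letter off a core Windows process (lsass2.exe, svehost.exe, svxhost.exe), a "Microsoft Update"-style label on a binary that is not part of Windows, a "(file missing)" target, and a service whose binary lives under Documents and Settings. The script below is an added example written for this page, not part of the thread and not a HijackThis feature; the heuristic list, the set of Windows process names, the edit-distance threshold and the helper names (triage, check_o4, is_lookalike) are all assumptions of the example, and the sample log is constructed from lines copied out of the logs posted above.

```python
"""First-pass triage of HijackThis O2/O3/O4/O21/O23 entries.

Heuristics (an assumption of this example, not a HijackThis feature):
  bare filename - no directory, so Windows resolves it via the search path
  lookalike     - basename is one edit from a core Windows process name
  system label  - [label] sounds like an OS component, binary is not one
  file missing  - HijackThis says the target is gone: a dangling loader
  user profile  - an O23 service binary living under a user profile
"""
import re
from dataclasses import dataclass, field
from typing import List

# Core Windows XP process names (assumed list); one edit away = masquerade.
WINDOWS_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe", "rundll32.exe",
}
# Label fragments that try to sound like an OS component (assumed list).
SYSTEM_WORDS = ("microsoft", "windows", "update", "service", "task manager", "system tool")

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
OTHER_RE = re.compile(r"^O(?:2|3|21) - .* - (?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$")
EXE_RE = re.compile(r'"?(?P<exe>[^"]*?\.(?:exe|dll|ocx))', re.I)  # first loadable token

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\dkjpjpxw.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] wuagrd.exe
O4 - HKLM\..\RunServices: [Task manager] lsass2.exe
O4 - HKLM\..\Run: [intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKCU\..\Run: [skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Lmnbdo32.dll (file missing)
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Tommy Blohm\ie_updater.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Finding:
    line: str
    exe: str
    reasons: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].strip().lower()


def is_lookalike(name: str) -> bool:
    """True for names one edit away from a Windows binary but not equal to one."""
    return name not in WINDOWS_BINARIES and any(edit_distance(name, w) == 1 for w in WINDOWS_BINARIES)


def check_o4(m) -> Finding:
    cmd = m["cmd"]
    exe_m = EXE_RE.search(cmd)
    exe = exe_m["exe"] if exe_m else cmd
    f = Finding(m.string, exe)
    name = basename(exe)
    if "\\" not in exe:
        f.reasons.append("bare filename, resolved via the search path")
    if is_lookalike(name):
        f.reasons.append(f"lookalike of a Windows process name: {name}")
    if any(w in m["label"].lower() for w in SYSTEM_WORDS) and name not in WINDOWS_BINARIES:
        f.reasons.append(f"system-sounding label [{m['label']}] on a non-Windows binary")
    if "(file missing)" in cmd:
        f.reasons.append("target file missing, dangling entry")
    return f


def check_o23(m) -> Finding:
    path = m["path"]
    f = Finding(m.string, path)
    if "\\documents and settings\\" in path.lower():
        f.reasons.append("service binary inside a user profile")
    if "(file missing)" in path:
        f.reasons.append("service binary missing, dangling entry")
    if is_lookalike(basename(path.replace(" (file missing)", ""))):
        f.reasons.append("lookalike of a Windows process name")
    return f


def check_other(m) -> Finding:
    f = Finding(m.string, m["path"])
    if m["missing"]:
        f.reasons.append("target file missing, dangling entry")
    if is_lookalike(basename(m["path"])):
        f.reasons.append("lookalike of a Windows process name")
    return f


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that tripped at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for rx, check in ((O4_RE, check_o4), (O23_RE, check_o23), (OTHER_RE, check_other)):
            m = rx.match(line)
            if m:
                f = check(m)
                if f.reasons:
                    findings.append(f)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run as-is it flags the six bad lines from the sample and leaves AVG, Skype and the NVIDIA service alone. The output is a shortlist, not a verdict: a hit means "look at the file" (upload it, check its signature and timestamps), and a clean pass means nothing, since the SmitfraudFix log in this thread shows a SharedTaskScheduler loader (qzviz.dll) that HijackThis 1.99.1 never listed at all.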

I saved the logs to an external HDD and sent them from another computer.

That can be done with the file that needs scanning as well.

 


I can now get onto the internet with the computer, but there is still crap left in it. There's a blinking icon that says there is a virus, and it shouldn't be there; as far as I know it is a virus in itself. I'd guess I'd be thrown out to some crap site if I clicked on it.

I've scanned KILLTAPI.EXE and all the antivirus programs claim that no virus was found, but I've put the log below.

 

[log]

STATUS: FINISHED

Complete scanning result of "KILLTAPI.EXE", received in VirusTotal at 04.17.2007, 18:53:19 (CET).

 

Antivirus Version Update Result

AhnLab-V3 2007.4.18.0 04.17.2007 no virus found

AntiVir 7.3.1.53 04.17.2007 no virus found

Authentium 4.93.8 04.16.2007 no virus found

Avast 4.7.981.0 04.17.2007 no virus found

AVG 7.5.0.447 04.17.2007 no virus found

BitDefender 7.2 04.17.2007 no virus found

CAT-QuickHeal 9.00 04.17.2007 no virus found

ClamAV devel-20070312 04.17.2007 no virus found

DrWeb 4.33 04.17.2007 no virus found

eSafe 7.0.15.0 04.17.2007 no virus found

eTrust-Vet 30.7.3574 04.17.2007 no virus found

Ewido 4.0 04.17.2007 no virus found

FileAdvisor 1 04.17.2007 no virus found

Fortinet 2.85.0.0 04.17.2007 no virus found

F-Prot 4.3.2.48 04.17.2007 no virus found

F-Secure 6.70.13030.0 04.17.2007 no virus found

Ikarus T3.1.1.5 04.17.2007 no virus found

Kaspersky 4.0.2.24 04.17.2007 no virus found

McAfee 5010 04.16.2007 no virus found

Microsoft 1.2405 04.17.2007 no virus found

NOD32v2 2198 04.17.2007 no virus found

Norman 5.80.02 04.17.2007 no virus found

Panda 9.0.0.4 04.17.2007 no virus found

Prevx1 V2 04.17.2007 no virus found

Sophos 4.16.0 04.16.2007 no virus found

Sunbelt 2.2.907.0 04.07.2007 no virus found

Symantec 10 04.17.2007 no virus found

TheHacker 6.1.6.088 04.09.2007 no virus found

VBA32 3.11.3 04.17.2007 no virus found

VirusBuster 4.3.7:9 04.17.2007 no virus found

Webwasher-Gateway 6.0.1 04.17.2007 no virus found

 

 

Additional Information

File size: 24576 bytes

MD5: fb1d997c6fc93c0d3d1276d17805828b

[/log]

 


Here it comes.

 

[log]

Logfile of HijackThis v1.99.1

Scan saved at 19:12:37, on 2007-04-17

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program\Real\RealPlayer\RealPlay.exe

C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE

C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Program\iTunes\iTunesHelper.exe

C:\Program\QuickTime\qttask.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\Program\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program\Internet Explorer\iexplore.exe

C:\HjT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dempwolf.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [storageGuard] "C:\Program\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?

O4 - Global Startup: ZyXEL G-202 Wireless Adapter Utility.lnk = ?

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

[/log]


Update Smitfraudfix = press 4 and Enter

after that

Choose the option Search = press 1 and Enter

Copy the log that comes out and post it here.


An error occourde while updating

 

And after that you pretty much can't get online again.

I'm sitting at my own computer now.

 

As far as I know there is no firewall that could be blocking the update.


Not Found

The requested URL /Fix/SmitfraudFix.zip was not found on this server.

 

Apache/ProXad [Dec 3 2006 11:06:17] Server at siri.urz.free.fr Port 80


Maybe the maker is updating it, so that's why the link doesn't work.

We'll have to wait a while.

 

No, there was something wrong with the fix, so it has been withdrawn.

 

[post edited 2007-04-17 19:55:43 by Zipp.]


I've run ComboFix, log below.

 

[log]

"Tommy Blohm" - 07-04-19 12:07:43 Service Pack 1

ComboFix 07-04-19.1V - Running from: C:\Documents and Settings\Tommy Blohm\Skrivbord

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\NDNuninstall7_22.exe

C:\WINDOWS\NDNuninstall7_48.exe

C:\Program\newdotnet\newdotnet7_48.dll

C:\Program\newdotnet\readme.html

C:\Program\newdotnet\uninstall7_48.exe

C:\Program\install.log

C:\install.log

C:\Program\delfin

C:\Program\newdotnet

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-03-19 to 2007-04-19 ))))))))))))))))))))))))))))))))))

 

 

2007-04-17 18:42 <KAT> d-------- C:\DOCUME~1\TOMMYB~1\APPLIC~1\vlc

2007-04-17 18:09 <KAT> d-------- C:\HjT

2007-04-16 19:17 786,432 --ah----- C:\DOCUME~1\ADMINI~2\NTUSER.DAT

2007-04-16 19:17 <KAT> dr------- C:\DOCUME~1\ADMINI~2\Start-meny

2007-04-16 19:17 <KAT> dr------- C:\DOCUME~1\ADMINI~2\Mina dokument

2007-04-16 19:17 <KAT> dr------- C:\DOCUME~1\ADMINI~2\Favoriter

2007-04-16 19:17 <KAT> d--h----- C:\DOCUME~1\ADMINI~2\Skrivare

2007-04-16 19:17 <KAT> d--h----- C:\DOCUME~1\ADMINI~2\Nätverket

2007-04-16 19:17 <KAT> d--h----- C:\DOCUME~1\ADMINI~2\Mallar

2007-04-16 19:17 <KAT> d--h----- C:\DOCUME~1\ADMINI~2\Lokala inställningar

2007-04-16 19:17 <KAT> d-------- C:\DOCUME~1\ADMINI~2\WINDOWS

2007-04-16 19:17 <KAT> d-------- C:\DOCUME~1\ADMINI~2\Skrivbord

2007-04-16 19:17 <KAT> d-------- C:\DOCUME~1\ADMINI~2\APPLIC~1\InterTrust

2007-04-16 19:17 <KAT> d-------- C:\DOCUME~1\ADMINI~2\APPLIC~1\Adobe

2007-04-15 20:49 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-04-15 20:49 40,960 --a------ C:\WINDOWS\system32\swsc.exe

2007-04-15 20:49 3,468 --a------ C:\WINDOWS\system32\tmp.reg

2007-04-15 20:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-04-15 20:49 135,168 --a------ C:\WINDOWS\system32\swreg.exe

2007-04-15 20:46 <KAT> d-------- C:\smitfraudfix

2007-04-11 17:39 <KAT> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP

2007-04-11 17:39 <KAT> d-------- C:\Program\SpywareLocked 3.3

2007-04-10 13:09 <KAT> d-------- C:\Program\Delade filer\Skype

2007-04-10 13:09 <KAT> d-------- C:\DOCUME~1\TOMMYB~1\APPLIC~1\Skype

2007-04-10 13:07 <KAT> d-------- C:\Program\Skype

2007-04-10 13:07 <KAT> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-04-16 19:26 47992 --a------ C:\WINDOWS\system32\perfc01d.dat

2007-04-16 19:26 315338 --a------ C:\WINDOWS\system32\perfh01d.dat

2007-04-12 18:28 0 --a------ C:\DOCUME~1\TOMMYB~1\APPLIC~1\download.tmp

2007-04-10 14:44 7680 --a-s---- C:\WINDOWS\system32\qzviz.dll

2007-04-10 14:44 -------- d-------- C:\Program\onlinetjänster

2007-02-03 18:50 118842 -r------- C:\WINDOWS\bwunin-6.3.2.123-7836882l.exe

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

{22BF413B-C6D2-4d91-82A9-A0F997BA588C} C:\Program\Skype\Phone\IEPlugin\SKYPEI~1.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

"WCOLOREAL"="C:\\Program\\COMPAQ\\Coloreal\\coloreal.exe"

"CPQEASYACC"="C:\\Program\\Compaq\\Easy Access Button Support\\StartEAK.exe"

"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"

"UpdReg"="C:\\WINDOWS\\Updreg.exe"

"AHQInit"="C:\\Program\\Creative\\SBLive\\Program\\AHQInit.exe"

"RealTray"="C:\\Program\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"

"LVCOMS"="C:\\Program\\Delade filer\\Logitech\\QCDriver\\LVCOMS.EXE"

"AdaptecDirectCD"="\"C:\\Program\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""

"StorageGuard"="\"C:\\Program\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"

"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

"AVG7_CC"="C:\\Program\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"Zone Labs Client"="C:\\Program\\Zone Labs\\ZoneAlarm\\zlclient.exe"

"AVG7_EMC"="C:\\Program\\Grisoft\\AVGFRE~1\\avgemc.exe"

"iTunesHelper"="\"C:\\Program\\iTunes\\iTunesHelper.exe\""

"QuickTime Task"="\"C:\\Program\\QuickTime\\qttask.exe\" -atboottime"

"OM_Monitor"="C:\\Program\\OLYMPUS\\OLYMPUS Master\\FirstStart.exe"

"New.net Startup"="rundll32 C:\\Program\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"msnmsgr"="\"C:\\Program\\MSN Messenger\\msnmsgr.exe\" /background"

"OM_Monitor"="C:\\Program\\OLYMPUS\\OLYMPUS Master\\Monitor.exe -NoStart"

"Skype"="\"C:\\Program\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]

"Microsoft Update Machine"="wuagrd.exe"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Microsoft Win Tool"="ooojkydtth.exe"

"AVG7_Run"="C:\\Program\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

@=""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{bd0fc212-0a36-4232-83cc-2063fb9282e0}"="curdler"

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\0\0

Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages REG_MULTI_SZ scecli\0\0

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="daemon"

"hkey"="HKLM"

"command"="\"C:\\Program\\D-Tools\\daemon.exe\" -lang 1033"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

 

 

 

 

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

backup-20070417-191003-113

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

backup-20070417-181255-388

O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Lmnbdo32.dll (file missing)

backup-20070417-181255-634

O4 - HKCU\..\RunServices: [Microsoft Update Machine] wuagrd.exe

backup-20070417-181255-109

O4 - HKCU\..\Run: [Task manager] lsass2.exe

backup-20070417-181255-441

O4 - HKCU\..\Run: [Microsoft Win Tool] ooojkydtth.exe

backup-20070417-181255-242

O4 - HKLM\..\RunServices: [Task manager] lsass2.exe

backup-20070417-181255-621

O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe

backup-20070417-181255-807

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

backup-20070417-181255-880

O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program\Video ActiveX Object\iesplugin.dll (file missing)

backup-20070417-181255-443

O4 - HKLM\..\Run: [Task manager] lsass2.exe

backup-20070417-181255-569

O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program\Video ActiveX Object\isadd.dll (file missing)

backup-20070417-181255-996

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program\NewDotNet\newdotnet7_48.dll

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\Symantec NetDetect.job

 

********************************************************************

 

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006

http://www.gmer.net

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

********************************************************************

 

Completion time: 07-04-19 12:13:39

C:\ComboFix-quarantined-files.txt ... 07-04-19 12:13

[/log]

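The ComboFix log above ends with the HijackThis entries that were removed earlier in the thread: Run and RunServices keys that name a bare file such as lsass2.exe, wuagrd.exe or ooojkydtth.exe, and toolbar/BHO entries marked (file missing). Those are the traits a helper scans a HijackThis log for by eye. As an added example (not part of the thread, and not code from HijackThis, ComboFix or SmitfraudFix), the following Python script parses lines in HijackThis format and reports three of those traits: a Run-key command without a directory (resolved through the search path), a file name that imitates a core Windows process, and an entry whose file is missing. The sample lines are taken from the logs in this thread; the rule set and the list of imitated process names are assumptions of this example.

```python
import re

# HijackThis-format autostart lines taken from the logs in this thread
# (O4/O3/O23 entries, including the ones listed under "Hijackthis Backups").
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r'O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize",
    r"O4 - HKCU\..\Run: [Task manager] lsass2.exe",
    r"O4 - HKCU\..\RunServices: [Microsoft Update Machine] wuagrd.exe",
    r"O4 - HKCU\..\Run: [Microsoft Win Tool] ooojkydtth.exe",
    r"O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe",
    r"O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program\Video ActiveX Object\iesplugin.dll (file missing)",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
]

# Core Windows process names that malware likes to imitate (assumed list for this example).
SYSTEM_PROCESS_STEMS = {"lsass", "svchost", "csrss", "winlogon", "services", "smss", "spoolsv"}

# O4 lines look like:  O4 - HKCU\..\Run: [display name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def first_token(cmd):
    """Return the executable part of a Run-key command line, without surrounding quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def levenshtein(a, b):
    """Edit distance, used to catch names one character away from a system process name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_system_process(path):
    """True when the file name imitates a core Windows process without being exactly it."""
    stem = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    if stem in SYSTEM_PROCESS_STEMS:
        return False
    return any(levenshtein(stem, s) == 1 or (stem.startswith(s) and len(stem) - len(s) <= 2)
               for s in SYSTEM_PROCESS_STEMS)


def assess(line):
    """Return the reasons a HijackThis line deserves a closer look (empty list = nothing noted)."""
    reasons = []
    if "(file missing)" in line:
        reasons.append("points at a file that no longer exists (dangling autostart, often a half-removed component)")
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        exe = first_token(cmd)
        if exe.lower().rsplit("\\", 1)[-1] in ("rundll32", "rundll32.exe"):
            # rundll32 itself is legitimate; the module it is told to load is what matters
            parts = cmd.split(None, 1)
            exe = parts[1].split(",", 1)[0].strip().strip('"') if len(parts) > 1 else ""
        if exe and "\\" not in exe:
            reasons.append(f"{m.group('key')} entry names '{exe}' without a directory, "
                           "so Windows resolves it through the search path")
        if looks_like_system_process(exe):
            reasons.append(f"'{exe}' imitates the name of a core Windows process")
    else:
        # O2/O3/O21/O23 lines end with " - <path>"; check that file name as well
        path = line.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
        if looks_like_system_process(path):
            reasons.append(f"'{path}' imitates the name of a core Windows process")
    return reasons


def triage(lines):
    """Map every flagged line to its reasons; lines with no findings are left out."""
    flagged = {}
    for line in lines:
        reasons = assess(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Two things worth noticing when the script runs over these lines. The search-path rule also flags the legitimate NVIDIA entry (RUNDLL32.EXE NvQTwk,...), so the output is a review list, not a verdict. And C:\WINDOWS\System32\clcl3.exe, which the thread's helper did have removed, passes all three rules because it sits at a full path with an unremarkable name; heuristics like these narrow down what to look at, which is why the helpers still relied on tools with signature databases such as SmitfraudFix and ComboFix.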

 

Now Smitfraudfix works again, so download it and post the log

Choose the option Search = press 1 and Enter

Copy the log that comes out and post it here.


SmitfraudFix log below

 

[log]

SmitFraudFix v2.171

 

Scan done at 12:55:07,06, 2007-04-19

Run from C:\Documents and Settings\Tommy Blohm\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Program\Real\RealPlayer\RealPlay.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\QuickTime\qttask.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\Skype\Phone\Skype.exe

C:\Program\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe

C:\Program\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\System32\cmd.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

C:\WINDOWS\system32\qzviz.dll FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tommy Blohm

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tommy Blohm\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\TOMMYB~1\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program

 

C:\Program\SpywareLocked 3.3\ FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{bd0fc212-0a36-4232-83cc-2063fb9282e0}"="curdler"

 

[HKEY_CLASSES_ROOT\CLSID\{bd0fc212-0a36-4232-83cc-2063fb9282e0}\InProcServer32]

@="C:\WINDOWS\System32\qzviz.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{bd0fc212-0a36-4232-83cc-2063fb9282e0}\InProcServer32]

@="C:\WINDOWS\System32\qzviz.dll"

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: ZyXEL G-202 Wireless USB Adapter #2

DNS Server Search Order: 195.67.199.6

DNS Server Search Order: 192.168.1.1

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1AF8FC45-BB64-46CA-B810-C5056BAC3B77}: DhcpNameServer=195.67.199.6 192.168.1.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{1AF8FC45-BB64-46CA-B810-C5056BAC3B77}: DhcpNameServer=195.67.199.6 192.168.1.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{1AF8FC45-BB64-46CA-B810-C5056BAC3B77}: DhcpNameServer=195.67.199.6 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=195.67.199.6 192.168.1.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=195.67.199.6 192.168.1.1

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=195.67.199.6 192.168.1.1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

[/log]


 

Start the computer in Safe Mode

 

[log]Then open the SmitfraudFix folder and double-click smitfraudfix.cmd

Choose the option Clean = press 2 and Enter

Then wait until it has finished.

At the question "Registry cleaning - Do you want to clean the registry ?"

answer Yes by pressing Y and Enter

If wininet.dll is infected you will get the question "Replace infected file ?"

answer Yes by pressing Y and Enter.

Then start normally and post a new HijackThis log + C:\rapport.txt [/log]
