Just nu i M3-nätverket
Jump to content

Urflippad dator med ”Fejkantivirus”??? ”Antivirus 360”


Ultra

Recommended Posts

Hejsan,

 

Hoppas att jag kan få hjälp här med det här problemet.

 

När jag kom tillbaka till min dator efter helgen så har nåt slags "Antivirus-program" installerats på den, "Antivirus 360". Det vill skanna och vill att man ska registrera för att kunna använda det till att ta bort allt det skadliga den hittar.

 

Jag hittar ingenstans det går att avinstallera programmet (lägg till/ta bort) och det finns inte med i startmenyn. Är man ute på internet så blockeras vissa sidor ibland, antingen kommer det upp ett blankt fönster med "About blank" i adressfältet eller så kommer det upp ett fält under menyraden där det står: "The page you are opening is probably contains spyware, adware, etc.. Your system might be at risk, Click here to protect your system with Antivirus 360."

 

Jag har sökt på nätet men inte direkt hittat nåt om "Antivirus 360". Ungefär var 3-5 minut så kom det upp blått över hela skärmen där det stod att ett virus var hittat och man var tvungen att starta om datorn och registrera "Antivirus 360" för att lösa problemet. Den blå skärmen är kvar en stund sen ”startar datorn om” eller i alla fall ser det ut som det men jag tror att det är en fejk Windows-logga med den blå listen som åker fram och tillbaka som kommer upp och sen ”öppnas” datorn upp igen med samma saker framme som innan.

 

Jag tog mod till mig och rensade så mycket jag vågade ”manuellt” och efter det har det blivit lite bättre. Ikonerna nere i aktivitetsfältet bredvid klockan har försvunnit, den blå skärmen med ”omstarten” har också försvunnit. Det som är kvar är det där som kommer upp när man är ute på Internet. Tex så går det inte att skicka iväg det här meddelandet från min dator (det kommer bara upp en tom ruta med texten om att man ska använda Antivirus 360) utan jag fick göra det från en annan dator.

 

Jag kör XP Home och här kommer en HjT-log, hoppas nån vänlig själ kan komma med tips och råd om vad jag ska göra.

 

Mvh

 

 

 

[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:46:01, on 2008-12-15

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program\Norman\Npm\Bin\eLogsvc.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Ahead\InCD\InCDsrv.exe

C:\Program\Norman\Npm\Bin\Zanda.exe

C:\Program\Norman\npm\bin\nvoy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

C:\Program\Telia\Supportassistent\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Norman\Npm\bin\NVCSCHED.EXE

C:\Program\Norman\Npm\bin\NJEEVES.EXE

C:\Program\Norman\nse\bin\NSESVC.EXE

C:\WINDOWS\System32\alg.exe

C:\Program\Norman\Nvc\bin\nvcoas.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program\CyberLink\PowerDVD\PDVDServ.exe

C:\Program\Ahead\InCD\InCD.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program\Java\jre6\bin\jusched.exe

C:\Program\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe

C:\WINDOWS\MXOALDR.EXE

C:\Program\Microsoft IntelliType Pro\type32.exe

C:\Program\Microsoft IntelliPoint\point32.exe

C:\Program\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program\Dantz\RETROS~1\RetroExpress.exe

C:\Program\Telia\Supportassistent\bin\sprtcmd.exe

C:\Program\Norman\Npm\Bin\ZLH.EXE

C:\Program\Delade filer\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Windows Live\Messenger\msnmsgr.exe

C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program\DAEMON Tools\daemon.exe

C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program\Norman\Nvc\Bin\Nip.exe

C:\Program\Norman\Nvc\Bin\cclaw.exe

C:\Program\WinZip\WZQKPICK.EXE

C:\Allians\Data\AlliansPathfinder.exe

C:\Program\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe

C:\Program\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program\Dantz\RETROS~1\retrospect.exe

C:\DOCUME~1\GAREN~1\LOKALA~1\Temp\SolidWorksLicTemp.0001

C:\Program\Delade filer\SolidWorks Shared\Service\SolidWorksLicensing.exe

C:\Program\Dantz\RETROS~1\retrorun.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\WINDOWS\system32\HPBPRO.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.leta.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157'>http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896'>http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll

O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1B0140CC-9ED1-4EFF-8BED-7E35009604C0} - C:\WINDOWS\system32\jkkjk.dll (file missing)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {56B5D4DE-17F6-40A2-AB03-8D292107A79D} - C:\WINDOWS\system32\jkhhf.dll (file missing)

O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\puifmncx.dll (file missing)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {A820B5AD-2C66-44B0-9A54-B722BF2BFCC8} - C:\WINDOWS\system32\mljgh.dll (file missing)

O2 - BHO: (no name) - {ACA1D85D-EE60-4256-B34B-E4F304CC61FD} - C:\WINDOWS\system32\vtsqr.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O2 - BHO: (no name) - {D67C7F5A-1255-4237-A00C-E6AF249AA6E7} - C:\WINDOWS\system32\awtqo.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {EF7C999D-43DD-43C3-A25B-2DB1A881664A} - C:\WINDOWS\system32\awtqnol.dll (file missing)

O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [HPWPTOOLBOX] C:\Program\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe "-i"

O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [type32] "C:\Program\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [statusClient 2.6] C:\Program\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [RetroExpress] C:\Program\Dantz\RETROS~1\RetroExpress.exe /h

O4 - HKLM\..\Run: [Telia] "C:\Program\Telia\Supportassistent\bin\sprtcmd.exe" /P Telia

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKLM\..\Run: [solidWorks_CheckForUpdates] "C:\Program\Delade filer\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [19315659727956550006290962610381] C:\Program\A360\av360.exe

O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\explorer32.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: Alliansserver.lnk = Data\AlliansPathfinder.exe

O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094135850609

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webbkamera.stofair.se/activex/AxisCamControl.cab

O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f009.mail.spray.se/app/uploader/FileUploader.cab

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://194.22.238.31/activex/AMC.cab

O20 - Winlogon Notify: jkkjk - C:\WINDOWS\system32\jkkjk.dll (file missing)

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program\Delade filer\Autodata Limited Shared\Service\ADCDLicSvc.exe (file missing)

O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program\Norman\Npm\Bin\eLogsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program\Ahead\InCD\InCDsrv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe

O23 - Service: Norman NJeeves - Norman ASA - C:\Program\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Program\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Program\Norman\nse\bin\NSESVC.EXE

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program\Norman\Npm\bin\NVCSCHED.EXE

O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Program\Norman\npm\bin\nvoy.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program\Dantz\RETROS~1\retrorun.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program\Delade filer\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: SupportSoft Sprocket Service (telia) (sprtsvc_telia) - SupportSoft, Inc. - C:\Program\Telia\Supportassistent\bin\sprtsvc.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program\Delade filer\SupportSoft\bin\ssrc.exe

O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\navsvc.exe (file missing)

 

 

End of file - 12909 bytes

[/log]

Flyttat LOG-taggar, det ska vara en innan loggen och en efter den.

Cecilia - Moderator för Virus, skadliga program & botemedel

 

[inlägget ändrat 2008-12-15 15:47:19 av Cecilia]

Link to comment
Share on other sites

 

[log]Ladda ner Malwarebytes Anti-Malware (MBAM) från en av dessa länkar:

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-108

04572.html

http://projects.securitywonks.net/projects/details.php?file=158

Dubbelklicka på mbam-setup för att installera programmet.

 

Se till i slutet av installationen att det är bockar för:

Uppdatera Malwarebytes' Anti-Malware

Starta Malwarebytes' Anti-Malware

Tryck på Slutför

Om det finns någon uppdatering så kommer den att laddas ner och installeras.

 

När programmet startar så välj "Utför snabb skanning" och tryck på Skanna.

Skanningen tar ett tag.

När den är klar så tryck på OK och sedan "Visa resultat".

Bocka för allt och tryck sedan Ta bort markerade.

När borttagningen är klar så öppnar Anteckningar med en logg.

 

Eventuellt så kommer det upp en begäran om att starta om datorn (Restart). I så fall gör det.

Om det blir ett felmeddelande Error loading... efter omstarten så starta om datorn än en gång.

Om programmet inte kommer igång efter omstarten så starta det.

 

Om loggen inte kommer upp själv i Anteckningar så hittar du loggen på fliken Loggar i MBAM.

Kopiera loggen och klistra in den i ditt svar tillsammans med en ny HijackThis-logg.

 

 

I ditt svar bifogar du loggar på detta sätt:

Tryck på LOG-knappen i Besvara-fönstret

Klistra in loggen

Tryck igen på LOG-knappen[/log]

[inlägget ändrat 2008-12-15 15:51:36 av Zipp.]

Link to comment
Share on other sites

 

Hej och tack för hjälpen Zipp.

 

Här kommer de efterfrågade loggarna:

 

 

[log]

Malwarebytes' Anti-Malware 1.31

Databasversion: 1506

Windows 5.1.2600 Service Pack 2

 

2008-12-16 09:47:28

mbam-log-2008-12-16 (09-47-28).txt

 

Skanningstyp: Snabb skanning

Antal skannade objekt: 64799

Förfluten tid: 6 minute(s), 41 second(s)

 

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 0

Infekterade registernycklar: 13

Infekterade registervärden: 4

Infekterade registerdataposter: 0

Infekterade mappar: 1

Infekterade filer: 5

 

Infekterade minnesprocesser:

(Inga illasinnade poster hittades)

 

Infekterade minnesmoduler:

(Inga illasinnade poster hittades)

 

Infekterade registernycklar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b0140cc-9ed1-4eff-8bed-7e35009604c0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkjk (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1b0140cc-9ed1-4eff-8bed-7e35009604c0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68d5cf1d-ec5c-4bdd-a9ef-f0e517565d50} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{68d5cf1d-ec5c-4bdd-a9ef-f0e517565d50} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ef7c999d-43dd-43c3-a25b-2db1a881664a} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{68d5cf1d-ec5c-4bdd-a9ef-f0e517565d50} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ef7c999d-43dd-43c3-a25b-2db1a881664a} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ef7c999d-43dd-43c3-a25b-2db1a881664a} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Infekterade registervärden:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ef7c999d-43dd-43c3-a25b-2db1a881664a} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19315659727956550006290962610381 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

 

Infekterade registerdataposter:

(Inga illasinnade poster hittades)

 

Infekterade mappar:

C:\Program\A360 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

 

Infekterade filer:

C:\WINDOWS\system32\jkkjk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winsrc.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\Program\A360\df.doc (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\explorer32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ieupdates.exe (Trojan.Agent) -> Quarantined and deleted successfully.

[/log]

 

 

 

 

[log]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:49:03, on 2008-12-16

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program\Norman\Npm\Bin\eLogsvc.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Ahead\InCD\InCDsrv.exe

C:\Program\Norman\Npm\Bin\Zanda.exe

C:\Program\Norman\npm\bin\nvoy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

C:\Program\Telia\Supportassistent\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Norman\Npm\bin\NVCSCHED.EXE

C:\Program\Norman\Npm\bin\NJEEVES.EXE

C:\Program\Norman\nse\bin\NSESVC.EXE

C:\WINDOWS\System32\alg.exe

C:\Program\Norman\Nvc\bin\nvcoas.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program\CyberLink\PowerDVD\PDVDServ.exe

C:\Program\Ahead\InCD\InCD.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program\Java\jre6\bin\jusched.exe

C:\Program\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe

C:\WINDOWS\MXOALDR.EXE

C:\Program\Microsoft IntelliType Pro\type32.exe

C:\Program\Microsoft IntelliPoint\point32.exe

C:\Program\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program\Dantz\RETROS~1\RetroExpress.exe

C:\Program\Telia\Supportassistent\bin\sprtcmd.exe

C:\Program\Norman\Npm\Bin\ZLH.EXE

C:\Program\Delade filer\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Windows Live\Messenger\msnmsgr.exe

C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program\DAEMON Tools\daemon.exe

C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program\Norman\Nvc\Bin\Nip.exe

C:\Program\Norman\Nvc\Bin\cclaw.exe

C:\Program\WinZip\WZQKPICK.EXE

C:\Allians\Data\AlliansPathfinder.exe

C:\Program\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe

C:\Program\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program\Dantz\RETROS~1\retrospect.exe

C:\DOCUME~1\GAREN~1\LOKALA~1\Temp\SolidWorksLicTemp.0001

C:\Program\Delade filer\SolidWorks Shared\Service\SolidWorksLicensing.exe

C:\Program\Dantz\RETROS~1\retrorun.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.leta.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157'>http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896'>http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {56B5D4DE-17F6-40A2-AB03-8D292107A79D} - C:\WINDOWS\system32\jkhhf.dll (file missing)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {A820B5AD-2C66-44B0-9A54-B722BF2BFCC8} - C:\WINDOWS\system32\mljgh.dll (file missing)

O2 - BHO: (no name) - {ACA1D85D-EE60-4256-B34B-E4F304CC61FD} - C:\WINDOWS\system32\vtsqr.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O2 - BHO: (no name) - {D67C7F5A-1255-4237-A00C-E6AF249AA6E7} - C:\WINDOWS\system32\awtqo.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [HPWPTOOLBOX] C:\Program\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe "-i"

O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [type32] "C:\Program\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [statusClient 2.6] C:\Program\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [RetroExpress] C:\Program\Dantz\RETROS~1\RetroExpress.exe /h

O4 - HKLM\..\Run: [Telia] "C:\Program\Telia\Supportassistent\bin\sprtcmd.exe" /P Telia

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKLM\..\Run: [solidWorks_CheckForUpdates] "C:\Program\Delade filer\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: Alliansserver.lnk = Data\AlliansPathfinder.exe

O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094135850609

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webbkamera.stofair.se/activex/AxisCamControl.cab

O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f009.mail.spray.se/app/uploader/FileUploader.cab

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://194.22.238.31/activex/AMC.cab

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program\Delade filer\Autodata Limited Shared\Service\ADCDLicSvc.exe (file missing)

O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program\Norman\Npm\Bin\eLogsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program\Ahead\InCD\InCDsrv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe

O23 - Service: Norman NJeeves - Norman ASA - C:\Program\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Program\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Program\Norman\nse\bin\NSESVC.EXE

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program\Norman\Npm\bin\NVCSCHED.EXE

O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Program\Norman\npm\bin\nvoy.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program\Dantz\RETROS~1\retrorun.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program\Delade filer\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: SupportSoft Sprocket Service (telia) (sprtsvc_telia) - SupportSoft, Inc. - C:\Program\Telia\Supportassistent\bin\sprtsvc.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program\Delade filer\SupportSoft\bin\ssrc.exe

O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\navsvc.exe (file missing)

 

--

End of file - 12230 bytes

[/log]

 

 

 

 

Link to comment
Share on other sites

 

[log]Kopiera rader nedan en i taget i Kör fältet och klicka Ok efter bägge rad

 

sc stop WSMSPSVC

sc delete WSMSPSVC

 

Scanna med Hijack bocka i följande rader stäng Web-läsaren och klicka Fix checked

 

 

O2 - BHO: (no name) - {56B5D4DE-17F6-40A2-AB03-8D292107A79D} - C:\WINDOWS\system32\jkhhf.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {A820B5AD-2C66-44B0-9A54-B722BF2BFCC8} - C:\WINDOWS\system32\mljgh.dll (file missing)

O2 - BHO: (no name) - {ACA1D85D-EE60-4256-B34B-E4F304CC61FD} - C:\WINDOWS\system32\vtsqr.dll (file missing)

O2 - BHO: (no name) - {D67C7F5A-1255-4237-A00C-E6AF249AA6E7} - C:\WINDOWS\system32\awtqo.dll (file missing)

 

sen ta bort om hittas

 

C:\WINDOWS\navsvc.exe

 

är problemet borta eller?[/log]

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.



×
×
  • Create New...