Guest idgadmin Posted May 12, 2004 Share Posted May 12, 2004 Vore tacksam för hjälp. Ett fönster ploppar upp var och varannan minut med texten Already Running!!! +att startsidan ändras,går ej bort med ad-awere eller spysweeper. Logfile of HijackThis v1.97.7 Scan saved at 20:54:19, on 2004-05-12 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe C:\Program\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ICO.EXE C:\WINDOWS\System32\Pelmiced.exe C:\Program\LEXMAR~1\ACMonitor_X83.exe C:\Program\LEXMAR~1\AcBtnMgr_X83.exe C:\Program\Delade filer\Symantec Shared\ccApp.exe C:\WINDOWS\System32\MMTray2k.exe C:\WINDOWS\System32\MMTrayLSI.exe C:\Program\QuickTime\qttask.exe C:\Program\Messenger\msmsgs.exe C:\WINDOWS\runwin32.exe C:\Program\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\windial32.exe C:\Program\Internet Explorer\iexplore.exe C:\Documents and Settings\IBM\Lokala inställningar\Temp\Temporär katalog 3 för hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://login1.telia.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE_Window_Title R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar O1 - Hosts: 69.50.170.21 www.yahoo.com O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - C:\Program\SurfAssistant.com\saiemod.dll (file missing) O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\Program\LEXMAR~1\ACMonitor_X83.exe O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\Program\LEXMAR~1\AcBtnMgr_X83.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe O4 - HKCU\..\Run: [spySweeper] C:\Program\Webroot\Spy Sweeper\SpySweeper.exe /0 O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://login1.telia.com O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37412.0086226852 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Link to comment Share on other sites More sharing options...
Mij Posted May 12, 2004 Share Posted May 12, 2004 Tyvärr har du virus. Objektet C:\WINDOWS\runwin32.exe är ett virus som du kan läsa mer om här http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.allight.html Där finns också instruktioner för hur du tar bort viruset. Du kan även prova med en onlinescanning på tex Trend Micro: http://housecall.trendmicro.com/housecall/start_corp.asp Vidare kan du ladda ner CWShredder från http://www.spywareinfo.com/~merijn/downloads.html Kör programmet. Kör sedan HiJack This igen. Om följande objekt är kvar efter det, bockar du i dessa i HJT och klickar på "Fix": [FET] R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057'>http://www.searchmeup.com/search.php?aid=1057 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE_Window_Title R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057 O2 - BHO: (no name) - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - C:\Program\SurfAssistant.com\saiemod.dll (file missing) O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe [/FET] Posta gärna en ny logg när du är klar med ovanstående. Börja med viruset... Link to comment Share on other sites More sharing options...
Guest idgadmin Posted May 13, 2004 Share Posted May 13, 2004 Tack för hjälpen. Jag hoppas verkligen det fungerade. Logfile of HijackThis v1.97.7 Scan saved at 22:35:25, on 2004-05-13 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ICO.EXE C:\Program\LEXMAR~1\ACMonitor_X83.exe C:\Program\LEXMAR~1\AcBtnMgr_X83.exe C:\WINDOWS\System32\Pelmiced.exe C:\Program\Delade filer\Symantec Shared\ccApp.exe C:\WINDOWS\System32\MMTray2k.exe C:\WINDOWS\System32\MMTrayLSI.exe C:\Program\QuickTime\qttask.exe C:\Program\Messenger\msmsgs.exe C:\Program\Webroot\Spy Sweeper\SpySweeper.exe C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe C:\Program\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\Documents and Settings\IBM\Lokala inställningar\Temp\Temporär katalog 4 för hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com'>http://login1.telia.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\Program\LEXMAR~1\ACMonitor_X83.exe O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\Program\LEXMAR~1\AcBtnMgr_X83.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [spySweeper] C:\Program\Webroot\Spy Sweeper\SpySweeper.exe /0 O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://login1.telia.com O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37412.0086226852 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Link to comment Share on other sites More sharing options...
Mij Posted May 13, 2004 Share Posted May 13, 2004 Så, nu är den som den skall vara...*ler* Link to comment Share on other sites More sharing options...
Guest idgadmin Posted May 13, 2004 Share Posted May 13, 2004 Man tackar & bockar. Ha det så gott. Link to comment Share on other sites More sharing options...
Mij Posted May 13, 2004 Share Posted May 13, 2004 Roligt att hjälpa....*ler* Ha det gott. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.