Hagbard Posted October 15, 2004
Is there really no one who can solve the problem of a hijacked start page? I have been hit yet again. Ad-Aware and various other tools don't find this problem. Last time I got help from a wise poster who said: Restart in safe mode. Run a virus scan. Go to the .txt file "such-and-such" and remove an IP address that had been created (there should be only one IP address left). I, idiot that I am, did not note what the .txt file was called, don't remember where I found the post, and only know that I got rid of "Search the web". Can anyone refresh my memory?

Zipp. Posted October 15, 2004
Download HijackThis, scan the computer with it, and then post the log here so we can take a look at it. http://koti.mbnet.fi/pattaya1/HijackThis.exe

Hagbard Posted October 18, 2004
Here it is!

Logfile of HijackThis v1.98.2
Scan saved at 16:07:44, on 04-10-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\NORTON~1\navapw32.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program\Microsoft Hardware\Keyboard\type32.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program\Winamp3\winampa.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Delade filer\Real\Update_OB\rnathchk.exe
C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\PC\Skrivbord\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\PC\LOKALA~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\PC\LOKALA~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\PC\LOKALA~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\PC\LOKALA~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\PC\LOKALA~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\PC\LOKALA~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
N3 - Netscape 7: user_pref("browser.startup.homepage", "file:///C:/Documents%20and%20Settings/PC/Mina%20dokument/Hemsidor/startsidan/index.html"); (C:\Documents and Settings\PC\Application Data\Mozilla\Profiles\default\n8ykdwmt.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\PC\Application Data\Mozilla\Profiles\default\n8ykdwmt.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6C580465-3B26-4E19-A295-FB18D33449A8} - C:\WINDOWS\System32\hngnah.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\PC\LOKALA~1\Temp\ins5CF.tmp /R
O4 - HKLM\..\Run: [intelliType] "C:\Program\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program\Delade filer\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Miconrec] C:\Program\Miconrec\conspy.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp3\winampa.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9701F900-7759-4A8A-95FE-9499689EBC02}: NameServer = 195.67.199.30 195.67.199.31
O18 - Filter: text/html - {E01BC2D7-618B-4086-B769-8B5DC0E5119B} - C:\WINDOWS\System32\hngnah.dll
O18 - Filter: text/plain - {E01BC2D7-618B-4086-B769-8B5DC0E5119B} - C:\WINDOWS\System32\hngnah.dll

Zipp. Posted October 18, 2004
Download DllCompare.exe http://download.broadbandmedic.com/DllCompare.exe
Open it and click Run Locate.com
Then click Compare and wait until it has finished analysing
Then click Make Log of what was found
Then copy the text below into Notepad:

Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt

Save it on the desktop with the name Appinit.bat; under file type, choose All files.
Then double-click Appinit.bat on the desktop and out comes the windows.txt log.
Copy both logs and post them here:
DllCompare log
windows.txt log

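The batch file in the post above saves the registry key as a binary hive, so windows.txt is not readable as text. As an added example (not part of the thread and not DllCompare's own code), this sketch reads the `AppInit_DLLs` value out of such a file by scanning for its value record; the function names `read_value` and `build_sample_hive` are hypothetical, and the sample hive is constructed.

```python
import struct

HBIN_BASE = 0x1000  # cell offsets in a regf hive are relative to the first hbin

def read_value(hive: bytes, name: str):
    """Return the string data of the first value record ("vk") called `name`.

    Heuristic scan instead of a key-tree walk: adequate for a hive that holds
    one key, as `reg save` of a single key produces. Returns None if absent.
    """
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive (missing 'regf' signature)")
    raw = name.encode("ascii")
    pos = hive.find(b"vk")
    while pos != -1 and pos + 20 <= len(hive):
        # vk record: "vk", name length, data size, data offset, data type, ...
        name_len, size, offset, dtype = struct.unpack_from("<HIII", hive, pos + 2)
        if hive[pos + 20:pos + 20 + name_len] == raw and dtype in (1, 2):
            if size & 0x80000000:
                # Small data is stored inline in the 4-byte offset field
                data = hive[pos + 8:pos + 8 + (size & 0x7FFFFFFF)]
            else:
                start = HBIN_BASE + offset + 4  # skip the data cell's size field
                data = hive[start:start + size]
            return data.decode("utf-16-le").rstrip("\x00")
        pos = hive.find(b"vk", pos + 1)
    return None

def build_sample_hive(dll_list: str) -> bytes:
    """Constructed minimal blob: regf header, one hbin, a vk cell, a data cell."""
    data = (dll_list + "\x00").encode("utf-16-le")
    name = b"AppInit_DLLs"
    vk_len = 4 + 20 + len(name)   # cell size field + vk header + name
    data_off = 0x20 + vk_len      # data cell follows the vk cell inside the hbin
    vk = struct.pack("<i2sHIIIHH", -vk_len, b"vk", len(name),
                     len(data), data_off, 1, 1, 0) + name
    cell = struct.pack("<i", -(4 + len(data))) + data
    hbin = b"hbin".ljust(0x20, b"\x00") + vk + cell
    return b"regf".ljust(HBIN_BASE, b"\x00") + hbin

if __name__ == "__main__":
    # Constructed path, not taken from the thread
    sample = build_sample_hive(r"C:\example\hook.dll")
    print(repr(read_value(sample, "AppInit_DLLs")))
```

On a real export, pass the bytes of windows.txt opened in binary mode; an empty string means no DLL is registered under AppInit_DLLs.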
927 Posted October 18, 2004
This program works roughly like fixnfind, right? You get the dll files that are the actual culprit.

Zipp. Posted October 18, 2004
Yep, you check whether a hidden dll file is present that doesn't show up in the HijackThis log.

Hagbard Posted October 21, 2004
Log files

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1 287 items found: 1 287 files, 0 directories.
Total of file sizes: 257 513 576 bytes 245,58 M
Administrator Account = True
--------------------End log---------------------

and

regf

hmm... strange, isn't it?

Zipp. Posted October 21, 2004
>regf hmm... strange, isn't it?<
So you have copied only the top part of the windows.txt log. Look further down and copy that here. Also post a new HijackThis log.

Hagbard Posted October 21, 2004
New attempt. Just as strange??!!

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1 287 items found: 1 287 files, 0 directories.
Total of file sizes: 257 513 576 bytes 245,58 M
Administrator Account = True
--------------------End log---------------------

Logfile of HijackThis v1.98.2
Scan saved at 21:20:43, on 04-10-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\NORTON~1\navapw32.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program\Microsoft Hardware\Keyboard\type32.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Winamp3\winampa.exe
C:\Program\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe
c:\program\intern~1\iexplore.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Delade filer\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\PC\Skrivbord\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yzeumqfvaqtywyixjl.net/0ITliMaZhJeWDce4HEsqmNsq5PxlvPQnjXipmgNKKEJsBIJFtzOMnzjAZHcCK//H.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
N3 - Netscape 7: user_pref("browser.startup.homepage", "file:///C:/Documents%20and%20Settings/PC/Mina%20dokument/Hemsidor/Startsidan/index.html"); (C:\Documents and Settings\PC\Application Data\Mozilla\Profiles\default\n8ykdwmt.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\PC\Application Data\Mozilla\Profiles\default\n8ykdwmt.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5A8679A3-E1E2-900B-EDD4-CC2911653A84} - C:\DOCUME~1\PC\APPLIC~1\ABOUTS~1\ONE 64.exe
O2 - BHO: (no name) - {6C580465-3B26-4E19-A295-FB18D33449A8} - C:\WINDOWS\System32\hngnah.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\PC\LOKALA~1\Temp\ins5CF.tmp /R
O4 - HKLM\..\Run: [intelliType] "C:\Program\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program\Delade filer\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Miconrec] C:\Program\Miconrec\conspy.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [site team slow obj] C:\Documents and Settings\All Users\Application Data\partbaitsiteteam\Win Roam.exe
O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [castsafe] C:\DOCUME~1\PC\APPLIC~1\CLOSES~1\IDLE GLOBAL OOZE.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ZoneAlarm.lnk = C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9701F900-7759-4A8A-95FE-9499689EBC02}: NameServer = 195.67.199.30 195.67.199.31
O18 - Filter: text/html - {E01BC2D7-618B-4086-B769-8B5DC0E5119B} - C:\WINDOWS\System32\hngnah.dll
O18 - Filter: text/plain - {E01BC2D7-618B-4086-B769-8B5DC0E5119B} - C:\WINDOWS\System32\hngnah.dll
---------------------------------
regf Pugf hbin ¨ÿÿÿnk, Š X›Ä ÿÿÿÿ ÿÿÿÿÿÿÿÿ ° x ÿÿÿÿ 0 8 ¡Q Windowsýÿÿÿsk x x Ô „¸ È ¤ ! € ! ? ? Øÿÿÿvk € fùAppInit_DLLsÖ?æG h Ðÿÿÿvk È ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 Ø(ÍWðÿÿÿ9 0 Ð Ðÿÿÿvk €' zGDIProcessHandleQuota"þàÿÿÿvk 8 °ºSpooler2ðÿÿÿy e s , h ˜ è ` àÿÿÿvk € =pswapdiskÐÿÿÿvk Ø R¿TransmissionRetryTimeoutàÿÿÿh ˜ è ` € Ð Ðÿÿÿvk €' ìäUSERProcessHandleQuotaá

Zipp. Posted October 21, 2004
OK, no hidden file.

Uninstall via the Control Panel:
P2P Networking
MessengerPlus3

Download and install APM http://www.diamondcs.com.au/index.php?page=apm
Do not skip this.

Create a new folder on C:/ and place HijackThis.exe there, so: C:/HjT/HijackThis.exe

Make hidden files visible; see here how to do it: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

Scan with HijackThis, tick the following lines, close the web browser and all other open windows, and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yzeumqfvaqtywyixjl.net/0ITliMaZhJeWDce4HEsqmNsq5PxlvPQnjXipmgNKKEJsBIJFtzOMnzjAZHcCK//H.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {5A8679A3-E1E2-900B-EDD4-CC2911653A84} - C:\DOCUME~1\PC\APPLIC~1\ABOUTS~1\ONE 64.exe
O2 - BHO: (no name) - {6C580465-3B26-4E19-A295-FB18D33449A8} - C:\WINDOWS\System32\hngnah.dll
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\PC\LOKALA~1\Temp\ins5CF.tmp /R
O4 - HKLM\..\Run: [Miconrec] C:\Program\Miconrec\conspy.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [site team slow obj] C:\Documents and Settings\All Users\Application Data\partbaitsiteteam\Win Roam.exe
O4 - HKCU\..\Run: [castsafe] C:\DOCUME~1\PC\APPLIC~1\CLOSES~1\IDLE GLOBAL OOZE.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe" /WinStart
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter: text/html - {E01BC2D7-618B-4086-B769-8B5DC0E5119B} - C:\WINDOWS\System32\hngnah.dll
O18 - Filter: text/plain - {E01BC2D7-618B-4086-B769-8B5DC0E5119B} - C:\WINDOWS\System32\hngnah.dll

Then open APM and in the upper window click C:/Windows/explorer.exe
In the lower window select this: C:\WINDOWS\System32\hngnah.dll
Click the file, then Unload Dll and OK. Then close APM.

Then start in safe mode, search for and delete:
hngnah.dll
P2P Networking.exe
C:\Program\Miconrec\conspy.exe - delete the Miconrec folder
C:\Program\Messenger Plus! 3\MsgPlus.exe - delete the Messenger Plus! 3 folder
C:\Documents and Settings\All Users\Application Data\partbaitsiteteam\Win Roam.exe - delete the partbaitsiteteam folder
C:\DOCUME~1\PC\APPLIC~1\CLOSES~1\IDLE GLOBAL OOZE.exe - delete the CLOSES~1 folder

Then empty all Temp folders.
Then start normally and clean up with CWShredder and Ad-Aware.
Then post a new HijackThis log.

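Several of the lines ticked in the post above share visible traits: values pointing into a Temp directory, unnamed BHOs, entries with no file, and one DLL registered both as a BHO (O2) and as a protocol filter (O18). As an added example (not part of the thread and not HijackThis's own logic), the sketch below applies those traits as triage hints to a few lines copied from the logs posted here; the rules and the function names `parse` and `triage` are assumptions made for illustration, and a hit is a prompt to investigate, not a verdict.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\PC\LOKALA~1\Temp\sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6C580465-3B26-4E19-A295-FB18D33449A8} - C:\WINDOWS\System32\hngnah.dll
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\PC\LOKALA~1\Temp\ins5CF.tmp /R
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter: text/html - {E01BC2D7-618B-4086-B769-8B5DC0E5119B} - C:\WINDOWS\System32\hngnah.dll
O18 - Filter: text/plain - {E01BC2D7-618B-4086-B769-8B5DC0E5119B} - C:\WINDOWS\System32\hngnah.dll
"""

ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

def parse(log):
    """Yield (section, body) for each entry line such as 'O4 - HKLM\\..\\Run: ...'."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["sec"], m["body"]

def triage(log):
    """Return [(section, body, [reasons])] for entries matching a triage hint."""
    entries = list(parse(log))
    # Which sections load each file: lets us spot a DLL hooked in twice
    loaders = defaultdict(set)
    for sec, body in entries:
        if sec in ("O2", "O18"):
            loaders[body.rsplit(" - ", 1)[-1].lower()].add(sec)
    findings = []
    for sec, body in entries:
        low, reasons = body.lower(), []
        if sec in ("R0", "R1") and "= file://" in low:
            reasons.append("IE search/start value points at a local file")
        if "\\temp\\" in low:
            reasons.append("references a Temp directory")
        if sec == "O2" and "(no name)" in low:
            reasons.append("unnamed BHO")
        if "(no file)" in low:
            reasons.append("target file missing")
        path = low.rsplit(" - ", 1)[-1]
        if sec in ("O2", "O18") and loaders[path] >= {"O2", "O18"}:
            reasons.append("same file is both BHO and protocol filter")
        if reasons:
            findings.append((sec, body, reasons))
    return findings

if __name__ == "__main__":
    for sec, body, reasons in triage(SAMPLE_LOG):
        print(f"{sec}: {'; '.join(reasons)}\n    {body}")
```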
Archived
This topic is now archived and is closed to further replies.