Guest idgadmin Posted October 19, 2004 Share Posted October 19, 2004 Hej! Mitt mdem har blivit kapat och jag försöker fixa problemet. Jag har läst en del inlagor i forumet men behöver någon som kollar den loggfil jag fått fram med hjälp av hijackthis. Så här ser den ut: Logfile of HijackThis v1.98.2 Scan saved at 22:34:35, on 2004-10-19 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\Smartscaps.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\Tablet.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\RUNDLL32.EXE C:\WINDOWS\System32\pctspk.exe C:\Program Files\Dell\AccessDirect\dadapp.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Dell\AccessDirect\DadTray.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\SYSTEM32\explorer.exe C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe C:\Program Files\Tablet\TabUserW.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Henrik\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/se/sve/gen/default.htm'>http://www.euro.dell.com/countries/se/sve/gen/default.htm'>http://www.euro.dell.com/countries/se/sve/gen/default.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch'>http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch'>http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/se/sve/gen/default.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/se/sve/gen/default.htm R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [explorer] C:\WINDOWS\SYSTEM32\explorer.exe -go -c10 -w O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: PowerReg SchedulerV2.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Certificate Mover.lnk = ? O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE O4 - Global Startup: Image Transfer.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Tablet.lnk = C:\Program Files\Tablet\TabUserW.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{F7A56FF6-C09A-4DF9-A224-30B8E8926E87}: NameServer = 213.150.135.211 213.150.135.210 Jag skulle bli så otroligt tacksam för hjälp. Link to comment Share on other sites More sharing options...
927 Posted October 19, 2004 Share Posted October 19, 2004 har du scannat med norton, gör det för detta är nämligen en trojan. C:\WINDOWS\SYSTEM32\explorer.exe men inte säkert den har med ditt problem att göra ------------------------------------------------- den går även att ta bort om manuellt om du vill: stäng internet och bocka för dessa i hjt O4 - Startup: PowerReg SchedulerV2.exe O4 - HKLM\..\Run: [explorer] C:\WINDOWS\SYSTEM32\explorer.exe -go -c10 -w O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab ta sen bort C:\WINDOWS\SYSTEM32\explorer.exe powerreg schedulerv2.exe (du måste ev starta i felsäkert läge för att få bort de) [inlägget ändrat 2004-10-20 00:22:40 av 927] Link to comment Share on other sites More sharing options...
Guest idgadmin Posted October 20, 2004 Share Posted October 20, 2004 Halleluja! det verkar ha fungerat. Detta trots att jag inte fann någon powerreg schedulerv2.exe. Konstigt att Norton inte hittade trojanen. Jag scannade hela system 32 med en nyuppdaterad Norton utan resultat. Jag skickar med en ny logg. Det verkar som om man skall göra det. Tack så jätte mycket för hjälpen. Jag är mycket tacksam. /Henrik Logfile of HijackThis v1.98.2 Scan saved at 13:37:31, on 2004-10-20 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\Smartscaps.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\Tablet.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\RUNDLL32.EXE C:\WINDOWS\System32\pctspk.exe C:\Program Files\Dell\AccessDirect\dadapp.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Dell\AccessDirect\DadTray.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe C:\Program Files\Tablet\TabUserW.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\Henrik\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/se/sve/gen/default.htm'>http://www.euro.dell.com/countries/se/sve/gen/default.htm'>http://www.euro.dell.com/countries/se/sve/gen/default.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/se/sve/gen/default.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/se/sve/gen/default.htm O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Certificate Mover.lnk = ? O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE O4 - Global Startup: Image Transfer.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Tablet.lnk = C:\Program Files\Tablet\TabUserW.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE Link to comment Share on other sites More sharing options...
Guest idgadmin Posted October 20, 2004 Share Posted October 20, 2004 Jag hittade powerreg schedulerv2.exe. fast den låg i C:\WINDOWS\Prefetch. Skall jag ta bort den?? Vad gäller poängbedömningen av ditt inlägg så blev det bara 1 för jag fattar inte hur man gör för att ge fler pinnar. Med vänligaste hälsningar/Henrik Link to comment Share on other sites More sharing options...
927 Posted October 20, 2004 Share Posted October 20, 2004 ja, även om det till 100% inte är ett spyware program Link to comment Share on other sites More sharing options...
927 Posted October 20, 2004 Share Posted October 20, 2004 jag vet inte exakt hur ett antivirusprogram funkar men om dom lagt in filen explorer.exe i definitionfilera till norton så skulle ju norton indikera virus i väldigt många datorer eftersom en windowsfil heter just explorer.exe Link to comment Share on other sites More sharing options...
.thumb.JPG.a7f98fcf4231ab407810fba3dc9b4085.JPG)
.thumb.png.71a73be41d8bf63826729db87e16f1ce.png)
Recommended Posts
Archived
This topic is now archived and is closed to further replies.