Popup och eventuellt virus

[Gäst idgadmin]

Det hela startade med att undertecknad yrvaken öppnade ett mail av en polare, innehållandes följande:

 

In order to read the attach you have to use the following password:

 

 

 

mrrstovkas.gif (1.0 KB)

 

 

 

Your_complaint.zip (21.6 KB)

 

 

Precis när jag klickat på bildlänken tänkte jag; Nej! vad gör jag?

Men då var det givetvis försent.

 

Loggen ser ut som följer:

 

Logfile of HijackThis v1.97.7

Scan saved at 01:03:50, on 2004-10-23

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\Program\D-Tools\daemon.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\rundll32.exe

E:\Program\na\Norton.Firewall.2004.PRO\IAMAPP.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\Microsoft Hardware\Keyboard\type32.exe

C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\bundle.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Documents and Settings\Administratör\Application Data\ssow.exe

C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE

E:\Program\na\Norton.Firewall.2004.PRO\NISUM.EXE

C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

E:\Program\na\Norton.Firewall.2004.PRO\SymProxySvc.exe

E:\Program\na\Norton.Firewall.2004.PRO\NISSERV.EXE

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Norton AntiVirus\SAVScan.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Internet Explorer\iexplore.exe

E:\Download\HijackThis.exe

E:\Program\ICQ\ICQLite.exe

 

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll

O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll

O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [iamapp] E:\Program\na\Norton.Firewall.2004.PRO\IAMAPP.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CloneCDElbyCDFL] "E:\Program\Clone\ElbyCheck.exe" /L ElbyCDFL

O4 - HKLM\..\Run: [Windows Registry Scan] regscan.exe

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\aincvm.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program\Microsoft Hardware\Mouse\point32.exe"

O4 - HKLM\..\Run: [intelliType] "C:\Program\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [sAHBundle] C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\bundle.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WebRebates0] "C:\Program\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe

O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan.exe

O4 - HKCU\..\Run: [uode] C:\Documents and Settings\Administratör\Application Data\ssow.exe

O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\mscif.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

O8 - Extra context menu item: Web Rebates - file://C:\Program\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: Referensinformation (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=be2e9ae8355f127418dc4f2da7ade549c50759577b958b177e09d4d98c097dbdc4e6e4b14ef20acb7b301b1134a60a787a0805f03bf7a773ae14dc805290d2:b771fac3b8ea1c06fba4f3abd0557676

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2595473e50a6f617fc20/netzip/RdxIE601.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093216854656

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F2D95CC4-B43D-45C2-A91D-E0CF563AEE9C}: NameServer = 81.26.226.3

 

Om någon kände sig manad att hjälpa en stackare i nöd skulle det uppskattas.

 

 

[927]

 

jag är för trött för att tanka nu men du får säkert hjälp med hjtloggen ändå...

 

du har ju norton, varna/togs inte mailet bort!?

vad heter ditt virus, eller va det inget virus?

 

[inlägget ändrat 2004-10-23 02:15:26 av 927]

[Zipp.]

 

Skicka en ny Hijack logg med nyaste versionen

 

http://koti.mbnet.fi/pattaya1/HijackThis.exe

 

[Gäst idgadmin]

Logfile of HijackThis v1.98.2

Scan saved at 01:55:34, on 2004-10-26

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\rundll32.exe

E:\Program\na\Norton.Firewall.2004.PRO\IAMAPP.EXE

C:\Program\Microsoft Hardware\Keyboard\type32.exe

C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\bundle.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Documents and Settings\Administratör\Application Data\ssow.exe

C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE

E:\Program\na\Norton.Firewall.2004.PRO\NISUM.EXE

C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

E:\Program\na\Norton.Firewall.2004.PRO\NISSERV.EXE

E:\Program\na\Norton.Firewall.2004.PRO\SymProxySvc.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Norton AntiVirus\SAVScan.exe

E:\Download\HijackThis.exe

 

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll

O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll

O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [iamapp] E:\Program\na\Norton.Firewall.2004.PRO\IAMAPP.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CloneCDElbyCDFL] "E:\Program\Clone\ElbyCheck.exe" /L ElbyCDFL

O4 - HKLM\..\Run: [Windows Registry Scan] regscan.exe

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\aincvm.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program\Microsoft Hardware\Mouse\point32.exe"

O4 - HKLM\..\Run: [intelliType] "C:\Program\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [sAHBundle] C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\bundle.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WebRebates0] "C:\Program\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan.exe

O4 - HKCU\..\Run: [uode] C:\Documents and Settings\Administratör\Application Data\ssow.exe

O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\mscif.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

O8 - Extra context menu item: Web Rebates - file://C:\Program\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=be2e9ae8355f127418dc4f2da7ade549c50759577b958b177e09d4d98c097dbdc4e6e4b14ef20acb7b301b1134a60a787a0805f03bf7a773ae14dc805290d2:b771fac3b8ea1c06fba4f3abd0557676

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2595473e50a6f617fc20/netzip/RdxIE601.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093216854656

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F2D95CC4-B43D-45C2-A91D-E0CF563AEE9C}: NameServer = 81.26.226.3

O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\msehek.dll

O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\System32\msc.cpl

 

Jeg ber om tack för det snabba svaret... och om ursäkt för mitt fördröjda (internet har varit nere).

Men här är loggen.

 

Glömde säga att viruset förmodligen är/var någon variant av kournikova(om det var så det kallades)

[inlägget ändrat 2004-10-26 02:00:27 av Stillaway]

[Zipp.]

 

Putsa datorn med Ad-Aware

 

http://www.majorgeeks.com/download506.html

 

 

Efter det skapa en ny mapp på C:/ och placera HijackThis.exe dit så C:/HjT/HijackThis.exe

 

Gör en ny scann med Hijack och skicka hit loggen.