Tydning av min HijackThis-logg

[Gäst idgadmin]

Hallå!

 

Någon som skulle vilja hjälpa mig med min logg?

Vad kan jag ta bort och vad ska vara kvar?

 

Tack på förhand

Henrik

 

Logfile of HijackThis v1.97.7

Scan saved at 13:54:07, on 2004-12-04

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\pavsrv.exe

C:\WINDOWS\System32\AVENGINE.EXE

C:\WINDOWS\System32\svchosting.exe

C:\Program\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE

C:\WINDOWS\System32\wuruclt.exe

C:\Program\Panda Software\Panda Antivirus Titanium\pavProxy.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Documents and Settings\Ägare\Skrivbord\HijackThis.exe

C:\WINDOWS\System32\Sygate.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qsv8.hpwis.com/'>http://qsv8.hpwis.com/'>http://qsv8.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsv8.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qsv8.hpwis.com/

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [*windows update] wuruclt.exe

O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Media Player] mediaplayer.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Security] spvsper.exe

O4 - HKLM\..\RunServices: [sygate Personal Firewall] Sygate.exe

O4 - HKLM\..\RunServices: [*windows update] wuruclt.exe

O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe

O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe

O4 - HKCU\..\Run: [*windows update] wuruclt.exe

O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] svchosting.exe

O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] svchosting.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Referensinformation (HKLM)

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1102020096500

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101937180906

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38322.9459722222

O17 - HKLM\System\CCS\Services\Tcpip\..\{FE93DB70-774C-48CE-A39A-ED05D02E822F}: NameServer = 81.216.65.11,81.216.65.12

 

[Zipp.]

 

Avsluta dom här processer

 

C:\WINDOWS\System32\svchosting.exe

C:\WINDOWS\System32\wuruclt.exe

C:\WINDOWS\System32\Sygate.exe

 

 

Sen scanna datorn här och ta bort det som hittas

 

http://housecall.trendmicro.com/

 

Efter det starta om datorn och skicka en ny Hijack logg med denna versionen

 

http://koti.mbnet.fi/pattaya1/HijackThis.exe

 

Skapa en ny mapp på C:/ och placera HijackThis.exe dit så C:/HjT/HijackThis.exe

 

Sen scanna och skicka loggen .

 

[Gäst idgadmin]

Jag har gjort det du sa. Här är den nya loggen:

 

 

 

Logfile of HijackThis v1.98.2

Scan saved at 15:35:47, on 2004-12-04

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\pavsrv.exe

C:\WINDOWS\System32\AVENGINE.EXE

C:\Program\Panda Software\Panda Antivirus Titanium\pavProxy.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\ftp.exe

C:\WINDOWS\explorer.exe

C:\HjT\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsv8.hpwis.com/'>http://qsv8.hpwis.com/'>http://qsv8.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qsv8.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qsv8.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s

O4 - HKLM\..\RunServices: [Microsoft Windows Media Player] mediaplayer.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101937180906

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FE93DB70-774C-48CE-A39A-ED05D02E822F}: NameServer = 81.216.65.11,81.216.65.12

 

[Zipp.]

 

Hittade Housecall scanner något?

 

 

Scanna med Hijack bocka i följande rader stäng Web-läsaren och alla andra öppna fönster och klicka FIX checked

 

O4 - HKLM\..\RunServices: [Microsoft Windows Media Player] mediaplayer.exe

 

 

Starta om sen och skicka en ny Hijack logg.

 

[Gäst idgadmin]

Ok, här är nya loggen. Housecall hittade 21 st smittade filer som den fixade. Varför finns det så många svchost.exe?

 

Logfile of HijackThis v1.98.2

Scan saved at 17:24:57, on 2004-12-04

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE

C:\WINDOWS\System32\lssrv.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\pavsrv.exe

C:\WINDOWS\System32\AVENGINE.EXE

C:\Program\Panda Software\Panda Antivirus Titanium\pavProxy.exe

C:\HjT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se'>http://www.google.se

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsv8.hpwis.com/'>http://qsv8.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qsv8.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe

O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101937180906

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FE93DB70-774C-48CE-A39A-ED05D02E822F}: NameServer = 81.216.65.11,81.216.65.12

 

[Zipp.]

 

Det är helt normalt att ha 4-5 svchost.exe

 

Men ny har du fått en ny mask WORM_RBOT.CW

 

Har du ingen brandvägg?

 

Sätt dolda filer synliga titta här hur man gör

 

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Scanna med Hijack bocka i följande rader stäng Web-läsaren och alla andra öppna fönster och klicka FIX checked

 

O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe

O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe

 

 

 

Starta sen i felsäkert läge sök och ta bort

 

lssrv.exe

 

 

Starta sen normalt och skicka en ny logg.

 

 

 

 

[Gäst idgadmin]

Ok. När jag körde HjT kom den här loggen upp. Jag har alltså fått tillbaka allt skit som jag tog bort! =P

 

Nej, jag har ingen brandvägg. Har alltid kört Panda Titanium och det har funkat bra. Men vilken brandvägg är den bästa då? Vilken borde stoppa det här så att det inte kommer tillbaka när jag tar bort det.

 

Logfile of HijackThis v1.98.2

Scan saved at 18:19:40, on 2004-12-04

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE

C:\WINDOWS\System32\lssrv.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\pavsrv.exe

C:\WINDOWS\System32\AVENGINE.EXE

C:\Program\Panda Software\Panda Antivirus Titanium\pavProxy.exe

C:\WINDOWS\System32\winupated.exe

C:\WINDOWS\System32\svchosting.exe

C:\WINDOWS\System32\wuaurlt.exe

C:\WINDOWS\System32\scvhosting.exe

C:\WINDOWS\System32\spvsper.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\System32\avhost.exe

C:\HjT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se'>http://www.google.se

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsv8.hpwis.com/'>http://qsv8.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qsv8.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe

O4 - HKLM\..\Run: [winupated.exe] winupated.exe

O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe

O4 - HKLM\..\Run: [*windows update] wuaurlt.exe

O4 - HKLM\..\Run: [starter] scvhosting.exe

O4 - HKLM\..\Run: [Microsoft Windows Security] spvsper.exe

O4 - HKLM\..\Run: [cool] avhost.exe

O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe

O4 - HKLM\..\RunServices: [winupated.exe] winupated.exe

O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe

O4 - HKLM\..\RunServices: [*windows update] wuaurlt.exe

O4 - HKLM\..\RunServices: [starter] scvhosting.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Security] spvsper.exe

O4 - HKLM\..\RunServices: [cool] avhost.exe

O4 - HKLM\..\RunOnce: [winupated.exe] winupated.exe

O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] svchosting.exe

O4 - HKLM\..\RunOnce: [starter] scvhosting.exe

O4 - HKLM\..\RunOnce: [Microsoft Windows Security] spvsper.exe

O4 - HKLM\..\RunOnce: [cool] avhost.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101937180906

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FE93DB70-774C-48CE-A39A-ED05D02E822F}: NameServer = 81.216.65.11,81.216.65.12

 

[Zipp.]

Ooo..nejj..allt skit är tillbaka.

 

Vet inte att vilken brandvägg är best men jag har alltid kört med ZoneAlarm och är nöjd med den.

 

 

Avsluta dom här processer

 

C:\WINDOWS\System32\lssrv.exe

C:\WINDOWS\System32\winupated.exe

C:\WINDOWS\System32\svchosting.exe

C:\WINDOWS\System32\wuaurlt.exe

C:\WINDOWS\System32\scvhosting.exe

C:\WINDOWS\System32\spvsper.exe

C:\WINDOWS\System32\avhost.exe

 

 

Sen scanna datorn här och ta bort det som hittas

 

http://housecall.trendmicro.com/

 

Efter det starta om datorn och skicka en ny Hijack logg .

 

 

 

 

[927]

 

om du inte fattar nåt av zone alarm så testa den enkla men säkra sygate

 

[Gäst idgadmin]

Hej!

 

Så nu har jag gjort det och ja tror att jag fått bort det mesta. Men House Call lyckades inte fixa dessa två filer:

 

C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Temporary Internet Files\Content.IE5\5ZP62XSN\x[1].exe

 

C:\WINDOWS\system32\frmwrks32.exe

 

De var infekterade av de här virusen enligt programet:

 

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KORGO.V

 

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.ACM

 

Jag tog bort Panda och fixade F-secure Internet Security 2005 (antivirus och brandvägg)och scannade datorn med det. Dessa filer kunde den inte laga:

 

C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Temporary Internet Files\Content.IE5\HLTWMXIO\0006_regular[1].cab\istactivex.dll Angrepp: Trojan-Downloader.Win32.IstBar.gh

 

C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\93Q4G9H4\3in1[1].exe Angrepp: Trojan-Clicker.Win32.Small.bw

 

C:\WINDOWS\DeskBikini-153315.exe Angrepp: Trojan-Dropper.Win32.Small.nm

 

C:\WINDOWS\3in1.exe Angrepp: Trojan-Clicker.Win32.Small.bw

 

Här är min nya HjT-logg:

 

Logfile of HijackThis v1.98.2

Scan saved at 23:15:15, on 2004-12-04

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\F-Secure Internet Security\Common\FSM32.EXE

C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE

C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe

C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE

C:\Program\F-Secure Internet Security\Common\FSMA32.EXE

C:\Program\F-Secure Internet Security\backweb\4476822\Program\fspex.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe

C:\Program\F-Secure Internet Security\Common\FSMB32.EXE

C:\Program\F-Secure Internet Security\Common\FCH32.EXE

C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE

C:\Program\F-Secure Internet Security\FSPC\fspc.exe

C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe

C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe

C:\Program\F-Secure Internet Security\FSGUI\fsguiexe.exe

C:\HjT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se'>http://www.google.se

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsv8.hpwis.com/'>http://qsv8.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qsv8.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot

O4 - HKLM\..\RunServices: [sygate Personal Firewall] winup.exe

O4 - HKLM\..\RunServices: [Wlan Driver] avscan.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: Visa &lista över webbplatser - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Inaktivera webbsidefilter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Blockera den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Tillåt den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101937180906

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FE93DB70-774C-48CE-A39A-ED05D02E822F}: NameServer = 81.216.65.11,81.216.65.12

 

[927]

 

bocka för och fixa

O4 - HKLM\..\RunServices: [sygate Personal Firewall] winup.exe

O4 - HKLM\..\RunServices: [Wlan Driver] avscan.exe

 

starta sen om i felsäkert läge och sök efter och ta bort

winup.exe

avscan.exe

 

starta sen om som vanligt och posta en ny logg.

 

hämta detta programmet sen http://www.cexx.org/LSPFix.exe

 

[inlägget ändrat 2004-12-05 01:04:34 av 927]

[Gäst idgadmin]

Jag gjorde som du sa, bara det att det gick inte att hitta filerna när jag skulle söka efter dom. Men sen när jag startade om så fanns dom ändå inte i HjT-loggen som du ser.

 

Ok, jag har laddat ner programmet, vad ska jag göra med det?

 

Logfile of HijackThis v1.98.2

Scan saved at 11:05:52, on 2004-12-05

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\F-Secure Internet Security\Common\FSM32.EXE

C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE

C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE

C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe

C:\Program\F-Secure Internet Security\Common\FSMA32.EXE

C:\Program\F-Secure Internet Security\backweb\4476822\Program\fspex.exe

C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\F-Secure Internet Security\Common\FSMB32.EXE

C:\Program\F-Secure Internet Security\Common\FCH32.EXE

C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE

C:\Program\F-Secure Internet Security\FSPC\fspc.exe

C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe

C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe

C:\Program\F-Secure Internet Security\FSGUI\fsguiexe.exe

C:\HjT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se'>http://www.google.se

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsv8.hpwis.com/'>http://qsv8.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qsv8.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot

O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: Visa &lista över webbplatser - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Inaktivera webbsidefilter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Blockera den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Tillåt den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101937180906

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FE93DB70-774C-48CE-A39A-ED05D02E822F}: NameServer = 81.216.65.11,81.216.65.12

[inlägget ändrat 2004-12-05 11:07:58 av Kenry]

[927]

 

jaha, så dök en ny trojan upp

 

O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe

 

när du startar om i felsäkert och tar bort denna så när du gjort det så scanna datorn med f-secure, i felsäkert läge alltså.

 

lspfix är för att fixa 010 i loggen

 

 

[Gäst idgadmin]

Ok, nu är den borta, och här är nya loggen. Men det gick inte att starta F-secure i Felsäkert läge, så jag kunde inte scanna.

 

Men exakt vad ska jag göra med lspfix? Under "Keep" har jag följande filer:

mswsock.dll (Tcpip)

winrnr.dll (NTDS)

rsvpsp.dll ((Protocol handler))

Och under "Remove" har jag den här:

winsflt.dll ((Protocol handler))

 

Logfile of HijackThis v1.98.2

Scan saved at 16:42:33, on 2004-12-05

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\F-Secure Internet Security\Common\FSM32.EXE

C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE

C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe

C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE

C:\Program\F-Secure Internet Security\Common\FSMA32.EXE

C:\Program\F-Secure Internet Security\backweb\4476822\Program\fspex.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe

C:\Program\F-Secure Internet Security\Common\FSMB32.EXE

C:\Program\F-Secure Internet Security\Common\FCH32.EXE

C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE

C:\Program\F-Secure Internet Security\FSPC\fspc.exe

C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe

C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe

C:\Program\F-Secure Internet Security\FSGUI\fsguiexe.exe

C:\HjT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se'>http://www.google.se

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsv8.hpwis.com/'>http://qsv8.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qsv8.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: Visa &lista över webbplatser - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Inaktivera webbsidefilter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Blockera den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Tillåt den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101937180906

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FE93DB70-774C-48CE-A39A-ED05D02E822F}: NameServer = 81.216.65.11,81.216.65.12

 

[927]

 

programmet skulle vi komma till, jag ville bara få en virusfri logg först.

 

isf ska du bara klicka på finish i lspfix

 

gör sen omstart och kolla igen med hjt, då ska 010 raden va borta

 

[inlägget ändrat 2004-12-05 18:44:27 av 927]

[Gäst idgadmin]

Ok! Så nu är det gjort, här är min logg:

 

Logfile of HijackThis v1.98.2

Scan saved at 19:18:14, on 2004-12-05

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\F-Secure Internet Security\Common\FSM32.EXE

C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE

C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe

C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE

C:\Program\F-Secure Internet Security\Common\FSMA32.EXE

C:\Program\F-Secure Internet Security\backweb\4476822\Program\fspex.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe

C:\Program\F-Secure Internet Security\Common\FSMB32.EXE

C:\Program\F-Secure Internet Security\Common\FCH32.EXE

C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE

C:\Program\F-Secure Internet Security\FSPC\fspc.exe

C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe

C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe

C:\Program\F-Secure Internet Security\FSGUI\fsguiexe.exe

C:\HjT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se'>http://www.google.se

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsv8.hpwis.com/'>http://qsv8.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qsv8.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: Visa &lista över webbplatser - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Inaktivera webbsidefilter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Blockera den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Tillåt den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101937180906

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FE93DB70-774C-48CE-A39A-ED05D02E822F}: NameServer = 81.216.65.11,81.216.65.12

 

[Gäst idgadmin]

Ok! Så nu är det gjort, här är min logg:

 

Logfile of HijackThis v1.98.2

Scan saved at 19:18:14, on 2004-12-05

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\F-Secure Internet Security\Common\FSM32.EXE

C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE

C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe

C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE

C:\Program\F-Secure Internet Security\Common\FSMA32.EXE

C:\Program\F-Secure Internet Security\backweb\4476822\Program\fspex.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe

C:\Program\F-Secure Internet Security\Common\FSMB32.EXE

C:\Program\F-Secure Internet Security\Common\FCH32.EXE

C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE

C:\Program\F-Secure Internet Security\FSPC\fspc.exe

C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe

C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe

C:\Program\F-Secure Internet Security\FSGUI\fsguiexe.exe

C:\HjT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se'>http://www.google.se

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsv8.hpwis.com/'>http://qsv8.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qsv8.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: Visa &lista över webbplatser - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Inaktivera webbsidefilter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Blockera den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: &Tillåt den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x8

6/client/wuweb_site.cab?1101937180906

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicr

o.com/housecall/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FE93DB70-774C-48CE-A39A-ED05D02E822F}: NameServer = 81.216.65.11,81.216.65.12

 

[Zipp.]

Loggen är Ok nu.