Just nu i M3-nätverket
Jump to content

Virus i massor


Metalmaid

Recommended Posts

Sitter och försöker rensa ur en kraftigt infekterad dator åt en kompis.

 

Jag har hittills rensat ur 4 maskar, 40 trojaner och 282 andra spyware/adware-program med hjälp av AVG, AdAware och Spybot och kommit såpass långt att jag kan starta upp datorn i felsäkert läge och håller på att scanna av den så.

 

Än så länge går det inte att koppla ut den på nätet på grund av något XXX-relaterat downloader-program som kapar startsidan och fullkomligt översvämmar skärmen. Vad skall jag hålla ögonen på i en HiJack-logg för att kunna lokalisera det programmet? Kan som sagt inte ens ta mig ut på nätet och uppdatera av-programmen i nuläget.

 

Sne behöver jag något specialprogram för en mask, Bofra.

 

Logfile of HijackThis v1.98.2

Scan saved at 07:39:41, on 2005-03-08

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\ctxma.exe

C:\WINDOWS\System32\Smtray.exe

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\WINDOWS\System32\ctxma.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Program\Grisoft\AVGFRE~1\avgemc.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\WINDOWS\System32\ctxma.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\System32\ctxma.exe

C:\Program\Delade filer\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\wuauclt.exe

C:\GMx.exe

C:\GMx.exe

C:\GMx.exe

C:\GMx.exe

C:\GMx.exe

c:\program\180solutions\sais.exe

C:\GMx.exe

C:\GMx.exe

C:\GMx.exe

C:\GMx.exe

C:\GMx.exe

C:\GMx.exe

C:\GMx.exe

C:\GMx.exe

C:\GMx.exe

C:\GMx.exe

C:\GMx.exe

C:\WINDOWS\explorer.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac'>http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://10.0.0.6/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe

O4 - HKLM\..\Run: [smapp] Smtray.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [*Microsoft Update] ctxma.exe

O4 - HKLM\..\Run: [edcr] C:\WINDOWS\edcr.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe

O4 - HKLM\..\Run: [sais] c:\program\180solutions\sais.exe

O4 - HKLM\..\Run: [jit] C:\WINDOWS\jit.exe

O4 - HKLM\..\Run: [Power Scan] C:\Program\Power Scan\powerscan.exe

O4 - HKLM\..\RunServices: [Windows Compliant] enzwen.exe

O4 - HKLM\..\RunServices: [*windows update] wkmst.exe

O4 - HKLM\..\RunServices: [Nortons AV SYSTEM] scvchost.exe

O4 - HKLM\..\RunServices: [*Microsoft Update] ctxma.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [*Microsoft Update] ctxma.exe

O4 - HKCU\..\Run: [Windows Compliant] enzwen.exe

O4 - HKCU\..\Run: [Nortons AV SYSTEM] scvchost.exe

O4 - HKCU\..\Run: [*windows update] wkmst.exe

O4 - Global Startup: Kalenderpåminnelser i Microsoft Works.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

 

 

[inlägget ändrat 2005-03-08 07:27:41 av Metalmaid]

[inlägget ändrat 2005-03-08 07:57:21 av Metalmaid]

Link to comment
Share on other sites

 

Avinstallera via Kontrollpanelen om det finns

 

Power Scan

180solutions

 

Dolda filer synliga

 

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Scanna med Hijack bocka i följande rader stäng Web-läsaren och alla andra öppna fönster och klicka FIX checked

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O4 - HKLM\..\Run: [*Microsoft Update] ctxma.exe

O4 - HKLM\..\Run: [edcr] C:\WINDOWS\edcr.exe

O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe

O4 - HKLM\..\Run: [sais] c:\program\180solutions\sais.exe

O4 - HKLM\..\Run: [jit] C:\WINDOWS\jit.exe

O4 - HKLM\..\Run: [Power Scan] C:\Program\Power Scan\powerscan.exe

O4 - HKLM\..\RunServices: [Windows Compliant] enzwen.exe

O4 - HKLM\..\RunServices: [*windows update] wkmst.exe

O4 - HKLM\..\RunServices: [Nortons AV SYSTEM] scvchost.exe

O4 - HKLM\..\RunServices: [*Microsoft Update] ctxma.exe

O4 - HKCU\..\Run: [*Microsoft Update] ctxma.exe

O4 - HKCU\..\Run: [Windows Compliant] enzwen.exe

O4 - HKCU\..\Run: [Nortons AV SYSTEM] scvchost.exe

O4 - HKCU\..\Run: [*windows update] wkmst.exe

 

 

Starta sen i felsäkert läge sök och ta bort om du hittar

 

ctxma.exe

edcr.exe

enzwen.exe

wkmst.exe

scvchost.exe

 

C:\Program Files\Media Pass\ < mappen

 

c:\program\180solutions\ < mappen

 

C:\Program\Power Scan\ < mappen

 

Starta sen normalt och ny Hijack logg med denna version

 

http://koti.mbnet.fi/pattaya1/HijackThis.exe

 

 

 

 

 

 

Link to comment
Share on other sites

Ny logg kommer här, browsern styr fortfarande om.

 

Logfile of HijackThis v1.99.1

Scan saved at 11:22:46, on 2005-03-08

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wucxt.exe

C:\WINDOWS\System32\Smtray.exe

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Program\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\wucxt.exe

C:\WINDOWS\System32\wucxt.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\System32\wucxt.exe

C:\Program\Delade filer\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program\SpywareGuard\sgmain.exe

C:\Program\SpywareGuard\sgbhp.exe

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac'>http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe

O4 - HKLM\..\Run: [smapp] Smtray.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [*Microsoft Update] wucxt.exe

O4 - HKLM\..\RunServices: [Windows Compliant] enzwen.exe

O4 - HKLM\..\RunServices: [*Microsoft Update] wucxt.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [*Microsoft Update] wucxt.exe

O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe

O4 - Global Startup: Kalenderpåminnelser i Microsoft Works.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O23 - Service: *Microsoft Update - Unknown owner - C:\WINDOWS\System32\wucxt.exe

O23 - Service: *windows update - Unknown owner - C:\WINDOWS\System32\wkmst.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Windows 32-bit PnP Driver (winpnp32) - Unknown owner - C:\WINDOWS\System32\winpnp32.exe (file missing)

 

 

 

Link to comment
Share on other sites

Dolda filer synliga

 

Scanna med Hijack bocka i följande rader stäng Web-läsaren och alla andra öppna fönster och klicka FIX checked

 

O4 - HKLM\..\Run: [*Microsoft Update] wucxt.exe

O4 - HKLM\..\RunServices: [Windows Compliant] enzwen.exe

O4 - HKLM\..\RunServices: [*Microsoft Update] wucxt.exe

O4 - HKCU\..\Run: [*Microsoft Update] wucxt.exe

O23 - Service: *Microsoft Update - Unknown owner - C:\WINDOWS\System32\wucxt.exe

O23 - Service: *windows update - Unknown owner - C:\WINDOWS\System32\wkmst.exe (file missing)

 

 

Starta sen i felsäkert läge sök och ta bort om hittas

 

enzwen.exe

wucxt.exe

wkmst.exe

 

Starta normalt och ny logg.

 

 

 

 

Link to comment
Share on other sites

Ny logg, verkar vara kvar...något annat förslag?

Går till

http://67.15.70.15/~black/britneynude.html

 

Logfile of HijackThis v1.99.1

Scan saved at 11:55:00, on 2005-03-08

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wucxt.exe

C:\WINDOWS\System32\Smtray.exe

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Program\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Delade filer\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program\SpywareGuard\sgmain.exe

C:\Program\SpywareGuard\sgbhp.exe

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac'>http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe

O4 - HKLM\..\Run: [smapp] Smtray.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [*Microsoft Update] wucxt.exe

O4 - HKLM\..\RunServices: [*Microsoft Update] wucxt.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [*Microsoft Update] wucxt.exe

O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe

O4 - Global Startup: Kalenderpåminnelser i Microsoft Works.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O23 - Service: *Microsoft Update - Unknown owner - C:\WINDOWS\System32\wucxt.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Windows 32-bit PnP Driver (winpnp32) - Unknown owner - C:\WINDOWS\System32\winpnp32.exe (file missing)

 

 

[inlägget ändrat 2005-03-08 12:03:50 av Metalmaid]

Link to comment
Share on other sites

Ok.. tydligen måste man stoppa servicen.

 

Starta datorn i felsäkert läge

Skriv i Kör fältet services.msc sen Ok

Leta efter service med namnet

 

*Microsoft Update

 

Dubbelklicka på den och sen Stoppa den

Sen ändra Startmetod till Inaktiverad

Klicka Verkställ och sen Ok

Stäng fönstret sen.

 

Avsluta denna process

 

C:\WINDOWS\System32\wucxt.exe

 

Scanna med Hijackken bocka i och Fix:sa

 

O4 - HKLM\..\Run: [*Microsoft Update] wucxt.exe

O4 - HKLM\..\RunServices: [*Microsoft Update] wucxt.exe

O4 - HKCU\..\Run: [*Microsoft Update] wucxt.exe

O23 - Service: *Microsoft Update - Unknown owner - C:\WINDOWS\System32\wucxt.exe

O23 - Service: Windows 32-bit PnP Driver (winpnp32) - Unknown owner - C:\WINDOWS\System32\winpnp32.exe (file missing)

 

 

Sen ta bort om hittas

 

wucxt.exe

 

Starta normalt och ny Hijack logg

 

 

 

Link to comment
Share on other sites

Har lyckats stänga ner servicen, den har till och med försvunnit från listan över tjänster.

 

Men wucxt går inte att stoppa via aktivitetshanteraren och det går inte att hitta den via sök heller. Dom finns kvar i HiJack-loggen så vad gör jag nu?

 

 

Link to comment
Share on other sites

Logfile of HijackThis v1.99.1

Scan saved at 13:22:27, on 2005-03-08

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wucxt.exe

C:\WINDOWS\System32\Smtray.exe

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Program\Grisoft\AVGFRE~1\avgemc.exe

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Delade filer\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program\SpywareGuard\sgmain.exe

C:\Program\SpywareGuard\sgbhp.exe

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\wuauclt.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac'>http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe

O4 - HKLM\..\Run: [smapp] Smtray.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [*Microsoft Update] wucxt.exe

O4 - HKLM\..\RunServices: [*Microsoft Update] wucxt.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [*Microsoft Update] wucxt.exe

O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe

O4 - Global Startup: Kalenderpåminnelser i Microsoft Works.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Windows 32-bit PnP Driver (winpnp32) - Unknown owner - C:\WINDOWS\System32\winpnp32.exe (file missing)

 

 

 

 

Link to comment
Share on other sites

Stäng av denna service likadant som du gjorde med *Microsoft Update servicen.

 

Windows 32-bit PnP Driver

 

 

Öppna Hijackken

klicka Config..

klicka Misc Tools

klicka Delete a file on reboot

 

Sen kopiera och klistra in denna rad dit

 

C:\WINDOWS\System32\wucxt.exe

 

Öppna den dit och starta om datorn.

Skicka en ny Hijack logg

 

Link to comment
Share on other sites

Servicen är stoppad, men den där skitfilen är fortfarande kvar enligt loggen.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 13:46:45, on 2005-03-08

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\wucxt.exe

C:\WINDOWS\System32\Smtray.exe

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Program\Grisoft\AVGFRE~1\avgemc.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\Program\Delade filer\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program\SpywareGuard\sgmain.exe

C:\Program\SpywareGuard\sgbhp.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac'>http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe

O4 - HKLM\..\Run: [smapp] Smtray.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [*Microsoft Update] wucxt.exe

O4 - HKLM\..\RunServices: [*Microsoft Update] wucxt.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [*Microsoft Update] wucxt.exe

O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe

O4 - Global Startup: Kalenderpåminnelser i Microsoft Works.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

 

 

 

Link to comment
Share on other sites

 

Scanna datorn med denna scanner

 

http://www.spywareinfo.dk/download/mwav.exe

 

Dubbelklicka på mwav.exe sen klicka Unzip och den skapar automatiskt en ny mapp C:\Kapersky

Sen öppna Kapersky mappen och dubbelklicka på kavupd.exe och leta uppdateringar.

När den är klar så tryck på nån tangent och det blir automatiskt 2 nya mappar på C:\

 

C:\Bases

C:\Downloads

 

Öppna Downloads mappen och måla alla filer och Klipp ut

Klicka på Kapersky mappen och klistra in och svara ja till alla.

Sen öppna Kapersky mappen och dubbelklicka på mwavscan.com

Bocka i Drive och Scan All Files.

Sen klicka på Scan och låt den scanna klart.(kan ta upp till 2 timmar)

Kopiera det som blir i nedre fönster.

Först måla svart sen Ctrl+C (kopiera)

Sen Ctrl+V (klista in)

 

Starta om datorn efter scannen.

 

Skicka hit loggen från scannen och en ny Hijack logg.

 

 

Link to comment
Share on other sites

Hehe, det ser ut som om AVG, AdAware och Spybot har missat en hel del. Ny logg kommer när scanningen är klar. Tur att man har en annan som fungerar ;)

 

 

Link to comment
Share on other sites

OK, här kommer nya loggar...

 

File C:\WINDOWS\System32\wucxt.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: File Renamed.

File C:\GMx.exe infected by "Trojan.Win32.LowZones.p" Virus. Action Taken: File Deleted.

File C:\WINDOWS\System32\ctxma.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: File Renamed.

File C:\WINDOWS\System32\cxma.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: File Renamed.

File C:\WINDOWS\System32\tommynub infected by "Trojan-Downloader.BAT.Ftp.i" Virus. Action Taken: File Deleted.

File C:\Documents and Settings\kaarlo federstedt.DITT-YBI30SITJ0.001\Lokala inställningar\Temporary Internet Files\Content.IE5\HSGH2P1H\dl[1].htm tagged as not-a-virus:AdWare.WinAD.ab. No Action Taken.

File C:\Documents and Settings\kaarlo federstedt.DITT-YBI30SITJ0.001\Lokala inställningar\Temporary Internet Files\Content.IE5\HSGH2P1H\prompt[1].php infected by "Trojan-Downloader.JS.IstBar.b" Virus. Action Taken: File Deleted.

File C:\Documents and Settings\kaarlo federstedt.DITT-YBI30SITJ0.001\Lokala inställningar\Temporary Internet Files\Content.IE5\HSGH2P1H\UndergroundCorpSoftwareDownloads[1].exe tagged as not-a-virus:AdWare.WinAD.ab. No Action Taken.

File C:\Documents and Settings\kaarlo federstedt.DITT-YBI30SITJ0.001\Lokala inställningar\Temporary Internet Files\Content.IE5\QRSBUVWF\Xsteel_downloader[1].exe tagged as not-a-virus:AdWare.WinAD.ab. No Action Taken.

File C:\Documents and Settings\kaarlo federstedt.DITT-YBI30SITJ0.001\Lokala inställningar\Temporary Internet Files\Content.IE5\U4WH2ZBG\gm[1].htm infected by "Trojan.Win32.LowZones.p" Virus. Action Taken: File Deleted.

File C:\mommafuck.exe tagged as not-a-virus:AdWare.WinAD.ab. No Action Taken.

File C:\Program Files\AdTools Service\AdToolsComm.dll tagged as not-a-virus:AdWare.WinAD.z. No Action Taken.

File C:\Program Files\AdTools Service\AdToolsKeep.exe tagged as not-a-virus:AdWare.WinAD.k. No Action Taken.

File C:\sd3hesa.exe tagged as not-a-virus:AdWare.WinAD.ab. No Action Taken.

File C:\test.exe tagged as not-a-virus:AdWare.WinAD.ab. No Action Taken.

File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ISTactivex.dll infected by "Trojan-Downloader.Win32.IstBar.hg" Virus. Action Taken: File Deleted.

File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\ISTactivex.dll infected by "Trojan-Downloader.Win32.IstBar.hg" Virus. Action Taken: File Deleted.

File C:\WINDOWS\Downloaded Program Files\lkir8l2gm_.dll tagged as not-a-virus:AdWare.Sahat.l. No Action Taken.

File C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Temporary Internet Files\Content.IE5\45IJCDEJ\dl[1].htm tagged as not-a-virus:AdWare.WinAD.y. No Action Taken.

File C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Temporary Internet Files\Content.IE5\85Y3CDA7\WinForm[1].exe tagged as not-a-virus:AdWare.WinAD.k. No Action Taken.

File D:\CPQS\TOOLS\REBOOT.COM tagged as not-a-virus:Tool.DOS.Reboot. No Action Taken.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 15:14:50, on 2005-03-08

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\Smtray.exe

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\Program\Grisoft\AVGFRE~1\avgemc.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Delade filer\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\Program\SpywareGuard\sgmain.exe

C:\Program\SpywareGuard\sgbhp.exe

C:\HJT\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac'>http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe

O4 - HKLM\..\Run: [smapp] Smtray.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe

O4 - Global Startup: Kalenderpåminnelser i Microsoft Works.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

 

Link to comment
Share on other sites

Där satt den

 

File C:\WINDOWS\System32\wucxt.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: File Renamed

 

Hijack loggen är ok.

 

Avinstallera via Kontrollpanelen om det finns

 

AdTools Service

 

Starta i felsäkert läge och ta bort dessa

 

C:\mommafuck.exe

C:\sd3hesa.exe

C:\test.exe

C:\WINDOWS\Downloaded Program Files\lkir8l2gm_.dll

 

C:\Program Files\AdTools Service\ < mappen

 

Töm Temporary Internet Files

 

Starta sen normalt och hämta + installera alla viktiga uppdateringar till datorn (Windows Update)

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.



×
×
  • Create New...