
HijackThis log: something strange on my computer


Rikard Johansson


Logfile of HijackThis v1.99.1

Scan saved at 04:59:15, on 2007-01-05

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Lir\Counter Strike\Steam.exe

C:\Program\Hamachi\hamachi.exe

C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\system32\msasvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Hijackmapp\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [kav] "C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [steam] "C:\Lir\Counter Strike\Steam.exe" -silent

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: hamachi.lnk = C:\Program\Hamachi\hamachi.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSN Messenger\msgrapp.dll" (file missing)

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe

 


 

Yes, you do.

 

Save the file to the desktop > click SDFix.exe > SDFix unpacks here: C:\SDFix.

 

Restart in Safe Mode (F8) > go here: C:\SDFix > click runthis.bat > choose y.

 

When the scan is done, press any key to reboot.

When it says Finished, press any key. A log will be shown automatically; paste the log here.

 

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

 


Rikard Johansson

 

Here is the SDFix log

 

SDFix: Version 1.55

****************

 

2007-01-06 - 4:44:19,34

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Stage One - Safe Mode

 

Checking Services...

 

Service Name:

 

MsaSvc

 

File Path:

 

C:\WINDOWS\system32\msasvc.exe

 

MsaSvc Deleted...

 

Starting Registry Repairs...

 

Restoring Default Hosts File...

 

Stage One Complete

 

Rebooting...

 

Stage Two - Normal Mode

 

Checking For Malware:

--------------------

 

C:\DOCUME~1\Bappit\LOKALA~1\Temp\axs34.tmp

C:\WINDOWS\system32\msasvc.exe

 

Backing Up and Removing any Files Found...

 

Alternate Stream Check:

 

C:\WINDOWS\system32

No streams found.

Final Check:

 

Remaining Services:

------------------

 

Rootkit PE386 Found!

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"="C:\\Program\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"

"C:\\Program\\uTorrent\\utorrent.exe"="C:\\Program\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"

"C:\\Program\\Mozilla Firefox\\firefox.exe"="C:\\Program\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

"C:\\Lir\\Counter Strike\\SteamApps\\lorre87@email.com\\counter-strike\\hl.exe"="C:\\Lir\\Counter Strike\\SteamApps\\lorre87@email.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Lir\\Counter Strike\\SteamApps\\lorre87@email.com\\day of defeat\\hl.exe"="C:\\Lir\\Counter Strike\\SteamApps\\lorre87@email.com\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program\\MSN Messenger\\msnmsgr.exe"="C:\\Program\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Utforskaren"

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program\\MSN Messenger\\msnmsgr.exe"="C:\\Program\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

 

 

Remaining Files:

---------------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

Checking for files with Hidden Attributes:

 

C:\NTDETECT.COM

C:\Program\Delade filer\Adobe\ESD\DLMCleanup.exe

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\system32\cdplayer.exe.manifest

C:\WINDOWS\system32\logonui.exe.manifest

C:\hiberfil.sys

C:\IO.SYS

C:\MSDOS.SYS

C:\pagefile.sys

C:\Documents and Settings\Bappit\Lokala inställningar\Temp\$b17a2e8.tmp

C:\WINDOWS\Temp\$_2341235.TMP

 

FINISHED!

 


Rikard Johansson

Here are 2 logs, a PE log and an Avenger log

 

************************* Rustock.b-fix -- By ejvindh *************************

2007-01-06 16:18:23,81

 

******************* Pre-run Status of system *******************

 

Rootkit driver PE386 is found. Starting the unload-procedure....

 

Rustock.b-ADS attached to the System32-folder:

:lzx32.sys 69550

Total size: 69550 bytes.

Attempting to remove ADS...

system32: deleted 69550 bytes in 1 streams.

 

Looking for Rustock.b-files in the System32-folder:

No Rustock.b-files found in system32

 

 

******************* Post-run Status of system *******************

 

Rustock.b-driver on the system: NONE!

 

Rustock.b-ADS attached to the System32-folder:

No System32-ADS found.

 

Looking for Rustock.b-files in the System32-folder:

No Rustock.b-files found in system32

 

 

******************************* End of Logfile ********************************

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\wcarkmax

 

*******************

 

Script file located at: \??\C:\WINDOWS\blfbwjwk.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Driver PE386 unloaded successfully.

Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

 


 

Fixed.

 

Do a new scan with HJT; this line should now be gone, and then everything is OK:

 

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe

 

 

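The before/after check the helper asks for can be done mechanically. The following Python script is an added example, not code from this thread or from HijackThis: it parses the entry lines of two HijackThis logs, reports which entries disappeared between them, and lists O23 services with no identified owner whose binary runs from System32 as candidates for a closer look. The sample lines are copied from the logs above; the regexes and function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the O20/O23 lines from the first and the final HijackThis log in the thread.
BEFORE_LOG = r"""
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
"""
AFTER_LOG = r"""
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# A HijackThis entry starts with its section code (R0, O2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Body of an O23 entry: "Service: <display name> - <owner> - <path>".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every entry line; headers and process lists are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Entries present only in the earlier log ('removed') or only in the later one ('added')."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return {
        "removed": sorted(f"{s} - {t}" for s, t in b - a),
        "added": sorted(f"{s} - {t}" for s, t in a - b),
    }


def unknown_owner_system32_services(log: str) -> List[str]:
    """Display names of O23 services with no identified owner whose binary sits in System32."""
    hits = []
    for section, body in parse_entries(log):
        m = SERVICE_RE.match(body) if section == "O23" else None
        if m and m.group("owner") == "Unknown owner" and "\\system32\\" in m.group("path").lower():
            hits.append(m.group("name"))
    return hits


if __name__ == "__main__":
    print(diff_logs(BEFORE_LOG, AFTER_LOG))
    print(unknown_owner_system32_services(BEFORE_LOG))
```

The benign ATI Smart service is listed as well: the unknown-owner heuristic only produces candidates to verify, while the before/after diff is what confirms that the MsaSvc entry is actually gone.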

Rikard Johansson

Looks like what you mentioned is gone now, thanks for the help

 

Logfile of HijackThis v1.99.1

Scan saved at 01:27:27, on 2007-01-07

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program\Hamachi\hamachi.exe

C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Hijackmapp\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [kav] "C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [steam] "C:\Lir\Counter Strike\Steam.exe" -silent

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: hamachi.lnk = C:\Program\Hamachi\hamachi.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSN Messenger\msgrapp.dll" (file missing)

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

[post edited 2007-01-07 02:01:16 by Rikard Johansson]


Rikard Johansson

 

No, I did a virus scan and absolutely nothing was found. Is it something I should look up manually and remove, or is it supposed to be there?

 


 

The file was removed long ago, but I was thinking about the reason you came here; maybe it was this file it warned about but couldn't remove.

That is pure speculation, though.

 


Rikard Johansson

No, I assumed it was some trouble with a System32 file (it had a strange name with lots of digits), because when I went to install updates I got a bluescreen during installation. It said I might have a faulty system file or a problem with the graphics card and should contact the computer vendor, yada yada, but now it works great.

 

[post edited 2007-01-12 16:41:28 by Rikard Johansson]
