Rootkit?

2 mars, 2007

Hej!

Jag har problem med internet. När jag försöker öppna en sida så får jag ofta svaret att servern kunde inte hittas. Om jag kör en refresh på sidan så brukar det gå att komma in iaf.

Har kört programmet rootkit revealer och tror att det har hittat nåt skumt, men eftersom jag inte är så haj på datorer så kan jag inte avgöra det själv.

Postar även en HJT logg ifall nån vänlig själ vill titta på den.

Tack på förhand! Kongo

Logfile of HijackThis v1.99.1

Scan saved at 20:46:10, on 2007-03-02

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ASUS\Probe\AsusProb.exe

C:\Norman\bin\ZLH.EXE

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Canon\BJCard\Bjmcmng.exe

C:\Program Files\Eset\nod32krn.exe

C:\Norman\Bin\Zanda.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Norman\Nvc\BIN\NIP.EXE

C:\Norman\Nvc\bin\nvcoas.exe

C:\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Norman\Nvc\BIN\nipsvc.exe

C:\Norman\bin\NJEEVES.EXE

C:\WINDOWS\System32\alg.exe

C:\Norman\Nvc\bin\cclaw.exe

C:\WINDOWS\system32\WgaTray.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.leta.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O1 - Hosts: 207.68.172.246 msn.com

O2 - BHO: (no name) - {004B23E0-1E63-4ED6-BCAC-922BA26CF096} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.line6.net

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://62.181.87.189/activex/AxisCamControl.cab

O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f006.mail.spray.se/app/uploader/FileUploader.cab

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

2 mars, 2007

du har två antivirusprogram, du kan ju börja med att ta bort ett av dom (jag skulle ta bort norman)

jag hoppas och tror att du endast använder brandväggen i detta paket annars kör du ju 3(!) antivirusprogram på samma gång,

eTrust Internet Security Suite

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

spara filen på skrivbordet >klicka på SDFix.exe >sdfixen packas upp här: C:\SDFix.

starta om i felsäkert läge (F8) >gå hit: C:\SDFix >klicka på runthis.bat >välj y.

när scanningen är klar så tryck på valfri tangent för att starta om.

när det står finished så tryck på valfri tangent. en logg kommer automatiskt att visas, kopiera in loggen här plus en ny hjt logg

[inlägget ändrat 2007-03-02 22:41:54 av 927]

2 mars, 2007

Hej 927!

Tack för att du tar dig tid att hjälpa mig.

Här kommer loggarna!

SDFix: Version 1.69

Run by Administrator - 2007-03-02 @ 23:44:05,40

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\Program Files\SDFix

Safe Mode:

Checking Services:

Path:

Restoring Windows Registry Entries

Restoring Default Hosts File

Rebooting...

Normal Mode:

Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\TFTP2944 - Deleted

C:\WINDOWS\system32\TFTP3044 - Deleted

ADS Check:

C:\WINDOWS\system32

No streams found.

Final Check:

Remaining Services:

------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\Program Files\\utorrent.exe"="C:\\Program Files\\utorrent.exe:*:Enabled:µTorrent"

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"

"C:\\Program Files\\D-Link\\AirPlus XtremeG\\AirPlusCFG.exe"="C:\\Program Files\\D-Link\\AirPlus XtremeG\\AirPlusCFG.exe:*:Enabled:D-Link AirPlus Utility"

"C:\\Program Files\\ESET\\nod32.exe"="C:\\Program Files\\ESET\\nod32.exe:*:Enabled:NOD32"

"C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-aware.exe"="C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-aware.exe:*:Enabled:Ad-aware 6"

"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:

---------------

Backups Folder: - C:\PROGRA~1\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

Add/Remove Programs List:

Ad-aware 6 Personal

ASUS Probe V2.17.07

AsusUpdate

C-Media Audio

Canon i470D

DivX 5.0.2 Pro Bundle

Canon Utilities Easy-PhotoPrint

Easy-WebPrint

ERUNT 1.1j

HijackThis 1.99.1

Canon Utilities PhotoStitch 3.1

Canon RemoteCapture Task for ZoomBrowser EX

Canon Internet Library for ZoomBrowser EX

Canon RAW Image Task for ZoomBrowser EX

Canon Camera Window DVC for ZoomBrowser EX

AirPlus XtremeG

Canon MovieEdit Task for ZoomBrowser EX

Canon Camera Window DS for ZoomBrowser EX

Canon Camera Support Core Library

Canon Camera Window for ZoomBrowser EX

Microsoft Data Access Components KB870669

Line 6 Monkey 1.15 (Remove Only)

Mozilla Firefox (2.0.0.2)

Nero - Burning Rom (Web installer)

NoAdware v5.0

NOD32 Antivirus

NVIDIA Windows 2000/XP Display Drivers

PODxt Drivers 2.6.8.0 (Remove Only)

QuickTime

RealPlayer

SearchEnhancement: Bookmark

SearchEnhancement: Command

SearchEnhancement: Customize

SearchEnhancement: Error

SearchEnhancement: Filter

SearchEnhancement: Hopper

SearchEnhancement: Search

SearchEnhancement: Watcher

Spybot - Search & Destroy 1.4

Spyware Doctor 2.1

SpywareBlaster v3.5.1

TaskPatrol Personal 2.0

TPTEST 5.0.2

Tweak UI

Unlocker 1.8.1

VideoLink Pro

Winamp (remove only)

Windows Commander (Remove or Repair)

Windows XP Service Pack 2

WinRAR

Canon PhotoRecord

ACDSee 4.0.2 PowerPack Suite

CA eTrust PestPatrol Anti-Spyware

ANIWZCS2 Service

MP3 Player Utilities V1.28

Windows Genuine Advantage v1.3.0254.0

AirPlus XtremeG

ANIO Service

TuneUp Utilities 2006

WinProducer

Adobe Reader 7.0.8 - Svenska

InterVideo WinDVD

Canon ZoomBrowser EX

Minneskortprogram

ArcSoft PhotoImpression

Philips ToUcam Pro Camera

Microsoft Plus! for Windows XP

Finished