
Probable virus? again.. Joakim Bergström



Denan Muratovic

I don't understand at all how I'm supposed to reply to you, so I'm forced to write a new question. I hope you understand that this is exactly why I put your name in the heading, and I apologise for that!

 

Thank you for your interest!

 

Here is the log you wanted:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:11:06, on 2007-10-30

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\notepad.exe

C:\Program\MessengerPlus! 3\MsgPlus.exe

C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hb.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O1 - Hosts: 1315771170 google.com

O1 - Hosts: 1315771170 www.google.com

O1 - Hosts: 1315771170 www.altavista.com

O1 - Hosts: 1315771170 altavista.com

O1 - Hosts: 1315771170 www.alltheweb.com

O1 - Hosts: 1315771170 alltheweb.com

O1 - Hosts: 1315771170 search.google.com

O1 - Hosts: 1315771170 search.yahoo.com

O1 - Hosts: 1315771170 search.lycos.com

O1 - Hosts: 1315771170 search.live.com

O1 - Hosts: 1315771170 search.msn.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [MessengerPlus3] 'C:\Program\MessengerPlus! 3\MsgPlus.exe'

O4 - HKLM\..\Run: [NVMixerTray] 'C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe'

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Windows Update Check] C:\WINDOWS\system32\syslodr.exe

O4 - HKCU\..\Run: [updateMgr] C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y '%SystemRoot%\System32\syssetub.dll' '%SystemRoot%\System32\syssetup.dll' (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y '%SystemRoot%\System32\syssetub.dll' '%SystemRoot%\System32\syssetup.dll' (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y '%SystemRoot%\System32\syssetub.dll' '%SystemRoot%\System32\syssetup.dll' (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y '%SystemRoot%\System32\syssetub.dll' '%SystemRoot%\System32\syssetup.dll' (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://G:\ProEng\i486_nt\obj\pvx_install.exe

O20 - AppInit_DLLs: c:\windows\system32\awvvtuu.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Denan\Application Data\tmp1.tmp.exe (file missing)

O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program\Groove Networks\Groove\Bin\GrooveInstallerService.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 4370 bytes

 

SDFix: Version 1.112

 

Run by Azra on 2007-10-30 at 20:06

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

Name:

Driver

 

ImagePath:

\??\C:\WINDOWS\system32\kernelw.sys

 

Driver - Deleted

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Missing Security Center Service

Restoring Missing SharedAccess Service

 

Rebooting...

 

Service asc3550p - Deleted after Reboot

 

Normal Mode:

Checking Files:

 

Trojan Files Found:

 

C:\Temp\System\v3xd1.g22me - Deleted

C:\Temp\System\v4xd3.ga2me - Deleted

C:\Temp\System\v4xd6.gam5e - Deleted

C:\Temp\System\v5xd2.g3ame - Deleted

C:\Temp\System\v5xd4.ga2me - Deleted

C:\Temp\System\v6xdt4.game - Deleted

C:\Temp\System\vx1dt1.game - Deleted

C:\Temp\System\vx1dt3.game - Deleted

C:\Temp\System\vx3dt2.game - Deleted

C:\Temp\System\ma1x1dd1v.game - Deleted

C:\Program\InetGet2\INSTALLEUR.0XE - Deleted

C:\Program\Temporary\_install.exe - Deleted

C:\Program\Delade filer\Yazzle1122OinUninstaller.exe - Deleted

C:\WINDOWS\system32\7_exception.nls - Deleted

C:\WINDOWS\system32\cmds.txt - Deleted

C:\WINDOWS\system32\conf.dat - Deleted

C:\WINDOWS\system32\cookie1.dat - Deleted

C:\WINDOWS\system32\dllh8jkd1q8.exe - Deleted

C:\WINDOWS\system32\kernelw.sys - Deleted

C:\WINDOWS\system32\ps1.dat - Deleted

C:\WINDOWS\system32\rc.dat - Deleted

C:\WINDOWS\system32\vx.tll - Deleted

C:\WINDOWS\system32\drivers\asc3550p.sys - Deleted

 

 

Folder C:\Program\InetGet2 - Removed

Folder C:\Program\Temporary - Removed

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

'%windir%\\system32\\sessmgr.exe'='%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019'

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

'%windir%\\system32\\sessmgr.exe'='%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019'

 

Remaining Files:

---------------

catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-30 20:11:45

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes:

 

Sat 8 Sep 2007 541,093 ..SH. --- 'C:\WINDOWS\twvxxx.tmp'

Wed 17 Aug 2005 1,694,208 ..SH. --- 'C:\Program\Messenger\msmsgs.exe'

Wed 17 Aug 2005 18,463 A.SH. --- 'C:\Program\Windows Media Player\mplayer2.exe'

Wed 17 Aug 2005 73,728 A.SH. --- 'C:\Program\Windows Media Player\wmplayer.exe'

Sun 22 Oct 2006 31,760 A.SHR --- 'C:\Temp\System\bot80F5.tmp'

Tue 24 Oct 2006 31,760 A.SHR --- 'C:\Temp\System\bot861B.tmp'

Tue 30 Oct 2007 31,760 A.SHR --- 'C:\Temp\System\hd89.tmp'

 

Finished!

 

 

 


Just click the reply button.

 

Have you restored the hosts file?

O1 - Hosts: 1315771170

etc.

 

Delete this folder, in safe mode if necessary:

C:\Temp\System

 

Download this program and save it to the desktop:

http://www.atribune.org/ccount/click.php?id=4

Start the program > click Scan for Vundo > click Remove Vundo.

Choose to delete the files if asked.

Restart; several restarts may be needed.

Post the log found at C:\vundofix.txt and a new HJT log.

 

[post edited 2007-10-30 22:46:37 by 927]


Denan Muratovic

Hi Joakim!

 

I deleted the folder c:temp/system, but I'm unsure how to restore the file you mentioned!

 

Here is the new log:

 

 

VundoFix V6.5.11

 

Checking Java version...

 

 

Sun Java not detected

Scan started at 18:01:39 2007-10-31

 

Listing files found while scanning....

 

No infected files were found.

 

 

Beginning removal...

 

Regards: student

 


I asked whether you had restored the hosts file, but I assume you haven't done it or don't understand what it is.

 

Do a new scan with HJT and tick these lines:

 

O1 - Hosts: 1315771170 google.com

O1 - Hosts: 1315771170 www.google.com

O1 - Hosts: 1315771170 www.altavista.com

O1 - Hosts: 1315771170 altavista.com

O1 - Hosts: 1315771170 www.alltheweb.com

O1 - Hosts: 1315771170 alltheweb.com

O1 - Hosts: 1315771170 search.google.com

O1 - Hosts: 1315771170 search.yahoo.com

O1 - Hosts: 1315771170 search.lycos.com

O1 - Hosts: 1315771170 search.live.com

O1 - Hosts: 1315771170 search.msn.com

 

O4 - HKLM\..\Run: [Windows Update Check] C:\WINDOWS\system32\syslodr.exe

 

O20 - AppInit_DLLs: c:\windows\system32\awvvtuu.dll

 

Click the Fix checked button.

Restart and post a new HJT log.

 

http://www.uploads.ejvindh.net/rootchk.exe

Save the file to the desktop and run it; if the firewall asks questions, answer yes/OK. After a while a log is shown, which you post.

 

[post edited 2007-10-31 19:13:53 by 927]

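The helper's point about the O1 lines is that the address field is not a dotted quad: Windows reads the hosts file with inet_addr semantics, so the bare decimal 1315771170 is a valid IPv4 address in disguise. The script below is an added example, not code from the thread or from HijackThis; it decodes that integer form and triages O1 lines from a sample constructed out of the log above (the hex variant is constructed too).

```python
import ipaddress
import re

# Constructed sample (not the thread's own text): O1 lines copied from the
# HijackThis log above, a hex-form variant, and a benign localhost entry.
SAMPLE_HJT_LINES = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 1315771170 google.com
O1 - Hosts: 1315771170 search.yahoo.com
O1 - Hosts: 0x4E6D1322 search.msn.com
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

def decode_hosts_address(token):
    """Normalise a hosts-entry address token to a dotted quad, or None.
    Windows reads the hosts file with inet_addr semantics, so a bare 32-bit
    decimal or hex integer is a valid address; hijackers use that form
    because a reader scanning for dotted quads misses it."""
    try:
        return str(ipaddress.IPv4Address(token))  # already a dotted quad
    except ValueError:
        pass
    try:
        value = int(token, 0)  # base 0 accepts "1315771170" and "0x4E6D1322"
    except ValueError:
        return None
    if not 0 <= value <= 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))

def triage_o1_lines(log_text):
    """Return (hostname, decoded_ip, verdict) for every O1 line in an HJT log."""
    findings = []
    for line in log_text.splitlines():
        match = O1_RE.match(line)
        if not match:
            continue
        raw, host = match.groups()
        ip = decode_hosts_address(raw)
        if ip is None:
            verdict = "unparseable"
        elif host == "localhost" and ip.startswith("127."):
            verdict = "benign"  # the stock hosts file entry
        elif raw != ip:
            verdict = "obfuscated-redirect"  # integer-form address: hijack marker
        else:
            verdict = "redirect"  # dotted quad; still review the target
        findings.append((host, ip, verdict))
    return findings
```

Every search-engine entry in the log decodes to the same address, 78.109.19.34, which is why the helper treats the whole O1 block as one hijack to remove.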

Denan Muratovic

I have now fixed everything and here is the log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:53:58, on 2007-10-31

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\MessengerPlus! 3\MsgPlus.exe

C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\WINDOWS\system32\slserv.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hb.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [MessengerPlus3] 'C:\Program\MessengerPlus! 3\MsgPlus.exe'

O4 - HKLM\..\Run: [NVMixerTray] 'C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe'

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [updateMgr] C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y '%SystemRoot%\System32\syssetub.dll' '%SystemRoot%\System32\syssetup.dll' (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y '%SystemRoot%\System32\syssetub.dll' '%SystemRoot%\System32\syssetup.dll' (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y '%SystemRoot%\System32\syssetub.dll' '%SystemRoot%\System32\syssetup.dll' (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y '%SystemRoot%\System32\syssetub.dll' '%SystemRoot%\System32\syssetup.dll' (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://G:\ProEng\i486_nt\obj\pvx_install.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Denan\Application Data\tmp1.tmp.exe (file missing)

O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program\Groove Networks\Groove\Bin\GrooveInstallerService.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 3766 bytes

 

 


Denan Muratovic

That log too:

 

********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh

2007-10-31 20:00:25,12

 

Driver Driver (visible) is present. Run COMBOFIX by sUBs or SDFIX by AndyManchesta.

 

********************************* ROOTCHK-LOG-end

 

 

catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-31 20:00:25

Windows 5.1.2600 Service Pack 2

scanning hidden processes ...

? [1452]

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

hidden processes: 1

hidden services: 0

hidden files: 0

 

 


Check whether you can find these files; delete them if they exist:

c:\windows\system32\awvvtuu.dll

C:\WINDOWS\system32\syslodr.exe

 

Start > Run > type: services.msc > OK

Scroll down to DomainService > double-click the row and choose Stop, and where it says Startup type choose Disabled > OK.

Delete this file if it exists:

C:\Documents and Settings\Denan\Application Data\tmp1.tmp.exe

 

Run ROOTCHK again and post that log.

 

Download smitfraudfix.exe > save it to the desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe > choose Allow if the firewall asks > press any key > type 1 > Enter.

Post the log that is shown automatically.

 

[post edited 2007-10-31 21:17:24 by 927]
