Backdoor SdBot BKV Trojan


CJ3A


Does anyone know how to get rid of this Trojan that XoftSpySE has found in my registry key? Xoft removes it and puts it in Quarantine, then when you scan again the string is still there. I have tried to delete it in regedit but it comes back.

 

 


Logfile of HijackThis v1.99.1

Scan saved at 14:13:10, on 2008-01-20

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\Program\Delade filer\Symantec Shared\ccProxy.exe

C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE

C:\Program\Creative\Shared Files\Module Loader\DLLML.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program\CyberLink\PowerCinema\PCMService.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program\HP\HP Software Update\HPwuSchd2.exe

C:\Program\Java\jre1.6.0_03\bin\jusched.exe

C:\Program\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\WINDOWS\system32\rundll32.exe

D:\GE.program\XoftSpySE\xoftspy.exe

C:\Program\Delade filer\Teleca Shared\CapabilityManager.exe

C:\HP\KBD\KBD.EXE

C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

D:\GE.program\C-Pen 20\CPen20.exe

D:\GE.program\Exif Launcher\QuickDCF.exe

C:\Program\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe

C:\Program\Delade filer\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\CyberLink\PowerCinema\Kernel\TV\CLSched.exe

C:\Program\Windows Desktop Search\WindowsSearchIndexer.exe

C:\Program\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\WINDOWS\System32\svchost.exe

D:\GE.program\C-Pen 20\VeOCRApp.exe

D:\GE.program\C-Pen 20\CPenDesk.exe

c:\Program\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program\Delade filer\Teleca Shared\Generic.exe

C:\Program\Delade filer\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\MSN Messenger\usnsvc.exe

C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\Program\Messenger\msmsgs.exe

c:\windows\system\hpsysdrv.exe

C:\Documents and Settings\HP_Ägaren\Skrivbord\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.se/spbasic.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.swipnet.se/Gyllkya

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.swipnet.se/Gyllkya

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.swipnet.se/Gyllkya

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.swipnet.se/Gyllkya

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program\Windows Desktop Search\dsWebAllow.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar8.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar8.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [CTDVDDET] 'C:\Program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE'

O4 - HKLM\..\Run: [VolPanel] 'C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe' /r

O4 - HKLM\..\Run: [AudioDrvEmulator] 'C:\Program\Creative\Shared Files\Module Loader\DLLML.exe' -1 AudioDrvEmulator 'C:\Program\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll'

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [HPHUPD08] c:\Program\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [PCMService] 'C:\Program\CyberLink\PowerCinema\PCMService.exe'

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPBootOp] 'C:\Program\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe' /run

O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPwuSchd2.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] 'C:\Program\Java\jre1.6.0_03\bin\jusched.exe'

O4 - HKLM\..\Run: [CloneCDElbyCDFL] 'D:\GE.program\CloneCD\ElbyCheck.exe' /L ElbyCDFL

O4 - HKLM\..\Run: [RoxioDragToDisc] 'C:\Program\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe'

O4 - HKLM\..\Run: [TkBellExe] 'C:\Program\Delade filer\Real\Update_OB\realsched.exe' -osboot

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [ccApp] 'C:\Program\Delade filer\Symantec Shared\ccApp.exe'

O4 - HKLM\..\Run: [sony Ericsson PC Suite] 'C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe' /startoptions

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [XoftSpySE] D:\GE.program\XoftSpySE\xoftspy.exe -s

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [symantec PIF AlertEng] 'C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe' /a /m 'C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll'

O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program\QuickTime\qttask.exe' -atboottime

O4 - HKCU\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] 'C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe'

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Anslutning till lokalt nätverk.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: C-Pen 20.lnk = ?

O4 - Global Startup: Exif Launcher.lnk = D:\GE.program\Exif Launcher\QuickDCF.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Windows Skrivbordssökning.lnk = C:\Program\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program\PartyGaming.Net\PartyPokerNet\RunPF.exe

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program\PartyGaming.Net\PartyPokerNet\RunPF.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155504644765

O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.digicenter.se/aurigma/ImageUploader4.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - https://lagring.storegate.se/USER/Files/Cabs/ImageUploader3.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program\Norton Internet Security\ccPwdSvc.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program\CyberLink\PowerCinema\Kernel\TV\CLSched.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program\Norton Internet Security\comHost.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe' /m 'C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

 

 

 

 


Download ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Unplug the internet connection and close all programs you can see, including antivirus, antispyware and firewall.

Run ComboFix and follow the instructions shown.

 

IMPORTANT! Do not click on the ComboFix window with the mouse while it is running, otherwise it may hang.

 

When it is finished a log should appear; paste it into your reply. Check that the antivirus program and firewall are running before you connect to the internet.

 

If you have problems getting out onto the internet:

Control Panel - Network Connections

right-click your internet connection and choose Repair

or restart the computer.

 


Found a txt file called ComboFix in the ComboFix folder on C:

 

ComboFix 08-01-20.1 - HP_Ägaren 2008-01-20 14:55:02.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1053.18.1366 [GMT 1:00]

Running from: C:\Documents and Settings\HP_Ägaren\Skrivbord\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\WINDOWS\Tasks.\AntiSpywareBot Scheduled Scan.job

E:\Autorun.inf

 

.

((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))

.

 

2008-01-20 14:34 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-20 01:02 . <KAT> C:\Documents and Settings\HP_Ägaren\Application Data\AntiSpywareBot

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-20 00:14 --------- d-----w C:\Program\Delade filer\Symantec Shared

2008-01-04 07:31 --------- d-----w C:\Program\Norton Internet Security

2007-12-07 22:10 --------- d-----w C:\Program\Windows Live Toolbar

2007-12-07 21:07 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF

2007-12-07 21:07 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL

2007-12-07 21:07 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-12-07 21:07 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2007-12-07 21:07 --------- d-----w C:\Program\Symantec

2007-11-27 22:01 --------- d-----w C:\Documents and Settings\HP_Ägaren\Application Data\Adobe

2007-11-27 21:58 --------- d-----w C:\Program\Delade filer\Adobe

2007-11-07 09:29 722,432 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-11-07 09:29 722,432 ----a-w C:\WINDOWS\system32\lsasrv(2)(2).dll

2007-11-07 09:29 722,432 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll

2007-10-30 23:27 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys

2007-10-29 22:45 1,289,728 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-29 22:45 1,289,728 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll

2007-10-28 10:24 3,300 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP

2007-10-25 16:44 8,467,968 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll

2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll

2007-07-02 17:58 28,960 ----a-w C:\Documents and Settings\HP_Ägaren\Application Data\GDIPFONTCACHEV1.DAT

2005-09-24 06:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll

2003-08-27 12:19 36,963 ----a-r C:\Program\Delade filer\SM1updtr.dll

2006-06-02 05:49 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

'MsnMsgr'='C:\Program\MSN Messenger\MsnMsgr.exe' [2007-01-19 12:55 5674352]

'BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}'='C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe' [2006-08-30 14:05 139264]

'ctfmon.exe'='C:\WINDOWS\system32\ctfmon.exe' [2004-08-04 12:00 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

'ftutil2'='ftutil2.dll' [2004-06-07 22:05 106496 C:\WINDOWS\system32\ftutil2.dll]

'NvCplDaemon'='C:\WINDOWS\system32\NvCpl.dll' [2006-10-31 13:35 7634944]

'nwiz'='nwiz.exe' [2006-10-31 13:35 1622016 C:\WINDOWS\system32\nwiz.exe]

'CTDVDDET'='C:\Program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE' [2003-06-18 08:00 45056]

'VolPanel'='C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe' [2005-07-11 18:34 122880]

'AudioDrvEmulator'='C:\Program\Creative\Shared Files\Module Loader\DLLML.exe' [2005-06-17 01:25 49152]

'CTHelper'='CTHELPER.EXE' [2006-06-01 10:34 17920 C:\WINDOWS\CTHELPER.EXE]

'CTxfiHlp'='CTXFIHLP.EXE' [2006-06-01 10:34 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

'UpdReg'='C:\WINDOWS\UpdReg.EXE' [2000-05-11 08:00 90112]

'HPHUPD08'='c:\Program\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe' [2005-06-02 07:35 49152]

'PCMService'='C:\Program\CyberLink\PowerCinema\PCMService.exe' [2006-02-25 02:46 147456]

'Recguard'='C:\WINDOWS\SMINST\RECGUARD.EXE' [2005-07-22 22:14 237568]

'HPBootOp'='C:\Program\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe' [2005-11-10 01:29 249856]

'HP Software Update'='C:\Program\HP\HP Software Update\HPwuSchd2.exe' [2005-05-12 06:12 49152]

'SunJavaUpdateSched'='C:\Program\Java\jre1.6.0_03\bin\jusched.exe' [2007-09-25 01:11 132496]

'CloneCDElbyCDFL'='D:\GE.program\CloneCD\ElbyCheck.exe' [2001-12-06 13:09 45056]

'RoxioDragToDisc'='C:\Program\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe' [2004-01-27 22:39 1179648]

'TkBellExe'='C:\Program\Delade filer\Real\Update_OB\realsched.exe' [2005-01-01 17:45 180269]

'NWEReboot'='' []

'NeroFilterCheck'='C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe' [2006-01-12 15:40 155648]

'ccApp'='C:\Program\Delade filer\Symantec Shared\ccApp.exe' [2007-03-01 11:01 52840]

'Sony Ericsson PC Suite'='C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe' [2005-10-26 15:17 159744]

'BluetoothAuthenticationAgent'='bthprops.cpl' [2004-08-04 12:00 110592 C:\WINDOWS\system32\bthprops.cpl]

'XoftSpySE'='D:\GE.program\XoftSpySE\xoftspy.exe' [2007-07-13 13:44 728576]

'KBD'='C:\HP\KBD\KBD.EXE' [2005-02-02 15:44 61440]

'Symantec PIF AlertEng'='C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe' [2007-03-12 09:22 517768]

'QuickTime Task'='C:\Program\QuickTime\qttask.exe' [2007-10-21 18:04 286720]

 

C:\Documents and Settings\Administratör\Start-meny\Program\Autostart
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-01-01 17:04:23 27136]

 

C:\Documents and Settings\ULRIKA\Start-meny\Program\Autostart
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-01-01 17:04:23 27136]

 

C:\Documents and Settings\All Users\Start-meny\Program\Autostart
Adobe Gamma Loader.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-31 09:25:27 110592]

Adobe Reader Speed Launch.lnk - C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

Bluetooth Manager.lnk - C:\Program\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-21 20:42:42 45056]

C-Pen 20.lnk - C:\WINDOWS\Installer\{ED10A1F7-C0D9-44F4-AA62-E6EACFE9188C}\_59A4C98B11A0_41BF_8B7F_D1D5ADCFB3D8.exe [2006-05-28 20:46:35 40960]

Exif Launcher.lnk - D:\GE.program\Exif Launcher\QuickDCF.exe [2006-05-28 20:53:02 188416]

HP Digital Imaging Monitor.lnk - C:\Program\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 06:23:26 282624]

Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

Windows Skrivbordssökning.lnk - C:\Program\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08 257752]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

'{56F9679E-7826-4C84-81F3-532071A8BCC5}'= C:\Program\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

 

R2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;'C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe' [2006-08-03 17:08]

R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-10-03 21:57]

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-06-01 10:18]

S3 CPen20;C-Pen 20;C:\WINDOWS\system32\Drivers\CPen20.sys [2005-02-16 08:53]

S3 pendfu;PenDfu (pendfu.sys);C:\WINDOWS\system32\Drivers\pendfu.sys [2005-02-14 15:27]

S3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 18:44]

 

*Newly Created Service* - COMHOST

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

'2007-10-06 21:41:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job'

- C:\Program\Apple Software Update\SoftwareUpdate.exe

'2008-01-20 13:41:00 C:\WINDOWS\Tasks\Internet-tjänster.job'

 

 

 


Set up Explorer so that you can see all files:

Tools - (Folder) Options or similar - View

Select Show hidden files and folders

Uncheck Hide extensions for known file types

Uncheck Hide protected operating system files

 

Delete the folder C:\Documents and Settings\HP_Ägaren\Application Data\AntiSpywareBot

 

Any improvement?

 


No. If I run Xoftspy it still finds the Trojan, with the string in regedit.

Registry Key= system\currentcontrolset\services\navapsvc

And

Registry Key= system\controlset002\services\navapsvc

 


Download SDFix to the Desktop:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double-click SDFix.exe and a new folder is created, C:\SDFix.

 

Restart the computer in Safe Mode (press F8 repeatedly during startup and choose Safe Mode from the menu).

 

Open the new folder C:\SDFix and double-click RunThis.bat to start the program.

Press Y to continue.

It works for a while, and when it is done a question comes up asking whether you want to restart the computer.

Press any key for the restart to begin.

The computer will take a long time to start up, because the program will run and fix a lot of things.

When it is done, Finished is shown.

Press any key to exit the program.

 

Open the SDFix folder and open the file Report.txt in Notepad.

Paste the contents of the file into your reply here.

 


 

SDFix: Version 1.129

 

Run by HP_Ägaren on 2008-01-20 at 16:19

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

No Trojan Files Found

 

 

 

 

 

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-20 16:28:51

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060d13e81]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060d13e81]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001060d13e81]

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

'TracesProcessed'=dword:00000000

'TracesSuccessful'=dword:00000000

'LastTraceFailure'=dword:00000000

 

scanning hidden files ...

 

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 6

 

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

Remaining Files:

---------------

 

 

Files with Hidden Attributes:

 

Sun 13 Aug 2006 211 A.SHR --- 'C:\BOOT.BAK'

Fri 2 Jun 2006 22 A.SH. --- 'C:\WINDOWS\SMINST\HPCD.sys'

Fri 2 Feb 2007 0 A.SH. --- 'C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp'

Fri 16 Nov 2007 0 A..H. --- 'C:\WINDOWS\SoftwareDistribution\Download\ae4fe25faed9052b39f0d1588e186e97\BIT44.tmp'

 

Finished!

 

 

 


Nothing is found there either.

 

Registry Key= system\currentcontrolset\services\navapsvc

navapsvc is normally part of Norton. Since no other program finds any problem with 'services', I rather think this is a false positive (false alarm) from XoftSpySE.

 


But why does the name of a trojan come up? Can the string look like a trojan, or could it be something that is infecting Norton AntiVirus?

 


Now, XoftSpySE is not a particularly good program, but I suppose it is because it resembles something this Sdbot trojan does on the computer.

 

But you can check the Norton file. Go to http://www.virustotal.com/ , paste the following filename into the box, press Send File and wait until the result is ready (Current status becomes finished). Paste the result from the various antivirus programs, plus the File size, here.

C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe

 

 


I had the PC on during the day yesterday and ran a scan in the afternoon; that is when I got it in Xoftspy, and it scans every time I start up. Norton & Xoftspy have been on the PC the whole time and never any problems.

 

File size: 139888 bytes

MD5: 606c21d97649e5c44b94763380f07b7c

SHA1: fa013757fed92d3352bb4437036b14c25573dd21

PEiD: -

AhnLab-V3 2008.1.19.10 2008.01.18 -

AntiVir 7.6.0.48 2008.01.20 -

Authentium 4.93.8 2008.01.20 -

Avast 4.7.1098.0 2008.01.20 -

AVG 7.5.0.516 2008.01.20 -

BitDefender 7.2 2008.01.20 -

CAT-QuickHeal 9.00 2008.01.19 -

ClamAV 0.91.2 2008.01.20 -

DrWeb 4.44.0.09170 2008.01.20 -

eSafe 7.0.15.0 2008.01.16 -

eTrust-Vet 31.3.5470 2008.01.18 -

Ewido 4.0 2008.01.20 -

FileAdvisor 1 2008.01.20 -

Fortinet 3.14.0.0 2008.01.20 -

F-Prot 4.4.2.54 2008.01.19 -

F-Secure 6.70.13260.0 2008.01.20 -

Ikarus T3.1.1.20 2008.01.20 -

Kaspersky 7.0.0.125 2008.01.20 -

McAfee 5211 2008.01.18 -

Microsoft 1.3109 2008.01.20 -

NOD32v2 2808 2008.01.20 -

Norman 5.80.02 2008.01.20 -

Panda 9.0.0.4 2008.01.20 -

Prevx1 V2 2008.01.20 -

Rising 20.27.62.00 2008.01.20 -

Sophos 4.24.0 2008.01.20 -

Sunbelt 2.2.907.0 2008.01.17 -

Symantec 10 2008.01.20 -

TheHacker 6.2.9.191 2008.01.19 -

VBA32 3.12.2.5 2008.01.19 -

VirusBuster 4.3.26:9 2008.01.20 -

Webwasher-Gateway 6.6.2 2008.01.20 -

 

 

 

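The check this thread works through by hand (find the Services key the scanner flagged, see which file its ImagePath points to, and compare that file's hashes with what independent engines report) can be scripted so that it covers every control set at once. The following is an added example written for this page; it is not code from the thread or from any of the tools mentioned in it. It takes a REGEDIT4-style export of HKLM\SYSTEM, such as regedit's File > Export produces, and for one service name resolves ImagePath in each control set that defines it. The saved ControlSetNNN keys (the ControlSet002 hit above) are copies of the boot configuration and CurrentControlSet is a link to one of them, so the same service is expected to appear more than once; that is not a second infection. It then reports MD5 and SHA-1 of the binary against a known pair. VT_NAVAPSVC holds the digests from the VirusTotal result above; SAMPLE_EXPORT, FAKE_FS, SAMPLE_ENV and the service SampleSvc are constructed for the demo, so the "mismatch" verdict for the constructed b"hello" stand-in says nothing about the real navapsvc.exe. It goes beyond the thread in also decoding the hex(2) form regedit uses for REG_EXPAND_SZ values.

```python
import hashlib
import re
from typing import Callable, Dict, Tuple

# Section headers of the form [HKEY_LOCAL_MACHINE\SYSTEM\<control set>\Services\<name>]
SECTION_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\([^\\\]]+)\]$", re.I)
IMAGEPATH_RE = re.compile(r'^"ImagePath"=(.+)$', re.I)

# MD5 and SHA-1 reported for navapsvc.exe in the VirusTotal result above.
VT_NAVAPSVC = ("606c21d97649e5c44b94763380f07b7c",
               "fa013757fed92d3352bb4437036b14c25573dd21")


def logical_lines(text: str):
    """Yield .reg lines with continuations joined (a trailing backslash continues)."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def decode_value(raw: str) -> str:
    """Decode a .reg right-hand side: quoted REG_SZ, or hex(2) REG_EXPAND_SZ (UTF-16LE)."""
    if raw.startswith('"') and raw.endswith('"'):
        # .reg escapes embedded quotes as \" and backslashes as \\
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def image_paths(reg_export: str, service: str) -> Dict[str, str]:
    """Map control-set name -> ImagePath for every definition of `service`."""
    found, current = {}, None
    for line in logical_lines(reg_export):
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1) if sec.group(2).lower() == service.lower() else None
            continue
        val = IMAGEPATH_RE.match(line)
        if current and val:
            found[current] = decode_value(val.group(1))
    return found


def resolve_binary(image_path: str, env: Dict[str, str]) -> str:
    """Strip quoting and arguments from an ImagePath and expand %VAR% references."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:p.index('"', 1)]              # quoted path; arguments follow the quote
    else:
        m = re.match(r"(.+?\.exe)", p, re.I)  # unquoted: stop at the first .exe
        p = m.group(1) if m else p
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), p)


def verify_service(reg_export: str, service: str, known: Tuple[str, str],
                   env: Dict[str, str],
                   read: Callable[[str], bytes] = lambda p: open(p, "rb").read()):
    """Per control set: (path, md5, sha1, verdict); verdict is match/mismatch/missing."""
    report = {}
    for cs, raw in image_paths(reg_export, service).items():
        path = resolve_binary(raw, env)
        try:
            data = read(path)
        except (OSError, KeyError):
            report[cs] = (path, None, None, "missing")
            continue
        md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
        report[cs] = (path, md5, sha1, "match" if (md5, sha1) == known else "mismatch")
    return report


# Constructed export: navapsvc in the live control set and in a saved one (the two
# keys XoftSpySE flagged), plus a two-line hex(2) value to exercise that decoder.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\navapsvc]
"ImagePath"="\"C:\\Program\\Norton Internet Security\\Norton AntiVirus\\navapsvc.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\navapsvc]
"ImagePath"="\"C:\\Program\\Norton Internet Security\\Norton AntiVirus\\navapsvc.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SampleSvc]
"ImagePath"=hex(2):43,00,3a,00,5c,00,78,00,2e,00,65,00,78,00,\
  65,00,00,00
'''

# Constructed stand-in for the disk: path -> bytes (b"hello" is not the real binary).
FAKE_FS = {r"C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe": b"hello"}
SAMPLE_ENV = {"SYSTEMROOT": r"C:\WINDOWS"}


def demo():
    """Check the flagged service against the VirusTotal digests, reading from FAKE_FS."""
    return verify_service(SAMPLE_EXPORT, "navapsvc", VT_NAVAPSVC, SAMPLE_ENV, FAKE_FS.__getitem__)
```

On a live machine, drop the `read` argument so the default reads the real file, and feed in an export made with regedit. A "match" only says the file on disk is byte-for-byte what the engines scanned; it does not by itself say the file is clean, which is why the thread also compares File size and the per-engine results.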

The file looks fine, in any case.

It could have been either an update of Xoftspy that caused the false positive, or of Norton, of course.

 

Do you want to check the computer further?

 


Yes, you do get a little unsure when you get warnings of the Severe Risk type every time you run a spyware scan.

But for tonight that is probably it. If you have any more suggestions, or think of something, I will keep watching the thread.

 

 

 


Sent a log to the support at Paretologic, and the reply came today: it was a false alarm in Xoftspy, so they have sent out an update that corrects it.

SO NOW THINGS ARE CALM ON THE TROJAN front

 

 

 

 
