
Help with HJT log


rimag


Hi!

I would be hugely grateful if someone knowledgeable here could take a look at my HJT log and see what I should remove! The antivirus program warns about trojans every now and then but cannot remove them, there are ad pop-ups, and a program calling itself Vista Antivirus 2008 keeps appearing...

Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:29:51, on 2008-07-08
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\GLOCAL~1\backweb\1334833\Program\SERVIC~1.EXE
C:\Program\Glocalnet\Bredbandscenter\BredbandscenterUpdater.exe
C:\Program\Cisco Systems\VPN Client\cvpnd.exe
C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\fsgk32st.exe
C:\Program\Glocalnet\Bredbandscenter\Launcher.exe
C:\Program\Logitech\iTouch\iTouch.exe
C:\Program\Glocalnet Säkerhetspaket\backweb\1334833\program\fsbwsys.exe
C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\FSGK32.EXE
C:\Program\Glocalnet Säkerhetspaket\backweb\1334833\Program\fspex.exe
C:\Program\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program\Glocalnet Säkerhetspaket\Common\FSM32.EXE
C:\Program\Glocalnet Säkerhetspaket\Common\FSMA32.EXE
C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\fssm32.exe
C:\Program\Glocalnet Säkerhetspaket\FSGUI\ispnews.exe
C:\Program\Glocalnet Säkerhetspaket\Common\FSMB32.EXE
C:\Program\VAV\vav.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Glocalnet Säkerhetspaket\Common\FCH32.EXE
C:\Program\Glocalnet Säkerhetspaket\FSPC\fshttps\fshttps.exe
C:\Program\Glocalnet Säkerhetspaket\Common\FAMEH32.EXE
C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\fsqh.exe
C:\Program\Glocalnet Säkerhetspaket\FSPC\fspc.exe
C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\fsrw.exe
C:\Program\Glocalnet Säkerhetspaket\FWES\Program\fsdfwd.exe
C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\fsav32.exe
C:\Program\Logitech\iTouch\kbdtray.exe
C:\Program\GLOCAL~1\ANTI-S~1\fsaw.exe
C:\Program\Glocalnet Säkerhetspaket\FSGUI\fsguidll.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://watson.microsoft.com/dw/dcp.asp?CLCID=1053&EXENAME=generic&BRAND=WINDOWS
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: nqgpedlr - {61D1EA3E-A930-4BEB-B16B-D7212B5C5A4C} - C:\DOCUME~1\Puma\LOKALA~1\Temp\ac8zt2\nqgpedlr.dll (file missing)
O4 - HKLM\..\Run: [bredbandscenter] "C:\Program\Glocalnet\Bredbandscenter\Launcher.exe" /winstart
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\Glocalnet Säkerhetspaket\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\Glocalnet Säkerhetspaket\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\Glocalnet Säkerhetspaket\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program\Glocalnet Säkerhetspaket\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [C:\WINDOWS\System32\kddtp.exe] C:\WINDOWS\system32\kddtp.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program\VAV\vav.exe
O4 - HKLM\..\Run: [d023d5ec] rundll32.exe "C:\WINDOWS\System32\nsqgksyd.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Glocalnet Säkerhetspaket.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Blockera detta popup-fönster - C:\Program\Glocalnet Säkerhetspaket\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\Glocalnet Säkerhetspaket\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\Glocalnet Säkerhetspaket\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\Glocalnet Säkerhetspaket\FSPC\fspcmsie.dll
O9 - Extra button: IE-sköld - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\Glocalnet Säkerhetspaket\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-sköld... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\Glocalnet Säkerhetspaket\Anti-Spyware\ieshield.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{51DBAC63-B9FF-4494-8E6E-E99852FDFA49}: NameServer = 85.255.116.134,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBA86027-B01B-47CE-AC7B-61F88D03078D}: NameServer = 85.255.116.134,85.255.112.139
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.134 85.255.112.139
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.134 85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.134 85.255.112.139
O21 - SSODL: okmdepgb - {8EFEE8C5-B277-42AF-A0F8-BB5270B233EE} - C:\WINDOWS\okmdepgb.dll (file missing)
O21 - SSODL: axrfgvek - {143DF4D6-5D5A-4CC1-9527-DCA63369D39E} - C:\WINDOWS\axrfgvek.dll (file missing)
O23 - Service: Glocalnet Säkerhetspaket (BackWeb Plug-in - 1334833) - BackWeb Technologies Inc.                          - C:\Program\GLOCAL~1\backweb\1334833\Program\SERVIC~1.EXE
O23 - Service: BredbandscenterDownloader - Glocalnet AB - C:\Program\Glocalnet\Bredbandscenter\BredbandscenterUpdater.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\Glocalnet Säkerhetspaket\backweb\1334833\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\Glocalnet Säkerhetspaket\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program\Glocalnet Säkerhetspaket\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\Glocalnet Säkerhetspaket\Common\FSMA32.EXE

--
End of file - 7601 bytes


Alright, thanks for the help so far!

Here are the mbam and HJT logs:

Malwarebytes' Anti-Malware 1.20
Databasversion: 933
Windows 5.1.2600

13:34:02 2008-07-09
mbam-log-7-9-2008 (13-34-02).txt

Skanningstyp: Fullständig skanning (C:\|)
Antal skannade objekt: 86323
Förfluten tid: 25 minute(s), 51 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 3

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
C:\WINDOWS\system32\urqNGxVo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oVxGNqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyxWOfc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


---

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:36:32, on 2008-07-09
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\GLOCAL~1\backweb\1334833\Program\SERVIC~1.EXE
C:\Program\Glocalnet\Bredbandscenter\BredbandscenterUpdater.exe
C:\Program\Cisco Systems\VPN Client\cvpnd.exe
C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\fsgk32st.exe
C:\Program\Glocalnet Säkerhetspaket\backweb\1334833\program\fsbwsys.exe
C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\FSGK32.EXE
C:\Program\Glocalnet Säkerhetspaket\Common\FSMA32.EXE
C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Glocalnet Säkerhetspaket\backweb\1334833\Program\fspex.exe
C:\Program\Glocalnet Säkerhetspaket\Common\FSMB32.EXE
C:\Program\Glocalnet Säkerhetspaket\Common\FCH32.EXE
C:\Program\Glocalnet Säkerhetspaket\Common\FAMEH32.EXE
C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\fsqh.exe
C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\fsrw.exe
C:\Program\Glocalnet Säkerhetspaket\FWES\Program\fsdfwd.exe
C:\Program\Glocalnet Säkerhetspaket\FSPC\fspc.exe
C:\Program\Glocalnet\Bredbandscenter\Launcher.exe
C:\Program\Logitech\iTouch\iTouch.exe
C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program\Logitech\iTouch\kbdtray.exe
C:\Program\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\fsav32.exe
C:\Program\Glocalnet Säkerhetspaket\Common\FSM32.EXE
C:\Program\Glocalnet Säkerhetspaket\FSGUI\ispnews.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\GLOCAL~1\ANTI-S~1\fsaw.exe
C:\Program\Glocalnet Säkerhetspaket\FSGUI\fsguidll.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://watson.microsoft.com/dw/dcp.asp?CLCID=1053&EXENAME=generic&BRAND=WINDOWS
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: nqgpedlr - {61D1EA3E-A930-4BEB-B16B-D7212B5C5A4C} - C:\DOCUME~1\Puma\LOKALA~1\Temp\ac8zt2\nqgpedlr.dll (file missing)
O4 - HKLM\..\Run: [bredbandscenter] "C:\Program\Glocalnet\Bredbandscenter\Launcher.exe" /winstart
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\Glocalnet Säkerhetspaket\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\Glocalnet Säkerhetspaket\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\Glocalnet Säkerhetspaket\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program\Glocalnet Säkerhetspaket\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [C:\WINDOWS\System32\kddtp.exe] C:\WINDOWS\system32\kddtp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Glocalnet Säkerhetspaket.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Blockera detta popup-fönster - C:\Program\Glocalnet Säkerhetspaket\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\Glocalnet Säkerhetspaket\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\Glocalnet Säkerhetspaket\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\Glocalnet Säkerhetspaket\FSPC\fspcmsie.dll
O9 - Extra button: IE-sköld - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\Glocalnet Säkerhetspaket\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-sköld... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\Glocalnet Säkerhetspaket\Anti-Spyware\ieshield.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Glocalnet Säkerhetspaket (BackWeb Plug-in - 1334833) - BackWeb Technologies Inc.                          - C:\Program\GLOCAL~1\backweb\1334833\Program\SERVIC~1.EXE
O23 - Service: BredbandscenterDownloader - Glocalnet AB - C:\Program\Glocalnet\Bredbandscenter\BredbandscenterUpdater.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program\Glocalnet Säkerhetspaket\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\Glocalnet Säkerhetspaket\backweb\1334833\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\Glocalnet Säkerhetspaket\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program\Glocalnet Säkerhetspaket\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\Glocalnet Säkerhetspaket\Common\FSMA32.EXE

--
End of file - 6735 bytes


It seems mbam found quite a lot of junk on the first scan, and a couple more items on the second scan.

Just one question: when I ran the mbam scan and the HJT scan I was still connected to the internet, and not in safe mode. Should I redo it properly, disconnected?


It is fine to run MBAM and HijackThis in normal mode with the internet connected.

Go to http://www.virustotal.com, paste the following file name into the box, click Send File and wait until the result is ready (Current status changes to Finished). Paste the results from the various antivirus programs here.
C:\WINDOWS\system32\kddtp.exe
