Aldebaran_ Skrevet 25. april 2006 Rapporter Del Skrevet 25. april 2006 En kveld jeg var på nettet så rant det plutselig inn med spyware/malware eller hva det nå er. Har prøvd: Spybot, CWShredder, Spysubtract, Norton, Ad-Aware, Housecall +++ uten at disse har rydda opp. Må søke hjelp hos noen som har løsninga..... Hvis jeg klikker på den røde <Virus alert> ned til høyre så kommer nettsted for SpywareQuake opp. Det er vel bare lureri vil jeg tro, gjør vondt verre.....og har holdt meg unna dette. IE er også kapret av denne linken: http://www.securitybulletin.net/ Er dette en seriøs aktør eller av den onde sorten? Her er HijackThis-log: Logfile of HijackThis v1.99.1 Scan saved at 19:38:40, on 25.04.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe C:\Programfiler\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Programfiler\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\Programfiler\Analog Devices\SoundMAX\Smtray.exe C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programfiler\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Programfiler\Logitech\Video\LogiTray.exe C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\WINDOWS\system32\PuXpMan.exe C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe C:\Programfiler\Outlook Express\msimn.exe C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe C:\Programfiler\TrojanHunter 4.5\THGuard.exe C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\MSN Messenger\msnmsgr.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe C:\Programfiler\Internet Explorer\iexplore.exe C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\Programfiler\Skype\Phone\Skype.exe C:\Programfiler\AutoSizer\AutoSizer.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe C:\Programfiler\Messenger\msmsgs.exe C:\Program Files\InterMute\SpySubtract\SpySub.exe C:\Programfiler\Logitech\Video\FxSvr2.exe C:\Programfiler\TrojanHunter 4.5\TrojanHunter.exe C:\Programfiler\Microsoft OfficeXP\Office10\msoffice.exe C:\Programfiler\Internet Explorer\iexplore.exe C:\Programfiler\Logitech\Video\AlbumDB2.exe C:\a3\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpAE52.tmp O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file) O4 - HKLM\..\Run: [smapp] C:\Programfiler\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [CheckMedi8or] C:\Programfiler\Mediator 7 Pro\CheckNewUser.exe O4 - HKLM\..\Run: [CTSysVol] C:\Programfiler\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\PuXpMan.exe O4 - HKLM\..\Run: [PwrUpTweakMe] C:\WINDOWS\system32\PuXpTwks.exe /TWEAK O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 4.5\THGuard.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Programfiler\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz O4 - HKCU\..\Run: [skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [AutoSizer] "C:\Programfiler\AutoSizer\AutoSizer.exe" O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft OfficeXP\Office10\OSA.EXE O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe O8 - Extra context menu item: Convert link target to Adobe PDF - blank O8 - Extra context menu item: Convert link target to existing PDF - blank O8 - Extra context menu item: Convert selected links to Adobe PDF - blank O8 - Extra context menu item: Convert selected links to existing PDF - blank O8 - Extra context menu item: Convert selection to Adobe PDF - blank O8 - Extra context menu item: Convert selection to existing PDF - blank O8 - Extra context menu item: Convert to Adobe PDF - blank O8 - Extra context menu item: Convert to existing PDF - blank O8 - Extra context menu item: E&ksporter til Microsoft Excel - blank O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI64E3~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programfiler\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programfiler\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programfiler\TuneUp Utilities 2004\WinStylerThemeSvc.exe Håper på seriøse, gode tips. Lenke til kommentar
themanfrom Skrevet 25. april 2006 Rapporter Del Skrevet 25. april 2006 Aktøren er nok useriøs. HAr du husket og ta av System Restore når du har scannet og fjernet? Det må du huske, ellers finner mye veien inn igjen gjennom Restore. Husk å fjern alle .reg nøkler som tilhører spyware/virus. Ad-aware og Spybot fjerner .reg nøkler. Lenke til kommentar
berxter Skrevet 25. april 2006 Rapporter Del Skrevet 25. april 2006 Rob3rt linket til denne siden for et par timer siden: http://forums.afterdawn.com/thread_view.cfm/332138 Følg den for Smitfraudfjerning (og varianter) Ellers er denne siden flott for denslags: http://www.bleepingcomputer.com/forums/topic47826.html og denne er kjempefin for generell malwarefjerning: http://www.wilderssecurity.com/showthread.php?t=50662 Etterpå bør du legge ut en ny HJTlogg. Bernt K Lenke til kommentar
Aldebaran_ Skrevet 25. april 2006 Forfatter Rapporter Del Skrevet 25. april 2006 Aktøren er nok useriøs. HAr du husket og ta av System Restore når du har scannet og fjernet? Det må du huske, ellers finner mye veien inn igjen gjennom Restore. Husk å fjern alle .reg nøkler som tilhører spyware/virus. Ad-aware og Spybot fjerner .reg nøkler. 5986816[/snapback] <System Restore> er det det samme som <Systemgjenoppretting> for oss som heller til morsmålet? Har nøklene utvidelsen .reg og kan de sees/spores noe sted? Lenke til kommentar
themanfrom Skrevet 25. april 2006 Rapporter Del Skrevet 25. april 2006 Jeg vet ikke om det er .reg Bruker det bare for register nøkler. Det vil si registeret. ---- Du starter opp register ved å skrive "regedit" i kjør. Her kan du fjerne nøklene manuelt, men jeg husker ikke hvordan du søker. Heller ikke hvordan du finner ut hvilken nøkkel som tilhører hva. Unnskyld, jeg er virkelig dårlig til å hjelpe. Lenke til kommentar
Aldebaran_ Skrevet 25. april 2006 Forfatter Rapporter Del Skrevet 25. april 2006 Jeg vet ikke om det er .reg Bruker det bare for register nøkler. Det vil si registeret. ---- Du starter opp register ved å skrive "regedit" i kjør. Her kan du fjerne nøklene manuelt, men jeg husker ikke hvordan du søker. Heller ikke hvordan du finner ut hvilken nøkkel som tilhører hva. Unnskyld, jeg er virkelig dårlig til å hjelpe. 5987143[/snapback] Direkte søk (F3) osv i registeret har jeg ikke noen problemer med å gjøre, men må vite hva jeg skal fjerne. Det er heller ikke problemstillinga. Spørsmålet mitt var om: <System restore> er det samme som <Systemgjenoppretting> Lenke til kommentar
zjulik Skrevet 25. april 2006 Rapporter Del Skrevet 25. april 2006 1. Det er det samme. 2. Se berxters innlegg for linker som forteller deg hva du skal gjøre. Lenke til kommentar
themanfrom Skrevet 25. april 2006 Rapporter Del Skrevet 25. april 2006 Aldebaran: Jeg så faktisk ikke spørsmålet, eller, Spørsmål tegnet. Trodde du visste at Systemgjennopretting equals System restore Lenke til kommentar
Aldebaran_ Skrevet 25. april 2006 Forfatter Rapporter Del Skrevet 25. april 2006 Rob3rt linket til denne siden for et par timer siden:http://forums.afterdawn.com/thread_view.cfm/332138 Følg den for Smitfraudfjerning (og varianter) Ellers er denne siden flott for denslags: http://www.bleepingcomputer.com/forums/topic47826.html og denne er kjempefin for generell malwarefjerning: http://www.wilderssecurity.com/showthread.php?t=50662 Etterpå bør du legge ut en ny HJTlogg. Bernt K 5987097[/snapback] Fine forslag...skal se på disse. Det virker som at flere har fått rydda bort søppelet! PS! Spybot finner også vcodec i skanninga, så jeg har nok samme mølet som så mange andre uheldige databrukere. Legger da ut ny HjT-log Lenke til kommentar
smh Skrevet 25. april 2006 Rapporter Del Skrevet 25. april 2006 Denne hjalp meg: http://www.norman.com/Virus/Virus_removal_tools/24789/no Lenke til kommentar
Aldebaran_ Skrevet 25. april 2006 Forfatter Rapporter Del Skrevet 25. april 2006 1. Det er det samme.2. Se berxters innlegg for linker som forteller deg hva du skal gjøre. 5987268[/snapback] Bør jeg være i sikker modus når skanning og sletting gjøres? Lenke til kommentar
berxter Skrevet 25. april 2006 Rapporter Del Skrevet 25. april 2006 Ja, etter at du har lastet ned og satt opp SmitfraudFix fra den første jeg lenket til: "* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually) * Open Smitfraudfix folder and double-click smitfraudfix.cmd * Select 2 and hit Enter to delete infect files. * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection. * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file. " Bernt K Lenke til kommentar
Aldebaran_ Skrevet 26. april 2006 Forfatter Rapporter Del Skrevet 26. april 2006 Rob3rt linket til denne siden for et par timer siden:http://forums.afterdawn.com/thread_view.cfm/332138 Følg den for Smitfraudfjerning (og varianter) Ellers er denne siden flott for denslags: http://www.bleepingcomputer.com/forums/topic47826.html og denne er kjempefin for generell malwarefjerning: http://www.wilderssecurity.com/showthread.php?t=50662 Etterpå bør du legge ut en ny HJTlogg. Bernt K 5987097[/snapback] Her er først 'rapport.txt', som sikkert har groms i seg: SmitFraudFix v2.35 Scan done at 19:33:27,37, 26.04.2006 Run from C:\a7\SmitfraudFix OS: Microsoft Windows XP [Versjon 5.1.2600] »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 C:\WINDOWS\system32\hp??.tmp FOUND ! C:\WINDOWS\system32\interf.tlb FOUND ! C:\WINDOWS\system32\ld??.tmp FOUND ! C:\WINDOWS\system32\ncompat.tlb FOUND ! C:\WINDOWS\system32\ot.ico FOUND ! C:\WINDOWS\system32\sivudro.dll FOUND ! C:\WINDOWS\system32\1024\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jan Olav\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Programfiler »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="Min gjeldende hjemmeside" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"="SivuWare" [HKEY_CLASSES_ROOT\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32] @="C:\WINDOWS\system32\sivudro.dll" [HKEY_CURRENT_USER\Software\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32] @="C:\WINDOWS\system32\sivudro.dll" »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End Lenke til kommentar
Aldebaran_ Skrevet 26. april 2006 Forfatter Rapporter Del Skrevet 26. april 2006 Rob3rt linket til denne siden for et par timer siden:http://forums.afterdawn.com/thread_view.cfm/332138 Følg den for Smitfraudfjerning (og varianter) Ellers er denne siden flott for denslags: http://www.bleepingcomputer.com/forums/topic47826.html og denne er kjempefin for generell malwarefjerning: http://www.wilderssecurity.com/showthread.php?t=50662 Etterpå bør du legge ut en ny HJTlogg. Bernt K 5987097[/snapback] Her er først 'rapport.txt', som sikkert har groms i seg: SmitFraudFix v2.35 Scan done at 19:33:27,37, 26.04.2006 Run from C:\a7\SmitfraudFix OS: Microsoft Windows XP [Versjon 5.1.2600] »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 C:\WINDOWS\system32\hp??.tmp FOUND ! C:\WINDOWS\system32\interf.tlb FOUND ! C:\WINDOWS\system32\ld??.tmp FOUND ! C:\WINDOWS\system32\ncompat.tlb FOUND ! C:\WINDOWS\system32\ot.ico FOUND ! C:\WINDOWS\system32\sivudro.dll FOUND ! C:\WINDOWS\system32\1024\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jan Olav\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Programfiler »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="Min gjeldende hjemmeside" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"="SivuWare" [HKEY_CLASSES_ROOT\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32] @="C:\WINDOWS\system32\sivudro.dll" [HKEY_CURRENT_USER\Software\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32] @="C:\WINDOWS\system32\sivudro.dll" »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End 5992734[/snapback] ....og her er 'rapport.txt' etter kjøring av SmitfraudFix: SmitFraudFix v2.35 Scan done at 19:42:24,67, 26.04.2006 Run from C:\a7\SmitfraudFix OS: Microsoft Windows XP [Versjon 5.1.2600] »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\system32\hp??.tmp Deleted C:\WINDOWS\system32\interf.tlb Deleted C:\WINDOWS\system32\ld??.tmp Deleted C:\WINDOWS\system32\ncompat.tlb Deleted C:\WINDOWS\system32\ot.ico Deleted C:\WINDOWS\system32\sivudro.dll Deleted C:\WINDOWS\system32\1024\ Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» End ---------------------------------------------- HjT-logg etter cleaning prosess: Logfile of HijackThis v1.99.1 Scan saved at 20:21:30, on 26.04.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe C:\Programfiler\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Programfiler\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe C:\Programfiler\Analog Devices\SoundMAX\Smtray.exe C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programfiler\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Programfiler\Logitech\Video\LogiTray.exe C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\WINDOWS\system32\PuXpMan.exe C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\MSN Messenger\msnmsgr.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Programfiler\Skype\Phone\Skype.exe C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe C:\Programfiler\Logitech\Video\FxSvr2.exe C:\Programfiler\AutoSizer\AutoSizer.exe C:\Program Files\InterMute\SpySubtract\SpySub.exe C:\Programfiler\Microsoft OfficeXP\Office10\msoffice.exe C:\Programfiler\Messenger\msmsgs.exe C:\Programfiler\Outlook Express\msimn.exe C:\Programfiler\Internet Explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\a3\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file) O4 - HKLM\..\Run: [smapp] C:\Programfiler\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [CheckMedi8or] C:\Programfiler\Mediator 7 Pro\CheckNewUser.exe O4 - HKLM\..\Run: [CTSysVol] C:\Programfiler\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\PuXpMan.exe O4 - HKLM\..\Run: [PwrUpTweakMe] C:\WINDOWS\system32\PuXpTwks.exe /TWEAK O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Programfiler\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz O4 - HKCU\..\Run: [skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [AutoSizer] "C:\Programfiler\AutoSizer\AutoSizer.exe" O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft OfficeXP\Office10\OSA.EXE O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe O8 - Extra context menu item: Convert link target to Adobe PDF - blank O8 - Extra context menu item: Convert link target to existing PDF - blank O8 - Extra context menu item: Convert selected links to Adobe PDF - blank O8 - Extra context menu item: Convert selected links to existing PDF - blank O8 - Extra context menu item: Convert selection to Adobe PDF - blank O8 - Extra context menu item: Convert selection to existing PDF - blank O8 - Extra context menu item: Convert to Adobe PDF - blank O8 - Extra context menu item: Convert to existing PDF - blank O8 - Extra context menu item: E&ksporter til Microsoft Excel - blank O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI64E3~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programfiler\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programfiler\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programfiler\TuneUp Utilities 2004\WinStylerThemeSvc.exe Noen som kan fortelle meg om maskina mi er renset eller om det fortsatt er svineri som må bort. Kanskje gjorde SmitfraudFix jobben alene? Lenke til kommentar
berxter Skrevet 26. april 2006 Rapporter Del Skrevet 26. april 2006 HJT-loggen ser rein og fin ut, den, så det ser faktisk ut til at SmitfraudFix gjorde susen. Den er heretter min anbefaling til slike infeksjoner. Second opinion, noen? Bernt K Lenke til kommentar
Aldebaran_ Skrevet 26. april 2006 Forfatter Rapporter Del Skrevet 26. april 2006 HJT-loggen ser rein og fin ut, den, så det ser faktisk ut til at SmitfraudFix gjorde susen. Den er heretter min anbefaling til slike infeksjoner. Second opinion, noen? Bernt K 5994333[/snapback] Ja, det ser så langt greit ut... anbefaler alle å kjøre SmitfraudFix for å fjerne SpywareQuake, http://siri.urz.free.fr/Fix/SmitfraudFix.zip Sammen får vi rydda opp i det som mange vil ødelegge for oss Lenke til kommentar
Anbefalte innlegg
Opprett en konto eller logg inn for å kommentere
Du må være et medlem for å kunne skrive en kommentar
Opprett konto
Det er enkelt å melde seg inn for å starte en ny konto!
Start en kontoLogg inn
Har du allerede en konto? Logg inn her.
Logg inn nå