
Hi

 

I was hoping someone could take a look at these logs.

 

When I type something completely random into the address bar in FF, two pages come up that I suspect some adware is behind, plus S&D says I have a trojan, but it comes up every time I scan again even though I delete it.

 

HJT log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 19:59:45, on 01.07.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

D:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe

D:\Programfiler\Folding@Home SMP\smpd.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\RunDll32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

D:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Programfiler\Logitech\SetPoint\SetPoint.exe

C:\Programfiler\Fellesfiler\Logitech\khalshared\KHALMNPR.EXE

C:\Programfiler\MSN Messenger\msnmsgr.exe

D:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

D:\Programfiler\HijackThis\OMG liek leet program.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [amd_dc_opt] D:\Programfiler\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: vekking.wpl

O4 - Global Startup: Logitech SetPoint.lnk = ?

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Send til &Bluetooth - D:\Programfiler\Creative\Bluetooth-programvare\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Programfiler\Creative\Bluetooth-programvare\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Programfiler\Creative\Bluetooth-programvare\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{74EAAB6D-C8EF-4600-A750-76C435A9B90E}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{7772071D-B4F3-47D9-B4C2-9CA58D105A93}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D87E26-7207-4C3C-85EC-145A297C422A}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8A8520-C27F-455D-8B12-F5C2B52E5BF8}: NameServer = 85.255.116.44,85.255.112.155

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: MPICH2 Process Manager, Argonne National Lab (mpich2_smpd) - Unknown owner - D:\Programfiler\Folding@Home SMP\smpd.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

--

End of file - 6740 bytes

 

SAS log

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 07/01/2007 at 08:24 PM

 

Application Version : 3.9.1008

 

Core Rules Database Version : 3263

Trace Rules Database Version: 1274

 

Scan type : Complete Scan

Total Scan Time : 00:25:45

 

Memory items scanned : 420

Memory threats detected : 0

Registry items scanned : 5050

Registry threats detected : 0

File items scanned : 31442

File threats detected : 0

 

kthnxbye

Guest medlem-105082

Hi.

 

Which pages come up? And what is the name of the trojan S&D finds? Because S&D may well be wrong about the trojan. So it would be good if you post the name.

Edited by medlem-105082
Guest medlem-105082

Download smitfraudfix and save it to the desktop.

 

Restart in safe mode -> press F8 until a menu appears and choose safe mode.

Start smitfraudfix and choose option 2. Follow the instructions.

The machine will be restarted. Post a log from smitfraudfix -> C:\rapport.txt

 

Then make a new hijackthis log and post it here.

Edited by medlem-105082

SMF log

 


SmitFraudFix v2.197

 

Scan done at 12:07:27,45, 02.07.2007

Run from C:\Documents and Settings\Torgeir\Skrivebord\SmitfraudFix

OS: Microsoft Windows XP [Versjon 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!Attention, following keys are not inevitably infected!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{74EAAB6D-C8EF-4600-A750-76C435A9B90E}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

HKLM\SYSTEM\CCS\Services\Tcpip\..\{74EAAB6D-C8EF-4600-A750-76C435A9B90E}: NameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7772071D-B4F3-47D9-B4C2-9CA58D105A93}: DhcpNameServer=208.67.220.220 208.67.222.222

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7772071D-B4F3-47D9-B4C2-9CA58D105A93}: NameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7AE9F6C9-7B38-49D0-B04C-27F5C5FC2B70}: DhcpNameServer=208.67.220.220 208.67.222.222

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A1D87E26-7207-4C3C-85EC-145A297C422A}: DhcpNameServer=85.255.116.44,85.255.112.155

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A1D87E26-7207-4C3C-85EC-145A297C422A}: NameServer=208.67.220.220,208.67.222.222

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA8A8520-C27F-455D-8B12-F5C2B52E5BF8}: DhcpNameServer=10.0.0.138

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA8A8520-C27F-455D-8B12-F5C2B52E5BF8}: NameServer=85.255.116.44,85.255.112.155

HKLM\SYSTEM\CS1\Services\Tcpip\..\{74EAAB6D-C8EF-4600-A750-76C435A9B90E}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

HKLM\SYSTEM\CS1\Services\Tcpip\..\{74EAAB6D-C8EF-4600-A750-76C435A9B90E}: NameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

HKLM\SYSTEM\CS1\Services\Tcpip\..\{7772071D-B4F3-47D9-B4C2-9CA58D105A93}: DhcpNameServer=208.67.220.220 208.67.222.222

HKLM\SYSTEM\CS1\Services\Tcpip\..\{7772071D-B4F3-47D9-B4C2-9CA58D105A93}: NameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

HKLM\SYSTEM\CS1\Services\Tcpip\..\{7AE9F6C9-7B38-49D0-B04C-27F5C5FC2B70}: DhcpNameServer=208.67.220.220 208.67.222.222

HKLM\SYSTEM\CS1\Services\Tcpip\..\{A1D87E26-7207-4C3C-85EC-145A297C422A}: DhcpNameServer=85.255.116.44,85.255.112.155

HKLM\SYSTEM\CS1\Services\Tcpip\..\{A1D87E26-7207-4C3C-85EC-145A297C422A}: NameServer=208.67.220.220,208.67.222.222

HKLM\SYSTEM\CS1\Services\Tcpip\..\{FA8A8520-C27F-455D-8B12-F5C2B52E5BF8}: DhcpNameServer=10.0.0.138

HKLM\SYSTEM\CS1\Services\Tcpip\..\{FA8A8520-C27F-455D-8B12-F5C2B52E5BF8}: NameServer=85.255.116.44,85.255.112.155

HKLM\SYSTEM\CS3\Services\Tcpip\..\{74EAAB6D-C8EF-4600-A750-76C435A9B90E}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

HKLM\SYSTEM\CS3\Services\Tcpip\..\{74EAAB6D-C8EF-4600-A750-76C435A9B90E}: NameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

HKLM\SYSTEM\CS3\Services\Tcpip\..\{7772071D-B4F3-47D9-B4C2-9CA58D105A93}: DhcpNameServer=208.67.220.220 208.67.222.222

HKLM\SYSTEM\CS3\Services\Tcpip\..\{7772071D-B4F3-47D9-B4C2-9CA58D105A93}: NameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

HKLM\SYSTEM\CS3\Services\Tcpip\..\{7AE9F6C9-7B38-49D0-B04C-27F5C5FC2B70}: DhcpNameServer=208.67.220.220 208.67.222.222

HKLM\SYSTEM\CS3\Services\Tcpip\..\{A1D87E26-7207-4C3C-85EC-145A297C422A}: DhcpNameServer=85.255.116.44,85.255.112.155

HKLM\SYSTEM\CS3\Services\Tcpip\..\{A1D87E26-7207-4C3C-85EC-145A297C422A}: NameServer=208.67.220.220,208.67.222.222

HKLM\SYSTEM\CS3\Services\Tcpip\..\{FA8A8520-C27F-455D-8B12-F5C2B52E5BF8}: DhcpNameServer=10.0.0.138

HKLM\SYSTEM\CS3\Services\Tcpip\..\{FA8A8520-C27F-455D-8B12-F5C2B52E5BF8}: NameServer=85.255.116.44,85.255.112.155

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!Attention, following keys are not inevitably infected!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"="kdsgt.exe"

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!Attention, following keys are not inevitably infected!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

 

C:\WINDOWS\system32\kdsgt.exe not found

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

HJT log


Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 12:14:20, on 02.07.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

D:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe

D:\Programfiler\Folding@Home SMP\smpd.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\notepad.exe

C:\WINDOWS\system32\RunDll32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

D:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Programfiler\Logitech\SetPoint\SetPoint.exe

C:\Programfiler\Fellesfiler\Logitech\khalshared\KHALMNPR.EXE

C:\Programfiler\Mozilla Firefox\firefox.exe

D:\Programfiler\HijackThis\OMG liek leet program.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [amd_dc_opt] D:\Programfiler\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: vekking.wpl

O4 - Global Startup: Logitech SetPoint.lnk = ?

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Send til &Bluetooth - D:\Programfiler\Creative\Bluetooth-programvare\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Programfiler\Creative\Bluetooth-programvare\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Programfiler\Creative\Bluetooth-programvare\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{74EAAB6D-C8EF-4600-A750-76C435A9B90E}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{7772071D-B4F3-47D9-B4C2-9CA58D105A93}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D87E26-7207-4C3C-85EC-145A297C422A}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8A8520-C27F-455D-8B12-F5C2B52E5BF8}: NameServer = 85.255.116.44,85.255.112.155

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: MPICH2 Process Manager, Argonne National Lab (mpich2_smpd) - Unknown owner - D:\Programfiler\Folding@Home SMP\smpd.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

--

End of file - 6333 bytes

Guest medlem-105082

Get Fixwareout

 

Put the file on the desktop and double-click it. Click Next -> Install.

Check that 'Run fixit' is ticked.

Click Finish and the fix will start. Follow the instructions.

Restart the PC when prompted. Startup will take a little longer than normal .....

 

When the PC has restarted, just follow the instructions that appear on screen.

 

Run HJT, tick the following lines and click 'Fix checked':

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8A8520-C27F-455D-8B12-F5C2B52E5BF8}: NameServer = 85.255.116.44,85.255.112.155

 

Restart the PC

 

Post a new HJT log along with the log from Fixwareout (C:\fixwareout\report.txt)

 

Do you recognise these addresses:

 

207.68.160.190 194.25.2.129 208.67.222.222

 

208.67.220.220,208.67.222.222

 

?

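As an added illustration of the check the helper is doing by hand above (this is not code from the thread, from HijackThis or from Fixwareout), the Python script below parses O17 NameServer lines in the shape HijackThis prints them and flags every resolver that is not on a list of resolvers the machine's owner actually configured. The sample lines and the allowlist are constructed for this example: 10.0.0.138 is the router's DHCP-supplied resolver seen in the SmitFraudFix log, and the two OpenDNS addresses are assumed to be an intentional choice.

```python
import ipaddress
import re
from typing import List, NamedTuple, Set

# Constructed sample: O17 lines in the shape HijackThis prints them. The
# interface GUIDs and addresses mirror the thread's logs; the O23 line is
# there to show that non-O17 sections are ignored.
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{74EAAB6D-C8EF-4600-A750-76C435A9B90E}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D87E26-7207-4C3C-85EC-145A297C422A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8A8520-C27F-455D-8B12-F5C2B52E5BF8}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Assumed for this example: the resolvers the owner actually configured.
# 10.0.0.138 is the router's DHCP-supplied resolver from the SmitFraudFix log;
# the two OpenDNS addresses are treated as an intentional choice. Anything
# else is unexpected and worth asking the owner about, which is the helper's
# question in the thread.
ALLOWLIST: Set[str] = {"10.0.0.138", "208.67.222.222", "208.67.220.220"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<value>.*)$")
SEP_RE = re.compile(r"[\s,]+")  # HJT prints the raw registry string: spaces and commas mixed


class Finding(NamedTuple):
    line: str              # the full O17 line, i.e. what you tick under "Fix checked"
    key: str               # abbreviated registry key (CCS/CS1 ... + interface GUID or Parameters)
    unexpected: List[str]  # resolvers not on the allowlist, in log order, de-duplicated


def parse_nameservers(value: str) -> List[str]:
    """Split a NameServer value into addresses, tolerating the mixed ' ,' and ' '
    separators and the duplicated list seen in the thread's logs."""
    seen: List[str] = []
    for token in SEP_RE.split(value.strip()):
        if token and token not in seen:
            seen.append(token)
    return seen


def audit_o17(hjt_log: str, allowlist: Set[str]) -> List[Finding]:
    """Return one Finding per O17 line that names a resolver outside the allowlist."""
    findings: List[Finding] = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        match = O17_RE.match(line)
        if not match:
            continue  # O2, O4, O23 ... are other HJT sections, out of scope here
        resolvers = parse_nameservers(match.group("value"))
        bad = [r for r in resolvers if r not in allowlist]
        if bad:
            findings.append(Finding(line, match.group("key"), bad))
    return findings


def _ip_sort_key(addr: str):
    # Valid addresses sort numerically; anything unparsable sorts last, as text.
    try:
        return (0, int(ipaddress.ip_address(addr)))
    except ValueError:
        return (1, addr)


def unexpected_resolvers(findings: List[Finding]) -> List[str]:
    """The distinct unknown resolvers across all findings: the list to show the
    machine's owner and ask "do you recognise these addresses?"."""
    distinct = {addr for f in findings for addr in f.unexpected}
    return sorted(distinct, key=_ip_sort_key)


def fix_checked_lines(findings: List[Finding]) -> List[str]:
    """The exact lines to tick in HijackThis and fix, one per affected key."""
    return [f.line for f in findings]


if __name__ == "__main__":
    found = audit_o17(SAMPLE_HJT_LOG, ALLOWLIST)
    for f in found:
        print(f"{f.key}: unexpected {', '.join(f.unexpected)}")
    print("ask the owner about:", ", ".join(unexpected_resolvers(found)))
```

A static NameServer value that differs from the interface's DhcpNameServer, as on the {FA8A8520-...} interface in the SmitFraudFix log, is the pattern to look for: the router hands out one resolver and the registry quietly overrides it with another.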

I don't recognise those IP addresses.

 

The line you wrote down wasn't there.

 

FixWareOut log


 

 

Fixwareout Last edited 6/27/2007

Post this report in the forums please

...

»»»»»Prerun check

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{FA8A8520-C27F-455D-8B12-F5C2B52E5BF8}

"nameserver"="85.255.116.44,85.255.112.155" <Value cleared.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A1D87E26-7207-4C3C-85EC-145A297C422A}

"DhcpNameServer"="85.255.116.44,85.255.112.155" <Value cleared.

 

DNS Resolver-bufferen ble tømt.

 

 

System was rebooted successfully.

 

»»»»» Postrun check

HKLM\SOFTWARE\~\Winlogon\ "System"=""

....

....

»»»»» Misc files.

....

»»»»» Checking for older varients.

....

»»»»» Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"

"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"

"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"

"C6501Sound"="RunDll32 c6501.cpl,CMICtrlWnd"

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"ZoneAlarm Client"="\"D:\\Programfiler\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

"amd_dc_opt"="D:\\Programfiler\\AMD\\Dual-Core Optimizer\\amd_dc_opt.exe"

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"

"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

....

Hosts file was reset, If you use a custom hosts file please replace it

»»»»» End report »»»»»

 

New HJT log


Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 13:24:24, on 02.07.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

D:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe

D:\Programfiler\Folding@Home SMP\smpd.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\RunDll32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

D:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Programfiler\Logitech\SetPoint\SetPoint.exe

C:\Programfiler\Fellesfiler\Logitech\khalshared\KHALMNPR.EXE

C:\Programfiler\Mozilla Firefox\firefox.exe

D:\Programfiler\HijackThis\OMG liek leet program.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [amd_dc_opt] D:\Programfiler\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: vekking.wpl

O4 - Global Startup: Logitech SetPoint.lnk = ?

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Send til &Bluetooth - D:\Programfiler\Creative\Bluetooth-programvare\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Programfiler\Creative\Bluetooth-programvare\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Programfiler\Creative\Bluetooth-programvare\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{74EAAB6D-C8EF-4600-A750-76C435A9B90E}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{7772071D-B4F3-47D9-B4C2-9CA58D105A93}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D87E26-7207-4C3C-85EC-145A297C422A}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: MPICH2 Process Manager, Argonne National Lab (mpich2_smpd) - Unknown owner - D:\Programfiler\Folding@Home SMP\smpd.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

--

End of file - 6186 bytes

Guest medlem-105082

Then you can run Hijackthis and remove:

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{74EAAB6D-C8EF-4600-A750-76C435A9B90E}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{7772071D-B4F3-47D9-B4C2-9CA58D105A93}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D87E26-7207-4C3C-85EC-145A297C422A}: NameServer = 208.67.220.220,208.67.222.222

 

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

 

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

 

If you have problems with the internet connection after fixing the above, you can run a Hijackthis restore:

 

Click Hijackthis.exe -> View the list of backups -> Restore

 

You should reset the restore folder so that you don't get infected by a possible system restore.

Control Panel -> System -> System Restore.

Tick "Turn off System Restore .....",

restart the PC,

untick it again to re-enable the feature.

 

Now you should be rid of the viruses :)

 

But you can check whether you are still being redirected to the suspicious pages. If so, let us know. I expect you'll run a scan with S&D too, to see whether Spybot still finds the infection :)

 

Have a nice day :)
