Virus alert! hvordan få bort?

PsykoRage · August 15, 2006

Tror jeg har spurt om dette før, men husker ikke hvordan jeg fikk det bort sist.

Jeg surfet rundt på nettet, plutselig dukket det opp et tegn nede på verktøylinjen.

Det er et tegn som skifter mellom disse: Uten_navn.bmp

Denne kommer også opp samtidig: Uten_navn2.bmp

Pluss at når jeg skal starte Ad-Aware så søker den, etter 30sec kommer det opp at explorer.exe ikke svarer, og så kan jeg velge send eller ikke send rapport, hvis jeg bare lar det være, restarter maskinen uten forvarsel.

Hjelp mottas med takk

berxter · August 15, 2006

Ah, en liten Smitfraudinfeksjon (variant Spyfalcon, sannsynligvis). Medisinen finner du her:

http://siri.geekstogo.com/SmitfraudFix.php

Du kan like gjerne kjøre alternativ 2 (clean) med det samme, da diagnosen er entydig.. Husk at den må kjøres i safe mode.

Etterpå legger du ut en logg fra HijackThis (du finner'n f eks hos www.merijn.org), "do a scan and save a log", i tilfelle det skulle være mer grums.

Bernt K

PsykoRage · August 15, 2006

Pc'en restarter fortsann når jeg kjører Ad-Aware.

Men her er HiJackThis-loggenSkjult tekst: (Marker innholdet i feltet for å se teksten):

Logfile of HijackThis v1.99.1

Scan saved at 14:13:29, on 15.08.2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Programfiler\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Programfiler\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\Programfiler\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Ideazon\Zboard Software\Driver\ZboardTray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Programfiler\D-Tools\daemon.exe

C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe

C:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe

C:\Programfiler\ClamWin\bin\ClamTray.exe

C:\Programfiler\QuickTime\qttask.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe

C:\WINDOWS\system32\85190b72.exe

C:\WINDOWS\system32\rundll32.exe

C:\Programfiler\HDD Thermometer\HDD Thermometer.exe

C:\Programfiler\HACE\Mmm\Mmm.exe

C:\Programfiler\Ideazon\Zboard Software\Driver\Zboard.exe

C:\PROGRA~1\SCURIT~1\msiexec.exe

C:\Programfiler\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Gunnar Gulbrandsen\Mine dokumenter\?racle\w?auclt.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\regsvr32.exe

C:\Programfiler\WinRAR\WinRAR.exe

C:\DOCUME~1\GUNNAR~1\LOKALE~1\Temp\Rar$EX00.578\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.diskusjon.no/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.logitech.com/?BW=2&OS=05.0...=nor&PI=IT&CT=D

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - URLSearchHook: (no name) - {B744941D-2AF0-270F-DBF7-5217B6850AC4} - C:\WINDOWS\system32\ldpntch.dll

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - C:\WINDOWS\system32\compstuig.dll

O2 - BHO: (no name) - {B744941D-2AF0-270F-DBF7-5217B6850AC4} - C:\WINDOWS\system32\ldpntch.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ClamWin] "C:\Programfiler\ClamWin\bin\ClamTray.exe" --logon

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe

O4 - HKLM\..\Run: [85190b72.exe] C:\WINDOWS\system32\85190b72.exe

O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programfiler\HDD Thermometer\HDD Thermometer.exe

O4 - HKCU\..\Run: [Mmm] "C:\Programfiler\HACE\Mmm\Mmm.exe"

O4 - HKCU\..\Run: [steam] "e:\spill\steam\steam.exe" -silent

O4 - HKCU\..\Run: [Eurn] "C:\PROGRA~1\SCURIT~1\msiexec.exe" -vt yazr

O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [85190b72.exe] C:\Documents and Settings\Gunnar Gulbrandsen\Lokale innstillinger\Programdata\85190b72.exe

O4 - Startup: CCleaner.lnk = C:\Programfiler\CCleaner\ccleaner.exe

O4 - Startup: Xfire.lnk = C:\Programfiler\Xfire\Xfire.exe

O8 - Extra context menu item: &Google-søk - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Oversett engelsk ord - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Koblinger bakover - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Lignende sider - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Øyeblikksbilde av siden i hurtigbufferen - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmcache.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136727398062

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\scanregw.dll

O20 - Winlogon Notify: h618 - C:\WINDOWS\g519093.dll

O20 - Winlogon Notify: h619 - C:\WINDOWS\g5716328.dll

O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FELLES~1\Stardock\mcpstub.dll (file missing)

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: winzoa32 - C:\WINDOWS\SYSTEM32\winzoa32.dll

O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Programfiler\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

berxter · August 15, 2006

Ikke bare en Smitfraudsak, plukk ned og bruk cwshredder (du finner den hos Trend, bruk google).

Og så tror jeg nesten du bør slå til med Ewido kjørt i safe mode. Setup går fram av sida.

Denne:

C:\Documents and Settings\Gunnar Gulbrandsen\Mine dokumenter\?racle\w?auclt.exe

bruker du Killbox på, ta hele mappa c:\..\..\?racle\

Vi skal også prøve L2Mfix, da jeg synes en 020-sak minner om det: Prøv denne framgangsmåten:

http://www.computing.net/security/wwwboard/forum/17828.html, kjør bare alt 1, og legg ut loggen.

Etterpå ser vi gjerne en blodfersk HJTlogg.

Jeg regner med at det vil fortsatt være igjen noe snusk, men vi får se.

Bernt K

PsykoRage · August 15, 2006

cwshredder finner ingen feil.

Killbox finner ikke: C:\Documents and Settings\Gunnar Gulbrandsen\Mine dokumenter\?racle\w?auclt.exe

Men skal prøve resten

Edited August 15, 2006 by PsykoRage

berxter · August 15, 2006

Du har bedt windows om å vise deg systemfiler, skjulte filer osv, ja?

Finner du folderen

C:\Documents and Settings\Gunnar Gulbrandsen\Mine dokumenter\?racle\

tar du hele møkka. Hele folderen er svineri.

Bernt K

PsykoRage · August 28, 2006

Har ikke hatt tid til å sjekke med ewido før nå, men her har du en logg Skjult tekst: (Marker innholdet i feltet for å se teksten):

Logfile of HijackThis v1.99.1

Scan saved at 16:01:42, on 28.08.2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Programfiler\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Programfiler\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\Programfiler\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Ideazon\Zboard Software\Driver\ZboardTray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Programfiler\D-Tools\daemon.exe

C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe

C:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe

C:\Programfiler\ClamWin\bin\ClamTray.exe

C:\Programfiler\QuickTime\qttask.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe

C:\Programfiler\ewido anti-spyware 4.0\ewido.exe

C:\WINDOWS\system32\rundll32.exe

C:\Programfiler\HDD Thermometer\HDD Thermometer.exe

C:\Programfiler\HACE\Mmm\Mmm.exe

E:\spill\steam\steam.exe

C:\PROGRA~1\SCURIT~1\msiexec.exe

C:\Programfiler\Ideazon\Zboard Software\Driver\Zboard.exe

C:\Programfiler\MSN Messenger\msnmsgr.exe

C:\Programfiler\?dobe\?hkntfs.exe

C:\FRAPS\FRAPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programfiler\WinRAR\WinRAR.exe

C:\DOCUME~1\GUNNAR~1\LOKALE~1\Temp\Rar$EX00.047\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.diskusjon.no/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.logitech.com/?BW=2&OS=05.0...=nor&PI=IT&CT=D

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

R3 - URLSearchHook: (no name) - {CEA4CE06-2BEE-7443-9D84-0022558A7CC8} - C:\WINDOWS\system32\mfse.dll (file missing)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - {92F79C57-2CB3-2111-97FE-772223FF7AC3} - C:\WINDOWS\system32\odu.dll (file missing)

R3 - URLSearchHook: (no name) - {A81A9CD0-7A39-75C2-1FA5-72F2CE7113C6} - C:\WINDOWS\system32\ghahekg.dll

O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsek.dll

O2 - BHO: (no name) - {92F79C57-2CB3-2111-97FE-772223FF7AC3} - C:\WINDOWS\system32\odu.dll (file missing)

O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - C:\WINDOWS\system32\compstuig.dll (file missing)

O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\system32\compstuih.dll

O2 - BHO: (no name) - {A81A9CD0-7A39-75C2-1FA5-72F2CE7113C6} - C:\WINDOWS\system32\ghahekg.dll

O2 - BHO: (no name) - {CEA4CE06-2BEE-7443-9D84-0022558A7CC8} - C:\WINDOWS\system32\mfse.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ClamWin] "C:\Programfiler\ClamWin\bin\ClamTray.exe" --logon

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe

O4 - HKLM\..\Run: [!ewido] "C:\Programfiler\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [LogonStudio] "C:\Programfiler\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM

O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programfiler\HDD Thermometer\HDD Thermometer.exe

O4 - HKCU\..\Run: [Mmm] "C:\Programfiler\HACE\Mmm\Mmm.exe"

O4 - HKCU\..\Run: [steam] "e:\spill\steam\steam.exe" -silent

O4 - HKCU\..\Run: [Eurn] "C:\PROGRA~1\SCURIT~1\msiexec.exe" -vt ndrv

O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [85190b72.exe] C:\Documents and Settings\Gunnar Gulbrandsen\Lokale innstillinger\Programdata\85190b72.exe

O4 - HKCU\..\Run: [Nnbiit] C:\Programfiler\?dobe\?hkntfs.exe

O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE