2006-11-15, 14:02
  #1
Member
OptikerBerglund's avatar
Hi there!

Twice in a row now (after reformatting) I've been hit by a virus that can't be deleted. I think it's called winfix, I think; it puts itself in the temp directories and clones itself, and the files can't be scanned with my antivirus program or deleted. It gives me popups all the damn time, saying that I probably have a trojan and should install their antivirus (ironic, huh?).

So, to avoid having to reformat yet again, what can be done about this?

I'm running Norton.
2006-11-15, 14:16
  #2
Member
Nyp's avatar
http://www.symantec.com/security_res...151-99&tabid=3
^ Involves registry editing.

http://www.safer-networking.org/en/mirrors/index.html
^ Free and should work.
2006-11-15, 14:46
  #3
Member
call3's avatar
Quote:
Originally posted by OptikerBerglund
Hi there!

Twice in a row now (after reformatting) I've been hit by a virus that can't be deleted. I think it's called winfix, I think; it puts itself in the temp directories and clones itself, and the files can't be scanned with my antivirus program or deleted. It gives me popups all the damn time, saying that I probably have a trojan and should install their antivirus (ironic, huh?).

So, to avoid having to reformat yet again, what can be done about this?

I'm running Norton.

1 Forget Norton! (read: SWITCH ANTIVIRUS)
2 You should be able to run a Linux live CD with Clam antivirus to remove them... e.g.
LinuxDefender Live!
Quote:
2004 - SOFTWIN [©SOFTWIN]

LinuxDefender Live! is a BitDefender re-mastered Knoppix distribution which integrates the latest BitDefender for Linux security solution into the GNU/Linux Knoppix Live CD, offering instant SMTP antivirus/antispam protection and a desktop antivirus (integrated into KDE) which is capable to scan and disinfect existing hard drives (including Windows NTFS partitions), remote Samba/Windows shares or NFS mount points. A web-based configuration interface to BitDefender solutions is also included as a Webmin module.
http://ogw.narres.it/FTP/BitDefender/

It's easy to use, update and virus scan with

glhf
2006-11-15, 16:56
  #4
Member
MannenGbg's avatar
Download HijackThis, unpack it into a folder of its own and rename it to e.g. runme.exe. Start it up. Choose "do a system scan and save a logfile". Then post the log here so we can see what's running
http://download.bleepingcomputer.com...HijackThis.zip
2006-11-15, 21:56
  #5
Member
OptikerBerglund's avatar
Quote:
Originally posted by MannenGbg
Download HijackThis, unpack it into a folder of its own and rename it to e.g. runme.exe. Start it up. Choose "do a system scan and save a logfile". Then post the log here so we can see what's running
http://download.bleepingcomputer.com...HijackThis.zip

Thanks for the replies, I'll see what I can do about it now.

And here comes the log


Quote:
Logfile of HijackThis v1.99.1
Scan saved at 20:42:56, on 15/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\...\HijackThis\setup.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxysetup.solent.ac.uk/halls.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F58A97D2-AAC2-4982-BFF4-CC18913BDA1C} - C:\WINDOWS\system32\urqno.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1163099308465
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/De...pi/activex.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: urqno - C:\WINDOWS\system32\urqno.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpll32 - C:\WINDOWS\SYSTEM32\winpll32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
2006-11-15, 22:46
  #6
Member
MannenGbg's avatar
Yep, now the trojan is visible. But we have to run a special program to remove it. Unfortunately I can't be bothered to translate it into Swedish

Download VundoFix.exe and save it to your desktop.
http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Place a check in the checkbox labeled Run VundoFix as a task. You will receive a message stating that VundoFix will close and re-open in a minute or less.
* When VundoFix reopens, click the OK button.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click the YES button.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click the OK button.
* When the computer has shutdown, turn your computer back on.

Then post a new HijackThis log
2006-11-15, 23:44
  #7
Member
OptikerBerglund's avatar
Quote:
Originally posted by MannenGbg
Yep, now the trojan is visible. But we have to run a special program to remove it. Unfortunately I can't be bothered to translate it into Swedish

Download VundoFix.exe and save it to your desktop.
http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Place a check in the checkbox labeled Run VundoFix as a task. You will receive a message stating that VundoFix will close and re-open in a minute or less.
* When VundoFix reopens, click the OK button.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click the YES button.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click the OK button.
* When the computer has shutdown, turn your computer back on.

Then post a new HijackThis log


So now we've run VundoFix and it found some four or five infected files, so I removed them. And here comes the log. By the way, what's the name of the trojan you saw in the log?

Quote:
Logfile of HijackThis v1.99.1
Scan saved at 22:39:49, on 15/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\...\Applications\HijackThis\setup.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxysetup.solent.ac.uk/halls.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F58A97D2-AAC2-4982-BFF4-CC18913BDA1C} - C:\WINDOWS\system32\urqno.dll (file missing)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1163099308465
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/De...pi/activex.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpll32 - C:\WINDOWS\SYSTEM32\winpll32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
2006-11-16, 00:00
  #8
Member
MannenGbg's avatar
The trojan was here

O2 - BHO: (no name) - {F58A97D2-AAC2-4982-BFF4-CC18913BDA1C} - C:\WINDOWS\system32\urqno.dll
O20 - Winlogon Notify: urqno - C:\WINDOWS\system32\urqno.dll

But you have more that needs to go, so boot the computer into safe mode
Press F8 before Windows starts and choose safe mode without networking

Then start HJT

Check these lines below and then press "fix"

O2 - BHO: (no name) - {F58A97D2-AAC2-4982-BFF4-CC18913BDA1C} - C:\WINDOWS\system32\urqno.dll (file missing)
O20 - Winlogon Notify: winpll32 - C:\WINDOWS\SYSTEM32\winpll32.dll


Then restart the computer and scan it with Panda. Post the log here if you find anything
http://www.pandasoftware.com/products/activescan.htm
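The by-eye comparison of the two HijackThis logs above can be scripted; the following is an added example, not part of the original thread and not HijackThis's own code. The function names (`parse`, `shared_load_points`, `orphans`, `diff`) are hypothetical, and the sample input is a handful of entry lines taken from the two logs posted earlier.

```python
import re
from collections import defaultdict

# Sample input: a few entry lines taken from the two HijackThis logs in the thread.
LOG_BEFORE = r"""
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F58A97D2-AAC2-4982-BFF4-CC18913BDA1C} - C:\WINDOWS\system32\urqno.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: urqno - C:\WINDOWS\system32\urqno.dll
O20 - Winlogon Notify: winpll32 - C:\WINDOWS\SYSTEM32\winpll32.dll
"""
LOG_AFTER = r"""
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F58A97D2-AAC2-4982-BFF4-CC18913BDA1C} - C:\WINDOWS\system32\urqno.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winpll32 - C:\WINDOWS\SYSTEM32\winpll32.dll
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")  # section code, e.g. "O20", then the entry
PATH = re.compile(r"[A-Za-z]:\\.*$")         # drive-letter path running to end of line
MISSING = " (file missing)"


def parse(log):
    """Return the O/R entries of a log; header and process-list lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)]
        # Paths can contain " - " themselves (Spybot's folder name), so the path is
        # matched directly instead of splitting the entry on " - ".
        p = PATH.search(body)
        path = p.group(0).strip('"').lower() if p else None
        entries.append({"code": code, "body": body, "missing": missing, "path": path})
    return entries


def shared_load_points(entries, codes=("O2", "O20")):
    """Files registered under more than one of the given sections (BHO and Winlogon Notify)."""
    seen = defaultdict(set)
    for e in entries:
        if e["code"] in codes and e["path"]:
            seen[e["path"]].add(e["code"])
    return {path: sorted(found) for path, found in seen.items() if len(found) > 1}


def orphans(entries):
    """Entries whose target file is gone, i.e. registry leftovers still to be fixed."""
    return [e for e in entries if e["missing"]]


def diff(before, after):
    """Compare two scans: entries that disappeared, appeared, or lost their file."""
    key = lambda e: (e["code"], e["body"])
    b = {key(e): e for e in before}
    a = {key(e): e for e in after}
    return {
        "removed": [k for k in b if k not in a],
        "added": [k for k in a if k not in b],
        "now_missing": [k for k in a
                        if k in b and a[k]["missing"] and not b[k]["missing"]],
    }


if __name__ == "__main__":
    before, after = parse(LOG_BEFORE), parse(LOG_AFTER)
    print("same file in BHO and Winlogon Notify:", shared_load_points(before))
    print("orphaned after cleanup:", [e["body"] for e in orphans(after)])
    for change, keys in diff(before, after).items():
        print(change, keys)
```

An unnamed BHO is not treated as a signal on its own here, since Spybot's SDHelper.dll in the second log is also listed as "(no name)".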
2006-11-16, 00:02
  #10
Member
slippy's avatar
Then again, one might ask: why are you getting this trojan?

Is it bundled with some pirated (or purchased) program you install after reformatting, or is it even bundled with your XP disc? Do you have the computer connected to the internet before the firewall is enabled?

Instead of messing around with antivirus this and anti-spyware that, try to figure out what it is that gets you the trojan(s) in the first place.

In my opinion you can get by entirely without antivirus and anti-spyware. What you need is a firewall and a fully updated OS.
2006-11-16, 00:49
  #11
Member
Mozaka's avatar
You can't remove undeletable viruses.
2006-11-16, 02:13
  #12
Member
OptikerBerglund's avatar
Well, wow. I ran a scan with Panda, which you linked to, and I had 1 virus, 35 spyware, 1 hacking tool, and 4 suspicious files. It seems Norton doesn't bite very well.

I did manage to remove the files you mentioned via HJT, though.

Which antivirus program do you consider the best, Panda?

Here is the log from Panda:

Quote:
Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.research-int.se/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.adtech.de/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.2o7.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.com.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\izlcilnu.default\cookies.txt[.overture.com/]
Spyware:Cookie/Mediaplex Not disinfected