
21 trojans, got rid of everything??


__087


Hi, as the title says, I got 21 trojans when I was googling for some information. I got rid of most of it with Malwarebytes' Anti-Malware, but I want to be 100% sure, so it would be nice if someone could look through my TM HJT log. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:26:34, on 2008-11-01
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Screen Calendar\scrcal.exe
C:\Program\Windows Live\Messenger\msnmsgr.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\$NtUninstallKB931337$\STUNNEL-4.11.EXE
C:\WINDOWS\winvnc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: (no name) - {6077B404-615A-4B7A-AA6D-ECB1DE29F1D1} - C:\WINDOWS\system32\xxyARHBr.dll (file missing)
O2 - BHO: (no name) - {7DB094B1-C3AA-487C-B75E-CB9654E1A6B4} - C:\WINDOWS\system32\vtUmKCUM.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [sMSERIAL] C:\WINDOWS\sm56hlpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [screen Calendar] "C:\Program\Screen Calendar\scrcal.exe" -m
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O20 - AppInit_DLLs: knjoom.dll
O20 - Winlogon Notify: vtUmKCUM - C:\WINDOWS\SYSTEM32\vtUmKCUM.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: lxcf_device -  - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O23 - Service: stunnel - Unknown owner - C:\WINDOWS\$NtUninstallKB931337$\STUNNEL-4.11.EXE
O23 - Service: VNC Server (WinVNC) - TightVNC Group - C:\WINDOWS\winvnc.exe

--
End of file - 4535 bytes


End STUNNEL-4.11.EXE in Task Manager and delete the folder C:\WINDOWS\$NtUninstallKB931337$.

Clean the registry.

HJT again. ;) It should then no longer contain O23 - Service: stunnel - Unknown owner - C:\WINDOWS\$NtUninstallKB931337$\STUNNEL-4.11.EXE.


Okay, it's fixed now. I also found WINVNC, which also comes with this "hack" I tried. Should I remove that in HJT too?? Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:48:25, on 2008-11-01
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Screen Calendar\scrcal.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\winvnc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program\Delade filer\Adobe\Installers\faf656ef605427ee2f42989c3ad31b8\Setup.exe
C:\Program\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [sMSERIAL] C:\WINDOWS\sm56hlpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program\Delade filer\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [screen Calendar] "C:\Program\Screen Calendar\scrcal.exe" -m
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O20 - AppInit_DLLs: knjoom.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: lxcf_device -  - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O23 - Service: VNC Server (WinVNC) - TightVNC Group - C:\WINDOWS\winvnc.exe

--
End of file - 4269 bytes


At least C:\WINDOWS\$NtUninstallKB931337$\STUNNEL-4.11.EXE and O23 - Service: stunnel - Unknown owner - C:\WINDOWS\$NtUninstallKB931337$\STUNNEL-4.11.EXE are gone. :)

I'll look at it more later, although I'm not sure I can accomplish much. ;)


I've now looked a bit more at your list. As far as I can see there is nothing nasty in it, but of course that's no guarantee. ;) On the other hand, you have a number of unnecessary things running, things I seem to recall we turned off not long ago. ::)

One question mark, though: O20 - AppInit_DLLs: knjoom.dll. Not a single Google hit for knjoom.dll! :o Do you know yourself what it is? Where on the computer is it? Can you bring up its properties? Company, for example.

I don't see any antivirus program in the list! :o Have you turned it off/uninstalled it, or has the junk broken AVG?
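The checks the helpers in this thread apply by eye (a service with an unknown owner living in a $NtUninstall hotfix folder, an AppInit_DLLs or Winlogon Notify entry nobody can identify, a nameless or missing BHO, a remote-control service the user did not knowingly install) can be written down as a small triage script. This Python example is added here and is not from the thread or from HijackThis; the heuristics are my own assumptions, and the sample lines are constructed from the log format shown above.

```python
import re

# Constructed sample in HijackThis log format (a handful of lines of the kind
# seen in the thread above; not a real scan).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6077B404-615A-4B7A-AA6D-ECB1DE29F1D1} - C:\WINDOWS\system32\xxyARHBr.dll (file missing)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O20 - AppInit_DLLs: knjoom.dll
O20 - Winlogon Notify: vtUmKCUM - C:\WINDOWS\SYSTEM32\vtUmKCUM.dll
O23 - Service: stunnel - Unknown owner - C:\WINDOWS\$NtUninstallKB931337$\STUNNEL-4.11.EXE
O23 - Service: VNC Server (WinVNC) - TightVNC Group - C:\WINDOWS\winvnc.exe
"""

# Every HijackThis finding starts with a section code (R0, F2, O4, O23 ...).
LINE_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")


def triage_line(line):
    """Return the reasons (possibly none) a single HJT line deserves a closer look."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher")
    # Hotfix uninstall folders ($NtUninstallKBnnnnnn$) normally hold only backup
    # files from Windows Update, never a running service binary.
    if re.search(r"\\\$NtUninstall[^\\]*\$\\", body):
        reasons.append("executable hidden in a hotfix uninstall folder")
    if kind == "O20":
        reasons.append("AppInit_DLLs / Winlogon Notify injection point")
    if kind == "O2" and ("(no name)" in body or "(file missing)" in body):
        reasons.append("nameless or missing BHO")
    if kind == "O23" and "VNC" in body:
        reasons.append("remote-control service; confirm you installed it")
    return reasons


def triage_log(text):
    """Map each suspicious line of a whole log to its list of reasons."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```

Everything the script flags still has to be confirmed by hand (file properties, publisher, where the file lives), exactly as the helper asks about knjoom.dll above; it only narrows the list.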
