AtaPulja, posted December 5, 2008

*********************************************
2008-12-09: This thread is now locked because the problem has been solved. If you think it was locked by mistake, please contact Malou.
*********************************************

Hi! Trojan Vundo is so f****** annoying. I tried to remove it with VundoFix, which didn't work, and I tested other spyware programs, which didn't work either. Can anyone help me get rid of this tiresome virus? Thanks
Mickilina, posted December 5, 2008

Hi AtaPulja! I moved your thread to where you can get help more easily. Read Malou's instructions: http://www.alltomxp.se/forum/index.php?topic=13158.0 Then post a Trend Micro HijackThis log here in your thread. Regards, Mickilina
AtaPulja, posted December 6, 2008 (author)

Hi! Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:53:37, on 2008-12-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program\DELADE~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {C7E7DC63-1386-407A-888D-5EAF79524DCF} - C:\WINDOWS\system32\autodis.dll
O2 - BHO: (no name) - {fd3fbb9a-b8a7-4b6d-926a-24d58410bb86} - C:\WINDOWS\system32\hozifofe.dll
O4 - HKLM\..\Run: [CPMf3016e4d] Rundll32.exe "c:\windows\system32\fotowuta.dll",a
O4 - HKLM\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\zurolehe.dll c:\windows\system32\fotowuta.dll,C:\WINDOWS\system32\juwufajo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fotowuta.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fotowuta.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program\DELADE~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
Guest Malou, posted December 6, 2008

Hi AtaPulja!

You have not renamed the file as recommended in the instructions Mickilina referred to: C:\Program\Trend Micro\HijackThis\HijackThis.exe

Please read and follow the information and instructions on the page below:
=> Trend Micro HijackThis (Download/Instructions)

Do NOT run a new scan with TM HJT until you are asked to do so.

Print the following, or copy it into a text document and save it to the desktop. Read and follow the instructions carefully.

Download Malwarebytes Anti-Malware: http://www.malwarebytes.org/index.php

1: Save the installer to the desktop.
2: To start the installation, double-click mbam-setup.exe.
3: Tick the following: Update Malwarebytes' Anti-Malware, Launch Malwarebytes' Anti-Malware.
4: Click Finish. If there are updates, they will be installed.

When the above is done, continue with the following procedure:

1: When the program starts, choose Perform quick scan.
2: Click the Scan button.
3: The scan will take a while.
4: When the scan has finished, click OK and then Show Results.
5: Tick everything and click Remove Selected.
6: When the removal is finished, a text file with a log will open in Notepad. Copy and paste that log here into your thread.
7: Make a new TM HJT log and paste it here so we can see what it looks like.

NOTE: Do not start a new thread on the subject; keep posting here in your thread.

Regards/Malou
MrO, posted December 6, 2008

Hi Malou! Just want to let you know that the link to Malwarebytes no longer works. / Regards, MrO

PS: this one works: http://www.malwarebytes.org/
AtaPulja, posted December 6, 2008 (author)

OK, here is the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:15:49, on 2008-12-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program\DELADE~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\AtaPulja.exe

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {C7E7DC63-1386-407A-888D-5EAF79524DCF} - C:\WINDOWS\system32\autodis.dll
O2 - BHO: (no name) - {fd3fbb9a-b8a7-4b6d-926a-24d58410bb86} - C:\WINDOWS\system32\hozifofe.dll
O4 - HKLM\..\Run: [CPMf3016e4d] Rundll32.exe "c:\windows\system32\zurolehe.dll",a
O4 - HKLM\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\zurolehe.dll c:\windows\system32\fotowuta.dll,C:\WINDOWS\system32\juwufajo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zurolehe.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zurolehe.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program\DELADE~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

-- End of file - 3354 bytes

____________________________________________________________________________________

Here is the log after scanning with Malwarebytes Anti-Malware:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

2008-12-06 19:37:45
mbam-log-2008-12-06 (19-37-45).txt

Scan type: Quick scan
Objects scanned: 71429
Time elapsed: 13 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 16
Registry Values Infected: 9
Registry Data Items Infected: 7
Folders Infected: 2
Files Infected: 99

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hozifofe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sapahore.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\juwufajo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\zurolehe.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\fotowuta.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fd3fbb9a-b8a7-4b6d-926a-24d58410bb86} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{fd3fbb9a-b8a7-4b6d-926a-24d58410bb86} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fd3fbb9a-b8a7-4b6d-926a-24d58410bb86} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54c7d1dd-4296-451e-b756-1e94f665b4ff} (Spyware.Graball) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qlrusqsu (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qlrusqsu (Rootkit.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c7e7dc63-1386-407a-888d-5eaf79524dcf} (Spyware.BZub) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c7e7dc63-1386-407a-888d-5eaf79524dcf} (Spyware.BZub) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7e7dc63-1386-407a-888d-5eaf79524dcf} (Spyware.BZub) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmf3016e4d (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reyoromufo (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcroej0e54p (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\juwufajo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\juwufajo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\juwufajo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zurolehe.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zurolehe.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\fotowuta.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\fotowuta.dll -> Delete on reboot.

Folders Infected:
C:\Program\WMVideoPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\driqpvnv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vnvpqird.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nipavuyo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oyuvapin.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qkkppgfu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ufgppkkq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssknbxux.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xuxbnkss.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vilwookq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qkoowliv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zujawaro.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\orawajuz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\zurolehe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sapahore.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hozifofe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\juwufajo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\fotowuta.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\ikwosllc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\irldalwz.dat (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\TMP1F5.exe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\pmnnkJby.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00021999 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000232ae (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000239b3 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00024915 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00024db8 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00025980 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00027bfc (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00027d06 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00028330 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0002865c (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00029783 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0002a30c (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0002b0c8 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0002c133 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0002c51b (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00033096 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000344ab (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00039c02 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0003b3b1 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0003be21 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0003c871 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0003da05 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0003e0bc (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0003ea51 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000404a0 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00040f8d (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0002140b (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000421fb (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\byXNdDTJ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\byXNdDww.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\ddcYSKdc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\fccBTlkk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00043332 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00044ce4 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00048374 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\xxyyaXPH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000108e4 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000109ce (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00010bd2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00010ceb (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00011335 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000114ea (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00011519 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000115d5 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00011690 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000117f7 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00011a59 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00011bd0 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00011e8f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00011fd7 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00012296 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0001266f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000129da (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0001311d (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0001391c (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00013c29 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000157a0 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00015d9c (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp000177ea (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp00019574 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0001e922 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mirsad Puljic\Lokala inställningar\Temp\tmp0001fd47 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program\WMVideoPlugin\80_25.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsoft.nls (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msiconf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yatool.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\BMf3016e4d.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMf3016e4d.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mt_32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autodis.dll (Spyware.BZub) -> Delete on reboot.
C:\WINDOWS\system32\ws37678.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wini10801.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Quarantined and deleted successfully.

________________________________________________________________________________

I'll make a new Trend Micro HijackThis log shortly.
Guest Malou, posted December 6, 2008

> Hi Malou! Just want to let you know that the link to Malwarebytes no longer works. / Regards, MrO. PS: this one works: http://www.malwarebytes.org/

Thank you very much for pointing this out. I'll edit it right away.

Regards/Malou
Guest Malou, posted December 6, 2008

Hi AtaPulja!

I see that Malwarebytes' Anti-Malware has found quite a lot and fixed some of it. To hopefully take care of the rest, continue with the following procedure:

1: Restart the computer.
2: Update Malwarebytes' Anti-Malware.
3: Start the program => choose Perform quick scan.
4: Click the Scan button.
5: The scan will take a while.
6: When the scan has finished, click OK and then Show Results.
7: Tick everything and click Remove Selected.
8: When the removal is finished, a text file with a log will open in Notepad. Copy and paste that log here into your thread.
9: Make a new TM HJT log and paste it here so we can see what it looks like.

Regards/Malou
AtaPulja, posted December 6, 2008 (author)

Here is the log after scanning with the program and restarting the computer:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:51:39, on 2008-12-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program\DELADE~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\AtaPulja.exe

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {C7E7DC63-1386-407A-888D-5EAF79524DCF} - C:\WINDOWS\system32\autodis.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: ,
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program\DELADE~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

-- End of file - 2882 bytes
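The HijackThis logs posted before the Malwarebytes run and after the reboot can be compared mechanically rather than by eye. The script below is an added example, not code from this thread, from Trend Micro or from Malwarebytes. It parses HJT-style lines, flags the load points Vundo is seen using in this thread (nameless O2 BHOs, O4 Run entries where rundll32 loads a random-named system32 DLL, O4 entries under the LOCAL SERVICE / NETWORK SERVICE hives, O20 AppInit_DLLs, and O21/O22 Explorer load points with the same DLL naming), and diffs the two logs to list which DLLs still have a hook after the cleanup. The eight-lowercase-letter DLL rule is an assumption drawn from the names in these logs, not a general signature, and the two log excerpts are condensed constructions of the posts above.

```python
"""Triage of HijackThis (HJT) logs for Vundo-style load points.

Added example, not code from this thread, Trend Micro or Malwarebytes. The
heuristics are assumptions taken from the logs above: random 8-letter
system32 DLLs hooked in via O2 (BHO), O4 (rundll32 Run entries), O20
(AppInit_DLLs), O21 (SSODL) and O22 (SharedTaskScheduler).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")     # assumed naming pattern, not a signature
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s,"]+')     # quoted or bare path without spaces
SERVICE_SIDS = ("S-1-5-19", "S-1-5-20")         # LOCAL SERVICE / NETWORK SERVICE hives

# Constructed excerpts, condensed from the two logs posted in this thread.
HJT_BEFORE = r"""
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {C7E7DC63-1386-407A-888D-5EAF79524DCF} - C:\WINDOWS\system32\autodis.dll
O2 - BHO: (no name) - {fd3fbb9a-b8a7-4b6d-926a-24d58410bb86} - C:\WINDOWS\system32\hozifofe.dll
O4 - HKLM\..\Run: [CPMf3016e4d] Rundll32.exe "c:\windows\system32\fotowuta.dll",a
O4 - HKLM\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\zurolehe.dll c:\windows\system32\fotowuta.dll,C:\WINDOWS\system32\juwufajo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fotowuta.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fotowuta.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

HJT_AFTER = r"""
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {C7E7DC63-1386-407A-888D-5EAF79524DCF} - C:\WINDOWS\system32\autodis.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: ,
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    path: str


def basename(path: str) -> str:
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def triage(log: str) -> list[Finding]:
    """Return the HJT entries that match a Vundo-style load point."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", raw.strip())
        if not m:
            continue
        sect, rest = m.groups()
        if sect == "O2":                       # BHO: name - {CLSID} - path
            parts = rest.partition(": ")[2].rsplit(" - ", 2)
            if len(parts) == 3 and (parts[0] == "(no name)" or RANDOM_DLL.match(basename(parts[2]))):
                findings.append(Finding(sect, "nameless or random-named BHO", parts[2]))
        elif sect == "O4":                     # hive\..\Run: [value] command
            hive, _, cmd = rest.partition(": ")
            for p in PATH_RE.findall(cmd):
                reasons = []
                if "rundll32" in cmd.lower() and RANDOM_DLL.match(basename(p)):
                    reasons.append("rundll32 loads random-named DLL")
                if any(sid in hive for sid in SERVICE_SIDS):
                    reasons.append("Run entry under a service-account hive")
                if reasons:
                    findings.append(Finding(sect, "; ".join(reasons), p))
        elif sect == "O20" and rest.startswith("AppInit_DLLs:"):
            # a leftover ", " with no DLL (as in the post-cleanup log) yields nothing
            for dll in re.split(r"[\s,]+", rest.partition(":")[2].strip()):
                if dll:
                    findings.append(Finding(sect, "AppInit_DLLs injects into every GUI process", dll))
        elif sect in ("O21", "O22"):           # SSODL / SharedTaskScheduler
            path = rest.rsplit(" - ", 1)[-1]
            if RANDOM_DLL.match(basename(path)):
                findings.append(Finding(sect, "Explorer load point with random-named DLL", path))
    return findings


def compare(before: str, after: str) -> dict[str, set[str]]:
    """DLL basenames whose load points were removed vs. are still present."""
    b = {basename(f.path) for f in triage(before)}
    a = {basename(f.path) for f in triage(after)}
    return {"removed": b - a, "remaining": a}


if __name__ == "__main__":
    for f in triage(HJT_BEFORE):
        print(f"{f.section:4} {f.reason:45} {f.path}")
    print(compare(HJT_BEFORE, HJT_AFTER))
```

Run on the constructed excerpts it reports autodis.dll and sapahore.dll as still hooked in after the reboot, which matches the entries that are still visible in the later logs in this thread, while the Symantec BHO, ctfmon.exe and the NVIDIA rundll32 entry are not flagged. The AppInit_DLLs line that Malwarebytes left as a bare comma produces no finding, so a present-but-empty value is not confused with an injection; the per-section parsing also means a DLL referenced from several load points (fotowuta.dll appears under O4, O20, O21 and O22) is reported once per hook, which is what you need when deciding what to fix.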
AtaPulja, posted December 6, 2008 (author)

So, now I've done everything you wrote. What's left now? Is Vundo gone or not?
Guest Malou, posted December 6, 2008

Hi AtaPulja!

> So, now I've done everything you wrote. What's left now? Is Vundo gone or not?

Did you do the last instruction I posted above that quickly? I posted my reply at 19:52, and your last TM HJT log was scanned at 19:51:39 and posted by you at 19:53.

My last instruction post, posted at 19:52: http://www.alltomxp.se/forum/index.php?top...g99549#msg99549

Regards/Malou
AtaPulja, posted December 6, 2008 (author)

I'm working on that instruction post right now, scan in progress....
AtaPulja, posted December 6, 2008 (author)

1. New log:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

2008-12-06 20:15:14
mbam-log-2008-12-06 (20-15-14).txt

Scan type: Quick scan
Objects scanned: 71035
Time elapsed: 18 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7e7dc63-1386-407a-888d-5eaf79524dcf} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c7e7dc63-1386-407a-888d-5eaf79524dcf} (Trojan.BHO.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qlrusqsu (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qlrusqsu (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\autodis.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\irldalwz.dat (Rootkit.Agent) -> Delete on reboot.

The second log is coming shortly..
MrO Posted December 6, 2008
You forgot to update Malwarebytes; the current database version is 1467.
/ Regards MrO
AtaPulja (Author) Posted December 6, 2008
Here comes the second log;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:22:45, on 2008-12-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\DELADE~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\AtaPulja.exe

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {C7E7DC63-1386-407A-888D-5EAF79524DCF} - C:\WINDOWS\system32\autodis.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [reyoromufo] Rundll32.exe "C:\WINDOWS\system32\sapahore.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: ,
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program\DELADE~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 2848 bytes

Vundo is actually gone. My Mozilla works perfectly; the spyware program found 107 different viruses the first time, but only 6 the second time. Great!
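A defender-side triage helper, added here as an example and not part of any post in this thread: it parses HijackThis-style lines (constructed samples modelled on the two logs above, not the full logs), flags the entry types that stand out in a Vundo infection (a BHO with no name, a Run key loading a system32 DLL through Rundll32, a populated AppInit_DLLs value, SSODL/SharedTaskScheduler entries), and diffs the first and second log to show what the cleanup removed and what is still present. The function names and the reduced sample logs are assumptions of this example.

```python
import re

# Constructed sample lines in HijackThis v2 format, modelled on the thread's
# first (infected) and second (post-cleanup) logs; not the full logs.
BEFORE_LOG = """\
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\\Program\\DELADE~1\\SYMANT~1\\IDS\\IPSBHO.dll
O2 - BHO: (no name) - {C7E7DC63-1386-407A-888D-5EAF79524DCF} - C:\\WINDOWS\\system32\\autodis.dll
O4 - HKLM\\..\\Run: [CPMf3016e4d] Rundll32.exe "c:\\windows\\system32\\fotowuta.dll",a
O4 - HKUS\\S-1-5-19\\..\\Run: [reyoromufo] Rundll32.exe "C:\\WINDOWS\\system32\\sapahore.dll",s (User 'LOKAL TJÄNST')
O20 - AppInit_DLLs: c:\\windows\\system32\\zurolehe.dll c:\\windows\\system32\\fotowuta.dll,C:\\WINDOWS\\system32\\juwufajo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\\windows\\system32\\fotowuta.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\\Program\\Symantec\\LiveUpdate\\LuComServer_3_4.EXE
"""
AFTER_LOG = """\
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\\Program\\DELADE~1\\SYMANT~1\\IDS\\IPSBHO.dll
O2 - BHO: (no name) - {C7E7DC63-1386-407A-888D-5EAF79524DCF} - C:\\WINDOWS\\system32\\autodis.dll
O4 - HKUS\\S-1-5-19\\..\\Run: [reyoromufo] Rundll32.exe "C:\\WINDOWS\\system32\\sapahore.dll",s (User 'LOKAL TJÄNST')
O20 - AppInit_DLLs: ,
O23 - Service: LiveUpdate - Symantec Corporation - C:\\Program\\Symantec\\LiveUpdate\\LuComServer_3_4.EXE
"""

# A DLL sitting directly in system32 (the drop location seen in the logs).
SYS32_DLL = re.compile(r"c:\\windows\\system32\\[a-z0-9_]+\.dll", re.IGNORECASE)


def suspicious_entries(log):
    """Return (reason, line) pairs for HijackThis entries worth a second look."""
    hits = []
    for line in log.splitlines():
        sec = line.split(" - ", 1)[0]          # "O2", "O4", "O20", ...
        if sec == "O2" and "(no name)" in line:
            hits.append(("BHO with no name", line))
        elif sec == "O4" and "rundll32" in line.lower() and SYS32_DLL.search(line):
            hits.append(("Run key loading a system32 DLL via Rundll32", line))
        elif sec == "O20":
            # AppInit_DLLs is space- or comma-separated; "," alone means empty.
            dlls = [d for d in re.split(r"[ ,]+", line.split(":", 1)[1]) if d]
            if dlls:
                hits.append(("AppInit_DLLs populated (%d entries)" % len(dlls), line))
        elif sec in ("O21", "O22") and SYS32_DLL.search(line):
            hits.append(("%s shell extension in system32" % sec, line))
    return hits


def removed_entries(before, after):
    """Lines present in the first log but absent from the second."""
    return sorted(set(before.splitlines()) - set(after.splitlines()))
```

Running suspicious_entries on the second log still reports the nameless BHO (autodis.dll) and the Rundll32 entry under the service accounts, which matches the advice in the thread to reboot and rescan so the "Delete on reboot" items are actually removed.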
Guest Malou Posted December 6, 2008
Hi AtaPulja!
As MrO says, "Update Malwarebytes' Anti-Malware". I see that it finds a lot of nasties, and for it to be able to fix them you must restart the computer and redo the scan.
1: Restart the computer
2: Update Malwarebytes' Anti-Malware
3: Start the program => choose Perform quick scan
4: Click the Scan button
5: The scan will now take a while
6: When the program has finished scanning, click Ok and then Show results
7: Check everything and click Remove Selected
8: When the removal is done, a text file will open in Notepad with a log. Copy/paste that log here to your thread.
9: Make a new TM HJT log and paste it here so we can see how it looks.
Regards/Malou
lbl Posted December 7, 2008
Symantec does have a program for removing VUNDO, which I have run, and it got rid of the junk in 2-3 reboots, so I'm attaching that program for download here. Quick and easy, but I downloaded it perhaps sometime at the start of the year, so it is possible there are other VUNDO variants it can't handle.
/LbL!