Søg
Avatar billede timeglas1 Nybegynder
15. august 2006 - 16:02 Der er 12 kommentarer og
1 løsning

Trojansk hest?

Hej er blevet henvist af Kandu.dk-brugere så prøver lige at stille spørgsmålet her:

Min AVG virus skanner melder at den har fanget en trojansk backdoor hest. Den hedder C:\WINNT\system32\kernel32.ime
Jeg har både kørt AVG i sikkermode og normal og den bliver ved med at poppe op med advarsel om denne trojanske hest. Nu har jeg så været på google og søgt på den og det sted jeg fandt, stod der beskrevet at det var en trojansk hest : www.greatis.com men efter at have downloaded TrojanHunter så finder den ikke noget. Er der nogen der ved noget om denne Kernel32.ime?

Fandt også lige dette på internettet, men tør ikke gøre det hvis det er fake:

kernel32.ime
Jun. 14, 2006

Worm, part of SDBot family.
kernel32.ime is a DLL.
kernel32.ime is dropped by remote.exe and injected into the system process, svchost.exe.

remote.exe, svchost.exe and wmi.vbe are part of kernel32.ime family.
wmi.vbe attacks PC with the user account to which the password is not set.

ftp server spreading this worm is ftpd.3322.org. See wmi.vbe.
ftpd.3322.org is resolved to 218.202.44.69 at 14 Jun 2006 09:30:00 PM +900 JST.

kernel32.ime attempts to connect to 218.202.44.69 (ftpd.3322.org) and download test.exe.
test.exe on the server is the same file as svchost.exe.
lol.exe (See wmi.vbe) on the server is the same file as remote.exe.

kernel32.ime attempts to connect to SunnyDoll.3322.org too. I don't know why.
Following host names appear in other versions of kernel32.ime:
b0tz.3322.org

File
file path: %windir%\system32\kernel32.ime
file size: 16,127
md5: fd9b45930e32880c70fa7bab62761d92

Removal
1. Remove the service "Remote Procedure Call (RPC) Remote" (RpcRemote).
NOTE: Not "Remote Procedure Call (RPC)" (RpcSs), not "Remote Procedure Call (RPC) Locator" (RpcLocator).
2. Remove the file %windir%\system32\remote.exe.
3. Restart the computer.
4. Remove following files:
%windir%\system32\kernel32.ime
%windir%\system32\wins\svchost.exe
%windir%\system32\wins\wmi.vbe

Har lavet en HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 16:01:53, on 15-08-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Programmer\Norton Utilities\NPROTECT.EXE
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINNT\system32\MSTask.exe
C:\Programmer\Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Programmer\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Programmer\TrojanHunter 4.5\THGuard.exe
D:\PROGRA~1\Office\OUTLOOK.EXE
C:\Documents and Settings\none\Skrivebord\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tdconline.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Programmer\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Programmer\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programmer\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Programmer\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://bar.mytotalsearch.com/menusearch.html?p=CPXXXXXX59
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\programmer\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://homepc.novonordisk.com/citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37940.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/10025/defaults/activex/ImageUploader3.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://www.selvet.dk/common/streaming/tv/ampx_en_dl.cab
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmer\Norton Utilities\NPROTECT.EXE
O23 - Service: P1ug and P1ay (P1ugP1ay) - Unknown owner - C:\WINNT\system\services.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Programmer\Speed Disk\nopdb.exe



Mvh og på forhånd tak fra Timeglas1
Avatar billede Computer Hjælp (Gratis) Mester
16. august 2006 - 08:08 #1
Rul denne procedure ->
http://www.eksperten.dk/artikler/755

(Ikke nødvendigvis mig der følger op...)
Avatar billede timeglas1 Nybegynder
16. august 2006 - 12:04 #2
Hej igen.

Og tusinde tak for linket. linkene i selve artikel 755 er desværre ikke opdateret, men fandt selv drweb og ewido.

Her er servicelog:

Drweb:

services.exe    C:\WINNT\system    BackDoor.Pigeon.363    Deleted.
remote.exe    C:\WINNT\system32    BackDoor.IRC.Noxy    Deleted.
kernel32.ime    C:\WINNT\system32    BackDoor.IRC.Noxy    Deleted.

Ewido:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at:    11:50:51 16-08-2006

+ Scan result:   



C:\Programmer\TopText\CHCON.dll.tcf -> Adware.EZula : No action taken.
C:\Programmer\TopText\CHPON.dll.tcf -> Adware.EZula : No action taken.
C:\Programmer\TopText\sepng.dll -> Not-A-Virus.PSWTool.Win32.EZula.bf : No action taken.
C:\Documents and Settings\none\Cookies\none@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\none\Cookies\none@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:51:47, on 16-08-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Programmer\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\none\Skrivebord\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tdconline.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Programmer\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Programmer\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Programmer\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programmer\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Programmer\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://bar.mytotalsearch.com/menusearch.html?p=CPXXXXXX59
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\programmer\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://homepc.novonordisk.com/citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37940.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/10025/defaults/activex/ImageUploader3.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmer\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmer\Norton Utilities\NPROTECT.EXE
O23 - Service: P1ug and P1ay (P1ugP1ay) - Unknown owner - C:\WINNT\system\services.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Remote (RpcRemote) - Unknown owner - C:\WINNT\system32\remote.exe (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\Programmer\Speed Disk\nopdb.exe

Og endnu engang tusinde tak for hjælpen. Tror at Drweb fik dræbt den. Det var ihvertfald lige netop de filer som jeg havde mistænkt :-)

mvh timeglas
Avatar billede Computer Hjælp (Gratis) Mester
16. august 2006 - 18:13 #3
... bare lige lidt oprydning:

Fix disse i HiJackThis:

O4 - Global Startup: Microsoft Office.lnk = D:\Programmer\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mytotalsearch.com/menusearch.html?p=CPXXXXXX59  (Eller kender du den?)
O10 - Broken Internet access because of LSP provider 'c:\programmer\newdotnet\newdotnet6_38.dll' missing

(Evt. ny HiJackThis log derefter...)
Avatar billede timeglas1 Nybegynder
16. august 2006 - 22:13 #4
Hej igen

Så blev der ryddet godt op. Den dersens LSP var svær at få bugt med. Fik den væk med Spybot.

Hermed en ny HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:05:04, on 16-08-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Programmer\Norton Utilities\NPROTECT.EXE
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINNT\system32\MSTask.exe
C:\Programmer\Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
D:\PROGRA~1\Office\OUTLOOK.EXE
C:\Documents and Settings\none\Skrivebord\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tdconline.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Programmer\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Programmer\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Programmer\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) -
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37940.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) -
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/10025/defaults/activex/ImageUploader3.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmer\Norton Utilities\NPROTECT.EXE
O23 - Service: P1ug and P1ay (P1ugP1ay) - Unknown owner - C:\WINNT\system\services.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Remote (RpcRemote) - Unknown owner - C:\WINNT\system32\remote.exe (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\Programmer\Speed Disk\nopdb.exe

Så er der bare et problem med Remote Procedure Call. HJT siger at det er en parasit og at den kan være svær at fjerne. HJT kan ikke fjerne den. Regner med at det stadig er noget fra den trojanske hest (kernel32.ime). Nogen forslag til hvordan jeg kommer af med linien?

Og på forhånd tak fra timeglas
Avatar billede timeglas1 Nybegynder
16. august 2006 - 22:20 #5
Glemte at skrive at p1ug and p1ay services.exe også er af samme kaliber. Men skal de slettes og hvordan.

mvh timeglas
Avatar billede Computer Hjælp (Gratis) Mester
16. august 2006 - 22:21 #6
StandBy ...
Avatar billede Computer Hjælp (Gratis) Mester
16. august 2006 - 22:37 #7
Jeg har lige fået et tips - som jeg havde 'mistanke' til...

Denne underlige:
O23 - Service: P1ug and P1ay (P1ugP1ay) - Unknown owner - C:\WINNT\system\services.exe (file missing)
skal slettes/stoppes vha:
http://spywareinfo.dk/#/tip-og-tricks/stoppe_deaktivere_service.htm
Find [services.exe] processen og 'Deaktiver' den ...

Genstart og bedøm reslutat...
(Mere kan følge...)
Avatar billede Computer Hjælp (Gratis) Mester
16. august 2006 - 23:27 #8
For en go' ordens skyld... den skulle gerne hedde noget i retning af "Service: P1ug and P1ay (P1ugP1ay) - Unknown owner" ...

PS: Har du engang haft noget Symantec/Norton på systemet ? Der er bare nogle 'rester' som lige som godt ka' komme af vejen... på samme vis med
http://spywareinfo.dk/#/tip-og-tricks/stoppe_deaktivere_service.htm
"Service: Norton Unerase Protection (NProtectService) - Symantec Corporation -"
Avatar billede timeglas1 Nybegynder
16. august 2006 - 23:51 #9
så er den i vinkel tror jeg:

Logfile of HijackThis v1.99.1
Scan saved at 23:48:28, on 16-08-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINNT\system32\MSTask.exe
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Programmer\Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Documents and Settings\none\Skrivebord\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tdconline.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Programmer\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Programmer\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Programmer\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) -
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37940.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) -
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/10025/defaults/activex/ImageUploader3.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Programmer\Speed Disk\nopdb.exe

tusinde tak. Har flere gange set dette "gå ind i service" man har aldrig fattet hvor det var. Nu har jeg lært dette. Ligger programmet så stadig i dvale, kan det ikke slettes i "services" eller er det lige meget?
Avatar billede Computer Hjælp (Gratis) Mester
17. august 2006 - 09:45 #10
... der er ikke mere at gi' af her...

Hvordan ruller putter nu ?
Avatar billede timeglas1 Nybegynder
17. august 2006 - 10:01 #11
den kører perfekt. og tusinde tak for hjælpen. lukker spørgsmål nu.

mvh timeglas
Avatar billede Computer Hjælp (Gratis) Mester
17. august 2006 - 10:48 #12
Ping...

(Det var et [svar]...)

Du ka' lige rulle denne: http://www.spywareinfo.dk/download/cleantempxp2k.bat for at slutoprydde blandt TEMP filer osv.

Ka' også anbefale: Ccleaner + vejledning http://www.spywarefri.dk/manualer/ccleaner-manual.htm
Avatar billede timeglas1 Nybegynder
17. august 2006 - 11:35 #13
tak for svar
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
Se alle it-kurser fra Computerworld Kurser
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.
Se alle it-kurser

Flere spørgsmål fra Virus kategorien

Titel Indlæg Oprettet Seneste aktivitet
Vil skrifte antivirusprogram. Af ErikHg i Virus 22 26/11/202510:42 23/12/202514:29
Er gratis Bitdefender værd at installere ? Af Ikke-ekspert i Virus 8 31/08/202519:08 01/09/202514:18
Ukendte filer på min Pc Af jonpet i Virus 10 03/02/202514:20 04/02/202511:05
mulig ukendt virus Af jackie18 i Virus 3 18/01/202514:07 18/01/202516:39
virus popper op med jævne mellemrum Af Malm i Virus 13 18/01/202511:40 20/01/202517:53
Se alle spørgsmål i kategorien Opret spørgsmål

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Opret Log ind

Du kan også logge ind via nedenstående tjenester

Alle kategorier på Eksperten
Seneste spørgsmål Seneste aktivitet
I dag 08:32 Office pakke LTSC vs Retail? Af Don G i Office & Kontorpakker
I går 21:19 Lydindstilling Prosonic TV Af TageArent i Fjernsyn & projektorer
I går 15:37 Sort skærm Af mort1 i Windows
09/0412:32 iPadOS 26.4.1 kan ikke opdatere Af claes57 i Apps til iOS
08/0410:38 Indholdsfortegnelse ændrer sig, når jeg gemmer som PDF Af Jan K i Word
White papers
Flere white papers »