Sidder på en vens PC og har et problem. problemet er en inficeret svchost.exe fil (W32.Spybot.Worm) efter sletning af filen og en genstart så windows fil beskyttelse opretter en ny svchost.exe fil, er den nyoprettede fil også inficeret.. kan nogen eventuelt udlede noget af denne hijackfil? Logfile of HijackThis v1.97.7 Scan saved at 23:41:58, on 03-11-2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:WINNTSystem32smss.exe C:WINNTsystem32winlogon.exe C:WINNTsystem32services.exe C:WINNTsystem32lsass.exe C:WINNTsystem32 vsvc32.exe C:PROGRA~1NeoWatchNWSERVICE.exe C:WINNTsystem32svchost.exe C:WINNTSystem32svchost.exe C:WINNTSystem32WBEMWinMgmt.exe C:WINNTExplorer.EXE C:WINNTsystem32devldr32.exe C:ProgrammerD-Toolsdaemon.exe C:ProgrammerCreativeSBLiveAudioHQAHQTB.EXE C:ProgrammerQuickTimeqttask.exe C:ProgrammerNeoWatchNeoWatchTray.exe C:Documents and SettingsHenrik HansenLokale indstillingerTemporary Internet FilesContent.IE5CXMV0XQVHijackThis[1].exe R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.tv2.dk[...] R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Hyperlinks R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:ProgrammerAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocx O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINNTsystem32msdxm.ocx O4 - HKLM..Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM..Run: [DAEMON Tools-1033] "C:ProgrammerD-Toolsdaemon.exe" -lang 1033 O4 - HKLM..Run: [AudioHQ] C:ProgrammerCreativeSBLiveAudioHQAHQTB.EXE O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINNTsystem32NvCpl.dll,NvStartup O4 - HKLM..Run: [nwiz] nwiz.exe /install O4 - HKLM..Run: [QuickTime Task] "C:ProgrammerQuickTimeqttask.exe" -atboottime O4 - HKLM..Run: [Mirabilis ICQ] C:PROGRA~1ICQICQNet.exe O4 - Global Startup: Microsoft Office.lnk = C:ProgrammerMicrosoft OfficeOfficeOSA9.EXE O4 - Global Startup: NeoWatch Startup.lnk = C:ProgrammerNeoWatchNeoWatchTray.exe O8 - Extra context menu item: &NeoTrace It! - C:PROGRA~1NeoWatchNTXcontext.htm O9 - Extra button: ICQ Pro (HKLM) O9 - Extra 'Tools' menuitem: ICQ (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: NeoTrace It! (HKCU) O12 - Plugin for .spop: C:ProgrammerInternet ExplorerPluginsNPDocBox.dll O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com[...] O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com[...] O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com[...] O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com[...] O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com[...]
--

"640K ought to be enough for anybody." Bill Gates, 1981

#1
Kim In Chul
Maxi Supporter
05-11-2004 16:00

Rapporter til Admin

Hvor ligger den svchost.exe fil som er inficeret? Prøv at download denne viruscanner og post resultatet i næste indlæg: http://www.mwti.net[...] Videre til din log, start med at deaktivere systemgendannelsen, kør en ny hijackthis og sæt flueben ud for: R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com O4 - HKLM..Run: [QuickTime Task] "C:ProgrammerQuickTimeqttask.exe" -atboottime O4 - Global Startup: Microsoft Office.lnk = C:ProgrammerMicrosoft OfficeOfficeOSA9.EXE Luk derefter alle browservinduer og klik på "fix checked" start derefter op normalt og kom med en ny log, samt resultatet af viruscanneren.... //Kim In Chul
--
Så læs dem da for helvede: http://www.hol.dk[...] MSN: [email protected]