virus W32.Randex.gen kommer tilbage konstant +trojan

min hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 14:57:44, on 23-03-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\SYSTEM32\wong.exe
C:\WINNT\system32\svchotsqf.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ni.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fra Telenor
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [svchosts32] C:\WINNT\SYSTEM32\wong.exe
O4 - HKLM\..\Run: [Microsof] svchotsqf.exe
O4 - HKLM\..\Run: [configuration loader] winicfg32.exe
O4 - HKLM\..\Run: [tizzframe] tizzframe.exe
O4 - HKLM\..\Run: [MS Configuration] MSFramer.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - HKLM\..\RunServices: [configuration loader] winicfg32.exe
O4 - HKLM\..\RunServices: [tizzframe] tizzframe.exe
O4 - HKLM\..\RunServices: [MS Configuration] MSFramer.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: DLHelperEXE.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: tits.free6.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1667ba5c2bca1a4a0319/netzip/RdxIE601.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38058.2903587963
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/213/webolr/OCX/FlashAX.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by16fd.bay16.hotmail.msn.com/activex/HMAtchmt.ocx

løber den igennem

hi

Click Start, and then click Run. (The Run dialog box appears.)

Type regedit
Then click OK. (The Registry Editor opens.)
Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr
entVersion\Run

In the right pane, delete any values that refer to the worm files, which were detected in step 4.

Exit the Registry Editor.

good luck

or

http://securityresponse.symantec.co...door.sdbot.html

here you can get more details about that virus/backdoor. you have there removal instructions, too. good luck


__________________

Du skal nu til at i gang med at fixe:

Kør Hijackthis, scan, sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked, luk hijackthis igen.
Dobbelttjek, så alt kommer med.


O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [svchosts32] C:\WINNT\SYSTEM32\wong.exe
O4 - HKLM\..\Run: [Microsof] svchotsqf.exe
O4 - HKLM\..\Run: [configuration loader] winicfg32.exe
O4 - HKLM\..\Run: [tizzframe] tizzframe.exe
O4 - HKLM\..\Run: [MS Configuration] MSFramer.exe
O4 - HKLM\..\RunServices: [configuration loader] winicfg32.exe
O4 - HKLM\..\RunServices: [tizzframe] tizzframe.exe
O4 - HKLM\..\RunServices: [MS Configuration] MSFramer.exe

O4 - Startup: DLHelperEXE.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O15 - Trusted Zone: tits.free6.com

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1667ba5c2bca1a4a0319/netzip/RdxIE601.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab


Find og slet i fejlsikret(f8 ved opstart):


C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\SYSTEM32\wong.exe
C:\WINNT\system32\svchotsqf.exe

start->søg (markering i søg i skjulte filer og mapper) søg efter:
MSFramer.exe
tizzframe.exe
winicfg32.exe


Derefter genstarter du og sender en ny log herind, for at se om vi har fået den helt ren.

hej igen og tak for den hurtige hjælp

nu har jeg gjordt som du sagde - men jeg kunne ikke søge efter:

MSFramer.exe
tizzframe.exe
winicfg32.exe
skal jeg bare markere show hidden files og så søge?

For 10 sec. siden fik jeg denne meddelse: (den blev slettet automatisk)
Kilde: C:\WINNT\system32\zxpayxz.exe
Klik her, hvis du ønsker yderligere oplysninger om denne trussel: W32.HLLW.Gaobot.RQ

Den nye log:

Logfile of HijackThis v1.97.7
Scan saved at 15:43:18, on 23-03-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ni.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fra Telenor
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38058.2903587963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/213/webolr/OCX/FlashAX.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by16fd.bay16.hotmail.msn.com/activex/HMAtchmt.ocx

MSFramer.exe
tizzframe.exe
winicfg32.exe
skal jeg bare markere show hidden files og så søge?

JA!!!!!

------------------------

Så er du ren

For at beskytte dig mod snavs har jeg lavet en sikkerhedspakke,
som du kan hente her : www.arlet.dk/pakke.htm

Men kom med en tilbagemelding om du finder noget, når du søger

Tak for hjælpen

Noget andet som bekymrer mig lidt: Jeg har kørt sikkerhedstest i norton sec.
  A detailed look at your Trojan Horse Check results.
 
The Trojan Horse Check tests whether ports commonly used by Trojan horse applications are open, closed, or stealth.
Understanding your results:  An open port responds to port probes and acknowledges the port's availability. Open ports are dangerous because they're an easy and attractive means of entry for hackers.

A closed port is visible but not open to attack. Although this is a safe state, a hacker can use closed ports to detect the existence of your computer and potentially target it for attack.

A stealth port is safest of all. Stealth means that your computer doesn't respond to port probes, and you are virtually invisible to hackers scanning the Internet for potential targets. Although this is a very safe result, a stealth port may cause performance problems for some Internet applications.


Jeg har desværre mange lukkede, mens kun 5 "stealth porte" Er det unormalt?

Hvis det er NIS 2004 du har, så har du også nortons firewall. Ved start skulle den gå ind og sætte alle porte til stealth. ellers må du ind og kigge i indstillingerne til den og finde frem til, så du kan få sat dem på stealth.

Tjek evt porte her: https://grc.com/x/ne.dll?bh0bkyd2
Tryk proceed og all service ports.

De grønne er stealth
De blå er lukkede
De røde er åbne

Hvad siger den??

GRC Port Authority Report created on UTC: 2004-03-23 at 15:07:10

Results from scan of ports: 0-1055

    3 Ports Open
1053 Ports Closed
    0 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be STEALTH.

Ports found to be OPEN were: 135, 445, 1026

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                  - NO unsolicited packets were received,
                  - A PING REPLY (ICMP Echo) WAS RECEIVED.

Hvis det er NIS 2004 du har, så har du også nortons firewall. Ved start skulle den gå ind og sætte alle porte til stealth. ellers må du ind og kigge i indstillingerne til den og finde frem til, så du kan få sat dem på stealth.

Hej igen

Jeg har NIS 2004. Min nortons firewall sætter ikke alle porte til stealth. kører som anbefelet standard firewall. Skal jeg indstille min explorer under egenskaber? Lidt mærkelig at jeg har 1053 lukkede porte!


Desværre har jeg allerede fået en ny virus: (er dog automatisk slettet)
Kilde: C:\WINNT\system32\netd32.exe
Klik her, hvis du ønsker yderligere oplysninger om denne trussel: W32.Randex.gen

Jeg håber nogen kan hjælpe mig med ovenstående problem. med alle de lukkede porte.

Du skal gå ind i firewallen og finde indstillingerne for porte. Der må du kunne stille alle sammen på stealth

nu har jeg geninstal. nis 2004 og nu kører det optimalt. Tusind tak for hjælpen!

Det var godt, jeg mente nok at de skulle være stealth ved nyinstallation

For at lukke spørgsmålet pænt igen skal du lige marker et navn i boksen til venstre og trykke accepter, så får vedkomne pointene og spørgsmålet bliver lukket.

Fortsat god dag