Hackerangreb eller hvad

Kører du RealVNC?

Ja, er det et problem???

Kør en hijackthis og smid loggen her, eller på www.spywarefri.dk forummet ;)

Der er en kritisk sikkerhedsfejl i RealVNC 4.1.1 - Du bør opgradere til 4.1.2
Du bør stadig høre hijackthis ;)

Hej igen du et sgu godt nok hurtig! Her er loggen:
Logfile of HijackThis v1.99.1
Scan saved at 23:48:27, on 21-11-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmer\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programmer\F-Secure\Anti-Virus\fssm32.exe
C:\Programmer\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmer\F-Secure\Common\FSMB32.EXE
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\Programmer\F-Secure\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmer\F-Secure\Common\FAMEH32.EXE
C:\Programmer\F-Secure\Common\FNRB32.EXE
C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
C:\Programmer\F-Secure\Common\FIH32.EXE
C:\Programmer\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\FSC\Wireless Wheel Mouse\MOUSE32A.EXE
C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Programmer\Multimedia Mouse\MouseDrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
C:\Programmer\SPAMfighter\SFAgent.exe
C:\Programmer\F-Secure\Common\FSM32.EXE
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programmer\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Pegasus Technologies\PC Notes Taker\PCNotesTaker.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\F-Secure\FSGUI\fsguiexe.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmer\SpeedFan\speedfan.exe
C:\Programmer\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programmer\Netropa\Onscreen Display\OSD.exe
C:\Programmer\Netropa\InetKb\Inetkb.exe
C:\Programmer\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Programmer\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PNTRoute.exe
C:\Programmer\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programmer\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\winlogon.exe
C:\Programmer\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\DOCUME~1\Jan\LOKALE~1\Temp\Midlertidig mappe 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmer\FSC\Wireless Wheel Mouse\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmer\Multimedia Mouse\MouseDrv.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programmer\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programmer\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [ERScw] "C:\Programmer\Fælles filer\ErrorSafe\ERScw.exe" -c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Programmer\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Notes Taker] C:\Programmer\Pegasus Technologies\PC Notes Taker\PCNotesTaker.exe -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Error Safe] C:\Programmer\Error Safe\ers.exe /min
O4 - Global Startup: HP Photosmart Premier Hurtig start.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: speedfan.lnk = C:\Programmer\SpeedFan\speedfan.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmer\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmer\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.diaform.dk/menu/config/version5_ny/Codebase/FormCtl.CAB
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (Adobe Mail Control) - http://www.diaform.dk/menu/config/version5_ny/codebase/ffmail.cab
O16 - DPF: {1E69721D-9104-11D3-82D3-D06650C10000} (DafoloControl Class) - http://www.diaform.dk/menu/config/version5_ny/codebase/Dafolo.cab
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.diaform.dk/menu/config/version5_ny/codebase/plsspeller.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156449701311
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158157331468
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.kragh.lir.dk/tsweb/msrdp.cab
O16 - DPF: {92EB6641-286A-11D2-A68E-00A0C996A6DD} (Adobe Signature Object) - http://www.diaform.dk/menu/config/version5_ny/codebase/jfsignature.cab
O16 - DPF: {AD90E8D1-3B47-11D2-A696-00A0C996A6DD} (jfCryptoSignature Class) - http://www.diaform.dk/menu/config/version5_ny/codebase/jfcrypto.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.diaform.dk/menu/config/version5_ny/codebase/scriptobject.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.diaform.dk/menu/config/version5_ny/codebase/fontinstaller.cab
O16 - DPF: {F4F6546F-FBA9-11D1-8AFB-080009ECFDC5} (Adobe ListBox Control) - http://www.diaform.dk/menu/config/version5_ny/codebase/listbox.cab
O16 - DPF: {FFFDF6F2-F7BC-4B90-B789-CB7BBDA13AD6} (CLaunchPrint Object) - http://eshare.hpphoto.com/Download/HPeServicesLocalPrint.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\MSGRAP~1.DLL
O20 - AppInit_DLLs: "C:\PROGRA~1\Google\Google Desktop Search\GOEC62~1.DLL" C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmer\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Programmer\F-Secure\Common\FSMA32.EXE
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programmer\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - SiS Corporation - (no file)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmer\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Jeg er ikke så god til dette her, men here goes :)

Download og installer AdAware, SpyBot Search & Destroy og SuperAntiSpyware, opdatér hver af dem og kør dem alle i den rækkefølge.
Det lader til at du har en trojansk hest inde (Trojan.W32.ErrorSafe) - vi satser på at én af de programmer vi installerer kan fjerne det :)

Når det er gjort, så prøv at smide en hijackthis log igen (omdøb hijackthis.exe til blahblah.exe eller lignende før du kører den).

Under alle omstændigheder er det meget galt med [Error Safe] programmet !!!
Læs her om dette 'smarte' program -> http://www.grineflip.dk/support/errorsafe

Afinstaller
* Error Safe
via
[Start][Indstillinger][Kontrolpanel][Tilføj/fjerm programmer

Genstart for at fuldføre afinstalationen...


Kør en scanning med Hijackthis,
Du får herunder nogle filer, som du skal fixe. Det, du skal gøre, er at sætte et flueben ud for disse filer. Når du har gjort det, så lukker du alle andre vinduer ned. Det er meget vigtigt at det eneste vindue, som er åbent er HijackThis vinduet. Husk også at lukke dette vindue, når du har markeret filerne. Nu må du fixe. Klik på Fix checked.

Det er denne, som skal fixes:

O4 - HKCU\..\Run: [Error Safe] C:\Programmer\Error Safe\ers.exe /min

Genstart normalt

Jeg vil bede dig om at gennemføre den fulde procedure som her beskrevet -> http://www.spywarefri.dk/forum/links/hjtanv.htm
Incl Loggen fra nævnte Ewido .

------------------------------------------------------------------------

(OK - det var vi nogenlunde enige om...)

hehe dr1, jeg håbede du ville se denne og overtage lidt :)

... bare kom an ...

Øhhhh............? Hvordan giver man point for svar?

Jeg vil bede dig om at gennemføre den fulde procedure som her beskrevet -> http://www.spywarefri.dk/forum/links/hjtanv.htm
Incl Loggen fra nævnte Ewido .

http://expfaq.1go.dk/?id=3#behandling_af_svar

Nå, men da der ikke er nogen der vil have point lukker jeg selv spørgsmålet. Men tak for hjælpen til codder og specielt dr1, jeg har fået et stabilt system igen - tak for hjælpen

Nu plejer det at være sådan, på eksperten, at spørgeren beder om et svar fra de(n) person(er) der har hjulpet, og først herefter tildeles point ;) Hvis dr1 vil have point, må du gerne give ham dem :)

øhhh, ups undskyld hvis jeg har kvajet mig, jeg giver gerne point til Jer begge

hehe det er ok :) dr1 svar! :) Jeg skal ikke have noget...

Jeg ville da gerne have set en frisk HiJackThis log for at 'godkende' ...