W32.Sinnaka.A@mm / iworm_attck-v122.02a

[PerM]

Hej Zipp (eller någon anna som kan hjälpa till),

 

här är HJT loggen:

 

Logfile of HijackThis v1.99.1

Scan saved at 20:46:05, on 2005-12-11

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvctrl.exe

C:\WINDOWS\system32\mssearchnet.exe

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program\NORTON~1\navapw32.exe

C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\system32\GSICON.EXE

C:\WINDOWS\system32\dslagent.exe

C:\Program\QuickTime\qttask.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\WINDOWS\system32\rundll32.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Program\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Logitech\WINGMA~1\Lwpevntm.exe

C:\Program\Shareaza\Shareaza.exe

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\Program\iD2\CSP\iD2CertMover.exe

C:\Program\Delade filer\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\system32\id2scaps.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

C:\HiJackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/'>http://www.google.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp5812.tmp

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE

O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Lwinst Run Profiler] C:\Program\Logitech\WINGMA~1\Lwinst.exe -d -l "C:\Program\Logitech\WINGMA~1\Lwpevntm.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program\Microsoft AntiSpyware\gcASCleaner.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [shareaza] "C:\Program\Shareaza\Shareaza.exe" -tray

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: iD2 CSP Certificate Utility.lnk = C:\Program\iD2\CSP\iD2CertMover.exe

O4 - Global Startup: Kalenderpåminnelser i Microsoft Works.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .sgn: C:\Program\Internet Explorer\PLUGINS\npSign.dll

O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DC24A114-F3C9-4686-A337-A7225F1129BF}: Domain = FOO

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = telia.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = telia.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = telia.com

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: iD2 Smart Card Server (id2scaps) - iD2 Technologies - C:\WINDOWS\system32\id2scaps.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

 

 

 

 

 

[Zipp.]

Missa du detta:

 

" När du har klistrat in loggen så måla\markera den och klicka på LOG knappen och sen skicka."

 

 

[log]Ladda ner smitrem.exe på skrivbordet

 

http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

 

Dubbelklicka på den och klicka Start så får du smitrem mappen på skrivbordet

 

Starta sen i felsäkert läge

 

Scanna med Hijack bocka i dessa rader om dom finns och klicka Fix checked

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp5812.tmp

 

Sen öppna smitRem-mappen, dubbelklicka på RunThis.bat filen och följ anvisningarna.

Starta sen normalt och skicka smitrem logg ( C:\smitfiles.txt) och ny Hijack logg

 

" När du har klistrat in loggen så måla\markera den och klicka på LOG knappen och sen skicka."[/log]

 

[PerM]

ny log

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 23:26:45, on 2005-12-11

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvctrl.exe

C:\WINDOWS\system32\mssearchnet.exe

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program\NORTON~1\navapw32.exe

C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\system32\GSICON.EXE

C:\WINDOWS\system32\dslagent.exe

C:\Program\QuickTime\qttask.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\WINDOWS\system32\rundll32.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Program\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Logitech\WINGMA~1\Lwpevntm.exe

C:\Program\Shareaza\Shareaza.exe

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\Program\iD2\CSP\iD2CertMover.exe

C:\Program\Delade filer\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\system32\id2scaps.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

C:\Program\Internet Explorer\iexplore.exe

C:\HiJackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/'>http://www.google.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204'>http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp5812.tmp

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE

O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Lwinst Run Profiler] C:\Program\Logitech\WINGMA~1\Lwinst.exe -d -l "C:\Program\Logitech\WINGMA~1\Lwpevntm.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program\Microsoft AntiSpyware\gcASCleaner.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [shareaza] "C:\Program\Shareaza\Shareaza.exe" -tray

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: iD2 CSP Certificate Utility.lnk = C:\Program\iD2\CSP\iD2CertMover.exe

O4 - Global Startup: Kalenderpåminnelser i Microsoft Works.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .sgn: C:\Program\Internet Explorer\PLUGINS\npSign.dll

O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DC24A114-F3C9-4686-A337-A7225F1129BF}: Domain = FOO

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = telia.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = telia.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = telia.com

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: iD2 Smart Card Server (id2scaps) - iD2 Technologies - C:\WINDOWS\system32\id2scaps.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - [/log]C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

 

 

 

[Zipp.]

Har du gjort allt ja skrev Igår 21:25

För att iallafall ska detta rad vara borta då

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm

 

 

 

[PerM]

Hej Zipp,

 

NU har jag äntligen gjort som du beskrev 21:25 i går, men det ser ut till att problemet kvarstår - jag får fortfarande "your computer is infected" och SpyAxe trivs fortfarande.

 

Nya loggar ser ut så här:

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 19:21:37, on 2005-12-12

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

C:\WINDOWS\system32\id2scaps.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\Program\NORTON~1\navapw32.exe

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\WINDOWS\system32\GSICON.EXE

C:\WINDOWS\system32\dslagent.exe

C:\Program\QuickTime\qttask.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Compaq\EASYAC~1\BttnServ.exe

C:\Program\Shareaza\Shareaza.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Logitech\WINGMA~1\Lwpevntm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program\iD2\CSP\iD2CertMover.exe

C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

C:\Program\Delade filer\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HiJackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/'>http://www.google.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE

O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Lwinst Run Profiler] C:\Program\Logitech\WINGMA~1\Lwinst.exe -d -l "C:\Program\Logitech\WINGMA~1\Lwpevntm.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [shareaza] "C:\Program\Shareaza\Shareaza.exe" -tray

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: iD2 CSP Certificate Utility.lnk = C:\Program\iD2\CSP\iD2CertMover.exe

O4 - Global Startup: Kalenderpåminnelser i Microsoft Works.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .sgn: C:\Program\Internet Explorer\PLUGINS\npSign.dll

O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DC24A114-F3C9-4686-A337-A7225F1129BF}: Domain = FOO

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = telia.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = telia.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = telia.com

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: iD2 Smart Card Server (id2scaps) - iD2 Technologies - C:\WINDOWS\system32\id2scaps.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe[/log]

 

 

 

SmitRem log =

 

[log] smitRem © log file

version 2.8

 

by noahdfear

 

 

Microsoft Windows XP [Version 5.1.2600]

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

checking for ShudderLTD key

 

ShudderLTD key not present!

 

checking for PSGuard.com key

 

 

PSGuard.com key not present!

 

spyaxe uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Existing Pre-run Files

 

 

~~~ Program Files ~~~

 

 

 

~~~ Shortcuts ~~~

 

 

 

~~~ Favorites ~~~

 

 

 

~~~ system32 folder ~~~

 

 

 

~~~ Icons in System32 ~~~

 

 

 

~~~ Windows directory ~~~

 

 

 

~~~ Drive root ~~~

 

 

~~~ Miscellaneous Files/folders ~~~

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 272 'explorer.exe'

Killing PID 272 'explorer.exe'

Killing PID 272 'explorer.exe'

Killing PID 272 'explorer.exe'

Killing PID 272 'explorer.exe'

 

Starting registry repairs

 

Deleting files

 

 

Remaining Post-run Files

 

 

~~~ Program Files ~~~

 

 

 

~~~ Shortcuts ~~~

 

 

 

~~~ Favorites ~~~

 

 

 

~~~ system32 folder ~~~

 

 

 

~~~ Icons in System32 ~~~

 

 

 

~~~ Windows directory ~~~

 

 

 

~~~ Drive root ~~~

 

 

 

~~~ Miscellaneous Files/folders ~~~

 

 

 

 

~~~ Wininet.dll ~~~

 

CLEAN! [/log]

 

 

 

 

Har du vidare tips är jag mycket tacksam.....

 

 

 

 

 

 

[Zipp.]

Hmmm..loggar är ok.

Sök med dolda filer synliga om du hittar detta

 

svchosts.dll

 

eller en mapp som heter 1024 i system 32 mappen

 

 

[inlägget ändrat 2005-12-12 20:09:46 av Zipp.]

[PerM]

Hur söker jag med "dolda filer synliga"?

 

Jag gjorde ett sök i explorer men ingen svchosts.dll eller mapp = 1024 i system 32 mappen.

 

 

 

[Zipp.]

 

Vi prövar om man hittar nåt med detta

 

Ladda ner rkfiles.zip

 

http://skads.org/special/rkfiles.zip

 

unzippa den och sen starta i felsäkert läge och dubbelklicka på RKFiles.bat

Låt den scanna färdigt (kan ta en bra stund) och sen starta normalt och skicka loggen (c:\log.txt)

 

 

[PerM]

Rkfiles log:

 

[log]C:\rkfiles

 

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............

------------------------

C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

 

Files Found in all users startup Folder............

------------------------

Files Found in all users windows Folder............

------------------------

Finished

bye[/log]

 

 

 

 

 

 

 

[Zipp.]

Inget i den loggen.

 

Pröva att titta här.

 

Kontrollpanelen > Utseende och teman > Bilskärm > Skrivbord > Anpassa skrivbordet > Webb

 

Ser du där Security eller nåt liknande så ta bort det.

 

[inlägget ändrat 2005-12-12 21:59:23 av Zipp.]

[PerM]

Nope,

 

där står det bara "min aktuella startsida".

 

 

I ett annat forum (forums.thatcomputerguy.us) hittade jag tidigare något kallades SpyAxeFix.exe

 

har du hört talas om detta?

 

 

 

[Zipp.]

 

Joo jag vet den fixen,men den ingår numera i smitrem.

Kanske detta är nån ny variant .

Kanske man ser nåt med detta

 

Ladda ner

 

http://www.silentrunners.org/Silent%20Runners.vbs

 

sen dubbelklicka på den och om din antivirus varnar så acceptera att skriptet körs.

När den har scannat färdigt så skicka loggen.

 

[PerM]

OK lasddade ner detta men när jag sedan dubbelklickar på den kommer följande meddelande:

 

SKRIPT: C:\silent runners.vbs

RAD: 85

TECKEN: 13

FEL: det gick inte att skapa objektet "wscript.shell"

KOD: 8007007E

KÄLLA: wscript.createobject

 

 

något jag gör fel?

 

[Zipp.]

 

Nej du gör inget fel.

Ligger SpyAxe som en ikon nedre kant av skärmen eller ploppar det upp bara en meddelande .

 

[PerM]

Jag ser inget ikon men det ploppar upp jämt och ständigt samtidigt som Microsoft Antispyware Alert meddelar att SpyAxe vill installeras.

 

 

Det fanns ett tips på ännu ett forum (sysinternals.com):

hans problem var filen "ioctrl.dll" som fanns under windows/system32 foldern.

 

den har jag också.....

 

[Zipp.]

Ok,,pröva att scanna den filen här

 

http://virusscan.jotti.org/

 

[PerM]

Hej,

 

jag får bara meddelande om att

 

server is extremely busy at the moment. Please try again later.

 

 

så jag får prova denna senare.

 

tack så långt

 

 

[Zipp.]

 

Ladda ner KillBox

 

http://www.bleepingcomputer.com/files/spyware/KillBox.zip

 

[log]unzippa,öppna och bocka i Delete on Reboot

Sen kopiera raden nedan

 

C:\windows\system32\ioctrl.dll

 

sen i Killbox > File > Paste from Clipboard

Efter det klicka på Delete (röd med vit X på)

Svara ja på frågor och om inte datorn startar om automatiskt så starta om den.

 

Killbox gör backups hit C:\!KillBox

Gör en .zip av mappen och skicka den till mig.

 

RKroppi@hotmail.com[/log]

 

 

 

 

 

[PerM]

Hej,

 

har just skickat dig ett mail med Killbox file

 

[Zipp.]

Fick den ...tack.

Är SpyAxe borta nu.

 

Ahaa...zippen var tom ingen fil med.

 

[inlägget ändrat 2005-12-13 19:45:56 av Zipp.]

[inlägget ändrat 2005-12-13 19:59:52 av Zipp.]

[PerM]

zippen tom?

 

Sorry, är ingen höjdare på detta. Jag har gjort ett nytt försök.

 

Per

 

 

[PerM]

Hej Zipp,

 

hur såg killbox filen ut?

 

Så långt verkar det som ioctrl.dll filen var problemet, jag har inte fått några fler SpyAxe virus alert meddelanden efter killbox proceduren. Jag skall göra några fler scans med Panda eller Ewido för att kolla så all skit är borta men åker igäg ett par dagar. Låter dig veta mot slutet av veckan.

 

 

 

[Zipp.]

 

> hur såg killbox filen ut? <

 

.zip filen du skicka var fortfarande tom det va bara en tom mapp du skicka.......men du behöver inte skicka igen.