Just nu i M3-nätverket
Jump to content

runsrv32.exe


alpolle10

Recommended Posts

När windows startar blippar en ruta upp o försvinner att program runsrv.exe inte kan starta minnet fullt.

Kör nortonantivirus 2006 men det hittar inte något.

Har sökt i datorn det finns en exefil och en dll fil med det namnet

Vad är det för skräp?

 

Link to comment
Share on other sites

här

[LOC:\Program\LEXMAR~1\ACMonitor_X84-X85.exe

C:\Program\LEXMAR~1\AcBtnMgr_X84-X85.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\Program\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe

C:\Program\Personal\bin\Personal.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program\Delade filer\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program\Internet Explorer\IEXPLORE.EXE

C:\Program\Messenger\msmsgs.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)

O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)

O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)

O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program\Norton AntiVirus\NavShExt.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll

O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)

O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program\Intel\Intel Application Accelerator\iaanotif.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [DMXLauncher] C:\Program\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\Program\LEXMAR~1\ACMonitor_X84-X85.exe

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\Program\LEXMAR~1\AcBtnMgr_X84-X85.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Certificate Mover.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {05B59594-8CDE-4887-9046-75147E3D657C} (RegistrationBrowserX Control) - http://www.room328.com/activation/RegistrationBrowserProj.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146598181968

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {E505599B-F37A-4849-A7B0-E0AAB5CB054C} (ScriptPlayerRuntime Class) - https://gfs.nb.se/privat/bank/scripts/eid/NordeaSmartCard.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2E58952A-715E-47F6-B603-CF83C50BB63B}: NameServer = 195.67.199.33,195.67.199.34

O17 - HKLM\System\CS1\Services\Tcpip\..\{2E58952A-715E-47F6-B603-CF83C50BB63B}: NameServer = 195.67.199.33,195.67.199.34

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program\Delade filer\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe

O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

 

G]

 

Link to comment
Share on other sites

 

Ladda ner SmitfraudFix på skrivbordet och unzippa den där.

 

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

 

Sen öppna SmitfraudFix mappen och dubbelklicka på smitfraudfix.cmd

Välj altenativ Search = klicka 1 och Enter

Kopiera loggen som kommer ut och skicka hit.

 

När du har klistrat in loggen så måla\markera den och klicka på LOG knappen och sen skicka.

 

Link to comment
Share on other sites

[[log]LOG]SmitFraudFix v2.100

 

Scan done at 20:59:42,68, 2006-09-28

Run from C:\Documents and Settings\Roger\Skrivbord\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» C:

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

C:\WINDOWS\adware-sheriff-box.gif FOUND !

C:\WINDOWS\adware-sheriff-header.gif FOUND !

C:\WINDOWS\alexaie.dll FOUND !

C:\WINDOWS\alxie328.dll FOUND !

C:\WINDOWS\alxtb1.dll FOUND !

C:\WINDOWS\antispylab-logo.gif FOUND !

C:\WINDOWS\about_spyware_bg.gif FOUND !

C:\WINDOWS\blue-bg.gif FOUND !

C:\WINDOWS\BTGrab.dll FOUND !

C:\WINDOWS\buy-now-btn.gif FOUND !

C:\WINDOWS\close-bar.gif FOUND !

C:\WINDOWS\corner-left.gif FOUND !

C:\WINDOWS\corner-right.gif FOUND !

C:\WINDOWS\dlmax.dll FOUND !

C:\WINDOWS\facts.gif FOUND !

C:\WINDOWS\footer.giff FOUND !

C:\WINDOWS\free-scan-btn.gif FOUND !

C:\WINDOWS\h-line-gradient.gif FOUND !

C:\WINDOWS\header-bg.gif FOUND !

C:\WINDOWS\infected.gif FOUND !

C:\WINDOWS\info.gif FOUND !

C:\WINDOWS\no-icon.gif FOUND !

C:\WINDOWS\Pynix.dll FOUND !

C:\WINDOWS\reg-freeze-box.gif FOUND !

C:\WINDOWS\reg-freeze-header.gif FOUND !

C:\WINDOWS\remove-spyware-btn.gif FOUND !

C:\WINDOWS\spyware-sheriff-header.gif FOUND !

C:\WINDOWS\spyware-sheriff-box.gif FOUND !

C:\WINDOWS\star.gif FOUND !

C:\WINDOWS\star-grey.gif FOUND !

C:\WINDOWS\susp.exe FOUND !

C:\WINDOWS\true-stories.gif FOUND !

C:\WINDOWS\warning-bar-ico.gif FOUND !

C:\WINDOWS\win-sec-center-logo.gif FOUND !

C:\WINDOWS\windows-compatible.gif FOUND !

C:\WINDOWS\yes-icon.gif FOUND !

C:\WINDOWS\ZServ.dll FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

C:\WINDOWS\system32\a.exe FOUND [/log]

 

Link to comment
Share on other sites

 

Starta datorn i felsäkert läge.

 

Efter det öppna SmitfraudFix mappen och dubbelklicka på smitfraudfix.cmd

Välj altenativ Clean = klicka 2 och Enter

Sen vänta tills den jobbar klart.

På frågan "Registry cleaning - Do you want to clean the registry ?"

svara Yes med att klicka Y och Enter

Om wininet.dll är infekterad får du frågan "Replace infected file ?"

svara Yes med att klicka Y och Enter.

Om inte datorn startar om automatiskt så starta den i normalläge.

 

Skicka sen en ny Hijack logg och C:\rapport.txt

 

 

Link to comment
Share on other sites

[log]Logfile of HijackThis v1.99.1

Scan saved at 21:15:11, on 2006-09-28

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Delade filer\Symantec Shared\ccProxy.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\Smartscaps.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program\Intel\Intel Application Accelerator\iaanotif.exe

C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe

C:\Program\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program\Winamp\winampa.exe

C:\Program\LEXMAR~1\ACMonitor_X84-X85.exe

C:\Program\LEXMAR~1\AcBtnMgr_X84-X85.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\Program\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe

C:\Program\Personal\bin\Personal.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\Delade filer\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program\Hijackthis\HijackThis.exe[/log]

 

Link to comment
Share on other sites

[log]SmitFraudFix v2.100

 

Scan done at 21:10:28,64, 2006-09-28

Run from C:\Documents and Settings\Roger\Skrivbord\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\adware-sheriff-box.gif Deleted

C:\WINDOWS\adware-sheriff-header.gif Deleted

C:\WINDOWS\alexaie.dll Deleted

C:\WINDOWS\alxie328.dll Deleted

C:\WINDOWS\alxtb1.dll Deleted

C:\WINDOWS\antispylab-logo.gif Deleted

C:\WINDOWS\about_spyware_bg.gif Deleted

C:\WINDOWS\blue-bg.gif Deleted

C:\WINDOWS\BTGrab.dll Deleted

C:\WINDOWS\buy-now-btn.gif Deleted

C:\WINDOWS\close-bar.gif Deleted

C:\WINDOWS\corner-left.gif Deleted

C:\WINDOWS\corner-right.gif Deleted

C:\WINDOWS\dlmax.dll Deleted

C:\WINDOWS\facts.gif Deleted

C:\WINDOWS\footer.gif Deleted

C:\WINDOWS\free-scan-btn.gif Deleted

C:\WINDOWS\h-line-gradient.gif Deleted

C:\WINDOWS\header-bg.gif Deleted

C:\WINDOWS\infected.gif Deleted

C:\WINDOWS\info.gif Deleted

C:\WINDOWS\no-icon.gif Deleted

C:\WINDOWS\Pynix.dll Deleted

C:\WINDOWS\reg-freeze-box.gif Deleted

C:\WINDOWS\reg-freeze-header.gif Deleted

C:\WINDOWS\remove-spyware-btn.gif Deleted

C:\WINDOWS\spyware-sheriff-header.gif Deleted

C:\WINDOWS\spyware-sheriff-box.gif Deleted

C:\WINDOWS\star.gif Deleted

C:\WINDOWS\star-grey.gif Deleted

C:\WINDOWS\true-stories.gif Deleted

C:\WINDOWS\susp.exe Deleted

C:\WINDOWS\warning-bar-ico.gif Deleted

C:\WINDOWS\win-sec-center-logo.gif Deleted

C:\WINDOWS\windows-compatible.gif Deleted

C:\WINDOWS\yes-icon.gif Deleted

C:\WINDOWS\ZServ.dll Deleted

C:\WINDOWS\system32\a.exe Deleted

C:\WINDOWS\system32\alxres.dll Deleted

C:\WINDOWS\system32\bridge.dll Deleted

C:\WINDOWS\system32\CWS_iestart.exe Deleted

C:\WINDOWS\system32\dailytoolbar.dll Deleted

C:\WINDOWS\system32\exuc32.tmp Deleted

C:\WINDOWS\system32\jao.dll Deleted

C:\WINDOWS\system32\mirarsearch_toolbar.exe Deleted

C:\WINDOWS\system32\questmod.dll Deleted[/log]

 

Link to comment
Share on other sites

[log]SmitFraudFix v2.100

 

Scan done at 21:10:28,64, 2006-09-28

Run from C:\Documents and Settings\Roger\Skrivbord\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\adware-sheriff-box.gif Deleted

C:\WINDOWS\adware-sheriff-header.gif Deleted

C:\WINDOWS\alexaie.dll Deleted

C:\WINDOWS\alxie328.dll Deleted

C:\WINDOWS\alxtb1.dll Deleted

C:\WINDOWS\antispylab-logo.gif Deleted

C:\WINDOWS\about_spyware_bg.gif Deleted

C:\WINDOWS\blue-bg.gif Deleted

C:\WINDOWS\BTGrab.dll Deleted

C:\WINDOWS\buy-now-btn.gif Deleted

C:\WINDOWS\close-bar.gif Deleted

C:\WINDOWS\corner-left.gif Deleted

C:\WINDOWS\corner-right.gif Deleted

C:\WINDOWS\dlmax.dll Deleted

C:\WINDOWS\facts.gif Deleted

C:\WINDOWS\footer.gif Deleted

C:\WINDOWS\free-scan-btn.gif Deleted

C:\WINDOWS\h-line-gradient.gif Deleted

C:\WINDOWS\header-bg.gif Deleted

C:\WINDOWS\infected.gif Deleted

C:\WINDOWS\info.gif Deleted

C:\WINDOWS\no-icon.gif Deleted

C:\WINDOWS\Pynix.dll Deleted

C:\WINDOWS\reg-freeze-box.gif Deleted

C:\WINDOWS\reg-freeze-header.gif Deleted

C:\WINDOWS\remove-spyware-btn.gif Deleted

C:\WINDOWS\spyware-sheriff-header.gif Deleted

C:\WINDOWS\spyware-sheriff-box.gif Deleted

C:\WINDOWS\star.gif Deleted

C:\WINDOWS\star-grey.gif Deleted

C:\WINDOWS\true-stories.gif Deleted

C:\WINDOWS\susp.exe Deleted

C:\WINDOWS\warning-bar-ico.gif Deleted

C:\WINDOWS\win-sec-center-logo.gif Deleted

C:\WINDOWS\windows-compatible.gif Deleted

C:\WINDOWS\yes-icon.gif Deleted

C:\WINDOWS\ZServ.dll Deleted

C:\WINDOWS\system32\a.exe Deleted

C:\WINDOWS\system32\alxres.dll Deleted

C:\WINDOWS\system32\bridge.dll Deleted

C:\WINDOWS\system32\CWS_iestart.exe Deleted

C:\WINDOWS\system32\dailytoolbar.dll Deleted

C:\WINDOWS\system32\exuc32.tmp Deleted

C:\WINDOWS\system32\jao.dll Deleted

C:\WINDOWS\system32\mirarsearch_toolbar.exe Deleted

C:\WINDOWS\system32\questmod.dll Deleted

C:\WINDOWS\system32\runsrv32.dll Deleted

C:\WINDOWS\system32\runsrv32.exe Deleted

C:\WINDOWS\system32\shellgui32.dll Deleted

C:\WINDOWS\system32\tcpservice2.exe Deleted

C:\WINDOWS\system32\txfdb32.dll Deleted

C:\WINDOWS\system32\udpmod.dll Deleted

C:\WINDOWS\system32\wstart.dll Deleted

C:\WINDOWS\system32\zlbw.dll Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files[/log]

 

Link to comment
Share on other sites

[log]Logfile of HijackThis v1.99.1

Scan saved at 21:25:13, on 2006-09-28

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Delade filer\Symantec Shared\ccProxy.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\Smartscaps.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program\Intel\Intel Application Accelerator\iaanotif.exe

C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program\Winamp\winampa.exe

C:\Program\LEXMAR~1\ACMonitor_X84-X85.exe

C:\Program\LEXMAR~1\AcBtnMgr_X84-X85.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\Program\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe

C:\Program\Personal\bin\Personal.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program\Delade filer\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program\Internet Explorer\IEXPLORE.EXE

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program\Norton AntiVirus\NavShExt.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program\Intel\Intel Application Accelerator\iaanotif.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [DMXLauncher] C:\Program\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\Program\LEXMAR~1\ACMonitor_X84-X85.exe

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\Program\LEXMAR~1\AcBtnMgr_X84-X85.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Certificate Mover.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {05B59594-8CDE-4887-9046-75147E3D657C} (RegistrationBrowserX Control) - http://www.room328.com/activation/RegistrationBrowserProj.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146598181968

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {E505599B-F37A-4849-A7B0-E0AAB5CB054C} (ScriptPlayerRuntime Class) - https://gfs.nb.se/privat/bank/scripts/eid/NordeaSmartCard.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2E58952A-715E-47F6-B603-CF83C50BB63B}: NameServer = 195.67.199.33,195.67.199.34

O17 - HKLM\System\CS1\Services\Tcpip\..\{2E58952A-715E-47F6-B603-CF83C50BB63B}: NameServer = 195.67.199.33,195.67.199.34

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program\Delade filer\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe

O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe[/log]

 

Link to comment
Share on other sites

  • 2 weeks later...
gruesome_badger

Hej!

 

Jag har också problem med runsrv32.exe. Kommandotolken ploppar upp när jag startar upp Windows. Jag tror det står "felaktigt kommando eller filnamn" på tre rader, det tar bara ett ögonblick sedan stängs prompten.

 

Ska jag köra HiJackThis och SmitfraudFix direkt, eller kan det vara något annat i mitt fall?

 

Hoppas att någon har tid...

 

Link to comment
Share on other sites

gruesome_badger

[log]Logfile of HijackThis v1.99.1

Scan saved at 15:28:07, on 2006-10-11

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

C:\WINDOWS\SYSTEM32\SPOOLSV.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RunDll32.exe

C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program\Vanliga filer\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRAM\MSN MESSENGER\MSNMSGR.EXE

C:\Program\Messenger\msmsgs.exe

C:\Program\Creative\MediaSource\Detector\CTDetect.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\WgaTray.exe

C:\PROGRAM\MOZILLA FIREFOX\FIREFOX.EXE

C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM\CANON\EASY-WEBPRINT\TOOLBAND.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [REGSHAVE] C:\Program\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Vanliga filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program\Trend Micro\Internet Security 14\pccguide.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Creative Detector] C:\Program\Creative\MediaSource\Detector\CTDetect.exe /R

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3D3CE497-B7CB-48C0-B2FC-EE64637C617A}: NameServer = 195.67.199.24 195.67.199.25

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\Program\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program\TRENDM~1\INTERN~1\tmproxy.exe

[/log]

 

 

 

Jag körde även en online scan på kaspersky.com och fick besked om att jag har två trojaner i SYSTEM32\... Något som mitt PC-cillin Internet Security 14 inte lyckats hitta. Jag uppdaterar alltid så fort det kommer en ny, och scannar systemet dagligen men det hjälpte visst inte. Dags att byta till Kaspersky kanske...

 

Link to comment
Share on other sites

gruesome_badger

Här kommer den:

 

 

SmitFraudFix v2.109

 

Scan done at 16:07:53,63, 2006-10-11

Run from C:\Documents and Settings\Graak Wendtbj„lfs\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» C:

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

C:\WINDOWS\adware-sheriff-box.gif FOUND !

C:\WINDOWS\adware-sheriff-header.gif FOUND !

C:\WINDOWS\alexaie.dll FOUND !

C:\WINDOWS\alxie328.dll FOUND !

C:\WINDOWS\alxtb1.dll FOUND !

C:\WINDOWS\antispylab-logo.gif FOUND !

C:\WINDOWS\blue-bg.gif FOUND !

C:\WINDOWS\BTGrab.dll FOUND !

C:\WINDOWS\buy-now-btn.gif FOUND !

C:\WINDOWS\close-bar.gif FOUND !

C:\WINDOWS\corner-left.gif FOUND !

C:\WINDOWS\corner-right.gif FOUND !

C:\WINDOWS\facts.gif FOUND !

C:\WINDOWS\footer.giff FOUND !

C:\WINDOWS\free-scan-btn.gif FOUND !

C:\WINDOWS\h-line-gradient.gif FOUND !

C:\WINDOWS\header-bg.gif FOUND !

C:\WINDOWS\infected.gif FOUND !

C:\WINDOWS\info.gif FOUND !

C:\WINDOWS\no-icon.gif FOUND !

C:\WINDOWS\Pynix.dll FOUND !

C:\WINDOWS\reg-freeze-box.gif FOUND !

C:\WINDOWS\reg-freeze-header.gif FOUND !

C:\WINDOWS\remove-spyware-btn.gif FOUND !

C:\WINDOWS\spyware-sheriff-header.gif FOUND !

C:\WINDOWS\spyware-sheriff-box.gif FOUND !

C:\WINDOWS\star.gif FOUND !

C:\WINDOWS\star-grey.gif FOUND !

C:\WINDOWS\susp.exe FOUND !

C:\WINDOWS\true-stories.gif FOUND !

C:\WINDOWS\warning-bar-ico.gif FOUND !

C:\WINDOWS\win-sec-center-logo.gif FOUND !

C:\WINDOWS\windows-compatible.gif FOUND !

C:\WINDOWS\yes-icon.gif FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

C:\WINDOWS\system32\a.exe FOUND !

C:\WINDOWS\system32\alxres.dll FOUND !

C:\WINDOWS\system32\bridge.dll FOUND !

C:\WINDOWS\system32\dailytoolbar.dll FOUND !

C:\WINDOWS\system32\jao.dll FOUND !

C:\WINDOWS\system32\migicons.exe FOUND !

C:\WINDOWS\system32\parad.raw.exe FOUND !

C:\WINDOWS\system32\questmod.dll FOUND !

C:\WINDOWS\system32\runsrv32.dll FOUND !

C:\WINDOWS\system32\runsrv32.exe FOUND !

C:\WINDOWS\system32\tcpservice2.exe FOUND !

C:\WINDOWS\system32\txfdb32.dll FOUND !

C:\WINDOWS\system32\udpmod.dll FOUND !

C:\WINDOWS\system32\wstart.dll FOUND !

C:\WINDOWS\system32\zlbw.dll FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Graak Wendtbj„lfs

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Graak Wendtbj„lfs\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\GRAAKW~1\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Min aktuella startsida"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

 

Såg ju ganska mastigt ut... formateringsläge?

[inlägget ändrat 2006-10-11 16:09:49 av gruesome_badger]

Link to comment
Share on other sites

 

> Såg ju ganska mastigt ut... formateringsläge? <

 

Nej,fixen tar bort allt den hitta

 

Starta datorn i felsäkert läge.

 

Efter det öppna SmitfraudFix mappen och dubbelklicka på smitfraudfix.cmd

Välj altenativ Clean = klicka 2 och Enter

Sen vänta tills den jobbar klart.

På frågan "Registry cleaning - Do you want to clean the registry ?"

svara Yes med att klicka Y och Enter

Om wininet.dll är infekterad får du frågan "Replace infected file ?"

svara Yes med att klicka Y och Enter.

Om inte datorn startar om automatiskt så starta den i normalläge.

 

Skicka sen en ny Hijack logg och C:\rapport.txt

 

 

Link to comment
Share on other sites

gruesome_badger

Ok, här kommer de nya loggarna:

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 00:28:09, on 2006-10-12

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

C:\WINDOWS\SYSTEM32\SPOOLSV.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RunDll32.exe

C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program\Vanliga filer\Real\Update_OB\realsched.exe

C:\Program\Trend Micro\Internet Security 14\pccguide.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRAM\MSN MESSENGER\MSNMSGR.EXE

C:\Program\Messenger\msmsgs.exe

C:\Program\Creative\MediaSource\Detector\CTDetect.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\PROGRAM\TRENDM~1\INTERN~1\PCCTLCOM.EXE

C:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\Program\TRENDM~1\INTERN~1\TmPfw.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM\MOZILLA FIREFOX\FIREFOX.EXE

C:\Program\TRENDM~1\INTERN~1\tmproxy.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM\CANON\EASY-WEBPRINT\TOOLBAND.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [REGSHAVE] C:\Program\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Vanliga filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program\Trend Micro\Internet Security 14\pccguide.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Creative Detector] C:\Program\Creative\MediaSource\Detector\CTDetect.exe /R

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3D3CE497-B7CB-48C0-B2FC-EE64637C617A}: NameServer = 195.67.199.24 195.67.199.25

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\Program\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program\TRENDM~1\INTERN~1\tmproxy.exe

[/log]

 

 

och

 

 

 

SmitFraudFix v2.109

 

Scan done at 0:15:37,23, 2006-10-12

Run from C:\Documents and Settings\Graak Wendtbj„lfs\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\adware-sheriff-box.gif Deleted

C:\WINDOWS\adware-sheriff-header.gif Deleted

C:\WINDOWS\alexaie.dll Deleted

C:\WINDOWS\alxie328.dll Deleted

C:\WINDOWS\alxtb1.dll Deleted

C:\WINDOWS\antispylab-logo.gif Deleted

C:\WINDOWS\blue-bg.gif Deleted

C:\WINDOWS\BTGrab.dll Deleted

C:\WINDOWS\buy-now-btn.gif Deleted

C:\WINDOWS\close-bar.gif Deleted

C:\WINDOWS\corner-left.gif Deleted

C:\WINDOWS\corner-right.gif Deleted

C:\WINDOWS\facts.gif Deleted

C:\WINDOWS\footer.gif Deleted

C:\WINDOWS\free-scan-btn.gif Deleted

C:\WINDOWS\h-line-gradient.gif Deleted

C:\WINDOWS\header-bg.gif Deleted

C:\WINDOWS\infected.gif Deleted

C:\WINDOWS\info.gif Deleted

C:\WINDOWS\no-icon.gif Deleted

C:\WINDOWS\Pynix.dll Deleted

C:\WINDOWS\reg-freeze-box.gif Deleted

C:\WINDOWS\reg-freeze-header.gif Deleted

C:\WINDOWS\remove-spyware-btn.gif Deleted

C:\WINDOWS\spyware-sheriff-header.gif Deleted

C:\WINDOWS\spyware-sheriff-box.gif Deleted

C:\WINDOWS\star.gif Deleted

C:\WINDOWS\star-grey.gif Deleted

C:\WINDOWS\true-stories.gif Deleted

C:\WINDOWS\susp.exe Deleted

C:\WINDOWS\warning-bar-ico.gif Deleted

C:\WINDOWS\win-sec-center-logo.gif Deleted

C:\WINDOWS\windows-compatible.gif Deleted

C:\WINDOWS\yes-icon.gif Deleted

C:\WINDOWS\system32\a.exe Deleted

C:\WINDOWS\system32\alxres.dll Deleted

C:\WINDOWS\system32\bridge.dll Deleted

C:\WINDOWS\system32\dailytoolbar.dll Deleted

C:\WINDOWS\system32\jao.dll Deleted

C:\WINDOWS\system32\migicons.exe Deleted

C:\WINDOWS\system32\parad.raw.exe Deleted

C:\WINDOWS\system32\questmod.dll Deleted

C:\WINDOWS\system32\runsrv32.dll Deleted

C:\WINDOWS\system32\runsrv32.exe Deleted

C:\WINDOWS\system32\tcpservice2.exe Deleted

C:\WINDOWS\system32\txfdb32.dll Deleted

C:\WINDOWS\system32\udpmod.dll Deleted

C:\WINDOWS\system32\wstart.dll Deleted

C:\WINDOWS\system32\zlbw.dll Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.



×
×
  • Create New...