Problem with the Virtumonde virus


Snuffneto

HI!!

My Nod32 found a virus named adware.virtumonde in the file system32/ddcyy.dll

The file cannot be deleted, and a box from Nod32 keeps popping up all the time!

I have run a HijackThis log, which I attach below!

Thanks a lot for the help!!!!!

//

Petter

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 17:59:10, on 2006-10-04

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Henrik\Skrivbord\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {48FB70C5-FB2E-4DC9-AC5D-A6A58EA621D3} - C:\WINDOWS\system32\ddcyy.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\sacfgwec.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O15 - Trusted Zone: http://locator.cdn.imageservr.com

O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com

O15 - Trusted Zone: http://scanner.sysprotect.com

O15 - Trusted Zone: http://*.systemdoctor.com

O15 - Trusted Zone: http://www.winantivirus.com

O15 - Trusted Zone: http://www.winantiviruspro.com

O15 - Trusted Zone: http://download.cdn.winsoftware.com

O15 - Trusted IP range: http://202.67.220.225

O15 - Trusted IP range: http://59.148.220.121

O15 - Trusted IP range: http://62.4.84.53

O15 - Trusted IP range: http://82.98.235.58

O15 - Trusted IP range: http://85.12.25.90

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab

O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll

O20 - Winlogon Notify: winhld32 - winhld32.dll (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program\TuneUp Utilities 2004\WinStylerThemeSvc.exe

 

[/log]

 


 

Go to this page and follow the instructions there:

http://www.atribune.org/content/view/24/2/

Then post a new HijackThis log and the C:\vundofix.txt log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

 


Attaching the logs here!

Something went wrong with a file that could not be deleted at first... but I think VundoFix removed it after the restart....

Is everything okay????!

Thanks a million for the help!!

 

 

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 18:47:58, on 2006-10-04

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\MSN Messenger\msnmsgr.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Henrik\Skrivbord\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {48FB70C5-FB2E-4DC9-AC5D-A6A58EA621D3} - C:\WINDOWS\system32\ddcyy.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\sacfgwec.dll (file missing)

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O15 - Trusted Zone: http://locator.cdn.imageservr.com

O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com

O15 - Trusted Zone: http://scanner.sysprotect.com

O15 - Trusted Zone: http://*.systemdoctor.com

O15 - Trusted Zone: http://www.winantivirus.com

O15 - Trusted Zone: http://www.winantiviruspro.com

O15 - Trusted Zone: http://download.cdn.winsoftware.com

O15 - Trusted IP range: http://202.67.220.225

O15 - Trusted IP range: http://59.148.220.121

O15 - Trusted IP range: http://62.4.84.53

O15 - Trusted IP range: http://82.98.235.58

O15 - Trusted IP range: http://85.12.25.90

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab

O20 - Winlogon Notify: winhld32 - winhld32.dll (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program\TuneUp Utilities 2004\WinStylerThemeSvc.exe[/log]

 

 

 

 

[log]VundoFix V6.2.0

 

Checking Java version...

 

Sun Java not detected

Scan started at 18:27:26 2006-10-04

 

Listing files found while scanning....

 

C:\WINDOWS\system32\ndqapsjb.dll

C:\WINDOWS\system32\nfgbxgcv.dll

C:\WINDOWS\system32\sacfgwec.dll

C:\WINDOWS\system32\kdcdpwhv.exe

C:\WINDOWS\system32\utbwkwwf.exe

C:\WINDOWS\system32\ddcyy.dll

C:\WINDOWS\system32\yycdd.ini

C:\WINDOWS\system32\yycdd.bak1

C:\WINDOWS\system32\yycdd.bak2

C:\WINDOWS\system32\yycdd.ini2

C:\WINDOWS\system32\yycdd.tmp

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\ndqapsjb.dll

C:\WINDOWS\system32\ndqapsjb.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\nfgbxgcv.dll

C:\WINDOWS\system32\nfgbxgcv.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\sacfgwec.dll

C:\WINDOWS\system32\sacfgwec.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\kdcdpwhv.exe

C:\WINDOWS\system32\kdcdpwhv.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\utbwkwwf.exe

C:\WINDOWS\system32\utbwkwwf.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\ddcyy.dll

C:\WINDOWS\system32\ddcyy.dll Could not be deleted.

 

Attempting to delete C:\WINDOWS\system32\yycdd.ini

C:\WINDOWS\system32\yycdd.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\yycdd.bak1

C:\WINDOWS\system32\yycdd.bak1 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\yycdd.bak2

C:\WINDOWS\system32\yycdd.bak2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\yycdd.ini2

C:\WINDOWS\system32\yycdd.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\yycdd.tmp

C:\WINDOWS\system32\yycdd.tmp Has been deleted!

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\ddcyy.dll

C:\WINDOWS\system32\ddcyy.dll Has been deleted!

 

Performing Repairs to the registry.

Done![/log]

 

 

 

 

 

 

 


 

Create a new folder on C:\ and move HijackThis.exe there, so that it is C:\HjT\HijackThis.exe

Scan with HijackThis, tick the following lines, close the web browser and click Fix checked

[log]

O2 - BHO: (no name) - {48FB70C5-FB2E-4DC9-AC5D-A6A58EA621D3} - C:\WINDOWS\system32\ddcyy.dll (file missing)

O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\sacfgwec.dll (file missing)

O15 - Trusted Zone: http://locator.cdn.imageservr.com

O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com

O15 - Trusted Zone: http://scanner.sysprotect.com

O15 - Trusted Zone: http://*.systemdoctor.com

O15 - Trusted Zone: http://www.winantivirus.com

O15 - Trusted Zone: http://www.winantiviruspro.com

O15 - Trusted Zone: http://download.cdn.winsoftware.com

O15 - Trusted IP range: http://202.67.220.225

O15 - Trusted IP range: http://59.148.220.121

O15 - Trusted IP range: http://62.4.84.53

O15 - Trusted IP range: http://82.98.235.58

O15 - Trusted IP range: http://85.12.25.90

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab

O20 - Winlogon Notify: winhld32 - winhld32.dll (file missing)

 

Restart the computer and post a new log.[/log]

 

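As an added example (not from the thread or from the HijackThis project), a small Python checker that applies the helper's criteria above to a HijackThis log: O15 Trusted Zone/IP range entries, O2 BHOs with no name or a missing file, O20 Winlogon Notify hooks whose DLL is gone, and O16 ActiveX downloads from the rogue-software domains seen in this log. The sample log inside is constructed from the thread's entry formats; the domain list and the flag reasons are my assumptions.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on entries from this thread
# (a few clean lines are included so the checker has something to leave alone).
SAMPLE_LOG = """Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {48FB70C5-FB2E-4DC9-AC5D-A6A58EA621D3} - C:\\WINDOWS\\system32\\ddcyy.dll (file missing)
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program\\Eset\\nod32kui.exe" /WAITSERVICE
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: winhld32 - winhld32.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Program\\Eset\\nod32krn.exe
"""

# Domains taken from this thread's O15/O16 entries; an assumed list, extend as needed.
ROGUE_DOMAINS = {"systemdoctor.com", "winantivirus.com", "winantiviruspro.com", "winsoftware.com",
                 "sysprotect.com", "imagesrvr.com", "imageservr.com", "downloadcontrol.com"}

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")

def parse_entries(log_text):
    """Return (section, body) for every HijackThis entry line; header lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def review_entry(section, body):
    """Return a reason if the entry matches one of the helper's criteria, else None."""
    missing = body.endswith("(file missing)")
    if section == "O15":
        # The Trusted Zone relaxes IE security for the listed hosts; a clean XP install has none.
        return "O15: Trusted Zone/IP range entry, added by rogue 'antivirus' installers"
    if section == "O2" and ("(no name)" in body or missing):
        return "O2: BHO with no name or a missing file, typical Vundo leftover"
    if section == "O20" and missing:
        return "O20: Winlogon Notify hook whose DLL is gone (orphaned malware hook)"
    if section == "O16" and any(d in body.lower() for d in ROGUE_DOMAINS):
        return "O16: ActiveX download (DPF) from a rogue-software domain"
    return None

def flag_entries(log_text):
    """Return [(line, reason)] for entries that belong in HijackThis 'Fix checked'."""
    flagged = []
    for section, body in parse_entries(log_text):
        reason = review_entry(section, body)
        if reason:
            flagged.append((section + " - " + body, reason))
    return flagged
```

Run flag_entries on a pasted log to get the same selection the helper made by hand; known-good vendor entries such as the O4 and O23 lines are left alone.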

Archived

This topic is now archived and is closed to further replies.


