Just nu i M3-nätverket
Jump to content

WIN32.TROJANDOWNLOADER.ZLOB


bemz

Recommended Posts

WIN32.TROJANDOWNLOADER.ZLOB Hur ska jag få bort det??

Är inte direkt superdatakunnig och jag behöver verkligen hjälp...

pleeeeease... känner liksom ingen som kan hjälpa mig heller

 

/kass

 

Link to comment
Share on other sites

Vi kan ju se om HijackThis visar något till att börja med:

http://www.thespykiller.co.uk/files/HJTsetup.exe

Installera, kör, skanna och spara loggen (inget annat).

I ditt svar bifogar du HijackThis-loggen.

 

Ladda ner programmet SmitfraudFix (by S!Ri) till Skrivbordet:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Högerklicka och extrahera allt innehåll till Skrivbordet. En mapp SmitfraudFix kommer att skapas.

 

Öppna SmitfraudFix-mappen och dubbelklicka på smitfraudfix.cmd.

Välj alternativ #1 - Search genom att trycka på 1 och Enter.

Programmet kommer att skanna igenom datorn.

När den är klart visas resultatet och programmet har skapat loggfilen C:\rapport.txt.

 

I ditt svar bifogar du SmitfraudFix-loggen.

 

Gör inget annat med SmitfraudFix-mappen eller smitfraudfix.cmd.

 

I ditt svar bifogar du loggarna på detta sätt:

Tryck på LOG-knappen i Besvara-fönstret

Klistra in loggen

Tryck igen på LOG-knappen

 

Link to comment
Share on other sites

[log]Logfile of HijackThis v1.99.1

Scan saved at 12:42:17, on 2006-11-26

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\AntiVir PersonalEdition Classic\sched.exe

C:\Program\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ishost.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program\SPYWAREfighter\spftray.exe

C:\WINDOWS\system32\ismini.exe

C:\Program\NETGEAR\WG311T\wlancfg5.exe

C:\Program\SPYWAREfighter\spfprc.exe

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\MSN Messenger\msnmsgr.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {85643C46-FAFB-800D-DEA6-D228910664BB} - C:\WINDOWS\system32\moyqevt.dll (file missing)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\uohauhnn.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1D5C5D85-B424-467D-BD6B-9378942D6CFC} - C:\WINDOWS\system32\ddcyw.dll (file missing)

O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll

O2 - BHO: (no name) - {85643C46-FAFB-800D-DEA6-D228910664BB} - C:\WINDOWS\system32\moyqevt.dll (file missing)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [outlook] C:\Program\outlook\outlook.exe /auto

O4 - HKLM\..\Run: [winlog] winlog.exe

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvlib.dll,startup

O4 - HKLM\..\Run: [ipWins] C:\Program\ipwins\ipwins.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [spywarefighterguard] C:\Program\SPYWAREfighter\spftray.exe

O4 - HKLM\..\RunServices: [winlog] winlog.exe

O4 - HKCU\..\Run: [Absa] "C:\DOCUME~1\Jonas\APPLIC~1\SKS~1\explorer.exe" -vt yazb

O4 - HKCU\..\Run: [bidhg] C:\Program\A?pPatch\w?auboot.exe

O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = C:\Program\NETGEAR\WG311T\wlancfg5.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162331674557

O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/getPlugin.do

O17 - HKLM\System\CCS\Services\Tcpip\..\{86CCC1A6-3E1A-4AE3-9956-306FDD01B4CD}: NameServer = 80.65.194.10,213.141.64.3

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: ddcyw - C:\WINDOWS\system32\ddcyw.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: winjks32 - C:\WINDOWS\SYSTEM32\winjks32.dll

O21 - SSODL: boucicault - {0bad5052-665d-40d4-a9bd-a2891eaafb42} - (no file)

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SPYWAREfighterRP - SpamFighter APS - C:\Program\SPYWAREfighter\spfprc.exe

 

[/log]

 

[log]SmitFraudFix v2.124

 

Scan done at 12:46:43,53, 2006-11-26

Run from C:\Documents and Settings\Jonas\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» C:

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

C:\WINDOWS\system32\fmrmhc.dll FOUND !

C:\WINDOWS\system32\ishost.exe FOUND !

C:\WINDOWS\system32\ismini.exe FOUND !

C:\WINDOWS\system32\ixt?.dll FOUND !

C:\WINDOWS\system32\ixt??.dll FOUND !

C:\WINDOWS\system32\ot.ico FOUND !

C:\WINDOWS\system32\ts.ico FOUND !

C:\WINDOWS\system32\components\flx?.dll FOUND !

C:\WINDOWS\system32\components\flx??.dll FOUND !

C:\WINDOWS\system32\components\flx???.dll FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jonas

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jonas\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jonas\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Min aktuella startsida"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{0bad5052-665d-40d4-a9bd-a2891eaafb42}"="boucicault"

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

[/log]

 

Link to comment
Share on other sites

Starta HijackThis

Tryck på Config - Misc Tools - Delete a file on reboot

Klistra in detta filnamn:

C:\WINDOWS\SYSTEM32\.dll

Open

Svara Yes/Ja på frågan om datorn ska startas om.

 

Starta om datorn i felsäkert läge genom att trycka F8 upprepade gånger under uppstarten och välja Felsäkert i menyn.

 

Öppna SmitfraudFix-mappen och dubbelklicka på smitfraudfix.cmd för att starta programmet.

Välj alternativ #2 genom att trycka 2 och Enter.

Vänta på att verktyget blir klart och diskrensningen avslutas.

Under tiden så kommer det en fråga om du vill rensa registret (clean the registry) svara ja (Yes) genom att trycka Y och Enter.

 

Om datorn inte startar om av sig själv så gör du det.

Även denna gång ska det vara felsäkert läge.

 

Kontrollpanelen - Internet-alternativ - Allmänt - Ta bort filer, kryssa i rutan - OK

Sedan på fliken Program, välj Återställ webbinställningar. Verkställ - OK

 

Kontrollpanelen - Bildskärm - Skrivbord - Anpassa skrivbordet - Webb

Om det finns något med Security info eller liknande så Ta bort det.

OK - Verkställ - OK

 

Starta om datorn i normalt läge.

 

I ditt svar så klistra in den nyss skapade C:\rapport.txt och en ny HijackThis-logg, samt skriv hur datorn uppför sig nu.

 

Link to comment
Share on other sites

Sådär nu har jag gjort det!

Än så länge fungerar datorn bra, Internet explorer funkar som det ska.

Har inte märkt något annorlunda.

Det enda som inte var som det brukar var väl att det kom ett säkerhetsmeddelande i början där det stod;

Datorn kan vara utsatt för risk.

Avira AntiVir PersonalEdition Classic är inaktiverad.

Klicka på det här meddelandet om du vill rätta till problemet.

men asså.. det var ju bara för att virusskyddet itne var på men det är ju itne svårt att ordna hehe :)

 

[log]SmitFraudFix v2.124

 

Scan done at 13:39:43,12, 2006-11-26

Run from C:\Documents and Settings\Jonas\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{0bad5052-665d-40d4-a9bd-a2891eaafb42}"="boucicault"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\system32\fmrmhc.dll Deleted

C:\WINDOWS\system32\ishost.exe Deleted

C:\WINDOWS\system32\ismini.exe Deleted

C:\WINDOWS\system32\ixt?.dll Deleted

C:\WINDOWS\system32\ot.ico Deleted

C:\WINDOWS\system32\ts.ico Deleted

C:\WINDOWS\system32\components\flx?.dll Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

[/log]

[log]Logfile of HijackThis v1.99.1

Scan saved at 13:46:00, on 2006-11-26

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\AntiVir PersonalEdition Classic\sched.exe

C:\Program\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program\SPYWAREfighter\spftray.exe

C:\Program\NETGEAR\WG311T\wlancfg5.exe

C:\Program\SPYWAREfighter\spfprc.exe

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {85643C46-FAFB-800D-DEA6-D228910664BB} - C:\WINDOWS\system32\moyqevt.dll (file missing)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\uohauhnn.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1D5C5D85-B424-467D-BD6B-9378942D6CFC} - C:\WINDOWS\system32\ddcyw.dll (file missing)

O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)

O2 - BHO: (no name) - {85643C46-FAFB-800D-DEA6-D228910664BB} - C:\WINDOWS\system32\moyqevt.dll (file missing)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [outlook] C:\Program\outlook\outlook.exe /auto

O4 - HKLM\..\Run: [winlog] winlog.exe

O4 - HKLM\..\Run: [ipWins] C:\Program\ipwins\ipwins.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [spywarefighterguard] C:\Program\SPYWAREfighter\spftray.exe

O4 - HKLM\..\RunServices: [winlog] winlog.exe

O4 - HKCU\..\Run: [Absa] "C:\DOCUME~1\Jonas\APPLIC~1\SKS~1\explorer.exe" -vt yazb

O4 - HKCU\..\Run: [bidhg] C:\Program\A?pPatch\w?auboot.exe

O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = C:\Program\NETGEAR\WG311T\wlancfg5.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162331674557

O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/getPlugin.do

O17 - HKLM\System\CCS\Services\Tcpip\..\{86CCC1A6-3E1A-4AE3-9956-306FDD01B4CD}: NameServer = 80.65.194.10,213.141.64.3

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: ddcyw - C:\WINDOWS\system32\ddcyw.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: winjks32 - C:\WINDOWS\SYSTEM32\winjks32.dll

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SPYWAREfighterRP - SpamFighter APS - C:\Program\SPYWAREfighter\spfprc.exe

[/log]

 

Link to comment
Share on other sites

Det finns en del kvar i alla fall.

 

Ladda ner AVG Anti-Spyware (Ewido):

http://www.ewido.net/en/download/

Installera och uppdatera enligt anvisningarna på den här sidan:

http://rstones12.geekstogo.com/ewidosetup.htm Bara den första punktlistan, du ska inte skanna än.

 

Skapa en ny mapp på C:, C:\BFU.

Ladda ner Brute Force Uninstaller:

http://www.merijn.org/files/bfu.zip

Packa upp filen till mappen du nyss skapade, C:\BFU.

 

Spara denna fil Alcra Remover:

http://metallica.geekstogo.com/alcanshorty.bfu

i samma mapp.

 

Starta om datorn i felsäkert läge (tryck F8 upprepade gånger under uppstarten och välj felsäkert läge i menyn).

 

Skanna datorn med Ewido på detta sätt:

Tryck på Scanner.

Gå till Scan-fliken

Tryck på Complete System Scan

När skanningen är klar så välj Apply all actions

Tryck Reports, sedan välj Save report as och spara rapporten t ex på Skrivbordet.

 

Men Utforskaren eller Den här datorn gå till mappen du skapade förut, C:\BFU, starta programmet genom att dubbelklicka på BFU.exe.

Efter "scriptline to execute" tryck på mapp-ikonen och välj alcanshorty.bfu

Tryck "execute" och låt programmet jobba på.

Vänta tills en ruta med "complete script execution" dyker upp och då trycker du OK och sedan Exit för att avsluta programmet.

 

[log]Skanna med HijackThis och bocka för dessa rader:

 

R3 - URLSearchHook: (no name) - {85643C46-FAFB-800D-DEA6-D228910664BB} - C:\WINDOWS\system32\moyqevt.dll (file missing)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\uohauhnn.dll

O2 - BHO: (no name) - {1D5C5D85-B424-467D-BD6B-9378942D6CFC} - C:\WINDOWS\system32\ddcyw.dll (file missing)

O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)

O2 - BHO: (no name) - {85643C46-FAFB-800D-DEA6-D228910664BB} - C:\WINDOWS\system32\moyqevt.dll (file missing)

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [outlook] C:\Program\outlook\outlook.exe /auto

O4 - HKLM\..\Run: [winlog] winlog.exe

O4 - HKLM\..\RunServices: [winlog] winlog.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/Zwinky

InitialSetup1.0.0.15.cab

O20 - Winlogon Notify: ddcyw - C:\WINDOWS\system32\ddcyw.dll (file missing)

 

Avsluta alla andra program.

Tryck på Fix checked.

 

Starta om i normalt läge.

 

I ditt svar så klistra in rapporten från Ewido och en ny HijackThis-logg.[/log]

 

Link to comment
Share on other sites

Gjorde som det stod men kunde inte göra allt.

Det stod att jag skulle bocka för raderna nedan men dom fanns inte så jag struntade i dom.

 

O4 - HKLM\..\Run: [outlook] C:\Program\outlook\outlook.exe /auto

O4 - HKLM\..\Run: [winlog] winlog.exe

O4 - HKLM\..\RunServices: [winlog] winlog.exe

 

Skickar med en bild på dom 04-raderna som fanns.

 

[log]---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 16:35:13 2006-11-26

 

+ Scan result:

 

 

 

C:\System Volume Information\_restore{A8AE72B5-C734-4B54-8085-1F095B1A7A1F}\RP217\A0032083.dll -> Adware.PurityScan : Cleaned.

C:\System Volume Information\_restore{A8AE72B5-C734-4B54-8085-1F095B1A7A1F}\RP217\A0032076.exe -> Adware.Softomate : Cleaned.

C:\System Volume Information\_restore{A8AE72B5-C734-4B54-8085-1F095B1A7A1F}\RP217\A0032077.dll -> Adware.Softomate : Cleaned.

C:\System Volume Information\_restore{A8AE72B5-C734-4B54-8085-1F095B1A7A1F}\RP217\A0032078.exe -> Adware.Softomate : Cleaned.

C:\System Volume Information\_restore{A8AE72B5-C734-4B54-8085-1F095B1A7A1F}\RP217\A0032082.dll -> Adware.Virtumonde : Cleaned.

C:\System Volume Information\_restore{A8AE72B5-C734-4B54-8085-1F095B1A7A1F}\RP217\A0032081.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned.

:mozilla.41:C:\Documents and Settings\Jonas\Application Data\Mozilla\Firefox\Profiles\3ca81vgg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.42:C:\Documents and Settings\Jonas\Application Data\Mozilla\Firefox\Profiles\3ca81vgg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.43:C:\Documents and Settings\Jonas\Application Data\Mozilla\Firefox\Profiles\3ca81vgg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.12:C:\Documents and Settings\Jonas\Application Data\Mozilla\Firefox\Profiles\3ca81vgg.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.

:mozilla.13:C:\Documents and Settings\Jonas\Application Data\Mozilla\Firefox\Profiles\3ca81vgg.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.

C:\Documents and Settings\Jonas\Cookies\jonas@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.

:mozilla.20:C:\Documents and Settings\Jonas\Application Data\Mozilla\Firefox\Profiles\3ca81vgg.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.

C:\Documents and Settings\Jonas\Cookies\jonas@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.

C:\Documents and Settings\Jonas\Cookies\jonas@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.

C:\Documents and Settings\Jonas\Cookies\jonas@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.

:mozilla.51:C:\Documents and Settings\Jonas\Application Data\Mozilla\Firefox\Profiles\3ca81vgg.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.

:mozilla.52:C:\Documents and Settings\Jonas\Application Data\Mozilla\Firefox\Profiles\3ca81vgg.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.

C:\Documents and Settings\Jonas\Cookies\jonas@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.

C:\System Volume Information\_restore{A8AE72B5-C734-4B54-8085-1F095B1A7A1F}\RP217\A0032112.exe -> Trojan.Dialer.qs : Cleaned.

C:\WINDOWS\Temp\win1BD.tmp.exe -> Trojan.Dialer.qs : Cleaned.

C:\WINDOWS\system32\cool.exe -> Trojan.Dialer.qs : Cleaned.

C:\Program\outlook\p.zip/Setup.exe -> Worm.VB.dw : Cleaned.

 

 

::Report end

 

[/log]

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 16:48:30, on 2006-11-26

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\AntiVir PersonalEdition Classic\sched.exe

C:\Program\AntiVir PersonalEdition Classic\avguard.exe

C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program\SPYWAREfighter\spftray.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\SPYWAREfighter\spfprc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program\NETGEAR\WG311T\wlancfg5.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [spywarefighterguard] C:\Program\SPYWAREfighter\spftray.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [Absa] "C:\DOCUME~1\Jonas\APPLIC~1\SKS~1\explorer.exe" -vt yazb

O4 - HKCU\..\Run: [bidhg] C:\Program\A?pPatch\w?auboot.exe

O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = C:\Program\NETGEAR\WG311T\wlancfg5.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162331674557

O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/getPlugin.do

O17 - HKLM\System\CCS\Services\Tcpip\..\{86CCC1A6-3E1A-4AE3-9956-306FDD01B4CD}: NameServer = 80.65.194.10,213.141.64.3

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: winjks32 - C:\WINDOWS\SYSTEM32\winjks32.dll

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SPYWAREfighterRP - SpamFighter APS - C:\Program\SPYWAREfighter\spfprc.exe

 

[/log]

 

[bild bifogad 2006-11-26 16:54:53 av bemz]

 

[inlägget ändrat 2006-11-26 16:55:57 av bemz]

889678_thumb.jpg

Link to comment
Share on other sites

Bara bra att raderna var borta då hade Alcra Remover lyckats få bort dem.

 

Töm mappen C:\WINDOWS\Temp

 

Ta bort mappen C:\Program\outlook

 

Starta HijackThis

Tryck på Config - Misc Tools - Delete a file on reboot

Klistra in detta filnamn:

C:\WINDOWS\SYSTEM32\winjks32.dll

Open

Svara Yes/Ja på frågan om datorn ska startas om.

 

Nu tar vi itu med spionprogrammet PurityScan.

 

Ladda ner http://www.mvps.org/winhelp2002/hosts.zip till Skrivbordet.

Packa upp filen. En ny mapp Hosts skapas på Skrivbordet.

Dubbelklicka på mappen för att öppna den.

Dubbelklicka på filen mvps.bat för att starta programmet.

Detta program kommer att byta ut datorns Hosts-fil så att PurityScan-otrevligheten förhindras komma i kontakt med sin skapare. Det kommer också förhindra att du kan besöka sidor som är ökända för att installera otrevligheter på datorn. Du kan läsa mer om det här:

http://www.mvps.org/winhelp2002/hosts.htm

 

Kontrollpanelen - Lägg till eller ta bort program

Om något av följande finns i listan så ta bort:

Oin

Yazzle by Oin

Purityscan by Oin

Snowballwars by Oin

eller något liknande med Oin eller Outerinfo i sig.

Zolero

Tizzletalk

MediaTickets

Cowabanga

 

Ladda ner och kör avinstallationsprogrammet

http://www.outerinfo.com/OiUninstaller.exe

Om du behöver anvisningar så finns de här: http://www.outerinfo.com/howto.html

 

Starta om datorn.

 

Ladda ner ComboFix:

http://download.bleepingcomputer.com/sUBs/combofix.exe

 

Kör den och följ anvisningarna som visas.

 

VIKTIGT! Klicka inte på Combofix-fönstret med musen när den körs annars kan den hänga upp sig.

 

När den är färdig så ska en logg komma upp, klistra in den här, samt en ny HijackThis-logg.

 

Link to comment
Share on other sites

[log]Jonas - 06-11-26 18:08:05,95 Service Pack 2

ComboFix 06.11.26 - Running from: "C:\Program\Mozilla Firefox"

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\components

C:\Program\Delade filer\{1C61DB10-0959-1053-1223-02010703002e}

C:\Program\Delade filer\{3C61DB10-0959-1053-1223-02010703002e}

 

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

Folders Quarantined:

 

C:\QooBox\Purity\Documents and Settings\Jonas\Application Data\SKS~1

C:\QooBox\Purity\Documents and Settings\Jonas\Application Data\SKS~1\??sks

C:\QooBox\Purity\Program\APPATC~1

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-10-26 to 2006-11-26 ))))))))))))))))))))))))))))))))))

 

 

2006-11-26 16:38 <KAT> d-------- C:\bintheredunthat

2006-11-26 15:13 <KAT> d-------- C:\BFU

2006-11-26 15:10 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2006-11-26 15:10 <KAT> d-------- C:\Program\Grisoft

2006-11-26 12:46 53,248 --a------ C:\WINDOWS\system32\Process.exe

2006-11-26 12:46 40,960 --a------ C:\WINDOWS\system32\swsc.exe

2006-11-26 12:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2006-11-26 12:46 135,168 --a------ C:\WINDOWS\system32\swreg.exe

2006-11-26 12:41 <KAT> d-------- C:\Program\Hijackthis

2006-11-25 22:50 <KAT> d-------- C:\Program\Lavasoft

2006-11-23 22:13 <KAT> d-------- C:\Program\SPYWAREfighter

2006-11-23 22:13 <KAT> d-------- C:\Program\Delade filer\Application

2006-11-23 19:27 57,384 --a------ C:\WINDOWS\system32\avsda.dll

2006-11-23 19:27 32,768 --a------ C:\WINDOWS\system32\drivers\avgntdd.sys

2006-11-23 19:27 14,848 --a------ C:\WINDOWS\system32\drivers\avgntmgr.sys

2006-11-23 19:27 <KAT> d-------- C:\Program\AntiVir PersonalEdition Classic

2006-11-23 19:27 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic

2006-11-23 19:01 8,884 --a------ C:\WINDOWS\system32\isnotify.VIR

2006-11-23 19:01 692,276 --a------ C:\WINDOWS\system32\ddcyw.VIR

2006-11-23 19:01 126,996 --a------ C:\WINDOWS\system32\glktapkt.dll

2006-11-23 19:01 110,612 --a------ C:\WINDOWS\system32\dyevycel.exe

2006-11-23 19:01 <KAT> d-------- C:\Documents and Settings\Jonas\Application Data\SearchToolbarCorp

2006-11-23 18:56 2 --a------ C:\WINDOWS\system32\wnscpsv.exe

2006-11-19 12:04 <KAT> d-------- C:\Program\iPod

2006-11-19 12:03 <KAT> d-------- C:\Program\iTunes

2006-11-19 12:02 <KAT> d-------- C:\Program\Apple Software Update

2006-11-11 21:16 <KAT> d-------- C:\Program\Macromedia

2006-11-11 21:16 <KAT> d-------- C:\Program\Delade filer\Macromedia

2006-11-11 21:16 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Macromedia

2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll

2006-11-01 14:42 <KAT> d-------- C:\Program\MSXML 4.0

2006-11-01 14:34 <KAT> d-------- C:\WINDOWS\Prefetch

2006-11-01 07:56 127,720 --a------ C:\WINDOWS\system32\mucltui.dll

2006-10-31 23:09 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2006-10-31 23:08 <KAT> d-------- C:\WINDOWS\provisioning

2006-10-31 23:08 <KAT> d-------- C:\WINDOWS\peernet

2006-10-31 23:06 <KAT> d-------- C:\WINDOWS\ServicePackFiles

2006-10-31 23:03 <KAT> d-------- C:\WINDOWS\system32\ReinstallBackups

2006-10-31 23:00 <KAT> d-------- C:\WINDOWS\EHome

2006-10-31 20:24 <KAT> d-a------ C:\Program\MyWebSearch

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-11-26 18:08 -------- d-------- C:\Program\Delade filer

2006-11-26 18:07 -------- d-------- C:\Program\Mozilla Firefox

2006-11-26 17:50 -------- d-------- C:\Program\Outlook Express

2006-11-26 13:59 -------- d-------- C:\Program\Delade filer\Adobe

2006-11-26 13:59 -------- d-------- C:\Program\Adobe

2006-11-26 13:58 -------- d-------- C:\Documents and Settings\Jonas\Application Data\Adobe

2006-11-25 22:50 -------- d-------- C:\Documents and Settings\Jonas\Application Data\Lavasoft

2006-11-22 22:02 -------- d-------- C:\Documents and Settings\Jonas\Application Data\uTorrent

2006-11-22 19:59 -------- d-------- C:\Program\Delade filer\Ahead

2006-11-22 19:56 -------- d-------- C:\Program\Sony Ericsson

2006-11-22 19:56 -------- d-------- C:\Program\Delade filer\Teleca Shared

2006-11-22 18:42 -------- d-------- C:\Documents and Settings\Jonas\Application Data\LimeWire

2006-11-19 12:03 -------- d-------- C:\Program\QuickTime

2006-11-19 03:00 -------- d-------- C:\Program\Internet Explorer

2006-11-11 21:20 -------- d-------- C:\Documents and Settings\Jonas\Application Data\Macromedia

2006-11-06 01:25 -------- d-------- C:\Documents and Settings\Jonas\Application Data\Skype

2006-11-01 15:27 -------- d-------- C:\Program\MSN Messenger

2006-11-01 14:44 -------- d-------- C:\Program\Messenger

2006-11-01 14:43 -------- d-------- C:\Program\Delade filer\System

2006-10-31 23:08 -------- d-------- C:\Program\Windows Media Player

2006-10-31 23:08 -------- d-------- C:\Program\Movie Maker

2006-10-31 23:06 -------- d-------- C:\Program\Windows NT

2006-10-31 23:06 -------- d-------- C:\Program\NetMeeting

2006-10-25 21:21 -------- d-------- C:\Documents and Settings\Jonas\Application Data\Sun

2006-10-25 11:18 -------- d-------- C:\Program\Corel

2006-10-25 11:17 -------- d-------- C:\Documents and Settings\Jonas\Application Data\Corel

2006-10-23 22:40 2672 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2006-10-23 22:39 88 -r-hs---- C:\WINDOWS\system32\DBE124B0E2.sys

2006-10-21 12:45 -------- d-------- C:\Documents and Settings\Jonas\Application Data\Apple Computer

2006-10-15 13:13 75776 --ah----- C:\Documents and Settings\Jonas\Application Data\rbqt450.DLL

2006-10-15 13:13 64512 --ah----- C:\Documents and Settings\Jonas\Application Data\rbap450.dll

2006-10-15 13:13 54272 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSQTImporterPlugin1635.dll

2006-10-15 13:13 53760 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSPicturePlugin1635.dll

2006-10-15 13:13 52224 --ah----- C:\WINDOWS\system32\EHZComp.dll

2006-10-15 13:13 51712 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSWinPlugin1635.dll

2006-10-15 13:13 49664 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSQuickTimePlugin1636.dll

2006-10-15 13:13 48128 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSResPlugin1635.dll

2006-10-15 13:13 41984 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSMainPlugin1635.dll

2006-10-15 13:13 41472 --ah----- C:\Documents and Settings\Jonas\Application Data\RBShell400.dll

2006-10-15 13:13 37376 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSPictureMacPlugin1635.dll

2006-10-15 13:13 36352 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSRegistryPlugin1636.dll

2006-10-15 13:13 36352 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSFolderitemsCreatePlugin1635.dll

2006-10-15 13:13 33280 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSEncryptPlugin1636.dll

2006-10-15 13:13 32256 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSProcessPlugin1636.dll

2006-10-15 13:13 32256 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSIconPlugin1635.dll

2006-10-15 13:13 29184 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSRectPlugin1635.dll

2006-10-15 13:13 29184 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSMemoryPlugin1635.dll

2006-10-15 13:13 28672 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSMacOSXPlugin1635.dll

2006-10-15 13:13 26624 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSUsernamePlugin1635.dll

2006-10-15 13:13 26112 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSResStreamPlugin1635.dll

2006-10-15 13:13 26112 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSRegistrationPlugin1636.dll

2006-10-15 13:13 25088 --ah----- C:\Documents and Settings\Jonas\Application Data\MBSPluginVersionPlugin1635.dll

2006-10-15 13:13 19968 --ah----- C:\Documents and Settings\Jonas\Application Data\EHMD5.dll

2006-10-15 13:13 18432 --ah----- C:\Documents and Settings\Jonas\Application Data\EHEncrypt.dll

2006-10-13 13:41 141824 --a------ C:\WINDOWS\system32\nwprovau.dll

2006-10-03 15:02 -------- d-------- C:\Documents and Settings\Jonas\Application Data\SiteAdvisor

2006-10-03 14:55 -------- d-------- C:\Program\McAfee

2006-10-01 20:21 -------- d-------- C:\Documents and Settings\Jonas\Application Data\Teleca

2006-10-01 16:07 -------- d---s---- C:\Documents and Settings\Jonas\Application Data\Microsoft

2006-09-30 23:59 -------- d-------- C:\Documents and Settings\Jonas\Application Data\vlc

2006-09-30 23:52 -------- d-------- C:\Program\DivX

2006-09-30 23:48 -------- d-------- C:\Program\Combined Community Codec Pack

2006-09-19 15:43 109360 --a------ C:\WINDOWS\system32\GEARAspi.dll

2006-09-18 19:11 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll

2006-09-18 19:11 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll

2006-09-18 19:11 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll

2006-09-18 19:11 620180 --a------ C:\WINDOWS\system32\DivX.dll

2006-09-13 06:10 1110528 --a------ C:\WINDOWS\system32\msxml3.dll

2006-09-11 17:32 356352 --a------ C:\WINDOWS\eSellerateEngine.dll

2006-08-18 19:20 62 --ahs---- C:\Documents and Settings\Jonas\Application Data\desktop.ini

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"Absa"="\"C:\\DOCUME~1\\Jonas\\APPLIC~1\\SKS~1\\explorer.exe\" -vt yazb"

"Bidhg"="C:\\Program\\A?pPatch\\w?auboot.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

"nwiz"="nwiz.exe /install"

"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"

"SoundMan"="SOUNDMAN.EXE"

"QuickTime Task"="\"C:\\Program\\QuickTime\\qttask.exe\" -atboottime"

"iTunesHelper"="\"C:\\Program\\iTunes\\iTunesHelper.exe\""

"avgnt"="\"C:\\Program\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

"spywarefighterguard"="C:\\Program\\SPYWAREfighter\\spftray.exe"

@=""

"!AVG Anti-Spyware"="\"C:\\Program\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000000

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start-meny\\Program\\Autostart\\Adobe Reader Speed Launch.lnk"

"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\Program\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "

"item"="Adobe Reader Speed Launch"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jonas^Start-meny^Program^Autostart^Adobe Gamma.lnk]

"path"="C:\\Documents and Settings\\Jonas\\Start-meny\\Program\\Autostart\\Adobe Gamma.lnk"

"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"

"location"="Startup"

"command"="C:\\Program\\DELADE~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "

"item"="Adobe Gamma"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKLM"

"command"=""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0063251159883719mcinstcleanup]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="cleanup"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\TEMP\\006325~1.EXE C:\\Program\\DELADE~1\\McAfee\\INSTAL~1\\cleanup.ini -cleanup -nolog"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="apdproxy"

"hkey"="HKLM"

"command"="\"C:\\Program\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NMBgMonitor"

"hkey"="HKCU"

"command"="\"C:\\Program\\Delade filer\\Ahead\\Lib\\NMBgMonitor.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="daemon"

"hkey"="HKLM"

"command"="\"C:\\Program\\D-Tools\\daemon.exe\" -lang 1033"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="iTunesHelper"

"hkey"="HKLM"

"command"="\"C:\\Program\\iTunes\\iTunesHelper.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="MsnMsgr"

"hkey"="HKCU"

"command"="\"C:\\Program\\MSN Messenger\\MsnMsgr.Exe\" /background"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NeroCheck"

"hkey"="HKLM"

"command"="C:\\Program\\Delade filer\\Ahead\\Lib\\NeroCheck.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Application Launcher"

"hkey"="HKLM"

"command"="\"C:\\Program\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winamp Agent]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="winampa"

"hkey"="HKLM"

"command"="C:\\Program\\Winamp\\winampa.exe"

"inimapping"="0"

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjks32

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

 

 

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

backup-20061126-164627-861

O20 - Winlogon Notify: ddcyw - C:\WINDOWS\system32\ddcyw.dll (file missing)

backup-20061126-164627-188

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab

backup-20061126-164627-417

O2 - BHO: (no name) - {1D5C5D85-B424-467D-BD6B-9378942D6CFC} - C:\WINDOWS\system32\ddcyw.dll (file missing)

backup-20061126-164627-519

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

backup-20061126-164627-582

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\uohauhnn.dll

backup-20061126-164627-320

O2 - BHO: (no name) - {85643C46-FAFB-800D-DEA6-D228910664BB} - C:\WINDOWS\system32\moyqevt.dll (file missing)

backup-20061126-164627-231

O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)

backup-20061126-164627-885

R3 - URLSearchHook: (no name) - {85643C46-FAFB-800D-DEA6-D228910664BB} - C:\WINDOWS\system32\moyqevt.dll (file missing)

backup-20061126-164627-802

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

 

Completion time: 06-11-26 18:09:13.37

C:\ComboFix.txt ... 06-11-26 18:09

[/log]

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 18:09:56, on 2006-11-26

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\AntiVir PersonalEdition Classic\sched.exe

C:\Program\AntiVir PersonalEdition Classic\avguard.exe

C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program\SPYWAREfighter\spftray.exe

C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program\SPYWAREfighter\spfprc.exe

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program\NETGEAR\WG311T\wlancfg5.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [spywarefighterguard] C:\Program\SPYWAREfighter\spftray.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [Absa] "C:\DOCUME~1\Jonas\APPLIC~1\SKS~1\explorer.exe" -vt yazb

O4 - HKCU\..\Run: [bidhg] C:\Program\A?pPatch\w?auboot.exe

O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = C:\Program\NETGEAR\WG311T\wlancfg5.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162331674557

O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/getPlugin.do

O17 - HKLM\System\CCS\Services\Tcpip\..\{86CCC1A6-3E1A-4AE3-9956-306FDD01B4CD}: NameServer = 80.65.194.10,213.141.64.3

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SPYWAREfighterRP - SpamFighter APS - C:\Program\SPYWAREfighter\spfprc.exe

 

[/log]

 

Link to comment
Share on other sites

Vet du vad det här är för mapp?

2006-11-26 16:38 <KAT> d-------- C:\bintheredunthat

 

De här två filerna kan du ta bort, det är nog AntiVir som har bytt namn på dem:

2006-11-23 19:01 8,884 --a------ C:\WINDOWS\system32\isnotify.VIR

2006-11-23 19:01 692,276 --a------ C:\WINDOWS\system32\ddcyw.VIR

 

Gå till http://www.virustotal.com/ klistra in ett av följande filnamn i rutan, tryck på Send och vänta tills resultatet är klart (Status blir Finished). Klistra in resultatet (inkl. filstorlek) här. Upprepa med nästa filnamn.

C:\WINDOWS\system32\glktapkt.dll

C:\WINDOWS\system32\dyevycel.exe

 

Kontrollpanelen - Lägg till eller ta bort program

Ta bort om det finns något där som liknar SearchToolbar och som du inte är säker på vad det är.

 

Skanna med HijackThis och bocka för:

 

O4 - HKCU\..\Run: [Absa] "C:\DOCUME~1\Jonas\APPLIC~1\SKS~1\explorer.exe" -vt yazb

O4 - HKCU\..\Run: [bidhg] C:\Program\A?pPatch\w?auboot.exe

O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)

 

Avsluta alla andra program.

Tryck Fix checked.

 

Starta om datorn i felsäkert läge (tryck F8 upprepade gånger under uppstarten och välj felsäkert läge i menyn).

 

Ställ in Utforskaren så att du kan se alla filer:

Verktyg - (Mapp)alternativ eller liknande - Visning

Välj Visa dolda filer och mappar

Avbocka Dölj filnamnstillägg för kända filtyper

Avbocka Dölj skyddade operativsystemfiler

 

Ta bort mapparna (om de finns kvar):

C:\Documents and Settings\Jonas\Application Data\SKS~1

där ~1 står för ett antal godtyckliga tecken

C:\Program\A?pPatch

där ? står för ett godtyckligt tecken.

C:\Documents and Settings\Jonas\Application Data\SearchToolbarCorp

 

Starta om i normalt läge och så en ny HijackThis-logg.

 

Link to comment
Share on other sites

"Vet du vad det här är för mapp?

2006-11-26 16:38 <KAT> d-------- C:\bintheredunthat"

 

nej ingen aning. Kikade på den och den innehöll ingenting, inget synligt iaf.

 

[log]

C:\WINDOWS\system32\glktapkt.dll

AntiVir 7.2.0.46 11.26.2006 TR/Vundo.Gen

Authentium 4.93.8 11.24.2006 W32/Zlob.ZO

Avast 4.7.892.0 11.23.2006 no virus found

AVG 386 11.26.2006 PSW.Generic2.RFG

BitDefender 7.2 11.26.2006 Trojan.Spy.VBStat.H

CAT-QuickHeal 8.00 11.25.2006 TrojanSpy.VBStat.h

ClamAV devel-20060426 11.25.2006 no virus found

DrWeb 4.33 11.26.2006 no virus found

eSafe 7.0.14.0 11.26.2006 no virus found

eTrust-InoculateIT 23.73.67 11.25.2006 no virus found

eTrust-Vet 30.3.3211 11.24.2006 no virus found

Ewido 4.0 11.26.2006 no virus found

Fortinet 2.82.0.0 11.26.2006 suspicious

F-Prot 3.16f 11.24.2006 security risk named W32/Zlob.ZO

F-Prot4 4.2.1.29 11.24.2006 W32/Zlob.ZO

Ikarus 0.2.65.0 11.24.2006 no virus found

Kaspersky 4.0.2.24 11.26.2006 Trojan-Spy.Win32.VBStat.h

McAfee 4904 11.24.2006 Vundo

Microsoft 1.1804 11.26.2006 no virus found

NOD32v2 1882 11.24.2006 Win32/Spy.VBStat.H

Norman 5.80.02 11.24.2006 W32/Vundo.gen1

Panda 9.0.0.4 11.26.2006 Spyware/Virtumonde

Prevx1 V2 11.26.2006 no virus found

Sophos 4.11.0 11.16.2006 no virus found

TheHacker 6.0.3.123 11.23.2006 Trojan/Spy.VBStat.h

UNA 1.83 11.24.2006 Trojan.Spy.Win32.VBStat.5A0D

VBA32 3.11.1 11.25.2006 no virus found

VirusBuster 4.3.15:9 11.26.2006 no virus found

 

File size: 126996 bytes

 

 

 

C:\WINDOWS\system32\dyevycel.exe

AntiVir 7.2.0.46 11.26.2006 ADSPY/VSAddinDLL.A

Authentium 4.93.8 11.24.2006 no virus found

Avast 4.7.892.0 11.23.2006 no virus found

AVG 386 11.26.2006 Adware Generic.RUQ

 

File size: 110612 bytes

[/log]

 

 

 

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 19:32:31, on 2006-11-26

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\AntiVir PersonalEdition Classic\sched.exe

C:\Program\AntiVir PersonalEdition Classic\avguard.exe

C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\QuickTime\qttask.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program\SPYWAREfighter\spftray.exe

C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\NETGEAR\WG311T\wlancfg5.exe

C:\Program\SPYWAREfighter\spfprc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [spywarefighterguard] C:\Program\SPYWAREfighter\spftray.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = C:\Program\NETGEAR\WG311T\wlancfg5.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162331674557

O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/getPlugin.do

O17 - HKLM\System\CCS\Services\Tcpip\..\{86CCC1A6-3E1A-4AE3-9956-306FDD01B4CD}: NameServer = 80.65.194.10,213.141.64.3

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SPYWAREfighterRP - SpamFighter APS - C:\Program\SPYWAREfighter\spfprc.exe

 

[/log]

 

Link to comment
Share on other sites

När jag söker runt lite så verkar det som att C:\bintheredunthat är en mapp som Alcra Remover skapar, så när det här är klart så kan du ta bort den.

 

Ta bort filerna:

C:\WINDOWS\system32\glktapkt.dll

C:\WINDOWS\system32\dyevycel.exe

Kontrollera att de är borta efter att datorn startats om.

 

Jag ser inget otrevligt i loggen längre. Verkar datorn uppföra sig bra nu?

 

Link to comment
Share on other sites

Här kommer mina vanliga råd för en säkrare dator, men det är så klart viktigt att man använder sitt förnuft också.

 

Uppdatera från Windows Update och kör antispionprogrammen AVG Anti-Spyware (Ewido), SUPERAntiSpyware, Spybot S&D och/eller Ad-aware regelbundet.

http://www.ewido.net/en/

http://www.superantispyware.com/

http://www.safer-networking.org/en/download/index.html

http://www.lavasoft.com

 

Komplettera antivirusprogrammet med några online-skanningar då och då:

http://housecall.trendmicro.com/

http://www.bitdefender.com/scan8/ie.html

http://www.pandasoftware.com/products/activescan/

 

Använd en brandvägg (bättre än den inbyggda i XP), finns gratis från t ex ZoneLabs.

http://www.zonelabs.com/store/content/home.jsp

 

Om man använder Internet Explorer så kan det vara lämpligt att ha programmen SpywareBlaster och SpywareGuard, vilka hindrar en hel del otrevliga program från att laddas ner resp. köras:

http://www.javacoolsoftware.com

 

Se över säkerhetsinställningarna i Internet Explorer, det finns en hel del tips här:

http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm

 

Samt kör IE-SpyAd som lägger en hel massa otrevliga webbplatser i zonen Ej tillförlitliga i Internet Explorer så att de inte kan göra något med datorn:

http://www.spywarewarrior.com/uiuc/resource.htm

 

Om man byter webbläsare så är det bara SpywareGuard som behövs. Andra webbläsare är t ex Mozilla Firefox och Opera:

http://www.mozilla.org

http://www.opera.com

 

Allt gratis för hemanvändare/personligt bruk.

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.



×
×
  • Create New...