lizzy_lini Posted September 10, 2008

Trying again then, my previous post disappeared.

[log]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:15, on 2008-09-10
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program\TightVNC\WinVNC.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Program\Network Associates\VirusScan\VsStat.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\Program\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program\QuickTime\qttask.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe
C:\WINNT\system32\mshelp.exe
C:\WINNT\system32\lphcvjfj0ec9t.exe
C:\WINNT\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\drivers\svchost.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\System32\WScript.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\drwtsn32.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.laget.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O1 - Hosts: 194.71.143.33 SEMAHOST # SEMA
O1 - Hosts: 192.176.6.138 SDCAPP02 # Sema virkesorder
O1 - Hosts: 192.176.6.130 SDCARKIV
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe"
O4 - HKLM\..\Run: [Microsoft Help Process for Win32 Services] mshelp.exe
O4 - HKLM\..\Run: [lphcvjfj0ec9t] C:\WINNT\system32\lphcvjfj0ec9t.exe
O4 - HKLM\..\RunServices: [Microsoft Help Process for Win32 Services] mshelp.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [st-olb00049] c:\Webdialer\st-olb00049.exe -m
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.pixbox.se/aurigma/iu_4.5.50.0/ImageUploader4.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://presentfixer.axiscam.net/activex/AMC.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E599CF5D-53E7-455B-B5E6-33B00F310DEC}: NameServer = 85.255.113.108,85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.108 85.255.112.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.108 85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.108 85.255.112.10
O20 - Winlogon Notify: WinNt32 - C:\WINNT\SYSTEM32\WinNt32.dll
O20 - Winlogon Notify: WinNt64 - C:\WINNT\SYSTEM32\WinNt64.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program\TightVNC\WinVNC.exe

--
End of file - 7310 bytes
[/log]
Cecilia Posted September 10, 2008

Is it your computer?

Download FixWareout from one of these locations and save it, for example, on the Desktop:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Close all programs, since the computer will be restarted soon. Double-click the file you just downloaded to start FixWareout. Then press Next, Install, check that Run fixit is ticked and press Finish. The fix starts running; follow all instructions. When you are asked to restart the computer, do so. It is normal for the restart to take longer than usual.

Paste the log file C:\fixwareout\report.txt, which normally opens automatically, and a new HijackThis log in your reply.

If you have trouble getting onto the internet, go to Control Panel - Network Connections, right-click the internet connection and choose Properties. On the General tab, double-click Internet Protocol (TCP/IP) and configure it according to your ISP's guidelines; usually DNS servers should be obtained automatically. Finish with OK - OK. Restart the computer.
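The O17 NameServer entries in the HijackThis log are the DNS hijack that the FixWareout run and the "obtain DNS servers automatically" step above undo. As an added example (not part of the thread or of any of the tools it mentions), this Python script parses HijackThis O17 lines and reports every configured resolver that is neither a private address nor on a trusted list; the sample lines are constructed from the thread's log, and the trusted list is an assumption the reader fills in with the ISP's real resolvers.

```python
"""Flag untrusted DNS resolvers in a HijackThis log (added example).

A DNS hijack rewrites the Tcpip\\Parameters NameServer values so every
lookup goes to an attacker-controlled resolver. HijackThis reports those
values as O17 lines; this script extracts them and reports anything that is
not a private (RFC 1918) address and not on the caller's trusted list.
"""
import re
from ipaddress import ip_address

# Constructed sample: O17 lines taken from the thread's first HijackThis log,
# one benign O17 line for contrast, and two non-O17 lines that must be ignored.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.laget.se/
O17 - HKLM\System\CCS\Services\Tcpip\..\{E599CF5D-53E7-455B-B5E6-33B00F310DEC}: NameServer = 85.255.113.108,85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.108 85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - Winlogon Notify: WinNt32 - C:\WINNT\SYSTEM32\WinNt32.dll
""".strip()

# O17 line layout: "O17 - <registry key>: NameServer = <list>"
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry_key, [server, ...])] for every O17 NameServer line.

    HijackThis prints the list separated by commas (interface keys) or by
    spaces (the global Parameters key), so both separators are accepted.
    """
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append((m.group("key"), servers))
    return entries


def flag_nameservers(entries, trusted=()):
    """Return (registry_key, server) pairs that warrant a closer look.

    A server is accepted only if it parses as an IP address and is either
    private (a home router forwarding DNS) or in the trusted set. Values that
    do not parse are reported too, since a NameServer value should be an IP.
    """
    trusted_ips = {ip_address(t) for t in trusted}
    flagged = []
    for key, servers in entries:
        for server in servers:
            try:
                ip = ip_address(server)
            except ValueError:
                flagged.append((key, server))
                continue
            if ip.is_private or ip in trusted_ips:
                continue
            flagged.append((key, server))
    return flagged


def rogue_resolvers(log_text, trusted=()):
    """Distinct untrusted resolvers found anywhere in the log, sorted."""
    flagged = flag_nameservers(parse_o17(log_text), trusted)
    return sorted({server for _, server in flagged})


if __name__ == "__main__":
    for key, servers in parse_o17(SAMPLE_LOG):
        print(f"{key}: {servers}")
    print("untrusted resolvers:", rogue_resolvers(SAMPLE_LOG))
```

If the same untrusted pair shows up under the interface key and under every control set (CCS, CS1, CS2), as in the thread, the change was made system-wide rather than by one misconfigured adapter, which is a useful signal when triaging a log.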
lizzy_lini (Author) Posted September 10, 2008

No, it isn't mine. It belongs to an acquaintance, so I don't know much about it. I wrote that in my earlier post, but it disappeared.
lizzy_lini (Author) Posted September 10, 2008

Here are the logs:

[log]
Username "NLSTHGR" - 2008-09-10 12:12:59 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kddzj.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.108 85.255.112.10" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E599CF5D-53E7-455B-B5E6-33B00F310DEC}
"nameserver"="85.255.113.108,85.255.112.10" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DE4DBC80-B709-4207-BAB7-CB6A42FD213C}
"DhcpNameServer"="85.255.113.108,85.255.112.10" <Value cleared.
DNS-matcharens cacheminne har rensats.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINNT\Temp\kddzj.ren 83968 02-08-07

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe"
"WinVNC"="\"C:\\Program\\TightVNC\\WinVNC.exe\" -servicehelper"
"QuickTime Task"="\"C:\\Program\\QuickTime\\qttask.exe\" -atboottime"
"Norman ZANDA"="\"C:\\Norman\\Npm\\bin\\ZLH.EXE\" /LOAD /SPLASH"
"msnappau"="\"C:\\Program\\MSN Apps\\Updater\\01.03.0000.1005\\sv\\msnappau.exe\""
"Microsoft Help Process for Win32 Services"="mshelp.exe"
"lphcvjfj0ec9t"="C:\\WINNT\\system32\\lphcvjfj0ec9t.exe"
"sysrest32.exe"="C:\\WINNT\\system32\\sysrest32.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
"st-olb00049"="c:\\Webdialer\\st-olb00049.exe -m"
"MsnMsgr"="\"C:\\Program\\MSN Messenger\\MsnMsgr.Exe\" /background"
"SVCHOST.EXE"="C:\\WINNT\\system32\\drivers\\svchost.exe"
"swg"="C:\\Program\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:57, on 2008-09-10
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program\TightVNC\WinVNC.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Program\Network Associates\VirusScan\VsStat.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\Program\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\svchost.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINNT\System32\hkcmd.exe
C:\Program\QuickTime\qttask.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe
C:\WINNT\system32\mshelp.exe
C:\WINNT\system32\lphcvjfj0ec9t.exe
C:\WINNT\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\drivers\svchost.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.laget.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe"
O4 - HKLM\..\Run: [Microsoft Help Process for Win32 Services] mshelp.exe
O4 - HKLM\..\Run: [lphcvjfj0ec9t] C:\WINNT\system32\lphcvjfj0ec9t.exe
O4 - HKLM\..\RunServices: [Microsoft Help Process for Win32 Services] mshelp.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [st-olb00049] c:\Webdialer\st-olb00049.exe -m
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.pixbox.se/aurigma/iu_4.5.50.0/ImageUploader4.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://presentfixer.axiscam.net/activex/AMC.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: WinNt32 - WinNt32.dll (file missing)
O20 - Winlogon Notify: WinNt64 - WinNt64.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program\TightVNC\WinVNC.exe

--
End of file - 6765 bytes
[/log]
Cecilia Posted September 10, 2008

Tell the owner that all passwords on the computer and on the internet need to be changed once the computer is clean, because they may have been compromised.

Download ComboFix to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

[log]
Unplug the internet connection and shut down all programs you can see, including antivirus, antispyware and firewall, or alternatively restart the computer in Safe Mode.
Run ComboFix and follow the instructions shown.
IMPORTANT! Do not click on the ComboFix window with the mouse while it is running, otherwise it may hang.
When it is finished, a log should appear; attach it to your reply.
Check that the antivirus program and firewall are running before you connect to the internet.
If you have trouble getting onto the internet: Control Panel - Network Connections, right-click your internet connection and choose Repair, and/or restart the computer.
[/log]

Warning! ComboFix disables autorun for CDs, floppy disks and USB devices to make it easier to clean the computer and to protect it against infections in the future. This can cause problems, for example if the computer gets its internet via a USB modem or USB network adapter. In that case, say so instead of running ComboFix.
lizzy_lini (Author) Posted September 10, 2008

When I go into Safe Mode it says wrong password even though it's the same user there. And I used the same password. How come?
Cecilia Posted September 10, 2008

You mean at login? Strange, no good answer unfortunately. Could Caps Lock have been pressed by accident? Are there more user accounts?
lizzy_lini (Author) Posted September 10, 2008

I'm not very familiar with this kind of thing. But when you log in there are: Username, Password, Log on to. The username is the same, but under "Log on to" there are two different options, one with (this computer) after it.

Don't know how to turn off the antivirus program... hehe... Is there a firewall in Windows 2000?? What happens if you run ComboFix without turning them off?

[post edited 2008-09-10 13:41:35 by lizzy_lini]
Cecilia Posted September 10, 2008

Apparently I know too little about Windows 2000 when it comes to logging in.

There is no firewall in 2000.

It looks like there are two antivirus programs on the computer according to the HijackThis log.
C:\Program\Network Associates\VirusScan\Avconsol.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

Norman hides behind an N next to the clock; see if you can find something like disable or similar.

There can be conflicts if the antivirus program isn't turned off, so ComboFix may hang "forever" or may not be able to do what it should. But you can certainly try if you don't manage to turn it off. ComboFix should never take more than 20 minutes in total including the restart. If it doesn't finish, open Task Manager, the Processes tab. Look for processes named findstr, find, sed or swreg, select such processes and press End Process.
lizzy_lini (Author) Posted September 10, 2008

I couldn't turn off the antivirus program. Tried anyway. Got an error message when everything was done. Don't know whether it has to do with ComboFix. It said: "Det går inte att importera creg.dat. Ett fel uppstått vid försök att komma åt registret." (roughly: "Cannot import creg.dat. An error occurred while trying to access the registry.")

I saw that there were several antivirus programs. Is there one of them you recommend? Or should it be replaced entirely?

Anyway, here are the logs:

[log]
ComboFix 08-09-05.14 - NLSTHGR 2008-09-10 13:58:00.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.3.1252.1.1053.18.84 [GMT 2:00]
Running from: C:\Documents and Settings\NLSTHGR\Skrivbord\ComboFix.exe
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Skrivbord\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start-meny\Program\Antivirus XP 2008
C:\Documents and Settings\All Users\Start-meny\Program\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start-meny\Program\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start-meny\Program\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start-meny\Program\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start-meny\Program\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start-meny\Program\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start-meny\Program\DriveCleaner 2006 Free
C:\Documents and Settings\All Users\Start-meny\Program\DriveCleaner 2006 Free\Avinstallera DriveCleaner 2006.lnk
C:\Documents and Settings\All Users\Start-meny\Program\DriveCleaner 2006 Free\DriveCleaner 2006 HomePage.lnk
C:\Documents and Settings\All Users\Start-meny\Program\DriveCleaner 2006 Free\DriveCleaner 2006 Online Manual.lnk
C:\Documents and Settings\All Users\Start-meny\Program\DriveCleaner 2006 Free\DriveCleaner 2006.lnk
C:\Documents and Settings\All Users\Start-meny\Program\DriveCleaner 2006 Free\DriveCleaner Online Support.lnk
C:\Documents and Settings\NLSTHGR\~tmp1174.exe
C:\Documents and Settings\NLSTHGR\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\NLSTHGR\Application Data\rhcrjfj0ec9t
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@2o7[1].txt
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@ad.adtoma[2].txt
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@ad.yieldmanager[1].txt
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@ad.yieldmanager[2].txt
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@adtoma.expressen[1].txt
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@ehg-dig.hitbox[1].txt
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@hotbar[2].txt
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@revsci[1].txt
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@rubiconproject[1].txt
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@server.cpmstar[1].txt
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@serving-sys[1].txt
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@specificclick[2].txt
C:\Documents and Settings\NLSTHGR\Cookies\nlsthgr@www.hedemorabildemontering[2].txt
C:\Documents and Settings\NLSTHGR\Skrivbord\DriveCleaner 2006 Free.lnk
C:\WINNT\Downloaded Program Files\setup.inf
C:\WINNT\msettings.ini
C:\WINNT\system32\blphcvjfj0ec9t.scr
C:\WINNT\system32\drivers\svchost.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\lphcvjfj0ec9t.exe
C:\WINNT\system32\phcvjfj0ec9t.bmp
C:\WINNT\system32\sysrest.sys
C:\WINNT\system32\sysrest32.exe
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NSESVC
-------\Legacy_SYSREST.SYS
-------\Legacy_TCPSR
-------\Service_nsesvc
-------\Service_sysrest.sys
-------\Service_tcpsr


((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.

2008-09-10 14:09 . 54,156 C:\WINNT\QTFont.qfn
2008-09-10 14:09 . 1,409 C:\WINNT\QTFont.for
2008-09-10 12:12 . 08-09-10 12:18 <KAT> d-------- C:\fixwareout
2008-09-10 10:51 . 08-09-10 10:51 <KAT> d-------- C:\Program\Trend Micro
2008-08-27 16:25 . 08-08-31 10:51 <KAT> d-------- C:\Program\rhcrjfj0ec9t

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 16:24 110,080 ----a-w C:\Documents and Settings\NLSTHGR\schosst.exe
2008-07-17 12:42 --------- d-----w C:\Documents and Settings\NLSTHGR\Application Data\uTorrent
2004-12-06 08:04 19,496 ----a-w C:\Documents and Settings\NLSTHGR\Application Data\GDIPFONTCACHEV1.DAT
2004-01-07 09:15 271 ---h--w C:\Program\desktop.ini
2004-01-07 09:15 22,047 ---h--w C:\Program\folder.htt
2002-08-07 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------

01-02-20 14:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.Exe" [07-09-04 23:40 6856704]
"swg"="C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08-05-14 19:43 68856]
"ctfmon.exe"="ctfmon.exe" [01-02-20 14:09 8192 C:\WINNT\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinVNC"="C:\Program\TightVNC\WinVNC.exe" [02-11-29 16:39 464384]
"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [05-05-31 07:51 77824]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.EXE" [08-06-02 14:46 273520]
"msnappau"="C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe" [04-08-13 18:41 86016]
"Synchronization Manager"="mobsync.exe" [02-08-07 19:00 111888 C:\WINNT\system32\mobsync.exe]
"Microsoft Help Process for Win32 Services"="mshelp.exe" [07-03-07 17:24 49152 C:\WINNT\system32\mshelp.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Help Process for Win32 Services"="mshelp.exe" [07-03-07 17:24 49152 C:\WINNT\system32\mshelp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [02-08-07 19:00 20752 C:\WINNT\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program\Internet Explorer\Connection Wizard\icwconn1.exe" [02-08-07 19:00 187152]

C:\Documents and Settings\All Users\Start-meny\Program\AutostartMicrosoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"vidc.iv31"= C:\WINNT\system32\ir32_32.dll
"vidc.iv32"= C:\WINNT\system32\ir32_32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Aho86.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Aip31.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Aip64.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Emt64.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fmt20.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fmt64.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gnu07.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gnu42.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gov64.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gov86.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hpw64.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iqx07.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iqx20.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jqx18.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jqx75.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kry42.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lsa18.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lsa42.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mtb86.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Muc75.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nvd42.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ovd07.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ovd86.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Owe75.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pxf86.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qxf64.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ryg75.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sah07.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sah86.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sbi31.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tbi07.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tbi53.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Udk75.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vdk64.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wel31.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wel64.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xfm31.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xgn18.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xgn20.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xgn75.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Yho18.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Yho20.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Yho31.sys] @="Driver"

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-st-olb00049 - c:\Webdialer\st-olb00049.exe
HKLM-Run-IgfxTray - C:\WINNT\System32\igfxtray.exe
HKLM-Run-HotKeysCmds - C:\WINNT\System32\hkcmd.exe
HKLM-Run-lphcvjfj0ec9t - C:\WINNT\system32\lphcvjfj0ec9t.exe
HKLM-Run-sysrest32.exe - C:\WINNT\system32\sysrest32.exe
Notify-WinNt64 - WinNt64.dll

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.laget.se/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: E&xportera till Microsoft Excel - C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
O16 -: DirectAnimation Java Classes - file://C:\WINNT\Java\classes\dajava.cab
C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINNT\Java\classes\xmldso.cab
C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://presentfixer.axiscam.net/activex/AMC.cab
C:\WINNT\Downloaded Program Files\setup.inf
.
.
------- File Associations (Beta) -------
.
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 14:09:06
Windows 5.0.2195 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   Microsoft Help Process for Win32 Services = mshelp.exe?
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
   Microsoft Help Process for Win32 Services = mshelp.exe?

scanning hidden files ...

C:\WINNT\QTFont.for 1409 bytes
C:\WINNT\QTFont.qfn 54156 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-09-10 14:27:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-10 12:26:15

Pre-Run: 16,650,530,816 byte ledigt
Post-Run: 18,298,609,664 byte ledigt

252 --- E O F --- 2008-05-10 07:32:24

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:46, on 2008-09-10
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program\TightVNC\WinVNC.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Program\Network Associates\VirusScan\VsStat.exe
C:\Program\Network Associates\VirusScan\Avconsol.exe
C:\Program\QuickTime\qttask.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe
C:\WINNT\system32\mshelp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\wuauclt.exe C:\Program\internet explorer\iexplore.exe C:\Program\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.laget.se/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC\WinVNC.exe" -servicehelper O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN 
Apps\Updater\01.03.0000.1005\sv\msnappau.exe" O4 - HKLM\..\Run: [Microsoft Help Process for Win32 Services] mshelp.exe O4 - HKLM\..\RunServices: [Microsoft Help Process for Win32 Services] mshelp.exe O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.pixbox.se/aurigma/iu_4.5.50.0/ImageUploader4.cab O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://presentfixer.axiscam.net/activex/AMC.cab O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O23 - Service: AVSync Manager (AvSynMgr) - Unknown 
owner - C:\Program\Network Associates\VirusScan\Avsynmgr.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\bin\NJEEVES.EXE O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program\TightVNC\WinVNC.exe -- End of file - 6371 bytes [/log]
Cecilia Posted September 10, 2008 Which one did your acquaintance pay for? What is in the folder C:\Program\rhcrjfj0ec9t? If it is empty, delete it; otherwise scan the files on the VirusTotal site. Scan the following on VirusTotal: C:\Documents and Settings\NLSTHGR\schosst.exe C:\WINNT\system32\mshelp.exe (that file has existed and been running constantly on the computer for over a year). Download the program SmitfraudFix (by S!Ri) to the Desktop: http://siri.urz.free.fr/Fix/SmitfraudFix.exe Double-click the downloaded file Smitfraudfix.exe. First you will be prompted to press any key, so do that. Then choose option 1 - Search by pressing 1 and Enter. The program will scan through the computer. When it is done, the result is shown and the program has created the log file C:\rapport.txt. Paste the contents of the log file into your reply here. Do nothing else with SmitfraudFix.
lizzy_lini (Author) Posted September 10, 2008 "What is in the folder C:\Program\rhcrjfj0ec9t" There are a few different files there, among them a text document with a license. It is for Antivirus XP 2008; do I still need to scan them? Because that is a bad program, isn't it? Did not find schosst.exe. mshelp showed something; I don't really know what you need, but I'm pasting the results. I saw in Norman that there have been some trojans earlier, so I can well imagine it has been there a long time. [log] Antivirus Version Senaste Uppdatering Resultat AntiVir - - HEUR/Malware Authentium - - - Avast - - Win32:SdBot-gen12 AVG - - - BitDefender - - - CAT-QuickHeal - - - ClamAV - - - DrWeb - - - eSafe - - - eTrust-Vet - - - Ewido - - - F-Prot - - - F-Secure - - - FileAdvisor - - - Fortinet - - - Ikarus - - - Kaspersky - - - McAfee - - - Microsoft - - - NOD32v2 - - - Norman - - - Panda - - Suspicious file Prevx1 - - - Sophos - - - Sunbelt - - - Symantec - - - TheHacker - - - UNA - - - VBA32 - - - VirusBuster - - - Övrig information MD5: 906b1a616c9bc6f154a99722ecd0257a SHA1: f45d6654b69b91d88537f7defc7c3a11794bd524 SHA256: ace9bec7891bbaa029ea62190953e014331637ec185612512b989f2a7b273b16 SHA512: 451f771d63e675c4950a7696315da2249bc88775a1e1d47d43df54e60e2abc976bf8e9dd6254633e6c7efeb8f77a83501b8f6aef36428c2726d39bc00058eb2d [/log] [post edited 2008-09-10 22:42:10 by lizzy_lini]
Cecilia Posted September 10, 2008 "It is for Antivirus XP 2008; do I still need to scan them?" No. How does the owner feel about formatting and reinstalling Windows? It is hard to know what has happened to the machine when malicious programs have been running for so long.
lizzy_lini (Author) Posted September 10, 2008 Well, they have zero clue when it comes to computers, so I actually don't know. If they have no choice, I suppose they'll do it. But I'd have to ask in that case. We can try and see whether everything can be removed anyway. In any case, something went wrong when I was going to run SmitfraudFix. Norman stopped it. Can I remove it and try again? Or how do I do it?
Cecilia Posted September 10, 2008 See whether Norman can be set to ignore instead of delete (or to ask what should be done), and then try downloading again.
lizzy_lini (Author) Posted September 10, 2008 But how do I remove what I have already downloaded? A folder did get created on the desktop too.
Cecilia Posted September 10, 2008 Okay, you got that far, so it isn't necessary to download it again; just delete the folder.
lizzy_lini (Author) Posted September 10, 2008 Doesn't work, it says policies.exe cannot be deleted. The source file may already be in use. Sigh!!
Cecilia Posted September 10, 2008 Restart the computer.
lizzy_lini (Author) Posted September 10, 2008 Thanks a lot! A message came up from Norman saying it had detected an adware object: W32/IEDefender.E. Hope it hasn't affected anything. Anyway, here is the log: [log] SmitFraudFix v2.348 Scan done at 23:23:41.50, on 2008-09-10 Run from C:\Documents and Settings\NLSTHGR\Skrivbord\SmitfraudFix OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\Norman\Npm\bin\ELOGSVC.EXE C:\Norman\Npm\Bin\Zanda.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program\Network Associates\VirusScan\Avsynmgr.exe C:\WINNT\System32\svchost.exe C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe C:\WINNT\system32\regsvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\Program\TightVNC\WinVNC.exe C:\WINNT\system32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\svchost.exe C:\Norman\Npm\bin\NJEEVES.EXE C:\Program\Network Associates\VirusScan\VsStat.exe C:\Norman\nse\bin\NSESVC.EXE C:\WINNT\Explorer.EXE C:\Program\Network Associates\VirusScan\Avconsol.exe C:\Program\QuickTime\qttask.exe C:\Norman\Npm\bin\ZLH.EXE C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe C:\WINNT\system32\mshelp.exe C:\WINNT\system32\MRT.exe C:\WINNT\system32\ctfmon.exe C:\Program\MSN Messenger\MsnMsgr.Exe C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Documents and Settings\NLSTHGR\Skrivbord\SmitfraudFix\Policies.exe C:\WINNT\system32\cmd.exe C:\Norman\Nvc\BIN\NVCSCHED.EXE C:\Norman\Nvc\bin\nvcoas.exe C:\Norman\Nvc\BIN\NIP.EXE C:\Norman\Nvc\bin\NVCOA.EXE C:\Norman\Nvc\bin\cclaw.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C: »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT C:\WINNT\Tasks\At?.job FOUND ! C:\WINNT\Tasks\At??.job FOUND ! 
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\NLSTHGR »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\NLSTHGR\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\NLSTHGR\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="Min aktuella startsida" »»»»»»»»»»»»»»»»»»»»»»»» IEDFix !!!Attention, following keys are not inevitably infected!!! IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» VACFix !!!Attention, following keys are not inevitably infected!!! VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» 404Fix !!!Attention, following keys are not inevitably infected!!! »»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix !!!Attention, following keys are not inevitably infected!!! AntiXPVSTFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon !!!Attention, following keys are not inevitably infected!!! 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit"="C:\\WINNT\\system32\\userinit.exe," "system"="" »»»»»»»»»»»»»»»»»»»»»»»» RK »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: Intel® PRO/1000 MT Network Connection DNS Server Search Order: 192.168.1.1 HKLM\SYSTEM\CCS\Services\Tcpip\..\{E599CF5D-53E7-455B-B5E6-33B00F310DEC}: DhcpNameServer=192.168.1.1 HKLM\SYSTEM\CS1\Services\Tcpip\..\{E599CF5D-53E7-455B-B5E6-33B00F310DEC}: DhcpNameServer=192.168.1.1 HKLM\SYSTEM\CS2\Services\Tcpip\..\{E599CF5D-53E7-455B-B5E6-33B00F310DEC}: DhcpNameServer=192.168.1.1 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End [/log] Don't know if you need the HJT log, so I'm sending it too. [log] Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 23:28:18, on 2008-09-10 Platform: Windows 2000 SP3 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\csrss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\Norman\Npm\bin\ELOGSVC.EXE C:\Norman\Npm\Bin\Zanda.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program\Network Associates\VirusScan\Avsynmgr.exe C:\WINNT\System32\svchost.exe C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe C:\WINNT\system32\regsvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\Program\TightVNC\WinVNC.exe C:\WINNT\system32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\svchost.exe C:\Norman\Npm\bin\NJEEVES.EXE C:\Program\Network Associates\VirusScan\VsStat.exe C:\Norman\nse\bin\NSESVC.EXE C:\WINNT\Explorer.EXE C:\Program\Network Associates\VirusScan\Avconsol.exe C:\Program\QuickTime\qttask.exe C:\Norman\Npm\bin\ZLH.EXE 
C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe C:\WINNT\system32\mshelp.exe C:\WINNT\system32\MRT.exe C:\WINNT\system32\ctfmon.exe C:\Program\MSN Messenger\MsnMsgr.Exe C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Documents and Settings\NLSTHGR\Skrivbord\SmitfraudFix\Policies.exe C:\WINNT\system32\cmd.exe C:\Norman\Nvc\BIN\NVCSCHED.EXE C:\Norman\Nvc\bin\nvcoas.exe C:\Norman\Nvc\BIN\NIP.EXE C:\Norman\Nvc\bin\cclaw.exe C:\WINNT\NOTEPAD.EXE C:\Program\internet explorer\iexplore.exe C:\Program\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.laget.se/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [WinVNC] 
"C:\Program\TightVNC\WinVNC.exe" -servicehelper O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe" O4 - HKLM\..\Run: [Microsoft Help Process for Win32 Services] mshelp.exe O4 - HKLM\..\RunServices: [Microsoft Help Process for Win32 Services] mshelp.exe O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.pixbox.se/aurigma/iu_4.5.50.0/ImageUploader4.cab O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://presentfixer.axiscam.net/activex/AMC.cab O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - 
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program\Network Associates\VirusScan\Avsynmgr.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\bin\NJEEVES.EXE O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program\TightVNC\WinVNC.exe -- End of file - 6524 bytes [/log]
Cecilia Posted September 10, 2008 Norman detected one of the malicious files. Restart the computer in Safe Mode by pressing F8 repeatedly during startup and choosing Safe Mode in the menu. Double-click smitfraudfix.exe to start the program. Choose option 2 by pressing 2 and Enter. Wait for the tool to finish and for the disk cleanup to complete. In the meantime a question will come up asking whether you want to clean the registry; answer Yes by pressing Y and Enter. If the computer does not restart by itself, restart it yourself. This time too it should be in Safe Mode. Control Panel - Internet Options - General - Delete Files, tick the box - OK. Restart the computer in normal mode. In your reply, paste the newly created C:\rapport.txt and a new ComboFix log.
lizzy_lini (Author) Posted September 10, 2008 That is what didn't work earlier. I was missing some password. Seems to be different domains. Does it have to be run in Safe Mode? In that case I have to check on it and hope they have it.
Cecilia Posted September 10, 2008 Sorry, see if you can delete these files yourself: C:\WINNT\Tasks\At?.job C:\WINNT\Tasks\At??.job where ? stands for an arbitrary letter. Download Malwarebytes Anti-Malware from one of these links: http://www.malwaresupport.com/mbam/program/mbam-setup.exe http://www.brothersoft.com/download-malwarebytes.-anti-malware-71406.html Double-click mbam-setup.exe to install the program. [log]Tick: Update Malwarebytes' Anti-Malware, Launch Malwarebytes' Anti-Malware. Press Finish. If there is an update, it will be downloaded and installed. When the program starts, choose Perform Quick Scan and press Scan. The scan takes a while. When it is done, press OK and then Show Results. Tick everything and then press Remove Selected. When the removal is done, Notepad opens with a log. Possibly a request to restart the computer (Restart) will appear. In that case, do it. If the program does not start after the restart, start it. If the log does not appear by itself in Notepad, you will find the log on the Logs tab in MBAM. Copy the log and paste it into your reply together with a new ComboFix log.[/log]
lizzy_lini (Author) Posted September 11, 2008 "Sorry, see if you can delete these files yourself:" That was no problem. Logs: [log] Malwarebytes' Anti-Malware 1.28 Databasversion: 1137 Windows 5.0.2195 Service Pack 3 2008-09-11 07:04:00 mbam-log-2008-09-11 (07-04-00).txt Skanningstyp: Snabb skanning Antal skannade objekt: 48628 Förfluten tid: 5 minute(s), 42 second(s) Infekterade minnesprocesser: 1 Infekterade minnesmoduler: 0 Infekterade registernycklar: 3 Infekterade registervärden: 5 Infekterade registerdataposter: 0 Infekterade mappar: 3 Infekterade filer: 112 Infekterade minnesprocesser: C:\WINNT\system32\mshelp.exe (Trojan.Downloader) -> Unloaded process successfully. Infekterade minnesmoduler: (Inga illasinnade poster hittades) Infekterade registernycklar: HKEY_CLASSES_ROOT\CLSID\{22024dc7-d190-44ec-9d49-aee5f244a466} (Rogue.DriveCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{7ec618f2-c506-4221-9f56-792b92bf762e} (Rogue.DriveCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{c4c4786c-9861-46d2-bb63-ac782ab07046} (Rogue.DriveCleaner) -> Quarantined and deleted successfully. Infekterade registervärden: HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\backupwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully. 
Infekterade registerdataposter: (Inga illasinnade poster hittades) Infekterade mappar: C:\Program\DriveCleaner 2006 Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\rhcrjfj0ec9t (Rogue.Multiple) -> Quarantined and deleted successfully. Infekterade filer: C:\7F.tmp (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Activate.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\bnlink.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\lapv.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\license.rtf (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\manual.url (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\pv.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\readme.rtf (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\sr.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\support.url (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\UDC2006.xml (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\UDC6.url (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\UDCPChk.dll (Rogue.DriveCleaner) -> Delete on reboot. C:\Program\DriveCleaner 2006 Free\UDCShell.dll (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\unins000.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. 
C:\Program\DriveCleaner 2006 Free\unins000.exe (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\uninstall.ico (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\updater.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\vbpv.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\AE_CD_Cr.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\AReadr4.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\AReadr5.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\ASDSEEpv.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\ASPack.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\Babylon.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\BDelphi5.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\CatchUp.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\CBuildr5.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\CCGA.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\CManager.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\CuteFTP4.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\CuteHTML.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. 
C:\Program\DriveCleaner 2006 Free\Appbase\DAcceler.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\DiscJug.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\ECDCreat4.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\Far.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\FFTsks.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\FlashFXP.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\FrntPage.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\FrontPEx.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\FtpEXP.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\FtpVoya.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\GetRight.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\GoZilla.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\GravMRU.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\HomeSite.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\HotDogPr.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\H_TxtPad.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\IconExtr.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. 
C:\Program\DriveCleaner 2006 Free\Appbase\iMesh.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\ImgReady3.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\InsShExp.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\JASC_P_P.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\KaZaA.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\LView.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MacDir.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MacDrWea.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MicAng.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MicDes.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MMUnDisk.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MM_CON.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\Morpheus.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MPaint.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MPicPub.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MPImaGal.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MSExplorer.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. 
C:\Program\DriveCleaner 2006 Free\Appbase\MSoffice.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MSRegEdit.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MSWMP.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\MSWordPad.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\Nero.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\NetShow.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\NTBackup.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\pfilelst.xda (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\PhotShel.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\PHPCoder.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\PowerZIP.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\RapidBr.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\RealAuPl.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\RealDown.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\SecurCRT.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\SL_BlWin.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\SmartClr.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. 
C:\Program\DriveCleaner 2006 Free\Appbase\Sonique.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\StuffIt.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\TelepPro.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\UGifAnim.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\UltraEd.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\UMedStud.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\UPhImpV.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\UPhotoEx.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\UVidStud.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\VNC.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\WebFeret.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\WebReap.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\WinACE.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\WinGate.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\WinRAR.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\WinZIP.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\WiseInst.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. 
C:\Program\DriveCleaner 2006 Free\Appbase\wordslst.xda (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\YahooPl.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\DriveCleaner 2006 Free\Appbase\ZipMagic.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully. C:\Program\rhcrjfj0ec9t\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Program\rhcrjfj0ec9t\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Program\rhcrjfj0ec9t\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Program\rhcrjfj0ec9t\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Program\rhcrjfj0ec9t\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Program\rhcrjfj0ec9t\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Program\rhcrjfj0ec9t\rhcrjfj0ec9t.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully. C:\WINNT\system32\mshelp.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINNT\system32\sqla.dll (Trojan.Downloader) -> Quarantined and deleted successfully. ComboFix 08-09-05.14 - NLSTHGR 2008-09-11 7:17:57.2 - NTFSx86 Running from: C:\Documents and Settings\NLSTHGR\Skrivbord\ComboFix.exe * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NSESVC -------\Service_nsesvc ((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 ))))))))))))))))))))))))))))))) . 2008-09-11 07:27 . 54,156 C:\WINNT\QTFont.qfn 2008-09-11 07:27 . 1,409 C:\WINNT\QTFont.for 2008-09-10 23:53 . 08-09-10 23:53 <KAT> d-------- C:\Program\Malwarebytes' Anti-Malware 2008-09-10 23:53 . 
08-09-10 23:53 <KAT> d-------- C:\Documents and Settings\NLSTHGR\Application Data\Malwarebytes 2008-09-10 23:53 . 08-09-10 23:53 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-09-10 23:53 . 08-09-10 00:04 38,528 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys 2008-09-10 23:53 . 08-09-10 00:03 17,200 --a------ C:\WINNT\system32\drivers\mbam.sys 2008-09-10 23:24 . 08-09-10 23:24 1,876 --a------ C:\WINNT\system32\tmp.reg 2008-09-10 23:22 . 07-09-06 00:22 289,144 --a------ C:\WINNT\system32\VCCLSID.exe 2008-09-10 23:22 . 06-04-27 17:49 288,417 --a------ C:\WINNT\system32\SrchSTS.exe 2008-09-10 23:22 . 08-09-08 23:38 88,576 --a------ C:\WINNT\system32\AntiXPVSTFix.exe 2008-09-10 23:22 . 08-09-02 16:51 86,528 --a------ C:\WINNT\system32\VACFix.exe 2008-09-10 23:22 . 08-05-18 21:40 82,944 --a------ C:\WINNT\system32\IEDFix.exe 2008-09-10 23:22 . 08-08-28 22:36 82,432 --a------ C:\WINNT\system32\IEDFix.C.exe 2008-09-10 23:22 . 03-06-05 21:13 53,248 --a------ C:\WINNT\system32\Process.exe 2008-09-10 23:22 . 04-07-31 18:50 51,200 --a------ C:\WINNT\system32\dumphive.exe 2008-09-10 23:22 . 07-10-04 00:36 25,600 --a------ C:\WINNT\system32\WS2Fix.exe 2008-09-10 21:22 . 08-09-10 21:22 127 --a------ C:\WINNT\system32\MRT.INI 2008-09-10 14:27 . 08-09-10 14:27 <KAT> d-------- C:\Documents and Settings\NLSTHGR\Lokala inställningar 2008-09-10 14:27 . 08-09-10 14:27 <KAT> d-------- C:\Documents and Settings\NLSRUGU\Lokala inställningar 2008-09-10 14:27 . 08-09-10 14:27 <KAT> d-------- C:\Documents and Settings\NLSROHA\Lokala inställningar 2008-09-10 14:27 . 08-09-10 14:27 <KAT> d-------- C:\Documents and Settings\NLSMAOB\Lokala inställningar 2008-09-10 14:27 . 08-09-10 14:27 <KAT> d-------- C:\Documents and Settings\NLSCHWA\Lokala inställningar 2008-09-10 14:27 . 08-09-10 14:27 <KAT> d-------- C:\Documents and Settings\Default User\Lokala inställningar 2008-09-10 14:27 . 
08-09-10 14:27 <KAT> d-------- C:\Documents and Settings\Administrator\Lokala inställningar 2008-09-10 14:27 . 08-09-10 14:27 <KAT> d-------- C:\Documents and Settings\Administratör 2008-09-10 14:27 . <KAT> C:\Documents and Settings\Administratör\Lokala inställningar 2008-09-10 14:27 . <KAT> C:\Documents and Settings\Administratör\Lokala inställningar 2008-09-10 12:12 . 08-09-10 12:18 <KAT> d-------- C:\fixwareout 2008-09-10 10:51 . 08-09-10 10:51 <KAT> d-------- C:\Program\Trend Micro . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-17 12:42 --------- d-----w C:\Documents and Settings\NLSTHGR\Application Data\uTorrent 2004-12-06 08:04 19,496 ----a-w C:\Documents and Settings\NLSTHGR\Application Data\GDIPFONTCACHEV1.DAT 2004-01-07 09:15 271 ---h--w C:\Program\desktop.ini 2004-01-07 09:15 22,047 ---h--w C:\Program\folder.htt 2002-08-07 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys . ------- Sigcheck ------- 01-02-20 14:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE . ((((((((((((((((((((((((((((( snapshot@on 2008-09-10_14.23.00.56 ))))))))))))))))))))))))))))))))))))))))) . - 2003-01-13 13:57:58 589,881 -c--a-w C:\WINNT\system32\dllcache\jscript.dll + 2003-01-13 12:57:58 589,881 -c--a-w C:\WINNT\system32\dllcache\jscript.dll - 2003-01-13 13:57:58 589,881 ----a-w C:\WINNT\system32\jscript.dll + 2003-01-13 12:57:58 589,881 ----a-w C:\WINNT\system32\jscript.dll - 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINNT\system32\MRT.exe + 2008-08-26 11:28:14 16,208,504 ----a-w C:\WINNT\system32\MRT.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.Exe" [07-09-04 23:40 6856704] "swg"="C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08-05-14 19:43 68856] "ctfmon.exe"="ctfmon.exe" [01-02-20 14:09 8192 C:\WINNT\system32\CTFMON.EXE] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WinVNC"="C:\Program\TightVNC\WinVNC.exe" [02-11-29 16:39 464384] "QuickTime Task"="C:\Program\QuickTime\qttask.exe" [05-05-31 07:51 77824] "Norman ZANDA"="C:\Norman\Npm\bin\ZLH.EXE" [08-06-02 14:46 273520] "msnappau"="C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe" [04-08-13 18:41 86016] "Synchronization Manager"="mobsync.exe" [02-08-07 19:00 111888 C:\WINNT\system32\mobsync.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "internat.exe"="internat.exe" [02-08-07 19:00 20752 C:\WINNT\system32\internat.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "^SetupICWDesktop"="C:\Program\Internet Explorer\Connection Wizard\icwconn1.exe" [02-08-07 19:00 187152] C:\Documents and Settings\All Users\Start-meny\Program\AutostartMicrosoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system] "NoDispBackgroundPage"= 1 (0x1) "NoDispScrSavPage"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"= mmdrv.dll "vidc.iv31"= C:\WINNT\system32\ir32_32.dll "vidc.iv32"= C:\WINNT\system32\ir32_32.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Aip31.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Aip64.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fmt20.sys] @="Driver" 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gnu07.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gnu42.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gov86.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hpw64.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iqx07.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iqx20.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jqx75.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lsa42.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mtb86.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nvd42.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ovd07.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ovd86.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pxf86.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sah07.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sbi31.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tbi07.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xfm31.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xgn18.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Yho18.sys] @="Driver" . - - - - ORPHANS REMOVED - - - - HKLM-Run-Microsoft Help Process for Win32 Services - mshelp.exe HKLM-RunServices-Microsoft Help Process for Win32 Services - mshelp.exe . ------- Supplementary Scan ------- . 
R0 -: HKCU-Main,Start Page = hxxp://www.laget.se/ R0 -: HKCU-Main,Search Page = hxxp://www.google.com R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie O8 -: E&xportera till Microsoft Excel - C:\Program\MICROS~2\Office10\EXCEL.EXE/3000 O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm O16 -: DirectAnimation Java Classes - file://C:\WINNT\Java\classes\dajava.cab C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd O16 -: Microsoft XML Parser for Java - file://C:\WINNT\Java\classes\xmldso.cab C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd O16 -: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://presentfixer.axiscam.net/activex/AMC.cab C:\WINNT\Downloaded Program Files\setup.inf . . ------- File Associations (Beta) ------- . . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-11 07:27:36 Windows 5.0.2195 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Microsoft Help Process for Win32 Services = mshelp.exe? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-09-11 7:37:20 - machine was rebooted ComboFix-quarantined-files.txt 2008-09-11 05:36:54 ComboFix2.txt 2008-09-10 12:27:08 Pre-Run: 18,580,037,632 bytes free Post-Run: 18,678,104,064 bytes free 182 --- E O F --- 2008-09-10 19:23:23 [/log]
Cecilia Posted September 11, 2008 Are these files present on the computer? If so, they should be somewhere under C:\WINNT. The first file name is Aip31.sys. [log][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Aip31.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Aip64.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fmt20.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gnu07.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gnu42.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gov86.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hpw64.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iqx07.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iqx20.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jqx75.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lsa42.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mtb86.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nvd42.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ovd07.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ovd86.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pxf86.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sah07.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sbi31.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tbi07.sys] @="Driver" 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xfm31.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xgn18.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Yho18.sys] @="Driver" [/log]
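A way to do the check Cecilia asks for mechanically, as an added example that is not part of the thread and not code from ComboFix, HijackThis or Malwarebytes: the script below pulls the SafeBoot\Minimal (and \Network) driver keys out of a ComboFix log in the REGEDIT4 form shown above, flags names that fit the three-letters-two-digits pattern of every entry questioned here (Aip31, Gnu42, Lsa42 and so on), and reports which of them actually have a matching .sys file on disk. The log excerpt inside the block is constructed (two keys copied from the post plus vga.sys, a legitimate Windows 2000 entry that ComboFix normally hides as a default), and the set of files "found on disk" in the demo call is likewise made up. On the affected machine you would pass the real ComboFix.txt and the result of find_sys_files(r"C:\WINNT"); the name pattern is a triage heuristic derived from this one log, not a malware signature.

```python
import os
import re
from typing import Dict, Iterable, List, Set

# Constructed excerpt in the REGEDIT4 form ComboFix uses for "Reg Loading
# Points". The first two keys are copied from the posted log; vga.sys is a
# legitimate Windows 2000 SafeBoot entry added so the heuristic has something
# to pass (ComboFix hides legit default entries, so it is absent from the post).
SAMPLE_COMBOFIX_EXCERPT = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Aip31.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gnu42.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"
"""

# One key per SafeBoot entry. Only subkeys that name a .sys file are of
# interest; class-GUID subkeys (like the USB one above) are skipped.
_SAFEBOOT_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(?:Minimal|Network)\\([^\]\\]+\.sys)\]\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Heuristic only: every entry questioned in the thread is three letters followed
# by two digits. Real Windows drivers rarely look like that, but a match is a
# reason to look closer, not proof of malware.
_GENERATED_NAME = re.compile(r"^[A-Za-z]{3}\d{2}\.sys$")


def safeboot_drivers(log_text: str) -> List[str]:
    """Return the driver file names registered under SafeBoot\\Minimal or \\Network."""
    return _SAFEBOOT_KEY.findall(log_text)


def looks_generated(name: str) -> bool:
    """True when the file name fits the letters+digits pattern seen in the log."""
    return bool(_GENERATED_NAME.match(name))


def find_sys_files(root: str) -> Set[str]:
    """Walk a Windows directory (e.g. C:\\WINNT) and collect .sys names, lowercased.
    Meant to run on the affected machine; the demo below passes a made-up set."""
    found: Set[str] = set()
    for _dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".sys"):
                found.add(f.lower())
    return found


def report(log_text: str, sys_files_on_disk: Iterable[str]) -> Dict[str, List[str]]:
    """Split SafeBoot driver entries into those backed by a file and orphans.

    An orphan key (no file) cannot load anything but shows the cleanup is
    incomplete; a present file with a generated-looking name is the one to
    submit for analysis before deleting it. File name comparison is
    case-insensitive, as on NTFS.
    """
    on_disk = {f.lower() for f in sys_files_on_disk}
    result: Dict[str, List[str]] = {"present": [], "orphan": [], "suspicious": []}
    for drv in safeboot_drivers(log_text):
        bucket = "present" if drv.lower() in on_disk else "orphan"
        result[bucket].append(drv)
        if looks_generated(drv):
            result["suspicious"].append(drv)
    return result


if __name__ == "__main__":
    # On the real machine:
    #   report(open("ComboFix.txt").read(), find_sys_files(r"C:\WINNT"))
    # Here the "files on disk" set is constructed for the demo.
    for kind, names in report(SAMPLE_COMBOFIX_EXCERPT, {"vga.sys", "aip31.sys"}).items():
        print(f"{kind:10s} {', '.join(names) or '-'}")
```

With the constructed inputs, Aip31.sys and vga.sys come out as present, Gnu42.sys as an orphan, and both generated-looking names land in the suspicious list. The point of splitting present from orphan is that the two call for different follow-up: a present file should be hashed and submitted to a multi-engine scanner before anything is deleted, while an orphan key is just leftover registry to be removed once the rest of the cleanup is confirmed.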