
help, virus


Yas000


Got rid of a virus with Nod32, but there is still one left in system32, named C:\WINDOWS\system32\rqRiHyYS.dll

How do I go about it? I have Win XP!

/Thomas

 


Let's see whether HijackThis shows anything, to start with:

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Install it, start it and choose "Do a system scan and save a logfile"; copy the log that comes up (nothing else).

In your reply, attach the HijackThis log like this:

Press the LOG button in the Reply window

Paste the log

Press the LOG button again

 


Thanks Cecilia, but I can't get onto that page from this computer:

Anslutningen avbröts

Anslutningen till servern återställdes under hämtningen av sidan.

Nätverkslänken avbröts under anslutningsförsöket.

Försök igen.

 


Oh dear, is the computer that badly infected?

Then let's see if this works. Download SDFix to the Desktop:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double-click SDFix.exe and a new folder is created, C:\SDFix.

Restart the computer in Safe Mode (press F8 repeatedly during startup and choose Safe Mode from the menu).

Open the new folder C:\SDFix and double-click RunThis.bat to start the program.

Press Y to continue.

It works for a while, and when it is done a prompt appears asking whether you want to restart the computer.

Press any key to begin the restart.

The computer will take a long time to start up, because the program will run and fix a lot of things.

When it is done, Finished is displayed.

Press any key to exit the program.

Open the SDFix folder and open the file Report.txt in Notepad.

Paste the contents of the file into your reply here.

Create a new HijackThis log, if that works now, and paste it here.

 


Can't connect as soon as it's a program of this kind, but ordinary pages I can get to??

The address you gave works when I try it on my boy's computer, but not, as I said, on mine. Shame you can't transfer it *L*...

What to do, is formatting the only option left, or??

 


Can you fetch e-mail on the computer that has the problem?

Can you download the file on your boy's computer, e-mail it to yourself and fetch the e-mail on the problem computer?

We're not giving up yet! :thumbsup:

 


No, SDFix doesn't usually remove everything, but it is good at removing the worst files and restoring settings.

Open the SDFix folder and open the file Report.txt in Notepad.

Paste the contents of the file into your reply here.

Create a new HijackThis log and paste it here.

 


[log]

SDFix: Version 1.219

Run by User on 2008-09-20 at 16:18

 

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\Documents and Settings\User\Skrivbord\SDFix

 

Checking Services :

 

 

Restoring Default Security Values

Restoring Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\system32\rqRiHyYS.dll - Deleted

C:\WINDOWS\EDKA.EXE - Deleted

C:\Documents and Settings\All Users\Start-meny\Program\AdvancedCleaner Free\AdvancedCleaner Support Online.lnk - Deleted

C:\Documents and Settings\All Users\Start-meny\Program\AdvancedCleaner Free\AdvancedCleaner webbsida.lnk - Deleted

C:\Documents and Settings\All Users\Start-meny\Program\AdvancedCleaner Free\AdvancedCleaner.lnk - Deleted

C:\Documents and Settings\All Users\Start-meny\Program\AdvancedCleaner Free\Avinstallera AdvancedCleaner.lnk - Deleted

C:\Documents and Settings\All Users\Start-meny\Program\AdvancedCleaner Free\Manual AdvancedCleaner.lnk - Deleted

C:\Documents and Settings\User\Lokala inst„llningar\Temp\utt218C.tmp.exe - Deleted

C:\Documents and Settings\User\Application Data\TmpRecentIcons\AdvancedCleaner Free.lnk - Deleted

C:\Documents and Settings\User\Favoriter\Error Cleaner.url - Deleted

C:\Documents and Settings\User\Skrivbord\Error Cleaner.url - Deleted

C:\Documents and Settings\User\Favoriter\Privacy Protector.url - Deleted

C:\Documents and Settings\User\Skrivbord\Privacy Protector.url - Deleted

C:\Documents and Settings\User\Favoriter\Spyware&Malware Protection.url - Deleted

C:\Documents and Settings\User\Skrivbord\Spyware&Malware Protection.url - Deleted

C:\Program\AdvancedCleaner Free\acu.dat - Deleted

C:\Program\AdvancedCleaner Free\appAct.dat - Deleted

C:\Program\AdvancedCleaner Free\appv.dat - Deleted

C:\Program\AdvancedCleaner Free\atl71.dll - Deleted

C:\Program\AdvancedCleaner Free\InstStat.exe - Deleted

C:\Program\AdvancedCleaner Free\lapv.dat - Deleted

C:\Program\AdvancedCleaner Free\license.rtf - Deleted

C:\Program\AdvancedCleaner Free\manual.url - Deleted

C:\Program\AdvancedCleaner Free\mfc71.dll - Deleted

C:\Program\AdvancedCleaner Free\msvcp71.dll - Deleted

C:\Program\AdvancedCleaner Free\msvcr71.dll - Deleted

C:\Program\AdvancedCleaner Free\naglinks.dat - Deleted

C:\Program\AdvancedCleaner Free\readme.rtf - Deleted

C:\Program\AdvancedCleaner Free\req.dat - Deleted

C:\Program\AdvancedCleaner Free\request.dat - Deleted

C:\Program\AdvancedCleaner Free\support.url - Deleted

C:\Program\AdvancedCleaner Free\transformer.dat - Deleted

C:\Program\AdvancedCleaner Free\UADC.xml - Deleted

C:\Program\AdvancedCleaner Free\UADCSE.url - Deleted

C:\Program\AdvancedCleaner Free\unins000.dat - Deleted

C:\Program\AdvancedCleaner Free\unins000.exe - Deleted

C:\Program\AdvancedCleaner Free\uninstall.ico - Deleted

C:\Program\AdvancedCleaner Free\upser.dat - Deleted

C:\Program\AdvancedCleaner Free\AppDB\AppBase.xml - Deleted

C:\Program\AdvancedCleaner Free\AppDB\profiles.dat - Deleted

C:\Program\AdvancedCleaner Free\AppDB\prowords.dat - Deleted

C:\DOCUME~1\User\LOKALA~1\Temp\lwpwer.exe.bat - Deleted

C:\DOCUME~1\User\LOKALA~1\Temp\smchk.exe.bat - Deleted

C:\DOCUME~1\User\LOKALA~1\Temp\windfr.exe.bat - Deleted

C:\WINDOWS\system32\msliksurcredo.dll - Deleted

C:\WINDOWS\system32\msliksurdns.dll - Deleted

C:\WINDOWS\system32\drivers\tdssserv.sys - Deleted

C:\WINDOWS\system32\tdssinit.dll - Deleted

C:\WINDOWS\system32\tdssl.dll - Deleted

C:\WINDOWS\system32\tdsslog.dll - Deleted

C:\WINDOWS\system32\tdssmain.dll - Deleted

C:\WINDOWS\system32\tdssservers.dat - Deleted

 

 

 

Folder C:\Documents and Settings\User\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed

Folder C:\Documents and Settings\All Users\Start-meny\Program\AdvancedCleaner Free - Removed

Folder C:\Program\AdvancedCleaner Free - Removed

Folder C:\Program\Helper - Removed

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-20 16:30:39

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv]

"start"=dword:00000001

"type"=dword:00000001

"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv]

"start"=dword:00000001

"type"=dword:00000001

"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv]

"start"=dword:00000001

"type"=dword:00000001

"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program\\World of Warcraft\\WoW-1.12.0-enGB-downloader.exe"="C:\\Program\\World of Warcraft\\WoW-1.12.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader"

"C:\\Program\\World of Warcraft\\Repair.exe"="C:\\Program\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"

"C:\\Program\\World of Warcraft\\Launcher.exe"="C:\\Program\\World of Warcraft\\Launcher.exe:*:Enabled:World of Warcraft"

"C:\\Program\\uTorrent\\uTorrent.exe"="C:\\Program\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"

"C:\\Program\\Microsoft Games\\Age of Mythology\\aomx.exe"="C:\\Program\\Microsoft Games\\Age of Mythology\\aomx.exe:*:Enabled:Age of Mythology - The Titans Expansion"

"C:\\Program\\Dassault Systemes\\B16\\intel_a\\code\\bin\\orbixd.exe"="C:\\Program\\Dassault Systemes\\B16\\intel_a\\code\\bin\\orbixd.exe:*:Enabled:orbixd"

"C:\\Program\\Dassault Systemes\\B16\\intel_a\\code\\bin\\CNEXT.exe"="C:\\Program\\Dassault Systemes\\B16\\intel_a\\code\\bin\\CNEXT.exe:*:Enabled:CATIA"

"C:\\Program\\Microsoft Games\\Halo Trial\\halo.exe"="C:\\Program\\Microsoft Games\\Halo Trial\\halo.exe:*:Enabled:Halo"

"C:\\Program\\Warcraft III\\Warcraft III.exe"="C:\\Program\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"

"C:\\Program\\Warcraft III\\War3.exe"="C:\\Program\\Warcraft III\\War3.exe:*:Enabled:Warcraft III"

"C:\\Documents and Settings\\User\\Skrivbord\\LieroX_v0.56_Pack_1.9\\LieroX v0.56 Pack 1.9\\LieroX.exe"="C:\\Documents and Settings\\User\\Skrivbord\\LieroX_v0.56_Pack_1.9\\LieroX v0.56 Pack 1.9\\LieroX.exe:*:Enabled:LieroX"

"C:\\Soldat\\Soldat.exe"="C:\\Soldat\\Soldat.exe:*:Enabled:Soldat"

"C:\\Program\\Valve\\Steam\\SteamApps\\thom931\\counter-strike\\hl.exe"="C:\\Program\\Valve\\Steam\\SteamApps\\thom931\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program\\Valve\\Steam\\SteamApps\\thom931\\condition zero deleted scenes\\hl.exe"="C:\\Program\\Valve\\Steam\\SteamApps\\thom931\\condition zero deleted scenes\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program\\Valve\\Steam\\SteamApps\\thom931\\day of defeat\\hl.exe"="C:\\Program\\Valve\\Steam\\SteamApps\\thom931\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program\\Valve\\Steam\\SteamApps\\thom931\\condition zero\\hl.exe"="C:\\Program\\Valve\\Steam\\SteamApps\\thom931\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program\\Skype\\Phone\\Skype.exe"="C:\\Program\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"C:\\Program\\Valve\\Steam\\Steam.exe"="C:\\Program\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"

"C:\\Program\\Valve\\Steam\\SteamApps\\thom931\\ricochet\\hl.exe"="C:\\Program\\Valve\\Steam\\SteamApps\\thom931\\ricochet\\hl.exe:*:Disabled:Half-Life Launcher"

"C:\\Program\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"

"C:\\Documents and Settings\\User\\Skrivbord\\fun_maze_cbble\\steamapps\\thom931\\condition zero\\hl.exe"="C:\\Documents and Settings\\User\\Skrivbord\\fun_maze_cbble\\steamapps\\thom931\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"

"F:\\Program\\Steam\\steamapps\\thom931\\counter-strike\\hl.exe"="F:\\Program\\Steam\\steamapps\\thom931\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"F:\\Program\\Steam\\steamapps\\thom931\\condition zero deleted scenes\\hl.exe"="F:\\Program\\Steam\\steamapps\\thom931\\condition zero deleted scenes\\hl.exe:*:Enabled:Half-Life Launcher"

"F:\\Program\\Steam\\steamapps\\thom931\\condition zero\\hl.exe"="F:\\Program\\Steam\\steamapps\\thom931\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program\\Mozilla Firefox\\firefox.exe"="C:\\Program\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"

"F:\\Program\\Steam\\steamapps\\azzhole1\\condition zero\\hl.exe"="F:\\Program\\Steam\\steamapps\\azzhole1\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"

"F:\\Program\\Steam\\steamapps\\azzhole1\\counter-strike\\hl.exe"="F:\\Program\\Steam\\steamapps\\azzhole1\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"F:\\Program\\Steam\\steamapps\\alleg_sweden\\condition zero\\hl.exe"="F:\\Program\\Steam\\steamapps\\alleg_sweden\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program\\Bonjour\\mDNSResponder.exe"="C:\\Program\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

"C:\\Program\\iTunes\\iTunes.exe"="C:\\Program\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program\\Windows Live\\Messenger\\livecall.exe"="C:\\Program\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program\\Windows Live\\Messenger\\livecall.exe"="C:\\Program\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

 

Remaining Files :

 

 

File Backups: - C:\DOCUME~1\User\SKRIVB~1\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Wed 22 Dec 2004 76,568 ..SHR --- "C:\Program\Autodesk\Autodesk DWF Viewer\Setup.exe"

Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program\Autodesk\Autodesk DWF Viewer\_Setupx.dll"

Fri 30 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\User\Application Data\U3\temp\Launchpad Removal.exe"

 

Finished!

[/log]

 


Download Malwarebytes Anti-Malware from one of these links:

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

http://projects.securitywonks.net/projects/details.php?file=158

Double-click mbam-setup.exe to install the program.

[log]Check:

Update Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware

Press Finish

If there is an update, it will be downloaded and installed.

When the program starts, choose Perform Quick Scan and press Scan.

The scan takes a while.

When it is done, press OK and then Show Results.

Check everything and then press Remove Selected.

When the removal is done, Notepad opens with a log.

A request to restart the computer (Restart) may come up. If so, do it.

If the program doesn't start after the reboot, start it yourself.

If the log doesn't open by itself in Notepad, you'll find it on the Logs tab in MBAM.

Copy the log and paste it into your reply together with a new HijackThis log.[/log]

 


You mean redo the procedure of starting in Safe Mode and running the SDFix program to get a new Report.txt in Notepad?

 


[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:18:40, on 2008-09-27

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program\Java\jre1.6.0_07\bin\jusched.exe

C:\Program\Creative\Shared Files\CAMTRAY.EXE

C:\Program\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program\iTunes\iTunesHelper.exe

C:\Program\Delade filer\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program\Windows Desktop Search\WindowsSearch.exe

C:\Program\WinZip\WZQKPICK.EXE

C:\Program\SolidWorks (2)\SolidWorks\swScheduler\swBOEngine.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\system32\WgaTray.exe

C:\DOCUME~1\User\LOKALA~1\Temp\SolidWorksLicTemp.0001

C:\Program\Delade filer\SolidWorks Shared\Service\SolidWorksLicensing.exe

C:\Program\Windows Live\Messenger\usnsvc.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: {b595b425-9f1e-768a-b0b4-a88462af01c0} - {0c10fa26-488a-4b0b-a867-e1f9524b595b} - (no file)

O2 - BHO: (no name) - {474303C3-0884-48D4-8991-E5F150AB85E1} - C:\WINDOWS\system32\pmnmjIXr.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program\Creative\Shared Files\CAMTRAY.EXE

O4 - HKLM\..\Run: [egui] "C:\Program\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\Program\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL,UPF

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [solidWorks_CheckForUpdates] "C:\Program\Delade filer\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [steam] "F:\Program\Steam\Steam.exe" -silent

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program\SolidWorks (2)\SolidWorks\swScheduler\swBOEngine.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program\Delade filer\Autodesk Shared\acstart16.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program\Windows Desktop Search\WindowsSearch.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195216767625

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.0.0.1

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 10.0.0.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.0.0.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: xlxjkg.dll gafsoa.dll

O22 - SharedTaskScheduler: didact - {747e1fbe-b70f-441d-bbca-6e536c04924a} - (no file)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe

O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Program\CDBurnerXP\NMSAccessU.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program\Delade filer\SolidWorks Shared\Service\SolidWorksLicensing.exe

 

--

End of file - 10115 bytes[/log]

 


O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Read about that line at

http://www.bleepingcomputer.com/startups/alcmtr-240.html

 

Scan with HijackThis and check:

 

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: {b595b425-9f1e-768a-b0b4-a88462af01c0} - {0c10fa26-488a-4b0b-a867-e1f9524b595b} - (no file)

O2 - BHO: (no name) - {474303C3-0884-48D4-8991-E5F150AB85E1} - C:\WINDOWS\system32\pmnmjIXr.dll (file missing)

O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\Program\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL,UPF

O20 - AppInit_DLLs: xlxjkg.dll gafsoa.dll

O22 - SharedTaskScheduler: didact - {747e1fbe-b70f-441d-bbca-6e536c04924a} - (no file)

 

Close all other programs.

Press Fix checked.

Restart the computer and check for yourself that the lines above are gone from a new HijackThis log.
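The lines picked out above follow a few patterns that can be checked mechanically: a registration whose target file is gone, a non-empty AppInit_DLLs value, and rundll32 loading a DLL from outside the Windows directory. The script below is an added example, not code from this thread or from HijackThis; the sample lines are copied from the log posted above, and the Windows-directory prefixes are an assumption for an XP install on C:.

```python
"""Triage helper for HijackThis log lines.

Flags the kinds of entries a helper reviews first: orphaned registrations,
AppInit_DLLs injection, and rundll32 loading a DLL from an unusual place.
It removes nothing; it only points at lines that deserve a second look.
"""
import re

# Sample input constructed from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: {b595b425-9f1e-768a-b0b4-a88462af01c0} - {0c10fa26-488a-4b0b-a867-e1f9524b595b} - (no file)
O2 - BHO: (no name) - {474303C3-0884-48D4-8991-E5F150AB85E1} - C:\WINDOWS\system32\pmnmjIXr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\Program\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL,UPF
O20 - AppInit_DLLs: xlxjkg.dll gafsoa.dll
O22 - SharedTaskScheduler: didact - {747e1fbe-b70f-441d-bbca-6e536c04924a} - (no file)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Assumed Windows-directory prefixes for an XP install on C: (compared in
# upper case). A DLL that rundll32 loads from anywhere else gets flagged.
WINDOWS_PREFIXES = ("C:\\WINDOWS\\", "%SYSTEMROOT%\\", "%WINDIR%\\")

ENTRY_RE = re.compile(r"^(R\d|O\d+) - ")
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^,"]+\.dll)', re.IGNORECASE)


def classify(line):
    """Return (reason, severity) when a HijackThis line deserves review, else None."""
    line = line.rstrip()
    m = ENTRY_RE.match(line)
    if not m:
        return None  # header, process list or blank line
    section = m.group(1)
    # A hook whose target file is gone: either a leftover of a removed
    # component or, as with pmnmjIXr.dll here, a loader a scanner deleted.
    if ORPHAN_RE.search(line):
        return ("registration points at a file that no longer exists", "medium")
    # AppInit_DLLs is loaded into every process that maps user32.dll, so any
    # non-empty value is a system-wide injection point.
    if section == "O20" and "AppInit_DLLs:" in line:
        dlls = line.split("AppInit_DLLs:", 1)[1].split()
        if dlls:
            return (f"AppInit_DLLs loads {', '.join(dlls)} into every GUI process", "high")
    # A BHO announced only by a CLSID has no product name to vouch for it.
    if section == "O2" and line.startswith("O2 - BHO: {"):
        return ("BHO registered without a readable name", "medium")
    # Run entries via rundll32: a DLL outside the Windows directory (the
    # MyWebSearch plugin here) is worth a look; NvCpl.dll under system32 is not.
    if section == "O4":
        rm = RUNDLL_RE.search(line)
        if rm and not rm.group(1).upper().startswith(WINDOWS_PREFIXES):
            return ("rundll32 loads a DLL from outside the Windows directory", "medium")
    return None


def triage(log_text):
    """Return the flagged entries, each as a dict with line, reason and severity."""
    findings = []
    for raw in log_text.splitlines():
        hit = classify(raw)
        if hit:
            findings.append({"line": raw.rstrip(), "reason": hit[0], "severity": hit[1]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['line']}\n    {f['reason']}")
```

Run against the constructed sample it flags exactly the six lines the helper asked to have fixed and leaves the Yahoo, Java, ESET and NVIDIA entries alone.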

 

 
