
Virtumundo


JörgenÖ


Hi

I seem to have been hit by Virtumundo and have, without much success, tried a few clean-up programs, e.g. Norman Malware Cleaner and VirtumundoBeGone.

I have also had Vundo warnings, but they disappeared after VundoFix.

Just installed HijackThis and am pasting the log file.

Grateful for any help.

 

// Jörgen

 

[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:45:03, on 2008-10-29

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Norman\Npm\bin\ELOGSVC.EXE

C:\Program\Norman\Npm\Bin\Zanda.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

D:\Program\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program\Marratech\MarratechManager3.5\bin\MarratechManager.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Analog Devices\Core\smax4pnp.exe

C:\Program\Analog Devices\SoundMAX\Smax4.exe

C:\Program\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

C:\Program\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

C:\Program\Norman\Npm\bin\ZLH.EXE

C:\Program\QuickTime\QTTask.exe

C:\Program\Creative\Creative Live! Cam\VideoFX\StartFX.exe

C:\Program\Java\jre1.6.0_07\bin\jusched.exe

C:\Program\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

C:\Program\Bredbandsbolaget\Servicecenter\Bredbandsbolaget.exe

D:\Program\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\OpenOffice.org 2.1\program\soffice.exe

C:\Program\OpenOffice.org 2.1\program\soffice.BIN

C:\Program\Norman\Npm\bin\NJEEVES.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\Norman\nse\bin\NSESVC.EXE

C:\WINDOWS\System32\alg.exe

C:\Program\Norman\Nvc\BIN\NIP.EXE

C:\Program\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O1 - Hosts: 217.68.40.65 www.bioraffinaderi.se

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AVFX Engine] C:\Program\Creative\Creative Live! Cam\VideoFX\StartFX.exe

O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program\Essentials Codec Pack\update.exe -silent

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [bredbandsbolaget Servicecenter] "C:\Program\Bredbandsbolaget\Servicecenter\Bredbandsbolaget.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [e8381a83] rundll32.exe "C:\WINDOWS\system32\kjwebpww.dll",b

O4 - HKCU\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - S-1-5-18 Startup: OpenOffice.org 2.1.lnk = C:\Program\OpenOffice.org 2.1\program\quickstart.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: OpenOffice.org 2.1.lnk = C:\Program\OpenOffice.org 2.1\program\quickstart.exe (User 'Default user')

O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program\OpenOffice.org 2.1\program\quickstart.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Free WebSite Tools.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.adobe.com

O15 - Trusted Zone: http://demo10.designtech.se

O15 - Trusted Zone: http://www.designtech.se

O15 - Trusted Zone: http://www.film2home.se

O15 - Trusted Zone: http://www.java.com

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174981152343

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224863466937

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://62.16.100.201/activex/AxisCamControl.cab

O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://snabbt.bredband.com/check/fscax.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: udzqof.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program\Norman\Npm\bin\ELOGSVC.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program\Delade filer\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: Marratech Manager 3.5 8fc899e (Marratech #8fc899e) - Unknown owner - C:\Program\Marratech\MarratechManager3.5\bin\MarratechManager.exe

O23 - Service: Norman NJeeves - Norman ASA - C:\Program\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Program\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Program\Norman\nse\bin\NSESVC.EXE

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 10384 bytes[/log]

 


Download Malwarebytes Anti-Malware (MBAM) from one of these links:

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

http://projects.securitywonks.net/projects/details.php?file=158

Double-click mbam-setup to install the program.

[log]At the end of the installation, make sure the following are ticked:

Update Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware

Press Finish

If there is an update, it will be downloaded and installed.

When the program starts, choose "Perform quick scan" and press Scan.

The scan takes a while.

When it is done, press OK and then "Show results".

Tick everything and then press Remove selected.

When the removal is done, Notepad opens with a log.

You may get a request to restart the computer (Restart). If so, do it.

If the program does not start after the reboot, start it yourself.

If the log does not appear in Notepad by itself, you will find it on the Logs tab in MBAM.

Copy the log and paste it into your reply together with a new HijackThis log.[/log]

 


That was a quick reply... :thumbsup:

MBAM log

 

[log]Malwarebytes' Anti-Malware 1.30

Databasversion: 1335

Windows 5.1.2600 Service Pack 2

 

2008-10-29 11:24:55

mbam-log-2008-10-29 (11-24-55).txt

 

Skanningstyp: Snabb skanning

Antal skannade objekt: 64186

Förfluten tid: 5 minute(s), 25 second(s)

 

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 4

Infekterade registernycklar: 16

Infekterade registervärden: 2

Infekterade registerdataposter: 2

Infekterade mappar: 0

Infekterade filer: 31

 

Infekterade minnesprocesser:

(Inga illasinnade poster hittades)

 

Infekterade minnesmoduler:

C:\WINDOWS\system32\jkkIAQJb.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\udzqof.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\baydrtke.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\bxqmqn.dll (Trojan.Vundo.H) -> Delete on reboot.

 

Infekterade registernycklar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{948ce65c-a459-4726-b2be-c593c9f7eaff} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{948ce65c-a459-4726-b2be-c593c9f7eaff} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ab226254-1468-4c92-91d7-238c289c287c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{ab226254-1468-4c92-91d7-238c289c287c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ab226254-1468-4c92-91d7-238c289c287c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{948ce65c-a459-4726-b2be-c593c9f7eaff} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e9349597-6e81-47f3-b05d-469763764fb7} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{dd153fdb-e2fb-40d2-8e36-f21c36b51dad} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{dd153fdb-e2fb-40d2-8e36-f21c36b51dad} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dd153fdb-e2fb-40d2-8e36-f21c36b51dad} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Infekterade registervärden:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e9349597-6e81-47f3-b05d-469763764fb7} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{dd153fdb-e2fb-40d2-8e36-f21c36b51dad} (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Infekterade registerdataposter:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jkkiaqjb -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jkkiaqjb -> Delete on reboot.

 

Infekterade mappar:

(Inga illasinnade poster hittades)

 

Infekterade filer:

C:\WINDOWS\system32\bxqmqn.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\jkkIAQJb.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\bJQAIkkj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bJQAIkkj.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\udzqof.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\baydrtke.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\wlan32.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cpmwywji.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ipywiwye.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nnnoNeDt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\qoMeDWMe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rrqxqi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vtUomkii.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\awtrRLeE.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\awtuvSjI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gvtgdabx.exe (Trojan.LowZones) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gxlbab.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\urqNDUki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kjwebpww.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sogjkpax.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\briynqhu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pmnmlkHy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ddcCVmki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ddcYqono.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\iifddcaa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\webconf32.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\wlan32.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\service.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\LSASS.EX_ (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.[/log]

 

HijackThis log

[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:31:54, on 2008-10-29

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Norman\Npm\bin\ELOGSVC.EXE

C:\Program\Norman\Npm\Bin\Zanda.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

D:\Program\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Analog Devices\Core\smax4pnp.exe

C:\Program\Analog Devices\SoundMAX\Smax4.exe

C:\Program\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program\Marratech\MarratechManager3.5\bin\MarratechManager.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

C:\Program\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

C:\Program\Norman\Npm\bin\ZLH.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program\QuickTime\QTTask.exe

C:\Program\Creative\Creative Live! Cam\VideoFX\StartFX.exe

C:\Program\Java\jre1.6.0_07\bin\jusched.exe

C:\Program\Bredbandsbolaget\Servicecenter\Bredbandsbolaget.exe

D:\Program\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe

C:\Program\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program\OpenOffice.org 2.1\program\soffice.exe

C:\Program\OpenOffice.org 2.1\program\soffice.BIN

C:\Program\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

C:\Program\Norman\Npm\bin\NJEEVES.EXE

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program\Norman\nse\bin\NSESVC.EXE

C:\WINDOWS\System32\alg.exe

C:\Program\Norman\Nvc\bin\nvcoas.exe

C:\Program\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Program\Norman\Nvc\BIN\NIP.EXE

C:\Program\Norman\Nvc\bin\cclaw.exe

C:\Program\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program\Mozilla Firefox\firefox.exe

C:\Program\Outlook Express\msimn.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O1 - Hosts: 217.68.40.65 www.bioraffinaderi.se

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AVFX Engine] C:\Program\Creative\Creative Live! Cam\VideoFX\StartFX.exe

O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program\Essentials Codec Pack\update.exe -silent

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [bredbandsbolaget Servicecenter] "C:\Program\Bredbandsbolaget\Servicecenter\Bredbandsbolaget.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Nero\Lib\NeroCheck.exe

O4 - HKCU\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - S-1-5-18 Startup: OpenOffice.org 2.1.lnk = C:\Program\OpenOffice.org 2.1\program\quickstart.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: OpenOffice.org 2.1.lnk = C:\Program\OpenOffice.org 2.1\program\quickstart.exe (User 'Default user')

O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program\OpenOffice.org 2.1\program\quickstart.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Free WebSite Tools.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.adobe.com

O15 - Trusted Zone: http://demo10.designtech.se

O15 - Trusted Zone: http://www.designtech.se

O15 - Trusted Zone: http://www.film2home.se

O15 - Trusted Zone: http://www.java.com

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174981152343

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224863466937

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://62.16.100.201/activex/AxisCamControl.cab

O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://snabbt.bredband.com/check/fscax.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: bxqmqn.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program\Norman\Npm\bin\ELOGSVC.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program\Delade filer\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: Marratech Manager 3.5 8fc899e (Marratech #8fc899e) - Unknown owner - C:\Program\Marratech\MarratechManager3.5\bin\MarratechManager.exe

O23 - Service: Norman NJeeves - Norman ASA - C:\Program\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Program\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Program\Norman\nse\bin\NSESVC.EXE

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 10947 bytes[/log]

 


Scan with HijackThis and tick:

O20 - AppInit_DLLs: bxqmqn.dll

Close all other programs.

Press Fix checked.

Restart the computer and check for yourself that the line above is gone from a new HijackThis log.

How is the computer behaving now?
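As an added example (not code from the thread or from either tool), the checks the helper applied by eye, written as a small Python triage script: it parses HijackThis-format lines, flags a non-empty O20 AppInit_DLLs value and O4 Run entries that start rundll32 with a random-looking hex value name or a one-letter export, and cross-references an MBAM "Infected files" excerpt to show which reported files a later HijackThis log still references (as bxqmqn.dll, marked "Delete on reboot", did here). The heuristics and the sample lines are assumptions constructed from the entries in this thread, not a general Vundo signature.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample of HijackThis v2 lines: the two malicious entries from the
# thread above plus benign ones, as if captured right after the MBAM run.
HJT_AFTER_MBAM = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [e8381a83] rundll32.exe "C:\WINDOWS\system32\kjwebpww.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: bxqmqn.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed excerpt of the MBAM "Infected files" block posted in the thread.
MBAM_EXCERPT = r"""
C:\WINDOWS\system32\bxqmqn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kjwebpww.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^(?P<hive>.+?)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_CMD = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*(?:,\s*(?P<entry>\S*))?', re.I
)
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.I)  # assumption: names like 'e8381a83'
MBAM_FILE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
FILE_REF = re.compile(r"[\w~-]+\.(?:dll|exe)", re.I)

@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str

def parse_hjt(text: str) -> list[tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs; non-entry lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            pairs.append((m["sec"], m["body"]))
    return pairs

def triage_hjt(text: str) -> list[Finding]:
    """Flag O20/O4 entries matching the Vundo-style patterns seen in this thread."""
    findings = []
    for sec, body in parse_hjt(text):
        line = f"{sec} - {body}"
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:  # AppInit_DLLs is loaded into every process that maps user32.dll
                findings.append(Finding(sec, line, f"AppInit_DLLs is set to {value!r}; it is normally empty"))
        elif sec == "O4":
            run = RUN_ENTRY.match(body)
            cmd = RUNDLL_CMD.match(run["cmd"]) if run else None
            if not cmd:
                continue
            reasons = []
            if HEX_NAME.match(run["name"]):
                reasons.append(f"Run value name {run['name']!r} is a random-looking hex string")
            if cmd["entry"] is not None and len(cmd["entry"]) <= 1:
                reasons.append(f"rundll32 calls a one-letter export {cmd['entry']!r} in {cmd['dll']}")
            if reasons:
                findings.append(Finding(sec, line, "; ".join(reasons)))
    return findings

def parse_mbam_files(text: str) -> dict[str, tuple[str, str]]:
    """Map lower-cased file name -> (family, action) for each file line in an MBAM log."""
    reported = {}
    for raw in text.splitlines():
        m = MBAM_FILE.match(raw.strip())
        if m:
            reported[PureWindowsPath(m["path"]).name.lower()] = (m["family"], m["action"])
    return reported

def still_referenced(hjt_text: str, mbam_text: str) -> list[tuple[str, str, str]]:
    """(file name, MBAM action, HijackThis line) for each reported file a later log still names."""
    # 'Delete on reboot' hits are expected until the restart; anything else is a stale autostart.
    reported = parse_mbam_files(mbam_text)
    hits = []
    for sec, body in parse_hjt(hjt_text):
        for ref in FILE_REF.findall(body):
            if ref.lower() in reported:
                hits.append((ref.lower(), reported[ref.lower()][1], f"{sec} - {body}"))
    return hits

if __name__ == "__main__":
    for f in triage_hjt(HJT_AFTER_MBAM):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    for name, action, line in still_referenced(HJT_AFTER_MBAM, MBAM_EXCERPT):
        print(f"{name}: MBAM said '{action}', still referenced by: {line}")
```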

 


The line "O20 - AppInit_DLLs: bxqmqn.dll" is gone.

Automatic Updates, which had been impossible to get going, now works. The antivirus program has been quiet so far, and no pop-up ads have shown up yet.

A clear improvement. :thumbsup:

 
