virus/spyware problem

17 november, 2008

Hej. Försöker nu fixa syrrans dator.Nåt som heter windowsmediagateway har lagt sig i autostarten.Har vart inne i msconfig och försökt klicka bort det och raderat allt i registret om den men det funkar inte.

Datorn har också börjat öpnna program mappen vid uppstart vilket den inte gjort tidigare.Troligen bara för att detta windowsmediagateway ska ligga i program files men inte ligger där. bifogar hijack log härunder.

[log] Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:34:27, on 2008-11-17

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\AVG\AVG8\avgtray.exe

C:\WINDOWS\Nhksrv.exe

C:\Program\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\id2scaps.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/se/sve/gen/default.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR'>http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157'>http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896'>http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Tele2 Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://login1.telia.com;http://10.0.0.6;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program\AVG\AVG8\avgtoolbar.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program\AVG\AVG8\avgtoolbar.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\Program\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\RunServices: [sountskmanager] sountaskmgr

O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe

O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe

O4 - HKLM\..\RunServices: [File System Service] wmiprvsc.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Öppna på ny flik i bakgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/229?39d94cfdc62b4ca9b395c8a2426fc87

O8 - Extra context menu item: Öppna på ny flik i förgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/230?39d94cfdc62b4ca9b395c8a2426fc87

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O14 - IERESET.INF: START_PAGE_URL=http://login1.telia.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/se/win/QuickTimeInstaller.exe

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: NVDESK32.DLL,avgrsstx.dll

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program\AVG\AVG8\avgwdsvc.exe

O23 - Service: iD2 Smart Card Server (id2scaps) - iD2 Technologies - C:\WINDOWS\system32\id2scaps.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--

End of file - 7334 bytes

[/log]

Har laddat hem combofix.

[inlägget ändrat 2008-11-17 14:47:46 av couchboy]

17 november, 2008

[log]Ladda ner ComboFix på Skrivbordet:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Dra ur internetanslutningen och stäng av alla program du ser inklusive antivirusprogram, antispionprogram och brandvägg, alternativt starta om datorn i felsäkert läge.

Kör ComboFix och följ anvisningarna som visas.

VIKTIGT! Klicka inte på ComboFix-fönstret med musen när den körs annars kan den hänga upp sig.

När den är färdig så ska en logg komma upp, bifoga den till ditt svar. Kontrollera att antivirusprogram och brandvägg är igång innan du ansluter till internet.

Om du får problem med att komma ut på internet:

Kontrollpanelen - Nätverksanslutningar

högerklicka på din internetanslutning och välj Reparera och/eller starta om datorn.

Varning! ComboFix förhindrar automatisk körning av CD, disketter och USB-enheter för att göra det lättare att rensa datorn och skydda datorn mot infektioner i framtiden. Det kan bli problem t ex om datorn har internet via ett USB-modem eller USB-nätverkskort. Säg då till i stället för att köra ComboFix[/log]

17 november, 2008

Har laddat ner combofix på skrivbordet. vad säger hijack this loggen?

ska jag köra combofix nu eller ska jag göra nåt innan jag kör den.

17 november, 2008

Kör Combofix

17 november, 2008

Surfa hit http://www.pekspro.com/pmfix.html för att fixa till

programmappen

17 november, 2008

Har nu kört combofix.Efter körning kom spybot igång och fråga allow eller inte på massa "value deleted.tryckte allow på alla.

loggen följer här.

[log]ComboFix 08-11-16.05 - Ägaren 2008-11-17 15:16:33.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1053.18.215 [GMT 1:00]

Running from: c:\documents and settings\Ägaren\Skrivbord\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Ägaren\Lokala inställningar\Temporary Internet Files\ijjistarter_verinfo.dat

c:\program\INSTALL.LOG

c:\windows\Readme.txt

c:\windows\system32\MSINET.oca

.

((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))

.

2008-11-17 14:33 . 2008-11-17 14:33 <KAT> d-------- c:\program\Trend Micro

2008-11-16 15:16 . 2008-11-16 15:16 <KAT> d-------- C:\fsaua.data

2008-11-15 17:13 . 2008-11-15 17:13 <KAT> d-------- c:\windows\SYSTEM32\sv

2008-11-15 17:13 . 2008-11-15 17:13 <KAT> d-------- c:\windows\l2schemas

2008-11-13 11:00 . 2008-10-24 12:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys

2008-10-28 23:06 . 2008-10-15 17:38 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll

2008-10-19 19:51 . 2008-08-14 14:27 2,189,952 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe

2008-10-19 19:51 . 2008-08-14 14:27 2,146,304 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe

2008-10-19 19:51 . 2008-08-14 14:27 2,066,816 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe

2008-10-19 19:51 . 2008-08-14 14:27 2,024,960 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe

2008-10-19 19:51 . 2008-09-15 16:27 1,846,400 --------- c:\windows\SYSTEM32\DLLCACHE\win32k.sys

2008-10-19 19:51 . 2008-09-08 11:41 333,824 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-15 20:33 --------- d-----w c:\documents and settings\Ägaren\Application Data\uTorrent

2008-11-15 16:25 --------- d-----w c:\program\Spybot - Search & Destroy

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-03 17:26 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll

2008-09-30 15:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll

2008-09-18 18:56 --------- d-----w c:\program\Support Software

2008-09-18 17:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-09-18 16:38 --------- d-----w c:\program\Delade filer\Adobe

2008-09-18 16:33 --------- d-----w c:\documents and settings\Ägaren\Application Data\AdobeUM

2008-09-15 15:27 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys

2008-09-10 01:16 1,307,648 ------w c:\windows\SYSTEM32\msxml6.dll

2008-09-10 01:16 1,307,648 ------w c:\windows\SYSTEM32\DLLCACHE\msxml6.dll

2008-09-04 17:17 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll

2008-09-04 17:17 1,106,944 ------w c:\windows\SYSTEM32\DLLCACHE\msxml3.dll

2008-08-27 09:27 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll

2008-08-26 08:27 826,368 ----a-w c:\windows\SYSTEM32\wininet.dll

2008-08-26 08:27 826,368 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll

2008-08-26 08:27 671,232 ----a-w c:\windows\SYSTEM32\DLLCACHE\mstime.dll

2008-08-26 08:27 477,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll

2008-08-26 08:27 44,544 ----a-w c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll

2008-08-26 08:27 233,472 ------w c:\windows\SYSTEM32\DLLCACHE\webcheck.dll

2008-08-26 08:27 193,024 ----a-w c:\windows\SYSTEM32\DLLCACHE\msrating.dll

2008-08-26 08:27 105,984 ------w c:\windows\SYSTEM32\DLLCACHE\url.dll

2008-08-26 08:27 102,912 ------w c:\windows\SYSTEM32\DLLCACHE\occache.dll

2008-08-26 08:27 1,159,680 ----a-w c:\windows\SYSTEM32\DLLCACHE\urlmon.dll

2008-08-25 08:43 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe

2008-08-25 08:38 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe

2008-08-23 05:56 635,848 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe

2008-08-23 05:54 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll

2005-04-05 23:19 79,688 ----a-w c:\documents and settings\Ägaren\Application Data\GDIPFONTCACHEV1.DAT

2004-01-24 23:01 1,336,832 ----a-w c:\program\ventrilo-2.1.4-Windows-i386.exe

2003-01-07 02:24 1,878 ----a-w c:\program\eb_inact.ico

2003-01-07 02:24 1,878 ----a-w c:\program\eb_act.ico

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"SpybotSD TeaTimer"="c:\program\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="c:\program\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 170496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"sountskmanager"="sountaskmgr" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=NVDESK32.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.dvsd"= dvc.dll

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.VP31"= vp31vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Personal.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Personal.lnk

backup=c:\windows\pss\Personal.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ägaren^Start-meny^Program^Autostart^ubisoft register.lnk]

path=c:\documents and settings\Ägaren\Start-meny\Program\Autostart\ubisoft register.lnk

backup=c:\windows\pss\ubisoft register.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

--a------ 2001-09-04 22:31 655360 c:\program\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]

--a------ 2001-09-23 14:14 163840 c:\windows\DellMMKb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2008-04-14 17:05 1695232 c:\program\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2004-04-23 07:47 98304 c:\program\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2000-10-16 09:37 32768 c:\windows\SYSTEM32\rmctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2004-08-27 14:23 180269 c:\program\Delade filer\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TraySantaCruz]

--a------ 2001-08-29 23:17 307200 c:\windows\SYSTEM32\tbctray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a------ 2003-08-19 01:01 110592 c:\program\Delade filer\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2003-10-06 14:16 741376 c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"usnjsvc"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program\\ICQ\\Icq.exe"=

"c:\\Program\\messenger\\msmsgs.exe"=

"c:\\Program\\Java\\j2re1.4.2\\bin\\javaw.exe"=

"c:\\Program\\realplay.exe"=

"c:\\Program\\utorrent\\utorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program\\Skype\\Phone\\Skype.exe"=

"c:\\Program\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

"c:\\ijji\\ENGLISH\\u_skid.exe"=

"c:\\Program\\DriftCity\\DriftCity.exe"=

"c:\\Program\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program\\Windows Live\\Messenger\\livecall.exe"=

"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-27 97928]

R1 cmosa;cmosa;c:\windows\system32\DRIVERS\cmosa.sys [2001-11-22 29344]

R2 avg8wd;AVG8 WatchDog;c:\program\AVG\AVG8\avgwdsvc.exe [2008-06-27 231704]

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1980-01-01 28672]

R3 Msikbd2k;DellTouch;c:\windows\system32\DRIVERS\msikbd2k.sys [2001-10-31 6942]

R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [1980-01-01 142336]

R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [1980-01-01 524288]

S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2003-10-25 238218]

S3 bvrp_pci;bvrp_pci;c:\windows\system32\drivers\bvrp_pci.sys [2001-11-27 4272]

S3 VICHW00;VICHW00;\??\c:\windows\SYSTEM32\DRIVERS\VICHW00.SYS []

S3 WinLink;WinLink;\??\c:\windows\System32\DRIVERS\WinLink.SYS [2000-03-18 23728]

S3 vtdg46xx;vtdg46xx;\??\c:\program\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2001-11-27 19232]

S4 hpt3xx;hpt3xx;c:\windows\system32\DRIVERS\hpt3xx.sys [2001-08-18 38144]

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

2008-11-16 c:\windows\Tasks\Kontrollera uppdateringar för Windows Live Toolbar.job

- c:\program\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-11-17 c:\windows\Tasks\Symantec NetDetect.job

- c:\program\Symantec\LiveUpdate\NDETECT.EXE [2001-05-21 17:36]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Media Gateway - c:\program files\Media Gateway\MediaGateway.exe

HKLM-RunServices-Msrv32 - Msrv32.exe

HKLM-RunServices-scvhost.exe - scvhost.exe

HKLM-RunServices-File System Service - wmiprvsc.exe

MSConfigStartUp-DAEMON Tools-1033 - c:\program\D-Tools\daemon.exe

MSConfigStartUp-DownloadWare - c:\program\DownloadWare\dw.exe

MSConfigStartUp-DownloadWare Engine - c:\program\DownloadWare Engine\DWE.EXE

MSConfigStartUp-eZmmod - c:\program\ezula\mmod.exe

MSConfigStartUp-ICQ Lite - c:\program\ICQLite\ICQLite.exe

MSConfigStartUp-iTunesHelper - c:\program\iTunes\iTunesHelper.exe

MSConfigStartUp-Media Gateway - c:\program files\Media Gateway\MediaGateway.exe

MSConfigStartUp-New - c:\program\NEWDOT~1\NEWDOT~2.DLL

MSConfigStartUp-Nokia Tray Application - c:\program\Delade filer\Nokia\NCLTools\NclTray.exe

MSConfigStartUp-NvCplDaemon - c:\windows\system32\NvCpl.dll

MSConfigStartUp-PopUpKiller - c:\program\PopUp Killer\PopUpKiller.EXE

MSConfigStartUp-WinDriv32 - c:\windows\System32\WinDriv32.exe

MSConfigStartUp-File System Service - wmiprvsc.exe

MSConfigStartUp-Msrv32 - Msrv32.exe

MSConfigStartUp-windows - hkey.exe

.

------- Supplementary Scan -------

.

FireFox -: Profile - c:\documents and settings\Ägaren\Application Data\Mozilla\Firefox\Profiles\fax5yyti.defaultFF -: plugin - c:\program\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll

FF -: plugin - c:\program\Java\j2re1.4.2\bin\NPJava11.dll

FF -: plugin - c:\program\Java\j2re1.4.2\bin\NPJava12.dll

FF -: plugin - c:\program\Java\j2re1.4.2\bin\NPJava13.dll

FF -: plugin - c:\program\Java\j2re1.4.2\bin\NPJava14.dll

FF -: plugin - c:\program\Java\j2re1.4.2\bin\NPJava32.dll

FF -: plugin - c:\program\Java\j2re1.4.2\bin\NPJPI142.dll

FF -: plugin - c:\program\Java\j2re1.4.2\bin\NPOJI610.dll

FF -: plugin - c:\program\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-17 15:20:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-11-17 15:23:10

ComboFix-quarantined-files.txt 2008-11-17 14:23:04

Pre-Run: 44 168 439 808 byte ledigt

Post-Run: 44,735,174,656 byte ledigt

214 --- E O F --- 2008-11-16 22:31:13

[/log]

17 november, 2008

Scanna och skicka en ny Hijack log

17 november, 2008

[log] Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:48:12, on 2008-11-17

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Nhksrv.exe

C:\Program\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\id2scaps.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\AVG\AVG8\avgrsx.exe

C:\Program\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program\AVG\AVG8\avgui.exe

C:\Program\Mozilla Firefox\firefox.exe