
Been HIJACKED


Santana


Hi everyone!!!

The computer has become incredibly slow + changed its start page all of a sudden

Then Norman AV detected a trojan named W32/Dloader.CN and puts it in quarantine

but it keeps coming back all the time

it is located in C dokume temp

I'm sending along the HJT log

Please, can someone help me

Best regards

Santana

Logfile of HijackThis v1.99.1

Scan saved at 23:52:20, on 2005-04-15

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Norman\Nvc\BIN\NPFSVICE.EXE

C:\Norman\Bin\Zanda.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Norman\bin\NJEEVES.EXE

C:\NORMAN\Nvc\BIN\nipsvc.exe

C:\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Norman\Nvc\bin\nvcoas.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\init32m.exe

C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

C:\ATI-CPanel\atiptaxx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE

C:\Program\Messenger Plus! 3\MsgPlus.exe

C:\Norman\bin\ZLH.EXE

C:\WINDOWS\System32\kernels32.exe

C:\WINDOWS\Mbr.exe

C:\WINDOWS\System32\atipatxx.exe

C:\Norman\Nvc\BIN\NIP.EXE

C:\Norman\Nvc\bin\cclaw.exe

C:\Norman\Nvc\BIN\npfmsg2.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\System32\vxh8jkdq7.exe

C:\WINDOWS\System32\Services\{67E04BF7-D7B9-4204-8275-A24B2124F2BB}\SVCHOST.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\Program\Microsoft Office\Office10\WINWORD.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=30936

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe"

O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe

O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [system] C:\WINDOWS\System32\kernels32.exe

O4 - HKLM\..\Run: [Cob] C:\WINDOWS\Mbr.exe

O4 - HKLM\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe

O4 - HKLM\..\Run: [Qnf] C:\WINDOWS\System32\Mfg.exe

O4 - HKLM\..\Run: [bdn] C:\WINDOWS\System32\Alp.exe

O4 - HKLM\..\Run: [Rng] C:\WINDOWS\System32\Hfg.exe

O4 - HKLM\..\Run: [Hum] C:\WINDOWS\System32\Lnb.exe

O4 - HKLM\..\Run: [ioc] C:\WINDOWS\Can.exe

O4 - HKLM\..\Run: [Ghi] C:\WINDOWS\Oiv.exe

O4 - HKLM\..\Run: [Ddf] C:\WINDOWS\Gjq.exe

O4 - HKLM\..\Run: [Gff] C:\WINDOWS\System32\Tuo.exe

O4 - HKLM\..\Run: [Qlj] C:\WINDOWS\System32\Mcf.exe

O4 - HKLM\..\Run: [Neq] C:\WINDOWS\Ifc.exe

O4 - HKLM\..\Run: [Ogh] C:\WINDOWS\Cvk.exe

O4 - HKLM\..\Run: [Cno] C:\WINDOWS\Sfp.exe

O4 - HKLM\..\Run: [Gfc] C:\WINDOWS\Oul.exe

O4 - HKLM\..\Run: [sgo] C:\WINDOWS\Eub.exe

O4 - HKLM\..\Run: [Ajo] C:\WINDOWS\Trh.exe

O4 - HKLM\..\Run: [bps] C:\WINDOWS\Lop.exe

O4 - HKLM\..\Run: [Lnr] C:\WINDOWS\System32\Cmc.exe

O4 - HKLM\..\Run: [Hsv] C:\WINDOWS\System32\Cbr.exe

O4 - HKLM\..\Run: [Tap] C:\WINDOWS\System32\Nbr.exe

O4 - HKLM\..\Run: [Vsq] C:\WINDOWS\System32\Guc.exe

O4 - HKLM\..\Run: [Otk] C:\WINDOWS\Irr.exe

O4 - HKLM\..\Run: [Tql] C:\WINDOWS\System32\Trg.exe

O4 - HKLM\..\Run: [Aep] C:\WINDOWS\System32\Fee.exe

O4 - HKLM\..\Run: [Jog] C:\WINDOWS\Enf.exe

O4 - HKLM\..\Run: [ubc] C:\WINDOWS\Igu.exe

O4 - HKLM\..\Run: [Puf] C:\WINDOWS\System32\Jii.exe

O4 - HKLM\..\Run: [Oba] C:\WINDOWS\System32\Icd.exe

O4 - HKLM\..\Run: [Lqm] C:\WINDOWS\Dds.exe

O4 - HKLM\..\Run: [Thp] C:\WINDOWS\Jra.exe

O4 - HKLM\..\Run: [service Host] C:\WINDOWS\System32\Services\{67E04BF7-D7B9-4204-8275-A24B2124F2BB}\SVCHOST.EXE

O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe

O4 - HKLM\..\RunServices: [systemTools] C:\WINDOWS\System32\kernels32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Puf] C:\WINDOWS\System32\Jii.exe

O4 - HKCU\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe

O4 - HKCU\..\Run: [Lqm] C:\WINDOWS\Dds.exe

O4 - HKCU\..\Run: [Thp] C:\WINDOWS\Jra.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {83873F92-B99B-400A-9E36-52B5F4970FB7} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/sv/filesharingctrl.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab

O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE

O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Nvc\BIN\NPFSVICE.EXE

O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

 

 


Check/tick all

 

 

 

I'm not quite sure whether you should check these as well

O4 - HKLM\..\Run: [system] C:\WINDOWS\System32\kernels32.exe

and

O4 - HKLM\..\Run: [service Host] C:\WINDOWS\System32\Services\{67E04BF7-D7B9-4204-8275-A24B2124F2BB}\Svchost.exe

you'll have to let Zipp and the gang decide that, since I'm not very good at this.

 

But, check all O1 - Host and choose Fix

Then scan the computer with this scanner

http://www.spywareinfo.dk/download/mwav.exe

Double-click mwav.exe, then click Unzip, and it automatically creates a new folder C:\Kapersky

Then open the Kapersky folder and double-click kavupd.exe and look for updates.

When it is done, press any key and 2 new folders are automatically created on C:\

C:\Bases

C:\Downloads

Open the Downloads folder, select all the files and Cut

Click the Kapersky folder and paste, and answer yes to all.

Then open the Kapersky folder and double-click mwavscan.com

Check Drive and Scan All Files.

Then click Scan and let it finish scanning (can take up to 2 hours).

Copy what appears in the lower window.

First highlight it, then Ctrl+C (copy)

Then Ctrl+V (paste)

[post edited 2005-04-16 01:05:04 by diGitahL]
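
An added example, not part of the thread: a small Python triage of HijackThis lines like the ones discussed in the post above. It flags four patterns visible in this log (an extra program on the Shell= line, hosts entries pointing at loopback, SVCHOST.EXE outside System32, one binary registered under several autostart keys). The sample lines are constructed from the log above with a placeholder host name; the rule names and the default C:\WINDOWS\System32 path are assumptions.

```python
import ipaddress
import ntpath
import re
from collections import defaultdict

# Constructed sample: lines taken from the HijackThis log in this thread,
# except the O1 host name, which is a placeholder.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O1 - Hosts: 127.0.0.3 blocked.example
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [system] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKLM\..\Run: [service Host] C:\WINDOWS\System32\Services\{67E04BF7-D7B9-4204-8275-A24B2124F2BB}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKLM\..\RunServices: [systemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
"""

# Assumption: default Windows XP system directory, as seen in the log.
SYSTEM32 = r"c:\windows\system32"

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.I)
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# Either a quoted path, or an unquoted path up to the first executable suffix.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|bat))(?=\s|$)', re.I)


def image_path(command):
    """Return the lower-cased executable path of an autostart command line."""
    command = command.strip()
    m = EXE_RE.match(command)
    if not m:
        return command.lower()
    return (m.group(1) or m.group(2)).lower()


def triage(log_text):
    """Return (rule, item, note) tuples for entries that deserve a closer look."""
    findings = []
    autostart_keys = defaultdict(set)  # executable path -> autostart locations

    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            # The shell value is normally just Explorer.exe; anything after
            # it is started at every logon.
            parts = m.group(1).split(None, 1)
            if len(parts) > 1:
                findings.append(("shell-extra", parts[1].lower(), ""))
        elif m := O1_RE.match(line):
            ip, host = m.groups()
            try:
                loopback = ipaddress.ip_address(ip).is_loopback
            except ValueError:
                continue
            if loopback and host.lower() != "localhost":
                findings.append(("hosts-loopback-override", host.lower(), ip))
        elif m := O4_RE.match(line):
            hive, key, _name, command = m.groups()
            exe = image_path(command)
            autostart_keys[exe].add(f"{hive}\\{key}")
            # The real svchost.exe lives directly in System32.
            if ntpath.basename(exe) == "svchost.exe" and ntpath.dirname(exe) != SYSTEM32:
                findings.append(("svchost-outside-system32", exe, ""))

    for exe, keys in autostart_keys.items():
        if len(keys) > 1:
            findings.append(("multi-key-autostart", exe, sorted(keys)))
    return findings


if __name__ == "__main__":
    for rule, item, note in triage(SAMPLE_LOG):
        print(f"{rule:26} {item} {note}")
```

A hit is a reason to look closer, not a verdict: security tools also write loopback hosts entries as a block list, for example.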


 

One trojan... hehe, you can see "a few" more than that. You'll get a fairly long log of everything the Kaspersky scanner found, post it when you've scanned

 

> But as I said, I'm learning <

If you're more interested, there are English forums where they have a "school" where you learn to interpret Hijack logs with the help of experts.

But of course you can learn on your own too.

 

 


Hi everyone

THANK YOU for being here !!!!!!!!!!!!!!

Here come the Kaspersky log + the HJT log

Best regards

Santana

 

File C:\WINDOWS\System32\kernels32.exe infected by "Trojan-Downloader.Win32.Agent.km" Virus. Action Taken: File Deleted.

File C:\WINDOWS\System32\atipatxx.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\System32\vxh8jkdq7.exe infected by "Trojan-Downloader.Win32.Small.aqu" Virus. Action Taken: File Deleted.

File C:\WINDOWS\System32\Services\{D6F45B83-31E6-4090-92EF-EBCD5C5624A7}\SVCHOST.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\Blc.html infected by "Trojan-Clicker.Win32.Spywad.b" Virus. Action Taken: File Deleted.

File C:\WINDOWS\desktop.html infected by "Trojan-Clicker.Win32.Spywad.b" Virus. Action Taken: File Deleted.

File C:\WINDOWS\Evg.html infected by "Trojan-Clicker.Win32.Spywad.b" Virus. Action Taken: File Deleted.

File C:\WINDOWS\NDNuninstall5_64.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.

File C:\WINDOWS\NDNuninstall6_38.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.

File C:\WINDOWS\pludll.exe tagged as not-a-virus:AdWare.Webdir.a. No Action Taken.

File C:\WINDOWS\popup.html infected by "Trojan-Clicker.Win32.Spywad.b" Virus. Action Taken: File Deleted.

File C:\WINDOWS\Sek.html infected by "Trojan-Clicker.Win32.Spywad.b" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys1627.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys1628.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys1629.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys1630.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys1631.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys1633.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys1634.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys1635.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys1636.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys1637.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys2034.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys2036.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys2037.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys2038.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys2039.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys3355.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys3356.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys3357.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys3358.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys3359.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys340.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\sys341.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\WINDOWS\System32\init32m.exe infected by "Trojan-Downloader.Win32.Agent.ho" Virus. Action Taken: File Deleted.

File C:\WINDOWS\System32\svchost.dll infected by "Backdoor.Win32.Agent.iw" Virus. Action Taken: File Renamed.

File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: File to be deleted on reboot.

File C:\WINDOWS\System32\vxgame1.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: File Deleted.

File C:\WINDOWS\System32\vxgame3.exe infected by "Trojan-Downloader.Win32.Agent.ho" Virus. Action Taken: File Deleted.

File C:\WINDOWS\System32\vxh8jkdq1.exe infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: File Deleted.

File C:\WINDOWS\System32\vxh8jkdq6.exe infected by "Trojan-Downloader.Win32.Small.aqt" Virus. Action Taken: File Deleted.

File C:\WINDOWS\System32\vxh8jkdq8.exe infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: File Deleted.

File C:\WINDOWS\System32\web.exe infected by "Trojan-Downloader.Win32.Agent.km" Virus. Action Taken: File Deleted.

File C:\Documents and Settings\Ewa\Lokala inställningar\Temporary Internet Files\Content.IE5\MTF8DORY\bundlelite[1].exe tagged as not-a-virus:AdWare.Sahat.m. No Action Taken.

File C:\Documents and Settings\Pappa\Lokala inställningar\Temp\II15B.tmp tagged as not-a-virus:AdWare.ToolBar.HotSearchBar.d. No Action Taken.

File C:\Documents and Settings\Pappa\Lokala inställningar\Temp\II22.exe tagged as not-a-virus:AdWare.ToolBar.HotSearchBar.d. No Action Taken.

File C:\HJT\backups\backup-20050104-174719-598.dll tagged as not-a-virus:AdWare.Webdir.a. No Action Taken.

File C:\Program\MSS\own.exe infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: File Renamed.

File C:\Program Files\mIRC\backup\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.

File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP47\A0011147.dll infected by "Backdoor.Win32.Agent.iw" Virus. Action Taken: File Renamed.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP47\A0012146.dll infected by "Backdoor.Win32.Agent.iw" Virus. Action Taken: File Renamed.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP47\A0013146.dll infected by "Backdoor.Win32.Agent.iw" Virus. Action Taken: File Renamed.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP47\A0013152.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP47\A0013153.exe infected by "Trojan-Downloader.Win32.Agent.ho" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP47\A0013154.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP47\A0013156.exe infected by "Backdoor.Win32.Agent.iw" Virus. Action Taken: File Renamed.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP47\A0013157.exe infected by "Trojan-Downloader.Win32.Agent.ho" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013163.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013164.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013165.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013166.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013167.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013168.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013169.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013170.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013171.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013172.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013173.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013174.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013175.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013176.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013177.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013178.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013179.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013180.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013181.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013182.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP48\A0013183.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013299.exe infected by "Trojan-Downloader.Win32.Agent.km" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013300.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013301.exe infected by "Trojan-Downloader.Win32.Small.aqu" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013302.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013303.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013304.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013305.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013306.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013307.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013308.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013309.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013310.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013311.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013312.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013313.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013314.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013315.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013316.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013317.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013318.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013319.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013320.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013321.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013322.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013323.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013324.exe infected by "Trojan-Downloader.Win32.Agent.ho" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013325.dll infected by "Backdoor.Win32.Agent.iw" Virus. Action Taken: File Renamed.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013326.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013327.exe infected by "Trojan-Downloader.Win32.Agent.ho" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013328.exe infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013329.exe infected by "Trojan-Downloader.Win32.Small.aqt" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013330.exe infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013331.exe infected by "Trojan-Downloader.Win32.Agent.km" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{6172E2BD-9081-4AAB-A8A4-C35A6FAA1992}\RP49\A0013332.exe infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: File Renamed.

File C:\WINDOWS\Downloaded Program Files\popcaploader.dll tagged as not-a-virus:Porn-Downloader.Win32.PopCap.b. No Action Taken.

File C:\WINDOWS\NDNuninstall5_64.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.

File C:\WINDOWS\NDNuninstall6_38.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.

File C:\WINDOWS\pludll.exe tagged as not-a-virus:AdWare.Webdir.a. No Action Taken.

File C:\WINDOWS\system\svchost.exe infected by "Backdoor.Win32.Agent.iw" Virus. Action Taken: File Renamed.

File C:\WINDOWS\system32\drivers\etc\hosts infected by "Trojan.Win32.Qhost.av" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{00A001A8-7E1D-4046-8178-942C7039558A}\SVCHOST.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{00A001A8-7E1D-4046-8178-942C7039558A}\SVCHOST.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{00A001A8-7E1D-4046-8178-942C7039558A}\SVCHOST32.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{47661C1C-024F-4F9D-9469-44A73E4FA316}\SVCHOST.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{47661C1C-024F-4F9D-9469-44A73E4FA316}\SVCHOST.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{47661C1C-024F-4F9D-9469-44A73E4FA316}\SVCHOST32.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{67E04BF7-D7B9-4204-8275-A24B2124F2BB}\SVCHOST.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{67E04BF7-D7B9-4204-8275-A24B2124F2BB}\SVCHOST.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{67E04BF7-D7B9-4204-8275-A24B2124F2BB}\SVCHOST32.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{84581CC0-8260-4DF1-84D2-CA4102E03C93}\SVCHOST.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{84581CC0-8260-4DF1-84D2-CA4102E03C93}\SVCHOST.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{84581CC0-8260-4DF1-84D2-CA4102E03C93}\SVCHOST32.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{A7A5AE48-0B35-497E-A5A5-00B6F70D102A}\SVCHOST.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{A7A5AE48-0B35-497E-A5A5-00B6F70D102A}\SVCHOST.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{A7A5AE48-0B35-497E-A5A5-00B6F70D102A}\SVCHOST32.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{D6F45B83-31E6-4090-92EF-EBCD5C5624A7}\SVCHOST.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{D6F45B83-31E6-4090-92EF-EBCD5C5624A7}\SVCHOST32.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{DF4EF6F9-B786-4F8A-B069-407BC5A6041B}\SVCHOST.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{DF4EF6F9-B786-4F8A-B069-407BC5A6041B}\SVCHOST.EXE infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\Services\{DF4EF6F9-B786-4F8A-B069-407BC5A6041B}\SVCHOST32.DLL infected by "Trojan.Win32.WebSearch.i" Virus. Action Taken: File Deleted.

 

Logfile of HijackThis v1.99.1

Scan saved at 13:04:54, on 2005-04-16

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Norman\Nvc\BIN\NPFSVICE.EXE

C:\Norman\Bin\Zanda.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Norman\Nvc\bin\nvcoas.exe

C:\Norman\Nvc\BIN\NVCSCHED.EXE

C:\NORMAN\Nvc\BIN\nipsvc.exe

C:\Norman\bin\NJEEVES.EXE

C:\WINDOWS\Explorer.exe

C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

C:\ATI-CPanel\atiptaxx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE

C:\Program\Messenger Plus! 3\MsgPlus.exe

C:\Norman\bin\ZLH.EXE

C:\WINDOWS\Mbr.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\MSN Messenger\msnmsgr.exe

C:\Norman\Nvc\bin\cclaw.exe

C:\Norman\Nvc\BIN\NIP.EXE

C:\Norman\Nvc\BIN\npfmsg2.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Microsoft Office\Office10\WINWORD.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=30936

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe"

O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe

O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [Cob] C:\WINDOWS\Mbr.exe

O4 - HKLM\..\Run: [Qnf] C:\WINDOWS\System32\Mfg.exe

O4 - HKLM\..\Run: [bdn] C:\WINDOWS\System32\Alp.exe

O4 - HKLM\..\Run: [Rng] C:\WINDOWS\System32\Hfg.exe

O4 - HKLM\..\Run: [Hum] C:\WINDOWS\System32\Lnb.exe

O4 - HKLM\..\Run: [ioc] C:\WINDOWS\Can.exe

O4 - HKLM\..\Run: [Ghi] C:\WINDOWS\Oiv.exe

O4 - HKLM\..\Run: [Ddf] C:\WINDOWS\Gjq.exe

O4 - HKLM\..\Run: [Gff] C:\WINDOWS\System32\Tuo.exe

O4 - HKLM\..\Run: [Qlj] C:\WINDOWS\System32\Mcf.exe

O4 - HKLM\..\Run: [Neq] C:\WINDOWS\Ifc.exe

O4 - HKLM\..\Run: [Ogh] C:\WINDOWS\Cvk.exe

O4 - HKLM\..\Run: [Cno] C:\WINDOWS\Sfp.exe

O4 - HKLM\..\Run: [Gfc] C:\WINDOWS\Oul.exe

O4 - HKLM\..\Run: [sgo] C:\WINDOWS\Eub.exe

O4 - HKLM\..\Run: [Ajo] C:\WINDOWS\Trh.exe

O4 - HKLM\..\Run: [bps] C:\WINDOWS\Lop.exe

O4 - HKLM\..\Run: [Lnr] C:\WINDOWS\System32\Cmc.exe

O4 - HKLM\..\Run: [Hsv] C:\WINDOWS\System32\Cbr.exe

O4 - HKLM\..\Run: [Tap] C:\WINDOWS\System32\Nbr.exe

O4 - HKLM\..\Run: [Vsq] C:\WINDOWS\System32\Guc.exe

O4 - HKLM\..\Run: [Otk] C:\WINDOWS\Irr.exe

O4 - HKLM\..\Run: [Tql] C:\WINDOWS\System32\Trg.exe

O4 - HKLM\..\Run: [Aep] C:\WINDOWS\System32\Fee.exe

O4 - HKLM\..\Run: [Jog] C:\WINDOWS\Enf.exe

O4 - HKLM\..\Run: [ubc] C:\WINDOWS\Igu.exe

O4 - HKLM\..\Run: [Puf] C:\WINDOWS\System32\Jii.exe

O4 - HKLM\..\Run: [Oba] C:\WINDOWS\System32\Icd.exe

O4 - HKLM\..\Run: [Lqm] C:\WINDOWS\Dds.exe

O4 - HKLM\..\Run: [Thp] C:\WINDOWS\Jra.exe

O4 - HKLM\..\Run: [sqg] C:\WINDOWS\Gcm.exe

O4 - HKLM\..\Run: [Nao] C:\WINDOWS\Npi.exe

O4 - HKLM\..\Run: [Gmj] C:\WINDOWS\Iic.exe

O4 - HKLM\..\Run: [Hqp] C:\WINDOWS\System32\Hgs.exe

O4 - HKLM\..\Run: [Gck] C:\WINDOWS\Mkn.exe

O4 - HKLM\..\Run: [bth] C:\WINDOWS\Smi.exe

O4 - HKLM\..\Run: [iob] C:\WINDOWS\Lrt.exe

O4 - HKLM\..\Run: [Krm] C:\WINDOWS\Dig.exe

O4 - HKLM\..\Run: [bhr] C:\WINDOWS\System32\Rkn.exe

O4 - HKLM\..\Run: [Dtu] C:\WINDOWS\System32\Flj.exe

O4 - HKLM\..\Run: [Atb] C:\WINDOWS\System32\Jin.exe

O4 - HKLM\..\Run: [Riu] C:\WINDOWS\System32\Inm.exe

O4 - HKLM\..\Run: [blo] C:\WINDOWS\Tov.exe

O4 - HKLM\..\Run: [Pfq] C:\WINDOWS\Our.exe

O4 - HKLM\..\Run: [sus] C:\WINDOWS\Idj.exe

O4 - HKLM\..\Run: [sbu] C:\WINDOWS\System32\Cfi.exe

O4 - HKLM\..\Run: [Kku] C:\WINDOWS\Bpa.exe

O4 - HKLM\..\Run: [Ngc] C:\WINDOWS\System32\Ebl.exe

O4 - HKLM\..\RunServices: [systemTools] C:\WINDOWS\System32\kernels32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Puf] C:\WINDOWS\System32\Jii.exe

O4 - HKCU\..\Run: [Lqm] C:\WINDOWS\Dds.exe

O4 - HKCU\..\Run: [Thp] C:\WINDOWS\Jra.exe

O4 - HKCU\..\Run: [sqg] C:\WINDOWS\Gcm.exe

O4 - HKCU\..\Run: [Nao] C:\WINDOWS\Npi.exe

O4 - HKCU\..\Run: [Gmj] C:\WINDOWS\Iic.exe

O4 - HKCU\..\Run: [Hqp] C:\WINDOWS\System32\Hgs.exe

O4 - HKCU\..\Run: [Krm] C:\WINDOWS\Dig.exe

O4 - HKCU\..\Run: [bhr] C:\WINDOWS\System32\Rkn.exe

O4 - HKCU\..\Run: [Dtu] C:\WINDOWS\System32\Flj.exe

O4 - HKCU\..\Run: [Atb] C:\WINDOWS\System32\Jin.exe

O4 - HKCU\..\Run: [Riu] C:\WINDOWS\System32\Inm.exe

O4 - HKCU\..\Run: [blo] C:\WINDOWS\Tov.exe

O4 - HKCU\..\Run: [Pfq] C:\WINDOWS\Our.exe

O4 - HKCU\..\Run: [sus] C:\WINDOWS\Idj.exe

O4 - HKCU\..\Run: [sbu] C:\WINDOWS\System32\Cfi.exe

O4 - HKCU\..\Run: [Kku] C:\WINDOWS\Bpa.exe

O4 - HKCU\..\Run: [Ngc] C:\WINDOWS\System32\Ebl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {83873F92-B99B-400A-9E36-52B5F4970FB7} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/sv/filesharingctrl.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab

O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE

O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Nvc\BIN\NPFSVICE.EXE

O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

 

 

 

 


Let's see if the fix works

Download spywadfix.exe to the desktop

http://www.thespykiller.co.uk/files/spywadfix.exe

Then double-click it and answer yes.

If you get a warning from Norman, allow the script to run.

It automatically creates a new folder here = C:\spywad

and opens a small window.

Then copy and paste this line into the window

C:\WINDOWS\Mbr.exe

and click OK

Let it finish working, then post a new Hijack log and the spywadfix.exe log.

C:\spywad > Spywad.txt

 

 


Hi Zipp, and thanks for helping me

I got an error message when I downloaded the fix: ActiveX-komponenten kan inte skapa objekt i `Scripting FilesystemObject´

And what does the small window look like?

THANKS once again for helping me. You are The Greatest

Best regards

Santana

 

 

 


Download Microsoft's AntiSpyware beta from here:

http://www.microsoft.com/athome/security/spyware/software/default.mspx

Update the spyware database by clicking "Spyware Definitions".

Download the update and restart the program, let it scan, and remove all the crap it finds.

Then close all IE windows and tick:

 

O4 - HKLM\..\Run: [Cob] C:\WINDOWS\Mbr.exe

O4 - HKLM\..\Run: [Qnf] C:\WINDOWS\System32\Mfg.exe

O4 - HKLM\..\Run: [bdn] C:\WINDOWS\System32\Alp.exe

O4 - HKLM\..\Run: [Rng] C:\WINDOWS\System32\Hfg.exe

O4 - HKLM\..\Run: [Hum] C:\WINDOWS\System32\Lnb.exe

O4 - HKLM\..\Run: [ioc] C:\WINDOWS\Can.exe

O4 - HKLM\..\Run: [Ghi] C:\WINDOWS\Oiv.exe

O4 - HKLM\..\Run: [Ddf] C:\WINDOWS\Gjq.exe

O4 - HKLM\..\Run: [Gff] C:\WINDOWS\System32\Tuo.exe

O4 - HKLM\..\Run: [Qlj] C:\WINDOWS\System32\Mcf.exe

O4 - HKLM\..\Run: [Neq] C:\WINDOWS\Ifc.exe

O4 - HKLM\..\Run: [Ogh] C:\WINDOWS\Cvk.exe

O4 - HKLM\..\Run: [Cno] C:\WINDOWS\Sfp.exe

O4 - HKLM\..\Run: [Gfc] C:\WINDOWS\Oul.exe

O4 - HKLM\..\Run: [sgo] C:\WINDOWS\Eub.exe

O4 - HKLM\..\Run: [Ajo] C:\WINDOWS\Trh.exe

O4 - HKLM\..\Run: [bps] C:\WINDOWS\Lop.exe

O4 - HKLM\..\Run: [Lnr] C:\WINDOWS\System32\Cmc.exe

O4 - HKLM\..\Run: [Hsv] C:\WINDOWS\System32\Cbr.exe

O4 - HKLM\..\Run: [Tap] C:\WINDOWS\System32\Nbr.exe

O4 - HKLM\..\Run: [Vsq] C:\WINDOWS\System32\Guc.exe

O4 - HKLM\..\Run: [Otk] C:\WINDOWS\Irr.exe

O4 - HKLM\..\Run: [Tql] C:\WINDOWS\System32\Trg.exe

O4 - HKLM\..\Run: [Aep] C:\WINDOWS\System32\Fee.exe

O4 - HKLM\..\Run: [Jog] C:\WINDOWS\Enf.exe

O4 - HKLM\..\Run: [ubc] C:\WINDOWS\Igu.exe

O4 - HKLM\..\Run: [Puf] C:\WINDOWS\System32\Jii.exe

O4 - HKLM\..\Run: [Oba] C:\WINDOWS\System32\Icd.exe

O4 - HKLM\..\Run: [Lqm] C:\WINDOWS\Dds.exe

O4 - HKLM\..\Run: [Thp] C:\WINDOWS\Jra.exe

O4 - HKLM\..\Run: [sqg] C:\WINDOWS\Gcm.exe

O4 - HKLM\..\Run: [Nao] C:\WINDOWS\Npi.exe

O4 - HKLM\..\Run: [Gmj] C:\WINDOWS\Iic.exe

O4 - HKLM\..\Run: [Hqp] C:\WINDOWS\System32\Hgs.exe

O4 - HKLM\..\Run: [Gck] C:\WINDOWS\Mkn.exe

O4 - HKLM\..\Run: [bth] C:\WINDOWS\Smi.exe

O4 - HKLM\..\Run: [iob] C:\WINDOWS\Lrt.exe

O4 - HKLM\..\Run: [Krm] C:\WINDOWS\Dig.exe

O4 - HKLM\..\Run: [bhr] C:\WINDOWS\System32\Rkn.exe

O4 - HKLM\..\Run: [Dtu] C:\WINDOWS\System32\Flj.exe

O4 - HKLM\..\Run: [Atb] C:\WINDOWS\System32\Jin.exe

O4 - HKLM\..\Run: [Riu] C:\WINDOWS\System32\Inm.exe

O4 - HKLM\..\Run: [blo] C:\WINDOWS\Tov.exe

O4 - HKLM\..\Run: [Pfq] C:\WINDOWS\Our.exe

O4 - HKLM\..\Run: [sus] C:\WINDOWS\Idj.exe

O4 - HKLM\..\Run: [sbu] C:\WINDOWS\System32\Cfi.exe

O4 - HKLM\..\Run: [Kku] C:\WINDOWS\Bpa.exe

O4 - HKLM\..\Run: [Ngc] C:\WINDOWS\System32\Ebl.exe

O4 - HKCU\..\Run: [Puf] C:\WINDOWS\System32\Jii.exe

O4 - HKCU\..\Run: [Lqm] C:\WINDOWS\Dds.exe

O4 - HKCU\..\Run: [Thp] C:\WINDOWS\Jra.exe

O4 - HKCU\..\Run: [sqg] C:\WINDOWS\Gcm.exe

O4 - HKCU\..\Run: [Nao] C:\WINDOWS\Npi.exe

O4 - HKCU\..\Run: [Gmj] C:\WINDOWS\Iic.exe

O4 - HKCU\..\Run: [Hqp] C:\WINDOWS\System32\Hgs.exe

O4 - HKCU\..\Run: [Krm] C:\WINDOWS\Dig.exe

O4 - HKCU\..\Run: [bhr] C:\WINDOWS\System32\Rkn.exe

O4 - HKCU\..\Run: [Dtu] C:\WINDOWS\System32\Flj.exe

O4 - HKCU\..\Run: [Atb] C:\WINDOWS\System32\Jin.exe

O4 - HKCU\..\Run: [Riu] C:\WINDOWS\System32\Inm.exe

O4 - HKCU\..\Run: [blo] C:\WINDOWS\Tov.exe

O4 - HKCU\..\Run: [Pfq] C:\WINDOWS\Our.exe

O4 - HKCU\..\Run: [sus] C:\WINDOWS\Idj.exe

O4 - HKCU\..\Run: [sbu] C:\WINDOWS\System32\Cfi.exe

O4 - HKCU\..\Run: [Kku] C:\WINDOWS\Bpa.exe

O4 - HKCU\..\Run: [Ngc] C:\WINDOWS\System32\Ebl.exe

 

 

And choose Fix, restart, and post a new HJT log

[post edited 2005-04-16 16:29:42 by diGitahL]


Hi there diGitahL!!

Here comes the new log

It seemed like MS AntiSpyware fixed all the O4 entries, so I didn't need to run Fix checked on them

Are you the new heir to our hero Zipp, I wonder

Best regards

Santana

 

Logfile of HijackThis v1.99.1

Scan saved at 16:58:36, on 2005-04-16

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Norman\Nvc\BIN\NPFSVICE.EXE

C:\Norman\Bin\Zanda.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\NORMAN\Nvc\BIN\nipsvc.exe

C:\Norman\bin\NJEEVES.EXE

C:\Norman\Nvc\bin\nvcoas.exe

C:\Norman\Nvc\BIN\NVCSCHED.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\Explorer.exe

C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

C:\ATI-CPanel\atiptaxx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE

C:\Program\Messenger Plus! 3\MsgPlus.exe

C:\Norman\bin\ZLH.EXE

C:\Norman\Nvc\BIN\NIP.EXE

C:\Norman\Nvc\bin\cclaw.exe

C:\Norman\Nvc\BIN\npfmsg2.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\MSN Messenger\msnmsgr.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program\Microsoft AntiSpyware\gcasServ.exe

C:\Program\Microsoft Office\Office10\WINWORD.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe"

O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe

O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [Euf] C:\WINDOWS\Tkv.exe

O4 - HKLM\..\RunServices: [systemTools] C:\WINDOWS\System32\kernels32.exe

O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program\Microsoft AntiSpyware\gcASCleaner.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Euf] C:\WINDOWS\Tkv.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {83873F92-B99B-400A-9E36-52B5F4970FB7} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/sv/filesharingctrl.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab

O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE

O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Nvc\BIN\NPFSVICE.EXE

O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

 

 

 


What happens if you double-click it?

Or can't you download it?

> And what does the small window look like? <

Open the C:\spywad folder and click on

Remove Spywad.vbs

and the window will open

 

 

 

 

 


Hi Zipp

I can't open anything in that folder

I get an error message when I try

on all 3 icons

Best regards

Santana

 

 


Thanks, thanks, doing my best :)

Heir, I don't know, but maybe partner? ;)

One O4 entry seemed to remain; check and fix this one

O4 - HKCU\..\Run: [Euf] C:\WINDOWS\Tkv.exe

Otherwise the log looks all right

Regards, Marco

[post edited 2005-04-16 17:26:53 by diGitahL]


THANKS diGitahL and ZIPP for all the help

I must also mention 927, whom I amused by writing that I only had one trojan; it was 139 of them, to be exact

but what wouldn't one do to amuse you, 927

Have a wonderful evening

Santana

 

 


 

Check and fix this line

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe

Then, in safe mode, delete

C:\WINDOWS\System32\kernels32.exe

 

 

 

 


 

You have some files named NDNuninstall... delete them, because they are spyware.

You also have some junk in the temp folder; empty it

Check these too, otherwise you may get an error message when the computer starts

 

O4 - HKLM\..\Run: [Euf] C:\WINDOWS\Tkv.exe

O4 - HKLM\..\RunServices: [systemTools] C:\WINDOWS\System32\kernels32.exe

 

 


 

Hi 927 and Zipp

I have checked and fixed everything but cannot find C:\WINDOWS\System32\kernels32.exe

in safe mode

and where is NDNuninstall located?

I have also emptied the temp folder

Sending along a new HJT log

Best regards

Santana

 

Logfile of HijackThis v1.99.1

Scan saved at 01:05:28, on 2005-04-17

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Norman\Nvc\BIN\NPFSVICE.EXE

C:\Norman\Bin\Zanda.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Norman\bin\NJEEVES.EXE

C:\NORMAN\Nvc\BIN\nipsvc.exe

C:\Norman\Nvc\bin\nvcoas.exe

C:\Norman\Nvc\BIN\NVCSCHED.EXE

C:\WINDOWS\Explorer.EXE

C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

C:\ATI-CPanel\atiptaxx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe

C:\Program\Messenger Plus! 3\MsgPlus.exe

C:\Norman\bin\ZLH.EXE

C:\Program\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\System32\Trh.exe

C:\Norman\Nvc\BIN\NIP.EXE

C:\Norman\Nvc\bin\cclaw.exe

C:\Norman\Nvc\BIN\npfmsg2.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program\Microsoft Office\Office10\WINWORD.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe"

O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe

O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ibt] C:\WINDOWS\System32\Trh.exe

O4 - HKCU\..\Run: [Mml] C:\WINDOWS\Lnv.exe

O4 - HKCU\..\Run: [Qrn] C:\WINDOWS\System32\Nqu.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {83873F92-B99B-400A-9E36-52B5F4970FB7} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/sv/filesharingctrl.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab

O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE

O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Nvc\BIN\NPFSVICE.EXE

O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

 

 

 


It's still there.

Make hidden files visible; look here for how to do it

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Scan with Hijack, check the following lines, close the web browser and all other open windows, and click Fix checked

 

O4 - HKCU\..\Run: [ibt] C:\WINDOWS\System32\Trh.exe

O4 - HKCU\..\Run: [Mml] C:\WINDOWS\Lnv.exe

O4 - HKCU\..\Run: [Qrn] C:\WINDOWS\System32\Nqu.exe

 

Then start in safe mode and delete

 

C:\WINDOWS\System32\Trh.exe

C:\WINDOWS\Lnv.exe

C:\WINDOWS\System32\Nqu.exe

C:\WINDOWS\NDNuninstall5_64.exe

C:\WINDOWS\NDNuninstall6_38.exe

C:\WINDOWS\pludll.exe

 

Then you must go through these folders

C:\WINDOWS\System32\ folder

C:\WINDOWS\ folder

Look for files like those above

Trh.exe

Lnv.exe

Nqu.exe

So the files can be called anything, but they all start with a capital letter, have three letters, and .exe

But you must look carefully before you delete files, because there may be files that are OK.

 

 


Thanks once again, Zipp, for helping me!!!!!!!!!!!!!

I have done everything you suggested

but I have found the following exe files

do I dare delete these?

C:\WINDOWS\System32\ folder = Ipq.exe, Ipr.exe, Naq.exe, Pma.exe, Sgv.exe

C:\WINDOWS\ folder = Tkv.exe, Ptb.exe, Upc.exe

Should I stay in safe mode when I delete these, with hidden files made visible?

Best regards

Santana

 

 

 


> Should I stay in safe mode when I delete these, with hidden files made visible? <

Yes

Delete these

Tkv.exe

Ipq.exe

Naq.exe

Before you delete the files above, look at how large they are and when they were created.

Then compare with the files below and delete those that are the same size.

 

Ipr.exe

Sgv.exe

Ptb.exe

Upc.exe

Pma.exe

 

 

 


 

 

Hi Zipp !!!

I have now deleted all these files + a few more that had the same structure; what they all had in common was that they were 950KB

Sending along a new HJT log

But they still seem to be there anyway. Shit

What to do ?????

Best regards

Santana

 

Logfile of HijackThis v1.99.1

Scan saved at 12:53:04, on 2005-04-17

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Norman\Nvc\BIN\NPFSVICE.EXE

C:\Norman\Bin\Zanda.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Norman\bin\NJEEVES.EXE

C:\NORMAN\Nvc\BIN\nipsvc.exe

C:\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Norman\Nvc\bin\nvcoas.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

C:\ATI-CPanel\atiptaxx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE

C:\Program\Messenger Plus! 3\MsgPlus.exe

C:\Norman\bin\ZLH.EXE

C:\Program\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Norman\Nvc\BIN\NIP.EXE

C:\Norman\Nvc\bin\cclaw.exe

C:\Norman\Nvc\BIN\npfmsg2.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program\Microsoft Office\Office10\WINWORD.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe"

O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe

O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Qro] C:\WINDOWS\System32\Naq.exe

O4 - HKCU\..\Run: [Mjo] C:\WINDOWS\System32\Pma.exe

O4 - HKCU\..\Run: [Vmf] C:\WINDOWS\System32\Sgv.exe

O4 - HKCU\..\Run: [Gtu] C:\WINDOWS\Upl.exe

O4 - HKCU\..\Run: [Vfs] C:\WINDOWS\Ptb.exe

O4 - HKCU\..\Run: [Ojs] C:\WINDOWS\Moo.exe

O4 - HKCU\..\Run: [Jba] C:\WINDOWS\System32\Dqd.exe

O4 - HKCU\..\Run: [srd] C:\WINDOWS\System32\Nvq.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {83873F92-B99B-400A-9E36-52B5F4970FB7} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/sv/filesharingctrl.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab

O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE

O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Nvc\BIN\NPFSVICE.EXE

O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

 

 

 

 


Hahaa... he sure is stubborn, isn't he.

Scan with Hijack, check the following lines, close the web browser and all other open windows, and click Fix checked

 

O4 - HKCU\..\Run: [Qro] C:\WINDOWS\System32\Naq.exe

O4 - HKCU\..\Run: [Mjo] C:\WINDOWS\System32\Pma.exe

O4 - HKCU\..\Run: [Vmf] C:\WINDOWS\System32\Sgv.exe

O4 - HKCU\..\Run: [Gtu] C:\WINDOWS\Upl.exe

O4 - HKCU\..\Run: [Vfs] C:\WINDOWS\Ptb.exe

O4 - HKCU\..\Run: [Ojs] C:\WINDOWS\Moo.exe

O4 - HKCU\..\Run: [Jba] C:\WINDOWS\System32\Dqd.exe

O4 - HKCU\..\Run: [srd] C:\WINDOWS\System32\Nvq.exe

 

Then start in safe mode and delete the files above if found.

Then type cleanmgr in the Run box and click OK

Check these and clean them out

Temporary Files

Temporary Internet Files

Recycle Bin

Then start normally, and if this doesn't work we'll have to come up with something else.

 

 

 


Hi Zipp

Nice that I can amuse you too

It sure was a stubborn rascal

Now everything has been done according to your very GOOD instructions

Log as usual

Where do these nasties come from?

I have 2 teenagers at home, so one doesn't always keep track of where they surf

Could it have something to do with DC++ or piratebay?

Best regards

Santana

Logfile of HijackThis v1.99.1

Scan saved at 15:33:59, on 2005-04-17

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Norman\Nvc\BIN\NPFSVICE.EXE

C:\Norman\Bin\Zanda.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Norman\Nvc\BIN\NVCSCHED.EXE

C:\NORMAN\Nvc\BIN\nipsvc.exe

C:\Norman\Nvc\bin\nvcoas.exe

C:\Norman\bin\NJEEVES.EXE

C:\WINDOWS\Explorer.EXE

C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

C:\ATI-CPanel\atiptaxx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE

C:\Program\Messenger Plus! 3\MsgPlus.exe

C:\Norman\bin\ZLH.EXE

C:\Program\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Norman\Nvc\BIN\NIP.EXE

C:\Norman\Nvc\bin\cclaw.exe

C:\Norman\Nvc\BIN\npfmsg2.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe"

O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe

O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {83873F92-B99B-400A-9E36-52B5F4970FB7} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/sv/filesharingctrl.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab

O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe

O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE

O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Nvc\BIN\NPFSVICE.EXE

O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

 

 


The log is OK now.

> Nice that I can amuse you too <

Yep.. sometimes all these lizards are fun.

> Could it have something to do with DC++ or piratebay? <

It's hard to say where it jumped in from.

[post edited 2005-04-17 16:15:53 by Zipp]


Archived

This topic is now archived and is closed to further replies.
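
The triage the helpers walk through in this thread (fix the O4 Run entries, look for three-letter .exe names directly in C:\WINDOWS and System32, then compare file sizes) can be run against the pasted logs. The Python below is an added example, not part of the original posts: the O4 lines are copied from the 01:05 and 12:53 logs above, while the byte sizes in LISTING and the file name Abc.exe are constructed.

```python
import ntpath
import re

# Registry autostart lines as HijackThis prints them, e.g.
#   O4 - HKCU\..\Run: [ibt] C:\WINDOWS\System32\Trh.exe
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# Executable part of the command: a quoted path, or everything up to ".exe".
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)(?=\s|$)', re.IGNORECASE)
# Naming pattern described in the thread: capital letter, two more letters, .exe
TRIPLET_RE = re.compile(r"^[A-Z][a-z]{2}\.exe$")
# The two folders the helper says to go through.
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32"}

# O4 lines copied from the 01:05 log in the thread.
LOG_0105 = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ibt] C:\WINDOWS\System32\Trh.exe
O4 - HKCU\..\Run: [Mml] C:\WINDOWS\Lnv.exe
O4 - HKCU\..\Run: [Qrn] C:\WINDOWS\System32\Nqu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
"""

# O4 lines copied from the 12:53 log, taken after the first round of fixes.
LOG_1253 = r"""
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Qro] C:\WINDOWS\System32\Naq.exe
O4 - HKCU\..\Run: [Mjo] C:\WINDOWS\System32\Pma.exe
O4 - HKCU\..\Run: [Vmf] C:\WINDOWS\System32\Sgv.exe
O4 - HKCU\..\Run: [Gtu] C:\WINDOWS\Upl.exe
O4 - HKCU\..\Run: [Vfs] C:\WINDOWS\Ptb.exe
O4 - HKCU\..\Run: [Ojs] C:\WINDOWS\Moo.exe
O4 - HKCU\..\Run: [Jba] C:\WINDOWS\System32\Dqd.exe
O4 - HKCU\..\Run: [srd] C:\WINDOWS\System32\Nvq.exe
"""

# Constructed directory listing (name -> size in bytes) for the size comparison.
KNOWN_BAD = {"Tkv.exe", "Ipq.exe", "Naq.exe"}
LISTING = {"Tkv.exe": 972800, "Ipq.exe": 972800, "Naq.exe": 972800,
           "Ipr.exe": 972800, "Sgv.exe": 972800, "Abc.exe": 20480}


def parse_o4(log_text):
    """Return (hive, key, value_name, exe_path) for every O4 registry line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # blank lines, other sections, "Global Startup" shortcuts
        hive, key, name, command = m.groups()
        exe = EXE_RE.match(command)
        path = (exe.group(1) or exe.group(2)) if exe else command
        entries.append((hive, key, name, path))
    return entries


def is_candidate(path):
    """True when the file sits directly in a watched folder and fits the name pattern."""
    folder, filename = ntpath.split(path)
    return (ntpath.normcase(folder) in WATCHED_DIRS
            and TRIPLET_RE.match(filename) is not None)


def candidates(log_text):
    """O4 entries worth a manual look; a match is not proof of infection."""
    return [e for e in parse_o4(log_text) if is_candidate(e[3])]


def respawned(before_log, after_log):
    """Candidate entries in the later log whose path was not in the earlier one."""
    old = {ntpath.normcase(e[3]) for e in candidates(before_log)}
    return [e for e in candidates(after_log) if ntpath.normcase(e[3]) not in old]


def same_size(known_bad, listing):
    """Names in the listing whose size equals that of any known-bad file."""
    bad_sizes = {listing[n] for n in known_bad if n in listing}
    return sorted(n for n, size in listing.items()
                  if size in bad_sizes and n not in known_bad)


if __name__ == "__main__":
    for hive, key, name, path in respawned(LOG_0105, LOG_1253):
        print(f"new since last log: {hive}\\{key} [{name}] -> {path}")
    print("same size as known-bad:", same_size(KNOWN_BAD, LISTING))
```

A match is only a candidate: as the helper notes, legitimate files can fit the pattern, so size and creation date still have to be checked before anything is deleted.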


