
gzmrotate.dll


Börje Nordberg

Since it is probably part of a spyware program, it's good that it is gone.

But there may be more left on the computer.

Let's see whether HijackThis shows anything, to start with:

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Install, run, scan and save the log (nothing else).

Paste the log into your reply here.

 

Börje Nordberg

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:02:10, on 2007-11-10

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\Program\Windows Defender\MSASCui.exe

C:\Program\Unlocker\UnlockerAssistant.exe

C:\Program\SPAMfighter\SFAgent.exe

C:\Program\PowerISO\PWRISOVM.EXE

C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program\Skype\Phone\Skype.exe

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program\Grisoft\AVGFRE~1\avgemc.exe

C:\Program\Windows Live\Messenger\MsnMsgr.Exe

C:\Program\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program\Vista Start Menu\VistaStartMenu.exe

C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe

C:\Program\Nero\Nero8\Nero BackItUp\NBService.exe

C:\Program\LaCie\Backup Software\LaCieBackup.exe

C:\Program\Yod'm 3D\Yodm3D.exe

C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\Program\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Windows Live\Messenger\usnsvc.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/webhp?sourceid=navclient&hl=sv&ie=UTF-8

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Sök i NE - {ACECC8E8-45A5-41ec-A82A-B3363103E293} - C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll

O3 - Toolbar: Adssite Toolbar - {41C29B07-6F91-4966-91BE-2E2841643C83} - C:\Program\Adssite Advanced Toolbar\toolbar.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Windows Defender] 'C:\Program\Windows Defender\MSASCui.exe' -hide

O4 - HKLM\..\Run: [unlockerAssistant] 'C:\Program\Unlocker\UnlockerAssistant.exe'

O4 - HKLM\..\Run: [sPAMfighter Agent] 'C:\Program\SPAMfighter\SFAgent.exe' update delay 60

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [sSBkgdUpdate] 'C:\Program\Delade filer\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe' -Embedding -boot

O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe 'C:\WINDOWS\system32\gzmrotate.dll' DllVerify

O4 - HKLM\..\Run: [Adobe Photo Downloader] 'C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe'

O4 - HKLM\..\Run: [iSUSPM Startup] c:\program\DELADE~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [skype] 'C:\Program\Skype\Phone\Skype.exe' /nosplash /minimized

O4 - HKCU\..\Run: [MsnMsgr] 'C:\Program\Windows Live\Messenger\MsnMsgr.Exe' /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [RoboForm] 'C:\Program\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe'

O4 - HKCU\..\Run: [VistaStartMenu] 'C:\Program\Vista Start Menu\VistaStartMenu.exe'

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [LaCie Backup] C:\Program\LaCie\Backup Software\\LaCieBackup.exe /background

O4 - HKCU\..\Run: [Yodm3D] C:\Program\Yod'm 3D\Yodm3D.exe

O4 - HKCU\..\Run: [RocketDock] 'C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe'

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-861567501-796845957-682003330-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-861567501-796845957-682003330-1005\..\Run: [MSMSGS] 'C:\Program\Messenger\msmsgs.exe' /background (User '?')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe

O4 - Startup: Spray.lnk = ?

O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Anpassa meny - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Fyll i formulär - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program\Advanced JPEG Compressor\ajcieex.htm

O8 - Extra context menu item: RF verktygsfält - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Spara formulär - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O8 - Extra context menu item: Sök i NE - res://C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll/NeSearch.html

O8 - Extra context menu item: Översätt i NE - res://C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll/NeTranslate.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Fyll i formulär - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fyll i formulär - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Spara - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Spara formulär - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RF verktygsfält - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O15 - Trusted Zone: *.musicmatch.com

O15 - Trusted Zone: *.musicmatch.com (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184087375250

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab

O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.ne.se/sokverktyg/installation/setup.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{EE5CE44B-F0FE-4E4D-9B13-35C18D221696}: NameServer = 195.58.103.130 213.150.135.210

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\MICROS~4\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe

O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

 

--

End of file - 12720 bytes

 

 

 

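An added example, not part of the thread and not HijackThis code: a small Python triage script that applies, mechanically, the checks a removal helper applies by eye when reading a HijackThis 2.x log. The sample lines are copied from the log above (trimmed to ten; the full log is about 300 lines). The toolbar allowlist, the severity labels and the rule set are assumptions for illustration, not a maintained signature list. On the sample it reports the `[hid_start]` Run entry, because it uses rundll32 to load a DLL from system32 at logon (the gzmrotate.dll this thread is about, with its `DllVerify` export), the Adssite toolbar, the `Spray.lnk` startup shortcut whose target HijackThis could not resolve, the O16 ActiveX entry that fetches a raw setup.exe rather than a .cab, and the O17 resolvers so they can be compared with the ISP's.

```python
"""Triage a HijackThis 2.x log for the entries a removal helper reads first.

Heuristic rules (this is not a malware database):
  O4  Run entries that use rundll32 to load a DLL at logon: report path and export.
  O4  Startup shortcuts whose target HijackThis could not resolve ("?").
  O3  Toolbars whose CLSID is not in a small allowlist.
  O16 ActiveX downloads (DPF) that fetch a raw .exe instead of a .cab.
  O17 NameServer values, listed so they can be compared with the ISP's resolvers.
"""
import re

# Assumption for this example: three toolbars from the thread's log treated as
# known-good. A real triage would use a maintained list, not a hand-picked one.
KNOWN_TOOLBAR_CLSIDS = {
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}",  # Google Toolbar
    "{724D43A0-0D85-11D4-9908-00400523E39A}",  # RoboForm
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}",  # Windows Live Toolbar
}

O4_RUN = re.compile(r"^O4 - (?P<hive>HK[^:]*?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<lnk>.+?) = (?P<target>.*)$")
O3_TOOLBAR = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O16_DPF = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<src>\S+)$")
O17_DNS = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
# rundll32 <dll>[,]<export>: the DLL may be quoted, the export may be absent.
RUNDLL = re.compile(r"""rundll32(?:\.exe)?\s+["']?(?P<dll>[^"']+?\.dll)["']?(?:[ ,]+(?P<export>\S+))?""", re.I)

# Constructed sample: ten lines copied from the log in the thread (the real log
# is about 300 lines); HijackThis writes double quotes around paths with spaces.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O3 - Toolbar: Adssite Toolbar - {41C29B07-6F91-4966-91BE-2E2841643C83} - C:\Program\Adssite Advanced Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - Startup: Spray.lnk = ?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.ne.se/sokverktyg/installation/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE5CE44B-F0FE-4E4D-9B13-35C18D221696}: NameServer = 195.58.103.130 213.150.135.210
"""


def finding(section, severity, reason, **detail):
    return {"section": section, "severity": severity, "reason": reason, "detail": detail}


def triage(log_text):
    """Return the findings for one HijackThis log, in log order."""
    out = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN.match(line)
        if m:
            r = RUNDLL.search(m["cmd"])
            if r:
                out.append(finding("O4", "high", "rundll32 loads a DLL at logon",
                                   hive=m["hive"], name=m["name"],
                                   dll=r["dll"], export=r["export"]))
            continue
        m = O4_STARTUP.match(line)
        if m:
            if m["target"].strip() == "?":
                out.append(finding("O4", "medium", "startup shortcut with unresolved target",
                                   shortcut=m["lnk"]))
            continue
        m = O3_TOOLBAR.match(line)
        if m:
            if m["clsid"].upper() not in KNOWN_TOOLBAR_CLSIDS:
                out.append(finding("O3", "medium", "toolbar not in allowlist",
                                   name=m["name"], clsid=m["clsid"], path=m["path"]))
            continue
        m = O16_DPF.match(line)
        if m:
            if m["src"].lower().endswith(".exe"):
                out.append(finding("O16", "medium", "ActiveX download fetches a raw executable",
                                   clsid=m["clsid"], src=m["src"]))
            continue
        m = O17_DNS.match(line)
        if m:
            out.append(finding("O17", "info", "resolvers set on an interface; compare with the ISP's",
                               servers=m["servers"].split()))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['section']:<3} {f['reason']}: {f['detail']}")
```

Run it as a script to print the five findings, or pass a saved hijackthis.log to `triage()`. The rundll32 rule is the one worth keeping in any real triage: rundll32 is a signed Windows binary, so the process list looks clean while the DLL it loaded does the work, which is why the log's "Running processes" section shows nothing named gzmrotate.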

Control Panel - Add or Remove Programs

Remove the following if they are listed there, then delete the folder C:\Program\Adssite Advanced Toolbar

Adssite

AdRotator

IconAds

 

Download VundoFix:

http://www.atribune.org/ccount/click.php?id=4

 

Restart the computer in Safe Mode (press F8 repeatedly during startup and choose Safe Mode from the menu).

 

Double-click VundoFix.exe to start the program.

When it has started, click Scan for Vundo.

When the scan is finished, click Remove Vundo.

Answer Yes when asked whether you want to delete the files.

The desktop will then disappear while the files are being deleted.

When it is done, a message will say that your computer is going to be shut down; click OK.

Start the computer again in normal mode.

 

If VundoFix could not delete some file on the first attempt, VundoFix will start again when the computer boots; in that case, follow the instructions once more.

 

Paste C:\vundofix.txt into your reply.

 

Go to the folder C:\Program\Trend Micro\Hijackthis in Explorer or My Computer and rename the program HijackThis.exe to something else, e.g. rensning.exe, then create a new log and paste it here.

 


Börje Nordberg

 

VundoFix V6.5.11

 

Checking Java version...

 

Sun Java not detected

Scan started at 14:17:45 2007-11-11

 

Listing files found while scanning....

 

C:\WINDOWS\ekyxep.dll

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\ekyxep.dll

C:\WINDOWS\ekyxep.dll Could not be deleted.

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.5.11

 

Checking Java version...

 

Sun Java not detected

Scan started at 14:33:04 2007-11-11

 

Listing files found while scanning....

 

C:\WINDOWS\ekyxep.dll

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\ekyxep.dll

C:\WINDOWS\ekyxep.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

Thanks for the help

Best regards

Börje

 

 

 


 

Go to the folder C:\Program\Trend Micro\Hijackthis in Explorer or My Computer and rename the program HijackThis.exe to something else, e.g. rensning.exe, then create a new log and paste it here.

 
