data2k.dk Beginner
04 December 2004 - 16:20 There are 21 comments and 2 solutions

Spyware log file

I have this log file, made with Bazooka Scanner.

Can anyone tell me how to remove the spyware I have on my system? Because I definitely have some!

****************************************
Bazooka Scanner v1.13.02
http://www.kephyr.com/spywarescanner/
http://www.kephyr.com/spywarescanner/library/
support@kephyr.com
Log created 16:05:51.
OS: Windows NT 5.1
Database version: 2.220000
Database format version: 1.020000
Database date: 20040806
Current date: 2004-12-04 16:05


****************************************
Result when scanning:

Internet Optimizer 123.000.003 C:\Program Files\Internet Optimizer\
C:\Program Files\Internet Optimizer\
http://www.kephyr.com/spywarescanner/library/internetoptimizer/index.phtml

KeenValue.Updater 643.000.001 %ProgramsDir%\Common Files\updater\
C:\Programmer\Common Files\updater\
http://www.kephyr.com/spywarescanner/library/keenvalue.updater/index.phtml

****************************************
Auto start entries:
    C:\Documents and Settings\All Users.WINDOWS\Menuen Start\Programmer\Start\desktop.ini
    C:\Documents and Settings\All Users.WINDOWS\Menuen Start\Programmer\Start\desktop.ini
    C:\Documents and Settings\kalb\Menuen Start\Programmer\Start\desktop.ini
    C:\Documents and Settings\kalb\Menuen Start\Programmer\Start\desktop.ini

    Go here to analyse the startup entries and the associated files:
    http://www.kephyr.com/filedb/index.php

****************************************
Run entries:
    avast!        C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\avast!

    Windows TaskAd        C:\Program Files\Windows TaskAd\WinTaskAd.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows TaskAd

    Microsoft Services        lssrv.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Services

    Windows Services Update        SVCH0ST.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Services Update

    MSConfig        C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig

    NDIS Adapter       
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\NDIS Adapter

    Sygate Personal Firewall        qtask.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Sygate Personal Firewall

    ALTER DATA        c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ALTER DATA

    Windows Services Update        SVCH0ST.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Services Update

    Windows Compliant        pgkeyl.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Compliant

    Start aThe Roll        enotxa2.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Start aThe Roll

    Microsoft Services        lssrv.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Services

    kernel32dll        guardpc.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\kernel32dll

    NDIS Adapter        lsass2.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\NDIS Adapter

    MP Services        mpsvc.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\MP Services

    Microsoft Synchronization Manager        netinfo.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Synchronization Manager

    blc proc drv        blcproc.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\blc proc drv

    MSMSGS        "C:\Programmer\Messenger\msmsgs.exe" /background
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS

    Spyware Doctor        "C:\Spyware Doctor\swdoctor.exe" /Q
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Spyware Doctor

    NDIS Adapter        lsass2.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\NDIS Adapter


    Go here to analyse the run entries and the associated files:
    http://www.kephyr.com/filedb/index.php

****************************************
Browser helper objects:


****************************************
Toolbars:

{8E718888-423F-11D2-876E-00A0C9082467}    C:\WINDOWS\System32\msdxm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{8E718888-423F-11D2-876E-00A0C9082467}

{01E04581-4EEE-11D0-BFE9-00AA005B4383}    C:\WINDOWS\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}

{0E5CBF21-D15F-11D0-8301-00AA005B4383}    C:\WINDOWS\system32\SHELL32.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}

{4D5C8C25-D075-11d0-B416-00C04FB90376}    C:\WINDOWS\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

{32683183-48a0-441b-a342-7c2a440a9478}    C:\WINDOWS\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}


****************************************
All processes:

    [System Process]
    System
    smss.exe
    csrss.exe
    winlogon.exe
    services.exe
    lsass.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    rundll32.exe
    spoolsv.exe
    explorer.exe
    ashDisp.exe
    SVCH0ST.exe
    lssrv.exe
    msmsgs.exe
    WinSched.exe
    alg.exe
    aswUpdSv.exe
    ashServ.exe
    ashMaiSv.exe
    swdoctor.exe
    WinTaskAd.exe
    iexplore.exe
    wmplayer.exe
    spywarescanner.exe

    Go here to analyse the running processes:
    http://www.kephyr.com/filedb/index.php

****************************************
Internet Explorer Settings:

    Default_Page_URL    http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

    Default_Search_URL    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

    Local Page    C:\WINDOWS\system32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page

    Search Page    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page

    Start Page    http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

    SearchAssistant    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant

    CustomizeSearch    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

        http://
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\

    www    http://
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www

    provider   
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\provider

    Default_Page_URL    http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

    Default_Search_URL    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

    Local Page    C:\WINDOWS\about.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page

    Search Page    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

    Start Page    about:blank
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

    SearchAssistant    http://www.couldnotfind.com/search_page.html?&account_id=151916
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant


****************************************
data2k.dk Beginner
04 December 2004 - 16:27 #1
I think I have these on my system

Alexa Toolbar
Spy #ab019
KeenValue
Spy #mdh22
Spy #ps124
Spy #rse11
majsmarken Beginner
04 December 2004 - 17:07 #2
Yes, there is quite a lot...
Download Spybot and HijackThis:
http://www.spywarefri.dk/vaerktoj.htm
Install and run Spybot, update online, scan, fix the selected problems and restart.
Then run HijackThis > Scan > Save log. Copy the log file in here and we will look at it.
Do not delete anything yourself with HijackThis; we will help you interpret the log.
data2k.dk Beginner
04 December 2004 - 17:53 #3
I'll just try that :)
data2k.dk Beginner
04 December 2004 - 19:00 #4
There we go


Logfile of HijackThis v1.98.2
Scan saved at 18:59:47, on 12/04/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\WINDOWS\system32\SVCH0ST.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\kalb\Skrivebord\hijackthis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [Windows Services Update] SVCH0ST.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] qtask.exe
O4 - HKLM\..\RunServices: [ALTER DATA] c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
O4 - HKLM\..\RunServices: [Windows Services Update] SVCH0ST.exe
O4 - HKLM\..\RunServices: [Windows Compliant] pgkeyl.exe
O4 - HKLM\..\RunServices: [Start aThe Roll] enotxa2.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [kernel32dll] guardpc.exe
O4 - HKLM\..\RunServices: [NDIS Adapter] lsass2.exe
O4 - HKLM\..\RunServices: [MP Services] mpsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] netinfo.exe
O4 - HKLM\..\RunServices: [blc proc drv] blcproc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [ALTER DATA] c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://cgi5.ebay.com/ws2/applet
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102170483842
data2k.dk Beginner
04 December 2004 - 19:02 #5
I still have some spyware, at least.. I get this popup once in a while

http://www.americansingles.com/default.asp?p=7090&PRM=22138&LGID=1918Ximproper
data2k.dk Beginner
04 December 2004 - 19:10 #6
arlet Junior Master
04 December 2004 - 19:11 #7
You can start with this one:
Download and run this scanner from Kaspersky: http://www.arlet.dk/mwti.htm

Restart and post a new HijackThis log
data2k.dk Beginner
04 December 2004 - 19:16 #8
OK, it is finding more... I am scanning now.. will be back :)
data2k.dk Beginner
04 December 2004 - 20:34 #9
It is going extremely slowly... a little over an hour now and it has gone through 26000 files.. I have perhaps a little over half a million files, so I hope it will not take 19 hours before it is done... 500000 / 26000 hehe
data2k.dk Beginner
04 December 2004 - 20:46 #10
Logfile of HijackThis v1.98.2
Scan saved at 20:46:00, on 12/04/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\Kaspersky\mwavscan.com
C:\Programmer\Messenger\msmsgs.exe
C:\Kaspersky\kavss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\kalb\Skrivebord\hijackthis.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\BullsEye Network\bin\bargains.exe
C:\Programmer\CashBack\bin\cashback.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [mwavscan] "C:\Kaspersky\mwavscan.com" /s
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [ALTER DATA] c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] netinfo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [ALTER DATA] c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://cgi5.ebay.com/ws2/applet
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102170483842




After the scan, one of the old spyware programs has come back.. a cashback.exe, but that can probably be seen in the log
data2k.dk Beginner
04 December 2004 - 20:54 #11
Sorry, that was an old log.. this is the new one


Logfile of HijackThis v1.98.2
Scan saved at 20:53:53, on 12/04/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\CashBack\bin\cashback.exe
C:\Programmer\BullsEye Network\bin\bargains.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\kalb\Skrivebord\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [mwavscan] "C:\Kaspersky\mwavscan.com" /s
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] netinfo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://cgi5.ebay.com/ws2/applet
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102170483842
arlet Junior Master
04 December 2004 - 21:05 #12
So the scanner went fast at the end..

It has removed a good deal, but there is still some left..

I will be back shortly with what to do next..
arlet Junior Master
04 December 2004 - 21:08 #13
You now need to start fixing:

Disable System Restore:
http://www.arlet.dk/systemgendannelsen.htm

Run HijackThis, scan, tick the lines listed here, close all windows except HijackThis, click Fix checked, then close HijackThis again.
Double-check that everything is included.


R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] netinfo.exe



--------------------------------------------------------------------

Open any folder and click Tools => Folder Options => View.
Untick "Hide protected operating system files".
Untick "Hide extensions for known file types".
Select "Show hidden files and folders".

--------------------------------------------------------------------

Find and delete manually in Safe Mode (F8 at startup):

C:\Program Files\Windows TaskAd\WinTaskAd.exe

Go to Search and search for:
lssrv.exe
netinfo.exe

Delete everything it finds


Then restart and post a new log here, so we can see whether we have got it completely clean.
Only when your log has been finally approved may you enable System Restore again.
data2k.dk Beginner
04 December 2004 - 21:36 #14
Logfile of HijackThis v1.98.2
Scan saved at 21:33:50, on 12/04/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\kalb\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://cgi5.ebay.com/ws2/applet
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102170483842



Some of it went, but I can still see

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

and System Restore is turned off.. if that has anything to do with it
data2k.dk Beginner
04 December 2004 - 21:40 #15
I tried deleting them and restarting, and now they are gone


Logfile of HijackThis v1.98.2
Scan saved at 21:39:37, on 12/04/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\kalb\Skrivebord\hijackthis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://cgi5.ebay.com/ws2/applet
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102170483842
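As an added example (not part of the thread, and not code from HijackThis), the comparisons done by eye in posts #10 to #15 can be scripted: which lines of the fix list from post #13 a follow-up log still shows, and which entries appeared between two scans. The function names are hypothetical; the sample lines are excerpts copied from the logs in posts #4, #10, #13, #14 and #15.

```python
import re

# A HijackThis result line: section code (R0, O1, O4, O15, ...), " - ", entry.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return (code, entry) pairs for the result lines of a HijackThis log.

    Header lines and the "Running processes" list do not match ENTRY_RE and
    are skipped; whitespace runs are collapsed so re-wrapped lines still match.
    """
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group(1), " ".join(match.group(2).split())))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive.
    return entry[0], entry[1].casefold()


def _select(candidates_text, reference_text, want_present):
    """Entries of candidates_text that are (or are not) in reference_text."""
    reference = {_key(e) for e in parse_entries(reference_text)}
    out, seen = [], set()
    for entry in parse_entries(candidates_text):
        key = _key(entry)
        if (key in reference) == want_present and key not in seen:
            seen.add(key)  # report repeated lines (e.g. duplicate O1 rows) once
            out.append("%s - %s" % entry)
    return out


def still_present(fix_list_text, followup_log_text):
    """Fix-list entries the follow-up log still shows, in fix-list order."""
    return _select(fix_list_text, followup_log_text, want_present=True)


def newly_appeared(before_log_text, after_log_text):
    """Entries of the later log that the earlier log did not have."""
    return _select(after_log_text, before_log_text, want_present=False)


# Sample input: the fix list from post #13 and excerpts of the logs in
# posts #14, #15, #4 and #10 of this thread (excerpts, not the full logs).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] netinfo.exe
"""
LOG_POST_14 = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""
LOG_POST_15 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""
LOG_POST_4 = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
"""
LOG_POST_10 = r"""
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [mwavscan] "C:\Kaspersky\mwavscan.com" /s
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
"""

if __name__ == "__main__":
    print(still_present(FIX_LIST, LOG_POST_14))   # the three O1 lines remain
    print(still_present(FIX_LIST, LOG_POST_15))   # nothing from the fix list
    print(newly_appeared(LOG_POST_4, LOG_POST_10))
```

A newly appeared entry still needs a human read: the mwavscan line reported between posts #4 and #10 belongs to the scanner recommended in post #7.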
data2k.dk Beginner
04 December 2004 - 21:42 #16
data2k.dk Beginner
04 December 2004 - 21:43 #17
Does this one mean anything to you?

Win32:Trojano-213 [Trj]
data2k.dk Beginner
04 December 2004 - 22:01 #18
Spyware Doctor finds


   
Infection Name Location Risk
Zango Search Assistant multiple Elevated
CashBack HKLM\SOFTWARE\CashBack Elevated
CashBack HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashBack Elevated
eXact Advertising HKCR\clsid\{CE188402-6EE7-4022-8868-AB25173A3E14} Elevated
IEPlugin HKCR\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468} Medium
IEPlugin HKCR\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468} Medium
IEPlugin HKCR\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3} Medium
IEPlugin HKCR\CB.UrlCatcher Medium
IEPlugin HKCR\CB.UrlCatcher.1 Medium
IEPlugin HKLM\SOFTWARE\CashBack Medium
IEPlugin HKLM\SOFTWARE\eXactUtil Medium
eXact Advertising {CE188402-6EE7-4022-8868-AB25173A3E14} Elevated
IEPlugin C:\WINDOWS\system32\exdl.exe Medium
Zango Search Assistant C:\WINDOWS\system32\ide21201.vxd Elevated
IEPlugin C:\WINDOWS\system32\instsrv.exe Medium
IEPlugin C:\WINDOWS\system32\mscb.dll Medium
arlet Junior Master
04 December 2004 - 22:30 #19
Your log is clean and you can enable System Restore again

To protect you against junk I have put together a security package,
which you can download here: www.arlet.dk/pakke.htm

You should not use Spyware Doctor....
data2k.dk Beginner
04 December 2004 - 22:55 #20
I have just installed the freeware programs mentioned.. I will scan my PC to see whether Win32:Trojano-213 [Trj] is still there .. with avast..
and I have turned System Restore on again

Logfile of HijackThis v1.98.2
Scan saved at 22:53:17, on 12/04/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\SpywareGuard\sgmain.exe
C:\Programmer\SpywareGuard\sgbhp.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\kalb\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://cgi5.ebay.com/ws2/applet
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102170483842
kile Beginner
05 December 2004 - 00:08 #21
I look through a lot of questions and solutions here on E, and I learn a lot from them
(I am training to become a computer technician)
Among other things I also look through a lot of HJT logs and learn a great deal from them.
Here you can also see:
C:\Documents and Settings\kalb\Skrivebord\hijackthis.exe

My question is then, are you the same as the user:
http://www.eksperten.dk/bruger.phtml?navn=kalb

who also answers questions?
arlet Junior Master
05 December 2004 - 08:41 #22
No, one only has one user here on E.

My user is arlet http://www.eksperten.dk/bruger.phtml?navn=arlet

<<C:\Documents and Settings\kalb\Skrivebord\hijackthis.exe>>
It is kalb who has put hijackthis.exe on his desktop..
There we have helped kalb clean his computer..
data2k.dk Beginner
05 December 2004 - 15:23 #23
kile:

No, I am not kalb as well... I have been here much longer than him! It is pure coincidence... if I see your combination of letters from your nick in another question, it does not have to be you, does it? hehe

Thanks arlet for the answer! Here you go, points!