Avatar billede henning_b Nybegynder
02. januar 2005 - 16:29 Der er 31 kommentarer og
1 løsning

spyware, uønsket genstart

Jeg har vist fået noget snavs i på min maskine. Symptomerne er:
- ved start en besked om, at RUNDLL ikke kan køre en fil, en ny hver gang, og så: UMONITOR
- uønskede genstart eller komplet død maskine, selvfølgelig, når de er mest irriterende. Efter genstart ofte fejl med WINLOGON

Ifølge Symantec er maskinen virusfri.
At køre Ad-Aware 6.0 medfører genstart inden total kontrol.
At køre Spybot renser en række fejl, men den kan ikke rette de sidste seks problemer, og næste kørsel viser, at der er 14 problemer, hvoraf kun de otte bliver rettede.

HiJackThis-loggen ser således ud:

Logfile of HijackThis v1.98.2
Scan saved at 16:15:20, on 02-01-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmer\Symantec AntiVirus\DefWatch.exe
C:\Programmer\Interbase\bin\ibguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Symantec AntiVirus\Rtvscan.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\Interbase\bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\Mixer.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmer\Logitech\SetPoint\KEM.exe
C:\Programmer\Logitech\SetPoint\KHALMNPR.EXE
C:\wincmd\TOTALCMD.EXE
C:\Programmer\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programmer\Netropa\Onscreen Display\OSD.exe
C:\Programmer\Internet Explorer\iexplore.exe
c:\junk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ni.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ni.dk/"); (C:\Documents and Settings\henning\Application Data\Mozilla\Profiles\default\xh2idnj6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgrammer%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\henning\Application Data\Mozilla\Profiles\default\xh2idnj6.slt\prefs.js)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Omnipage] C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Programmer\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmer\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Total Commander 32.lnk = C:\wincmd\TOTALCMD.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {26835CE1-D5EC-11d5-AF6E-00C06D0086BF} - (no file)
O9 - Extra button: (no name) - {6A0426D1-0FF2-49a0-ABC2-05B67826C727} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=f32ea71f93289f61b4dbf30a04a6a1144dbe14cda02fcaaa9fafbced2952791a768a1a41688817425fa5c9751a6be7b24046:f22d67e45739a8712f7edadac81f3fd5
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093384901218
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (SL Control) - http://static.topconverting.com/activex/sl.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://80.198.90.242/webgis/acgm/acgm.cab

Jeg vil være yderst taknemmelig for jeres kloge svar.

Please help!

Mvh Henning
Avatar billede kalp Novice
02. januar 2005 - 16:33 #1
Prøver lige at se om jeg kan nå at tyde den inden der bliver ringet på døren(skal i bio)
Avatar billede trekkies Juniormester
02. januar 2005 - 16:34 #2
Hvis den skriver at den lukker ned om 30 sekunder, så har du sasser, gør den det?
Avatar billede johnstigers Seniormester
02. januar 2005 - 16:35 #3
trekkies> SP2 = ingen sasser
Avatar billede kalp Novice
02. januar 2005 - 16:58 #4
Sæt hak i disse i hijackthis og tryk på Fix Checked
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [LDM] C:\Programmer\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=f32ea71f93289f61b4dbf30a04a6a1144dbe14cda02fcaaa9fafbced2952791a768a1a41688817425fa5c9751a6be7b24046
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (SL Control) - http://static.topconverting.com/activex/sl.cab

Sletning af filer og mapper:
Åbn en mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".
-------------------
Filer:
C:\Programmer\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

Mapper:
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe


genstart normalt og smid en ny log herind
Avatar billede johnstigers Seniormester
02. januar 2005 - 17:02 #5
Hvis du ikke kan fixe linierne med O1 - Hosts: 69.20.16.183 ieautosearch - så prøv denne uninstaller: http://www.look2me.com/cgi-bin/UnInstaller
Avatar billede kalp Novice
02. januar 2005 - 17:06 #6
man må da sige det en pæn lang liste af den:)
Avatar billede henning_b Nybegynder
02. januar 2005 - 23:55 #7
Jeg gjorde som anbefalet, og det giver følgende log:

Logfile of HijackThis v1.98.2
Scan saved at 23:35:49, on 02-01-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmer\Symantec AntiVirus\DefWatch.exe
C:\Programmer\Interbase\bin\ibguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Symantec AntiVirus\Rtvscan.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\Mixer.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmer\Interbase\bin\ibserver.exe
C:\Programmer\Logitech\SetPoint\KEM.exe
C:\wincmd\TOTALCMD.EXE
C:\Programmer\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmer\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programmer\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
c:\junk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ni.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ni.dk/"); (C:\Documents and Settings\henning\Application Data\Mozilla\Profiles\default\xh2idnj6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgrammer%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\henning\Application Data\Mozilla\Profiles\default\xh2idnj6.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Omnipage] C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Programmer\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmer\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Total Commander 32.lnk = C:\wincmd\TOTALCMD.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {26835CE1-D5EC-11d5-AF6E-00C06D0086BF} - (no file)
O9 - Extra button: (no name) - {6A0426D1-0FF2-49a0-ABC2-05B67826C727} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093384901218
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://80.198.90.242/webgis/acgm/acgm.cab

De fire O1-entries er vanskelige at slippe af med. Jeg har kørt HiJackThis flere gange, både i normal og i fejlsikker tilstand. Hyppigt viser næste scan, at de er væk, men at lukke og genstarte HiJackThis bringer dem frem igen.

Look2me Uninstaller svarer: No version of the application found to uninstall.

Spy-bot viser stadig en række problemer, pt 16 stk.

Og der har været et enkelt tilfælde af frysning af mus og KB.

RUNDLL xxx; UMONITOR-fejlen dukker stadig op nu og da.

Wat2do? Skifte til Linux?? eller Win 3.11??? Eller blot geninstallere alt efter reformattering af diskdrev???

Til kalp: ja,det er en hel del. sporer jeg et glimt af misundelse ;-)) ?
Avatar billede tonnybrandt Nybegynder
03. januar 2005 - 00:08 #8
Hent og udpak dette program:
http://www.fbeej.dk/Programmer/FindItNT2KXP.zip
Kør find.bat og læg log-filen herind.
Avatar billede kalp Novice
03. januar 2005 - 00:13 #9
Skulle lige til at smide poste et link til det program:)
Det lyder som om du har nogen snavsede dll filer som skal findes og slettes
Avatar billede tonnybrandt Nybegynder
03. januar 2005 - 00:19 #10
kalp > kør blot videre. Jeg overvågede blot spm fordi jeg vidste hvor træls de vx2 infektioner er.
Avatar billede kalp Novice
03. januar 2005 - 00:32 #11
Det helt okay jeg prøver det vist 3 gang jeg prøver sådan en her(gået fint tidligere) så hvis jeg kommer i tvivl vil jeg da lige poste det:)
Avatar billede henning_b Nybegynder
04. januar 2005 - 16:08 #12
Beklager forsinkelsen.

Find.bat giver følgende log:

Warning!XP This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Disken i drev C har ikke noget navn.
Diskens serienummer er 448F-54E9

Indhold af C:\WINDOWS\System32

04-01-2005  13:18          224.111 jt8o07l3e.dll
04-01-2005  10:48          225.343 gp2ml3f11.dll
04-01-2005  00:55          223.098 o284lclq1fqe.dll
03-01-2005  10:24          223.012 i806lids1806.dll
03-01-2005  10:16          223.215 d4j02e1mgh.dll
03-01-2005  10:01          223.145 r4p8le7u1h.dll
03-01-2005  09:57          223.207 mvrul9991.dll
03-01-2005  09:43          222.965 i4jqle151h.dll
02-01-2005  18:57          225.034 l68mlgl116q.dll
02-01-2005  10:55          225.030 lv8809lue.dll
01-01-2005  17:55          222.906 fp2m03f1e.dll
01-01-2005  17:47          223.016 fpl2033oe.dll
01-01-2005  17:07          222.783 j6p0lg7m16.dll
01-01-2005  16:59          222.783 aza40i9qe8.dll
01-01-2005  12:25          224.327 g0jola131d.dll
27-12-2004  00:39          225.939 ir4ql5h51.dll
17-12-2004  11:26          222.997 o8pqli7518.dll
15-12-2004  23:39          224.098 i6nmlg5116.dll
15-12-2004  22:13          223.864 dnlq0135e.dll
08-12-2004  15:35          226.214 enr0l19m1.dll
08-12-2004  15:13    <DIR>          dllcache
08-12-2004  13:27          223.042 o866lijs18o6.dll
08-12-2004  13:16          222.846 l6p2lg7o16.dll
08-12-2004  00:28          224.844 hrru0599e.dll
07-12-2004  22:40          224.785 n8l8li3u18.dll
07-12-2004  09:41          224.517 enn8l15u1.dll
07-12-2004  09:27          226.107 m6640gjqe6oe0.dll
06-12-2004  22:38          226.258 m0pola731d.dll
05-12-2004  17:58          226.067 p8r40i9qe8.dll
03-12-2004  08:22          225.878 n26q0cj5efo.dll
18-11-2002  23:41    <DIR>          Microsoft
              29 fil(er)        6.501.431 byte
              2 mappe(r)  100.800.618.496 byte ledig

------- Hidden Files in System32 Directory -------

Disken i drev C har ikke noget navn.
Diskens serienummer er 448F-54E9

Indhold af C:\WINDOWS\System32

08-12-2004  15:13    <DIR>          dllcache
30-08-2004  09:14            1.069 log.bak.txt
20-10-2003  22:33                94 tdb_G1asw.ini
12-05-2003  22:21            5.012 ws430379.ocx
23-10-2002  23:13              488 WindowsLogon.manifest
23-10-2002  23:13              488 logonui.exe.manifest
23-10-2002  23:12              749 nwc.cpl.manifest
23-10-2002  23:12              749 ncpa.cpl.manifest
23-10-2002  23:12              749 sapi.cpl.manifest
23-10-2002  23:12              749 cdplayer.exe.manifest
23-10-2002  23:12              749 wuaucpl.cpl.manifest
              10 fil(er)          10.896 byte
              1 mappe(r)  100.800.614.400 byte ledig

---------- Files Named "Guard" -------------

Disken i drev C har ikke noget navn.
Diskens serienummer er 448F-54E9

Indhold af C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Disken i drev C har ikke noget navn.
Diskens serienummer er 448F-54E9

Indhold af C:\WINDOWS\System32

09-10-2001  13:00            2.660 CONFIG.TMP
              1 fil(er)            2.660 byte
              0 mappe(r)  100.800.614.400 byte ledig

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4C9E9E64-E923-4D3F-AFCD-E2792EF098D2}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp2ml3f11.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------

'Xfind' blev ikke genkendt som en intern eller ekstern kommando,
et program eller en batchfil.

-------------- Locate.com Results ---------------
Avatar billede kalp Novice
05. januar 2005 - 01:20 #13
okay jeg kan genkende et par af de der dll filer som er spyware.. de ser helt nye ud for mig... men jeg tror ikke der er mange af dem som er gode! men fordi jeg ikke kender dem og ikke engang kan finde info omkring dem vil jeg ikke risikere at ødelægge noget og overlader det til TonnyBrandt at guide dig videre.

Hvis jeg endelig skulle skrive hvad du skal hente og gøre ville det være fint hvis TonnyBrandt lige godkendte det jeg skriver før du udføre det.
Avatar billede tonnybrandt Nybegynder
05. januar 2005 - 02:04 #14
1.Nu har vi navnene på de snavsede filer. De skal slettes med KillBox... Hent KillBox her:

http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Brugsanvisning kan du finde her:

http://www.fbeej.dk/KillBox2_manual.htm

***************************************

Det er vigtigt, at du afbryder forbindelsen til internettet inden du sletter nedenstående filer - hiv internetstikket ud af computeren.

Her er så listen over filer der skal slettes med KillBox:

c:\windows\system32\jt8o07l3e.dll
c:\windows\system32\gp2ml3f11.dll
c:\windows\system32\o284lclq1fqe.dll
c:\windows\system32\i806lids1806.dll
c:\windows\system32\d4j02e1mgh.dll
c:\windows\system32\r4p8le7u1h.dll
c:\windows\system32\mvrul9991.dll
c:\windows\system32\i4jqle151h.dll
c:\windows\system32\l68mlgl116q.dll
c:\windows\system32\lv8809lue.dll
c:\windows\system32\fp2m03f1e.dll
c:\windows\system32\fpl2033oe.dll
c:\windows\system32\j6p0lg7m16.dll
c:\windows\system32\aza40i9qe8.dll
c:\windows\system32\g0jola131d.dll
c:\windows\system32\ir4ql5h51.dll
c:\windows\system32\o8pqli7518.dll
c:\windows\system32\i6nmlg5116.dll
c:\windows\system32\dnlq0135e.dll
c:\windows\system32\enr0l19m1.dll
c:\windows\system32\o866lijs18o6.dll
c:\windows\system32\l6p2lg7o16.dll
c:\windows\system32\hrru0599e.dll
c:\windows\system32\n8l8li3u18.dll
c:\windows\system32\enn8l15u1.dll
c:\windows\system32\m6640gjqe6oe0.dll
c:\windows\system32\m0pola731d.dll
c:\windows\system32\p8r40i9qe8.dll
c:\windows\system32\n26q0cj5efo.dll

Kør KillBox, sæt prik i "Delete on reboot". Kopier hver enkel linie ind i tekstfeltet på Killbox og klik herefter på den røde knap med det hvide kryds. Programmet vil spørge om du vil genstarte - svar NEJ, undtagen når du har kopieret den sidste linie ind. Efter at have kopieret den sidste linie ind, skal du svare JA, og din computer vil genstarte (det vil formentlig være en langsom genstart, da infektionen vil lede efter de filer du har slettet).

2. Efter genstart skal du nu finde og slette den (igen):

c:\windows\system32\Guard.tmp

3. Åben Notepad/notesblokken, Kopier teksten i fed skrift (startende med REGEDIT4) ind i en tekstfil - gem filen på Skrivebordet som "Rens.reg" (i filtype skal du vælge Alle filer inden du trykker Gem). Find filen Rens.reg på skrivebordet og dobbeltklik på den - svar ja til at flette den ind i registreringsdatabasen.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{4C9E9E64-E923-4D3F-AFCD-E2792EF098D2}"=-

4. Læg en frisk HijackThis log herind. Vi skal også vide om din papirkurv virker... det finder vi ud af nu, når du sletter Rens.reg som ligger på Skrivebordet (du skal lige have dobbeltklikket på den inden du sletter den). Bliver filen slettet? Havner den i Papirkurven?
Avatar billede kalp Novice
05. januar 2005 - 02:06 #15
Godt nok så blev det bekræftet.. smider navnene på dll filer over i min liste over beskidte filer:)
Avatar billede tonnybrandt Nybegynder
05. januar 2005 - 02:15 #16
Det behøver du ikke. De ændrer navn hele tiden *s*
Avatar billede kalp Novice
05. januar 2005 - 02:17 #17
Er det pga Guard.tmp?
Avatar billede tonnybrandt Nybegynder
06. januar 2005 - 09:25 #18
Hovsa, jeg lavede en fejl i det fix jeg lagde tidligere.

Reg filen skal se således ud:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{4C9E9E64-E923-4D3F-AFCD-E2792EF098D2}"=-
Avatar billede henning_b Nybegynder
13. januar 2005 - 16:52 #19
Beklager den lange forsinkelse, jeg blev sendt til Tunis for firmaet.

Jeg har gjort som anbefalet. At slette filer med Killbox gik fint, men c:\windows\system32\guard.tmp fandtes ikke. Og de to nye nøgler: den første eksisterer ikke i registreringsdatabasen, den anden findes, men værdien er blank.
Fejlmeddelelsen DLL-RUN-error kommer stadig, og papirkurvens ikon er fyldt, men ved åbning er den tom. Dog spørges der: Ønsker du at slette disse tre elementer.

Den nyeste HiJackThis-log ser således ud:
Logfile of HijackThis v1.98.2
Scan saved at 16:25:47, on 13-01-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmer\Symantec AntiVirus\DefWatch.exe
C:\Programmer\Interbase\bin\ibguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Symantec AntiVirus\Rtvscan.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\Interbase\bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\Mixer.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmer\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programmer\Netropa\Onscreen Display\OSD.exe
C:\Programmer\Logitech\SetPoint\KEM.exe
C:\wincmd\TOTALCMD.EXE
C:\Programmer\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Internet Explorer\iexplore.exe
c:\junk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ni.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ni.dk/"); (C:\Documents and Settings\henning\Application Data\Mozilla\Profiles\default\xh2idnj6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgrammer%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\henning\Application Data\Mozilla\Profiles\default\xh2idnj6.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Omnipage] C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Programmer\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmer\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Total Commander 32.lnk = C:\wincmd\TOTALCMD.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {26835CE1-D5EC-11d5-AF6E-00C06D0086BF} - (no file)
O9 - Extra button: (no name) - {6A0426D1-0FF2-49a0-ABC2-05B67826C727} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093384901218
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://80.198.90.242/webgis/acgm/acgm.cab

Er jeg tæt på det totale sammenbrud?
Avatar billede henning_b Nybegynder
13. januar 2005 - 17:08 #20
. . . og for et øjeblik siden genstartede den. Tilmed, da den var færdig med sin genstart, frøs mus og tastatur. Reset!
Avatar billede tonnybrandt Nybegynder
13. januar 2005 - 18:26 #21
Prøv lige at fixe disse i HiJackThis:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O9 - Extra button: (no name) - {26835CE1-D5EC-11d5-AF6E-00C06D0086BF} - (no file)
O9 - Extra button: (no name) - {6A0426D1-0FF2-49a0-ABC2-05B67826C727} - (no file)

Genstart og ny log.

Om det nu er muligt at slette dem er ikke helt sikkert, idet dette fix helst skal laves i en køre. infektionen kan nemlig lave om i reg.basen ved hver genstart.
Avatar billede henning_b Nybegynder
13. januar 2005 - 22:34 #22
. . . og dette er så den nye log.

Logfile of HijackThis v1.98.2
Scan saved at 22:30:34, on 13-01-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmer\Symantec AntiVirus\DefWatch.exe
C:\Programmer\Interbase\bin\ibguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Symantec AntiVirus\Rtvscan.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\Mixer.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmer\Interbase\bin\ibserver.exe
C:\Programmer\Logitech\SetPoint\KEM.exe
C:\Programmer\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmer\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programmer\Netropa\Onscreen Display\OSD.exe
C:\wincmd\TOTALCMD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Internet Explorer\iexplore.exe
c:\junk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ni.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ni.dk/"); (C:\Documents and Settings\henning\Application Data\Mozilla\Profiles\default\xh2idnj6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgrammer%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\henning\Application Data\Mozilla\Profiles\default\xh2idnj6.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Omnipage] C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Programmer\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmer\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Total Commander 32.lnk = C:\wincmd\TOTALCMD.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093384901218
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://80.198.90.242/webgis/acgm/acgm.cab

En detalje: linien
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
var ikke med, da jeg skulle fixe i HiJackThis.
Avatar billede tonnybrandt Nybegynder
13. januar 2005 - 22:42 #23
Ok, vi er desværre nødt til at have endnu en log fra find.bat.

Og det ville hjælpe betydeligt hvis vi kan få loggen med det samme og at du ikke slukker eller genstarter pc'en før jeg har fortalt hvad du skal gøre.

Jeg er online en times tid endnu.
Avatar billede henning_b Nybegynder
13. januar 2005 - 23:40 #24
Håber, jeg når det!

Warning!XP This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Disken i drev C har ikke noget navn.
Diskens serienummer er 448F-54E9

Indhold af C:\WINDOWS\System32

13-01-2005  17:05          224.023 o4lu0e39eh.dll
13-01-2005  17:03          224.023 m6640gjqe6oe0.dll
13-01-2005  16:24          224.023 i0600ajmedoa0.dll
13-01-2005  16:22          222.573 gpp8l37u1.dll
09-01-2005  22:39          223.711 g8lmli3118.dll
09-01-2005  10:03          225.846 mvl6l93s1.dll
08-01-2005  17:20          222.760 azaola131d.dll
07-01-2005  08:37          225.803 h62olgf3162.dll
07-01-2005  08:22          225.068 dnrq0195e.dll
06-01-2005  14:59          224.276 en6ql1j51.dll
06-01-2005  09:32          223.009 g440lehm1h4a.dll
05-01-2005  20:35          225.972 o6pq0g75e6.dll
05-01-2005  11:13          224.111 lvj4091qe.dll
08-12-2004  15:13    <DIR>          dllcache
18-11-2002  23:41    <DIR>          Microsoft
              13 fil(er)        2.915.198 byte
              2 mappe(r)  101.716.762.624 byte ledig

------- Hidden Files in System32 Directory -------

Disken i drev C har ikke noget navn.
Diskens serienummer er 448F-54E9

Indhold af C:\WINDOWS\System32

08-12-2004  15:13    <DIR>          dllcache
30-08-2004  09:14            1.069 log.bak.txt
20-10-2003  22:33                94 tdb_G1asw.ini
12-05-2003  22:21            5.012 ws430379.ocx
23-10-2002  23:13              488 WindowsLogon.manifest
23-10-2002  23:13              488 logonui.exe.manifest
23-10-2002  23:12              749 nwc.cpl.manifest
23-10-2002  23:12              749 ncpa.cpl.manifest
23-10-2002  23:12              749 sapi.cpl.manifest
23-10-2002  23:12              749 cdplayer.exe.manifest
23-10-2002  23:12              749 wuaucpl.cpl.manifest
              10 fil(er)          10.896 byte
              1 mappe(r)  101.716.758.528 byte ledig

---------- Files Named "Guard" -------------

Disken i drev C har ikke noget navn.
Diskens serienummer er 448F-54E9

Indhold af C:\WINDOWS\System32

13-01-2005  22:23          224.023 guard.tmp
              1 fil(er)          224.023 byte
              0 mappe(r)  101.716.758.528 byte ledig

--------- Temp Files in System32 Directory --------

Disken i drev C har ikke noget navn.
Diskens serienummer er 448F-54E9

Indhold af C:\WINDOWS\System32

13-01-2005  22:23          224.023 guard.tmp
09-10-2001  13:00            2.660 CONFIG.TMP
              2 fil(er)          226.683 byte
              0 mappe(r)  101.716.758.528 byte ledig

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4C9E9E64-E923-4D3F-AFCD-E2792EF098D2}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\m6640gjqe6oe0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------

'Xfind' blev ikke genkendt som en intern eller ekstern kommando,
et program eller en batchfil.

-------------- Locate.com Results ---------------

Avatar billede tonnybrandt Nybegynder
13. januar 2005 - 23:45 #25
Jeg er stadig online, og du får en tilpasset procedure om et par minutter *s*
Avatar billede tonnybrandt Nybegynder
13. januar 2005 - 23:52 #26
Det er vigtigt, at du afbryder forbindelsen til internettet inden du sletter nedenstående filer - hiv internetstikket ud af computeren.

Her er så listen over filer der skal slettes med KillBox:
c:\windows\system32\o4lu0e39eh.dll
c:\windows\system32\m6640gjqe6oe0.dll
c:\windows\system32\i0600ajmedoa0.dll
c:\windows\system32\gpp8l37u1.dll
c:\windows\system32\g8lmli3118.dll
c:\windows\system32\mvl6l93s1.dll
c:\windows\system32\azaola131d.dll
c:\windows\system32\h62olgf3162.dll
c:\windows\system32\dnrq0195e.dll
c:\windows\system32\en6ql1j51.dll
c:\windows\system32\g440lehm1h4a.dll
c:\windows\system32\o6pq0g75e6.dll
c:\windows\system32\lvj4091qe.dll

Kør KillBox, sæt prik i "Delete on reboot". Kopier hver enkel linie ind i tekstfeltet på Killbox og klik herefter på den røde knap med det hvide kryds. Programmet vil spørge om du vil genstarte - svar NEJ, undtagen når du har kopieret den sidste linie ind. Efter at have kopieret den sidste linie ind, skal du svare JA, og din computer vil genstarte (det vil formentlig være en langsom genstart, da infektionen vil lede efter de filer du har slettet).

2. Efter genstart skal du nu finde og slette den (igen):

c:\windows\system32\Guard.tmp

3. Åben Notepad/notesblokken, Kopier teksten i fed skrift (startende med REGEDIT4) ind i en tekstfil - gem filen på Skrivebordet som "Rens.reg" (i filtype skal du vælge Alle filer inden du trykker Gem). Find filen Rens.reg på skrivebordet og dobbeltklik på den - svar ja til at flette den ind i registreringsdatabasen.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{44C9E9E64-E923-4D3F-AFCD-E2792EF098D2}"=-


4. Genstart og fix disse i HiJackTHis:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

5. Genstart igen og læg en frisk HijackThis log herind. Vi skal også vide om din papirkurv virker... det finder vi ud af nu, når du sletter Rens.reg som ligger på Skrivebordet (du skal lige have dobbeltklikket på den inden du sletter den). Bliver filen slettet? Havner den i Papirkurven?
Avatar billede henning_b Nybegynder
14. januar 2005 - 00:38 #27
Og så ser den således ud:

Logfile of HijackThis v1.98.2
Scan saved at 00:21:55, on 14-01-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmer\Symantec AntiVirus\DefWatch.exe
C:\Programmer\Interbase\bin\ibguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Symantec AntiVirus\Rtvscan.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\Interbase\bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\Mixer.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmer\Logitech\SetPoint\KEM.exe
C:\Programmer\Logitech\SetPoint\KHALMNPR.EXE
C:\wincmd\TOTALCMD.EXE
C:\Programmer\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programmer\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
c:\junk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ni.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ni.dk/"); (C:\Documents and Settings\henning\Application Data\Mozilla\Profiles\default\xh2idnj6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgrammer%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\henning\Application Data\Mozilla\Profiles\default\xh2idnj6.slt\prefs.js)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Omnipage] C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Programmer\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmer\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Total Commander 32.lnk = C:\wincmd\TOTALCMD.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093384901218
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://80.198.90.242/webgis/acgm/acgm.cab

Men papirkurven har ikke ændret sig. Når jeg lægger rens.reg i kurven, kan den ikke ses. Der er slet ingen ikoner i den. Alligevel, vælger jeg Tøm, spørger den Vil du slette disse tre elementer.
Avatar billede tonnybrandt Nybegynder
14. januar 2005 - 00:57 #28
Så lykkedes det at fjerne vx2 infektionen.

Så napper vi lige resten. Kør HiJackThis og fix disse:

O4 - HKCU\..\Run: [LDM] C:\Programmer\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

Klik start | kør, skriv cmd og tryk enter
Skriv disse kommandoer en efter en og tryk enter:

cd c:\RECYCLER
attrib -h info*.*
del info

Genstart i fejlsikret tilstand og slet

C:\Programmer\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

Genstart i normal tilstand og kom med en ny log. Check også at papirkurven nu virker.
Avatar billede henning_b Nybegynder
14. januar 2005 - 13:06 #29
Der var ingen info*.* i c:\recycler, men i en undermappe S-1-5. . . med en svimlende række tal fandtes en info2. Den omdøbte jeg til info2.old, men det har ikke ændret ved papirkurvens indhold. Der er ingen synlige ikoner, men ved tøm papirkurven får jeg meddelelsen "ønsker du at slette disse tre elementer?" Og i netop denne undermappe er der 3 filer, DC1.lnk til DC3.lnk. Siger det noget?

Og C:\Programmer\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
fandtes ikke. Derimod fandtes i denne mappe tre dll-filer:
BWCHelpr-8876480.dll
BWfiles-8876480.dll
bwscriptext-8876480.dll
Den har jeg omdøbt til at andet efternavn uden synlige gener.

HiJackThis ser nu sådan ud:

Logfile of HijackThis v1.98.2
Scan saved at 12:49:21, on 14-01-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmer\Symantec AntiVirus\DefWatch.exe
C:\Programmer\Interbase\bin\ibguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Symantec AntiVirus\Rtvscan.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\Interbase\bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\Mixer.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmer\Logitech\SetPoint\KEM.exe
C:\wincmd\TOTALCMD.EXE
C:\Programmer\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programmer\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmer\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
c:\junk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ni.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ni.dk/"); (C:\Documents and Settings\henning\Application Data\Mozilla\Profiles\default\xh2idnj6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgrammer%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\henning\Application Data\Mozilla\Profiles\default\xh2idnj6.slt\prefs.js)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Omnipage] C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmer\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Total Commander 32.lnk = C:\wincmd\TOTALCMD.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093384901218
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://80.198.90.242/webgis/acgm/acgm.cab
Avatar billede tonnybrandt Nybegynder
14. januar 2005 - 14:11 #30
Loggen er ren nu så nu mangler vi kun at få fikset papirkurven.

Et andet råd jeg har hørt skulle virke er at gå i fejlsikret tilstand og slette mappen c:\recycler
Dette har jeg dog ikke selv testet. Det var en bruger der havde samme problemer som du, der gjorde det og det virkede fortalte han.

Du kan evt installere nogle af programmerne i spywarefri pakken..de er alle små, konflikter ikke og er meget effektive mod snavs af den slags du lige har været angrebet af.

Specielt anbefaler vi Spybot,spywareblaster, IE-Spyad og spywareguard.
Se mere i "pakken" her
http://www.spywarefri.dk/pakken.htm
Avatar billede henning_b Nybegynder
15. januar 2005 - 16:10 #31
Det virkede sandelig! Du skal have mange tak for din tålmodighed og indsats.

Med venlig hilsen
Henning.
Avatar billede tonnybrandt Nybegynder
15. januar 2005 - 17:29 #32
Velbekomme og takker for point :)
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester