187 (Beginner)
9 January 2005 - 13:34 There are 13 comments and 1 solution

Logfile of HijackThis

Logfile of HijackThis v1.98.2
Scan saved at 13:29:32, on 09-01-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\SYSTEM32\RAVMOND.exe
C:\Programmer\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Programmer\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Programmer\Creative\Shared Files\CAMTRAY.EXE
C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Programmer\QuickTime\qttask.exe
C:\Documents and Settings\B-H\Skrivebord\MsgPlus.exe
C:\PROGRA~1\SPAMEX~1\oeSpamExtractLdr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\dllhost.exe
C:\PROGRA~1\INCRED~1\BIN\IMAPP.EXE
C:\WINDOWS\System32\inetsrv\DavCData.exe
C:\WINDOWS\System32\gbruozqck.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Programmer\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\B-H\Skrivebord\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.olezeqzrwushxgszxjbldz.uk/rxDtW4BFZDDUqXmfflCNwUdiP3b3c61EHos3luIe/wPF1VeIVOEx1_tydH64DeLr.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wpxlbxqinaj.com/rxDtW4BFZDB94cqCin7Ex/xLJM8bcjr6XGflFDLSWS0.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F3 - REG:win.ini: run=RAVMOND.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.3000.1001\da\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C0652632-3276-35EE-971A-DA93A5B769FC} - C:\DOCUME~1\B-H\APPLIC~1\STARTB~1\soft poll.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.3000.1001\da\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Programmer\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmer\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programmer\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [msnappau] "C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Spyware Stormer] C:\Programmer\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\B-H\Skrivebord\MsgPlus.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpamExtract] C:\PROGRA~1\SPAMEX~1\oeSpamExtractLdr.exe
O4 - HKLM\..\Run: [WinHelp] C:\WINDOWS\System32\WinHelp.exe
O4 - HKLM\..\Run: [WinGate initialize] C:\WINDOWS\System32\WinGate.exe  -remoteshell
O4 - HKLM\..\Run: [Remote Procedure Call Locator] RUNDLL32.EXE reg678.dll  ondll_reg
O4 - HKLM\..\Run: [Program In Windows] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Firstfiletraysupport] C:\WINDOWS\All Users\Programdata\sect cash first file\Inside Cash.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\B-H\Skrivebord\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [tick axis] C:\DOCUME~1\B-H\APPLIC~1\HELPAI~1\Safeshow.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Startup: MemTurbo.lnk = C:\Programmer\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: NetMeter 2.54.lnk = C:\Programmer\NetValue\NetMeter\Netmeter.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {53B3ABEA-4445-44D9-A01E-088144CAABD9} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/da/filesharingctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101558795520
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://www.danskenetbank.dk/netbank/activex/DanskeSikker.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
kalp (Novice)
9 January 2005 - 13:39 #1
Do you have Messenger Plus! 3 installed? If so, you could start by uninstalling it and posting a new log (unless you want to keep it and said no to the adware when you installed it)
187 (Beginner)
9 January 2005 - 13:58 #2
Logfile of HijackThis v1.98.2
Scan saved at 13:57:52, on 09-01-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\RAVMOND.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\PROGRA~1\SPAMEX~1\oeSpamExtractLdr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\inetsrv\DavCData.exe
C:\WINDOWS\System32\gbruozqck.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\All Users\Programdata\sect cash first file\BUILDIDLE.exe
C:\WINDOWS\All Users\Programdata\sect cash first file\BUILDIDLE.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\All Users\Programdata\sect cash first file\BUILDIDLE.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\All Users\Programdata\sect cash first file\BUILDIDLE.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\All Users\Programdata\sect cash first file\BUILDIDLE.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\system32\IEEXPLORE.exe
C:\WINDOWS\System32\sysmsvc.exe
C:\Documents and Settings\B-H\Skrivebord\HijackThis.exe
C:\WINDOWS\system32\sysmsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wgbkamuxkqgwqvlelugmqrcp.com/rxDtW4BFZDDUqXmfflCNwUdiP3b3c61EHos3luIe/wMsd0tzqLPdsetydH64DeLr.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F3 - REG:win.ini: run=RAVMOND.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.3000.1001\da\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.3000.1001\da\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Programmer\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmer\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programmer\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [msnappau] "C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Spyware Stormer] C:\Programmer\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpamExtract] C:\PROGRA~1\SPAMEX~1\oeSpamExtractLdr.exe
O4 - HKLM\..\Run: [WinHelp] C:\WINDOWS\System32\WinHelp.exe
O4 - HKLM\..\Run: [WinGate initialize] C:\WINDOWS\System32\WinGate.exe  -remoteshell
O4 - HKLM\..\Run: [Remote Procedure Call Locator] RUNDLL32.EXE reg678.dll  ondll_reg
O4 - HKLM\..\Run: [Program In Windows] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\RunServices: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\B-H\LOKALE~1\Temp\MsgPlusUninst.bat"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\RunOnce: [remititit25810] C:\WINDOWS\System32\command.com /c del C:\WINDOWS\ALLUSE~1\PROGRA~1\SECTCA~1\BUILDI~1.EXE
O4 - HKCU\..\RunOnce: [remititit12578] C:\WINDOWS\System32\command.com /c del C:\WINDOWS\ALLUSE~1\PROGRA~1\SECTCA~1\BROWSE~1
O4 - Startup: MemTurbo.lnk = C:\Programmer\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: NetMeter 2.54.lnk = C:\Programmer\NetValue\NetMeter\Netmeter.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {53B3ABEA-4445-44D9-A01E-088144CAABD9} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/da/filesharingctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101558795520
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://www.danskenetbank.dk/netbank/activex/DanskeSikker.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
187 (Beginner)
9 January 2005 - 14:16 #3
is there nobody who has time to look through it?
kalp (Novice)
9 January 2005 - 14:20 #4
looking through it now :)
kalp (Novice)
9 January 2005 - 14:26 #5
I'll write down what you need to do.. there's a bit of everything in your log :o)
kalp (Novice)
9 January 2005 - 14:39 #6
Okay, your PC is seriously infected with all sorts of things :) so I'm not at all sure I can get it clean, but I'll give it a good try! There's a bit of trojan that may have to be removed manually, but that will show in the last log you send me.. follow this guide


The guide is here:
Download and save this scanner to the desktop.
http://www.spywareinfo.dk/download/mwav.exe
double-click mwav.exe, the program unpacks itself and starts.
Tick the following:
Memory, Startup folders, drive, Registry, System folders and Services.
Select the following:
All local drives and Scan all files
(It can easily take a couple of hours!)
Afterwards
In HijackThis, tick the following and click Fix checked
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wgbkamuxkqgwqvlelugmqrcp.com/rxDtW4BFZDDUqXmfflCNwUdiP3b3c61EHos3luIe/wMsd0tzqLPdsetydH64DeLr.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F3 - REG:win.ini: run=RAVMOND.exe
O4 - HKLM\..\Run: [WinGate initialize] C:\WINDOWS\System32\WinGate.exe -remoteshell
O4 - HKLM\..\Run: [WinHelp] C:\WINDOWS\System32\WinHelp.exe
O4 - HKLM\..\Run: [WinGate initialize] C:\WINDOWS\System32\WinGate.exe -remoteshell
O4 - HKLM\..\Run: [Remote Procedure Call Locator] RUNDLL32.EXE reg678.dll ondll_reg
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\RunServices: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\B-H\LOKALE~1\Temp\MsgPlusUninst.bat"
O4 - HKCU\..\RunOnce: [remititit25810] C:\WINDOWS\System32\command.com /c del C:\WINDOWS\ALLUSE~1\PROGRA~1\SECTCA~1\BUILDI~1.EXE
O4 - HKCU\..\RunOnce: [remititit12578] C:\WINDOWS\System32\command.com /c del C:\WINDOWS\ALLUSE~1\PROGRA~1\SECTCA~1\BROWSE~1
O4 - Global Startup: NetMeter 2.54.lnk = C:\Programmer\NetValue\NetMeter\Netmeter.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Restart your computer in safe mode, then find and remove the following files and folders: "WinGate.exe" "RAVMOND.exe" "gbruozqck.exe" "sect cash first file" "sysmsvc.exe" "SPAMEX~1"

C:\WINDOWS\System32\WinGate.exe
C:\WINDOWS\SYSTEM32\RAVMOND.exe
C:\WINDOWS\System32\gbruozqck.exe
C:\WINDOWS\All Users\Programdata\sect cash first file\BUILDIDLE.exe
C:\WINDOWS\System32\sysmsvc.exe
C:\PROGRA~1\SPAMEX~1\oeSpamExtractLdr.exe

restart and post a new log here
187 (Beginner)
9 January 2005 - 16:06 #7
Logfile of HijackThis v1.98.2
Scan saved at 16:02:51, on 09-01-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\sysmsvc.exe
C:\WINDOWS\System32\gbruozqck.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\INCRED~1\BIN\IMAPP.EXE
C:\WINDOWS\System32\IEXPLORE.EXE
C:\Documents and Settings\B-H\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F3 - REG:win.ini: run=RAVMOND.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.3000.1001\da\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.3000.1001\da\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmer\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programmer\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [msnappau] "C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpamExtract] C:\PROGRA~1\SPAMEX~1\oeSpamExtractLdr.exe
O4 - HKLM\..\Run: [Program In Windows] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\Run: [WinHelp] C:\WINDOWS\System32\WinHelp.exe
O4 - HKLM\..\Run: [WinGate initialize] C:\WINDOWS\System32\WinGate.exe  -remoteshell
O4 - HKLM\..\Run: [Remote Procedure Call Locator] RUNDLL32.EXE reg678.dll  ondll_reg
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\RunServices: [MsWindows SysDate] sysmsvc.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - Startup: MemTurbo.lnk = C:\Programmer\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {53B3ABEA-4445-44D9-A01E-088144CAABD9} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/da/filesharingctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101558795520
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://www.danskenetbank.dk/netbank/activex/DanskeSikker.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
kalp (Novice)
9 January 2005 - 16:12 #8
Be patient.. I have to go now, but you still have viruses on your PC.. as I guessed, we'll have to remove them manually, that is, go into the registry.

I'll be back later with instructions on how to remove the rest!
187 (Beginner)
9 January 2005 - 16:16 #9
that's okay
serverservice (Intern)
9 January 2005 - 18:56 #10
Here are a couple of good tips for both of you.
We usually recommend emptying these folders in safe mode, since they contain junk and temporary installation files that are superfluous:
C:\Documents and Settings\Username?\Lokale indstillinger\Temp         empty
C:\Windows\temp     empty

Use this one-off scanner in safe mode, and set it to scan everything on the disk
http://www.spywareinfo.dk/download/mwav.exe

then post a new log for Kalp...
gratis (Beginner)
9 January 2005 - 20:07 #11
a side note: the latest version of HJT is 1.99.0, it can be downloaded here
http://www.spywareinfo.com/~merijn/
kalp (Novice)
9 January 2005 - 20:46 #12
187>> I'll still go through your log as soon as I'm home.. I'm not at home right now.

Dannyboyd>>

read the comment

Comment: kalp
09/01-2005 14:39:51

the person has mwav on their PC :)
kalp (Novice)
9 January 2005 - 23:26 #13
Do the following.. Right-click My Computer.. choose Properties. Click the System Restore tab and tick Turn off System Restore.
Disconnect your computer from the internet.. i.e. pull the plug.
Download this tool
http://securityresponse.symantec.com/avcenter/FixLG.com
run it so it can remove your virus.. restart your computer and run it once more to be sure there's nothing left!

Now click Start - Run - type "regedit" and press Enter
Now navigate to the following keys
HKEY_LOCAL_MACHINE->SOFTWARE->Microsoft->Windows->CurrentVersion->Run
HKEY_LOCAL_MACHINE->SOFTWARE->Microsoft->Windows->CurrentVersion->RunServices
HKEY_CURRENT_USER->Software->Microsoft->OLE
HKEY_CURRENT_USER->SYSTEM->CurrentControlSet->Control\Lsa
and look in the right-hand pane for "MsWindows SysDate" = "sysmsvc.exe"
delete them all by right-clicking them and choosing Delete.

Start HijackThis and scan.

Tick these and click Fix checked

F3 - REG:win.ini: run=RAVMOND.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\Run: [WinHelp] C:\WINDOWS\System32\WinHelp.exe
O4 - HKLM\..\Run: [WinGate initialize] C:\WINDOWS\System32\WinGate.exe -remoteshell
O4 - HKLM\..\Run: [Remote Procedure Call Locator] RUNDLL32.EXE reg678.dll ondll_reg
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\RunServices: [MsWindows SysDate] sysmsvc.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] gbruozqck.exe

Find these files and delete them.
C:\WINDOWS\System32\sysmsvc.exe
C:\WINDOWS\System32\gbruozqck.exe
C:\WINDOWS\System32\WinHelp.exe
C:\WINDOWS\System32\RAVMOND.exe
C:\WINDOWS\System32\WinGate.exe
Maybe you'll be lucky and they're already deleted..

Restart in safe mode
use your scanner from before (http://www.spywareinfo.dk/download/mwav.exe)
scan.. restart normally and post a new HijackThis log here.. then you should have a clean PC.. but of course I'll look at the log.
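The comparison kalp does by eye across the logs in #2, #6 and #7 (which entries were fixed, which came back, and which executables are wired into several autostart keys at once) can be automated. The following is an added example, not code from the thread, from HijackThis or from any poster; the two embedded logs are shortened, constructed copies of the thread's second and third logs, and the rule that flags an executable registered in two or more Run/RunServices locations while also running is this example's own heuristic.

```python
# Added example (not from the thread or HijackThis): parse two HijackThis logs,
# diff their scan items, and list executables wired into several autostart keys.
import re
from collections import defaultdict

# Shortened, constructed copies of the thread's second and third logs.
LOG_BEFORE = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\gbruozqck.exe
C:\WINDOWS\System32\sysmsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wgbkamuxkqgwqvlelugmqrcp.com/x.html
F3 - REG:win.ini: run=RAVMOND.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\Run: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\RunServices: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\B-H\LOKALE~1\Temp\MsgPlusUninst.bat"
"""
LOG_AFTER = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\sysmsvc.exe
C:\WINDOWS\System32\gbruozqck.exe

F3 - REG:win.ini: run=RAVMOND.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] gbruozqck.exe
O4 - HKLM\..\RunServices: [MsWindows SysDate] sysmsvc.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] gbruozqck.exe
"""

ITEM_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
O4_REG_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_log(text):
    """Split a log into the running-process list and the coded (R/F/O) scan items."""
    processes, items, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif not line:
            in_procs = False          # the blank line ends the process list
        else:
            m = ITEM_RE.match(line)
            if m:
                items.append((m["code"], m["body"]))
    return {"processes": processes, "items": items}


def exe_basename(cmd):
    """Lower-cased file name of the program an O4 command launches (quoted or not)."""
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def autostart_map(parsed):
    """Map each auto-started executable to the registry locations launching it."""
    where = defaultdict(set)
    for code, body in parsed["items"]:
        m = O4_REG_RE.match(body) if code == "O4" else None
        if m:
            where[exe_basename(m["cmd"])].add(f"{m['hive']}\\{m['key']}")
    return {exe: sorted(locs) for exe, locs in where.items()}


def diff_items(before, after):
    """Scan items that disappeared and that appeared between two logs, in log order."""
    old, new = set(before["items"]), set(after["items"])
    removed = [f"{c} - {b}" for c, b in before["items"] if (c, b) not in new]
    added = [f"{c} - {b}" for c, b in after["items"] if (c, b) not in old]
    return removed, added


def flag_persistent(parsed):
    """Heuristic (this example's own): executables registered in two or more
    autostart locations that are also running right now."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in parsed["processes"]}
    return sorted(exe for exe, locs in autostart_map(parsed).items()
                  if len(locs) >= 2 and exe in running)
```

Running `diff_items(parse_log(LOG_BEFORE), parse_log(LOG_AFTER))` shows the R1 search-bar hijack and the RunOnce entry gone, but a new HKCU Run entry for gbruozqck.exe added, the same binary kalp's fix list in #13 targets.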
187 (Beginner)
5 February 2007 - 21:24 #14
I'm sorry I never got to give you points, write and you'll get them!!!