Avatar billede tander Nybegynder
15. februar 2005 - 17:38 Der er 22 kommentarer og
2 løsninger

HTJ LOG - need help

En der vil være venlig at kigge denne log igennem.

Logfile of HijackThis v1.99.0
Scan saved at 17:33:34, on 15-02-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\addzr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\appui.exe
C:\WINDOWS\system32\msxmidi.exe
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\hefbjae.exe
C:\WINDOWS\system32\dddd.exe
C:\WINDOWS\system32\tibs5.exe
C:\Programmer\ISTsvc\istsvc.exe
C:\Documents and Settings\Administrator\Internet Optimizer\optimize.exe
C:\WINDOWS\nlpjnog.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\windows\system32\packager.exe
C:\Programmer\Web_Rebates\WebRebates1.exe
E:\CD\stinger.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Skrivebord\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\system32\soft.exe
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {F84C1CC5-9D74-621C-DC89-61AE7E705D00} - C:\WINDOWS\system32\d3cm32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [appui.exe] C:\WINDOWS\appui.exe
O4 - HKLM\..\Run: [11.tmp] C:\DOCUME~1\ADMINI~1\LOKALE~1\Temp\11.tmp.exe 1 10001
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\msxmidi.exe
O4 - HKLM\..\Run: [11.tmp.exe] C:\DOCUME~1\ADMINI~1\LOKALE~1\Temp\11.tmp.exe 1 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [hefbjae] c:\windows\system32\hefbjae.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\dddd.exe
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\ADMINI~1\LOKALE~1\Temp\3.tmp.exe 4 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe
O4 - HKLM\..\Run: [sais] c:\programmer\180solutions\sais.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Programmer\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKLM\..\Run: [iexplore.exe] C:\Programmer\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitetfa32.exe
O4 - HKLM\..\Run: [IST Service] C:\Programmer\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Documents and Settings\Administrator\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [JZA26cAuf] C:\WINDOWS\nlpjnog.exe
O4 - HKLM\..\Run: [-
] C:\WINDOWS\nlpjnog.exe
O4 - HKLM\..\RunOnce: [addzr.exe] C:\WINDOWS\system32\addzr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\msxmidi.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\dddd.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Programmer\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programmer\SideFind\sidefind.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmer\Fælles filer\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/9f0573b9/enter.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CWShredder Service - Unknown - C:\Documents and Settings\Administrator\Skrivebord\cwshredder.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\msjl.exe (file missing)
Avatar billede levich Nybegynder
15. februar 2005 - 17:39 #1
jeg ser på den...
Avatar billede tander Nybegynder
15. februar 2005 - 17:40 #2
takker :)
Avatar billede levich Nybegynder
15. februar 2005 - 17:58 #3
Genstart computeren I fejlsikret tilstand (F8 ved opstart) og fix følgende linjer med hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\itxwc.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\system32\soft.exe
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {F84C1CC5-9D74-621C-DC89-61AE7E705D00} - C:\WINDOWS\system32\d3cm32.dll
O4 - HKLM\..\Run: [appui.exe] C:\WINDOWS\appui.exe
O4 - HKLM\..\Run: [11.tmp] C:\DOCUME~1\ADMINI~1\LOKALE~1\Temp\11.tmp.exe 1 10001
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\msxmidi.exe
O4 - HKLM\..\Run: [11.tmp.exe] C:\DOCUME~1\ADMINI~1\LOKALE~1\Temp\11.tmp.exe 1 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [hefbjae] c:\windows\system32\hefbjae.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\dddd.exe
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\ADMINI~1\LOKALE~1\Temp\3.tmp.exe 4 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe
O4 - HKLM\..\Run: [sais] c:\programmer\180solutions\sais.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Programmer\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitetfa32.exe
O4 - HKLM\..\Run: [IST Service] C:\Programmer\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Documents and Settings\Administrator\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [JZA26cAuf] C:\WINDOWS\nlpjnog.exe
O4 - HKLM\..\Run: [-
] C:\WINDOWS\nlpjnog.exe
O4 - HKLM\..\RunOnce: [addzr.exe] C:\WINDOWS\system32\addzr.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\msxmidi.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\dddd.exe
O8 - Extra context menu item: Web Rebates - file://C:\Programmer\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programmer\SideFind\sidefind.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/9f0573b9/enter.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O23 - Service: CWShredder Service - Unknown - C:\Documents and Settings\Administrator\Skrivebord\cwshredder.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\msjl.exe (file missing)

Bagefter åbn en tilfældig mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

søg efter og slet nedenstående filer:
C:\WINDOWS\system32\soft.exe
C:\WINDOWS\system32\d3cm32.dll
C:\WINDOWS\appui.exe
C:\WINDOWS\system32\msxmidi.exe
c:\windows\system32\hefbjae.exe
C:\WINDOWS\system32\dddd.exe
C:\WINDOWS\system32\tibs5.exe
C:\windows\system32\elitetfa32.exe
C:\Documents and Settings\Administrator\Internet Optimizer\optimize.exe
C:\WINDOWS\nlpjnog.exe
C:\WINDOWS\system32\addzr.exe
C:\WINDOWS\system32\msxmidi.exe
C:\WINDOWS\system32\dddd.exe

… og følgende mapper:
C:\WINDOWS\itxwc.dll
C:\WINDOWS\isrvs
c:\programmer\180solutions
C:\Programmer\Web_Rebates
C:\Programmer\ISTsvc
C:\Programmer\SideFind

Start -> programmer -> tilbehør -> systemværktøjer -> diskoprydning -> Slet Temporary internet files, papirkurv og midlertidige filer.

Genstart computer og lav en ny log med hijackthis, og send den herind, hvorefter jeg ser den igennem.
Avatar billede tander Nybegynder
15. februar 2005 - 19:15 #4
ny log

Logfile of HijackThis v1.99.0
Scan saved at 19:14:38, on 15-02-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\hefbjae.exe
C:\WINDOWS\Xhrmy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\jnrtycpr6.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Skrivebord\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B70E72D3-83C6-CF19-34C1-F0C81E2B26B3} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\msxmidi.exe
O4 - HKLM\..\Run: [11.tmp.exe] C:\DOCUME~1\ADMINI~1\LOKALE~1\Temp\11.tmp.exe 1 10001
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKLM\..\Run: [iexplore.exe] C:\Programmer\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ztontvigelqg] C:\WINDOWS\system32\hefbjae.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteoko32.exe
O4 - HKLM\..\RunOnce: [DeleteYourSiteBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Programmer\YourSiteBar\ysb.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmer\Fælles filer\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\lmf32v.dll
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: fcvhgrkytjbf - Unknown - C:\WINDOWS\system32\jnrtycpr6.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
Avatar billede tander Nybegynder
15. februar 2005 - 19:16 #5
havde en del problemer efter fjernelse af de første ting og kan se at noget af det er kommet igen.
Avatar billede tander Nybegynder
15. februar 2005 - 20:25 #6
slet igen der kan hjælpe?
Avatar billede levich Nybegynder
15. februar 2005 - 21:06 #7
Tilbage efter aftensmaden. Der skal lidt hårdere midler til kan jeg forstå.

TAG BACKUP ALLE DINE VIGTIGE DATA, emails, dokumenter, billeder osv.

(1)
Deaktiver systemgendannelse, ved at Højreklikke på "Denne Computer" på skrivebordet -> egenskaber -> Systemgendannelse -> sæt flueben i "Deaktiver systemgendannelse" -> Klik OK.

(2)
Tag stikket ud til internettet. Og genstart i fejlsikret tilstand.

(3)
Opdater og kør Spybot, og slette alle de linjer den finder og angiver med rød tekst.

(4)
Fix følgende med hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {B70E72D3-83C6-CF19-34C1-F0C81E2B26B3} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKLM\..\Run: [ztontvigelqg] C:\WINDOWS\system32\hefbjae.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteoko32.exe
O4 - HKLM\..\RunOnce: [DeleteYourSiteBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Programmer\YourSiteBar\ysb.dll"
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmer\Fælles filer\Microsoft Shared\Reference 2001\EROProj.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\lmf32v.dll

(5)
Søg efter filerne boln.dll og advpack.dll og slet dem.

Slet filerne:
C:\WINDOWS\system32\hefbjae.exe
C:\WINDOWS\Xhrmy.exe
C:\windows\system32\eliteoko32.exe
C:\WINDOWS\system32\lmf32v.dll

Slet mapperne:
C:\WINDOWS\EliteToolBar
C:\WINDOWS\isrvs
C:\Programmer\YourSiteBar
C:\Programmer\Fælles filer\Microsoft Shared\Reference 2001\EROProj.dll

(6)
Slet midlertidige filer for alle oprette brugere på computeren. Det gør du ved at gå ind i c:\documents and settings\"brugernavn"\lokale indstillinger\temp og slette alle filerne i den mappe. Gentages for alle brugere. Der er lige så mange brugere som der er mapper under c:\documents and settings\.

(7)
Kør spybot igen.

(8)
Genstart computeren.
Sæt internetstikket i igen.
Smid en ny hijackthis log herind.
Avatar billede levich Nybegynder
15. februar 2005 - 21:07 #8
UPS, opdater spybot først. Det kan du jo ikke når internetstikket er taget ud. Men det er nok allerede opdateret.
Avatar billede tander Nybegynder
15. februar 2005 - 22:20 #9
ny log

Logfile of HijackThis v1.99.0
Scan saved at 22:14:40, on 15-02-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\jnrtycpr6.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Skrivebord\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll (file missing)
O2 - BHO: (no name) - {B70E72D3-83C6-CF19-34C1-F0C81E2B26B3} - (no file)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\boln.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Programmer\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmer\Fælles filer\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: fcvhgrkytjbf - Unknown - C:\WINDOWS\system32\jnrtycpr6.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
Avatar billede levich Nybegynder
15. februar 2005 - 23:03 #10
Hver gang du genstarter computeren ændre virusen/spywaren blot filnavn. Hmm, måske virker det her:

(1)
ctrl+alt+del -> vælg fanebladet "processer" og marker jnrtycpr6.exe for at trykke på "afslut proces".

(2)
genstart i fejlsikret tilstand.
fix følgende linjer med hijackthis:
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll (file missing)
O2 - BHO: (no name) - {B70E72D3-83C6-CF19-34C1-F0C81E2B26B3} - (no file)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\boln.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmer\Fælles filer\Microsoft Shared\Reference 2001\EROProj.dll
O23 - Service: fcvhgrkytjbf - Unknown - C:\WINDOWS\system32\jnrtycpr6.exe

(3)
søg efter og slet alle filer på harddisken ved navn boln.dll

(4)
Hent scannereren http://www.spywareinfo.dk/download/mwav.exe, og kør den.
Sæt flueben i følgende:
Memory, Startup folders, drive, Registry, System folders og Services.
Sæt prik i følgende:
All local drives og Scan all files
Og så trykker du på Scan Clean
Scanningen kan godt tage et par timer.

(5)
færdig.

Regner med at du er en nogenlunde erfaren PC-bruger, og ikke har problemer med at forstå hvad jeg skriver du skal gøre?
Avatar billede tander Nybegynder
17. februar 2005 - 18:34 #11
På skrivebordet kommer baggrundsbilledet "Warning you are in danger", Kan bare ikke komme af med den.

ny log:

Logfile of HijackThis v1.99.0
Scan saved at 18:33:27, on 17-02-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Skrivebord\hijackthis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {B70E72D3-83C6-CF19-34C1-F0C81E2B26B3} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmer\Fælles filer\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
Avatar billede tander Nybegynder
17. februar 2005 - 18:41 #12
glemte lige at skrive.
Har prøvet at slette denne linje i hijackthis men den kommer igen ved næste scan.
O2 - BHO: (no name) - {B70E72D3-83C6-CF19-34C1-F0C81E2B26B3} - (no file)
Avatar billede tander Nybegynder
17. februar 2005 - 19:12 #13
slet igen der kan hjælp!
Avatar billede kalp Novice
17. februar 2005 - 19:14 #14
kigger lige de forskellige indlæg igennem om ser om jeg kan bidrage med noget
Avatar billede kalp Novice
17. februar 2005 - 19:26 #15
Genstart i Fejlsikret tilstand ved at taste F8 under opstart.
Kør HijackThis, scan og sæt et flueben ud for disse linjer - luk øvrige programvinduer - klik "Fix checked":

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {B70E72D3-83C6-CF19-34C1-F0C81E2B26B3} - (no file)

Det på dit skrivebord er ikke spyware. Det fjerner du her
Højreklik på skrivebordet.. vælge egenskaber.. Tryk på fanen skrivebord og tryk på knappen tilpas skrivebord... tryk nu på fanen Web.. og her fjerner du flueben i alle de punkter der er under "web".

Genstart normalt og ny log.
Avatar billede tander Nybegynder
17. februar 2005 - 19:47 #16
Fik endelig den væk fra skrivebordet, men havde prøvet det mange gange før hvor det ikke virkede :? Lidt underligt

ny log:

Logfile of HijackThis v1.99.0
Scan saved at 19:46:18, on 17-02-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Skrivebord\hijackthis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B70E72D3-83C6-CF19-34C1-F0C81E2B26B3} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmer\Fælles filer\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
Avatar billede kalp Novice
17. februar 2005 - 19:58 #17
Genstart i fejlsikret tilstand

tryk start-> kør og skriv "regedit" ..tryk ctrl+b og skriv

B70E72D3-83C6-CF19-34C1-F0C81E2B26B3

i søgefeltet.. tryk enter.. slet den mappe den finder.. sørg selvfølgelig for den passer med søgeresultatet:) dvs numrende..

start hijackthis og fiks

O2 - BHO: (no name) - {B70E72D3-83C6-CF19-34C1-F0C81E2B26B3} - (no file)

genstart normalt og ny log.. nu håber jeg den er væk..
Avatar billede levich Nybegynder
17. februar 2005 - 21:08 #18
Din log er blevet meget kortere - det er positivt.
Bliver spændende at se om den sidste linje forsvinder med kalp's hjælp.
Avatar billede kalp Novice
17. februar 2005 - 21:10 #19
yes det håber vi da:) og hvis ikke han må slette den skal vi lige give ham tilladelser til det (eller windows skal).
Avatar billede tander Nybegynder
21. februar 2005 - 12:51 #20
Så opgav jeg. Efter sidte forsøg fik jeg ikke fjernet den sidste linje og nåede lige ind på eksperten for at skrive. Så poppede alt muligt op og jeg kunne begynde forfra :-(

Så vi kom frem til at en format c: var lettest. Så smid nogle svar og jeg fordeler point
Avatar billede kalp Novice
21. februar 2005 - 13:08 #21
:/ det var da lidt ærgeligt
Avatar billede levich Nybegynder
21. februar 2005 - 13:45 #22
:-(
Avatar billede tander Nybegynder
21. februar 2005 - 14:21 #23
Håber at det er ok med pointfordelingen og endnu engang tak for hjælpen
Avatar billede ejvindh Ekspert
21. februar 2005 - 16:28 #24
Jeg tror der har kørt parallel-løb på denne log:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=10895

Jeg undrede mig også lidt over nogle af de noget springende fremskridt, der pludselig var på loggen (jeg ville ikke have forventet at man kunne komme så langt uden deldomains og nogle CWS-værktøjer -- og det kunne man altså heller ikke). :-)
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester