Hijack log

Hent den nyester version her: http://www.spychecker.com/program/hijackthis.html.
Og lav en ny log.

Logfile of HijackThis v1.99.1
Scan saved at 17:49:11, on 01-08-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\Programmer\COMPAQ\CpqWebDMI\webdmi.EXE
C:\WINNT\System32\svchost.exe
C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
C:\Programmer\CA\eTrust Antivirus\InoRT.exe
C:\Programmer\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\INV32CLI.EXE
C:\Programmer\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\System32\NTME\METHWNT.EXE
C:\WINNT\System32\NTME\brad32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
c:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\WUSER32.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cpqdmi.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Programmer\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\CHKADMIN.EXE
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Logitech\MouseWare\system\em_exec.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\Microsoft Office\Office\FRONTPG.EXE
C:\INST\Anvendelige programmer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frederiksvaerk.dk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [cpqek] C:\Programmer\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [CHKADMIN] CHKADMIN.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Programmer\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINNT\System\MSMSGSVC.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Run WinVNC (App Mode).lnk = C:\Programmer\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .bmp: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5458E538-0CF8-4195-AC86-E510B4D4A576}: NameServer = 194.239.134.83,172.16.10.29
O20 - Winlogon Notify: Compatibility - C:\WINNT\system32\AvCWIZ.DLL (file missing)
O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\duintf.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Programmer\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Programmer\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Network Associates Management Agent - Network Associates, Inc. - C:\WINNT\System32\NTME\METHWNT.EXE
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe

Ser på det, øjeblik

cool

(1)
Hent http://downloads.stevengould.org/cleanup/CleanUp40.exe
Læs vejledningen til Cleanup her: http://www.bleepingcomputer.com/forums/tutorial93.html

Hent scannereren http://www.spywareinfo.dk/download/mwav.exe.

Hent Killbox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

(2)
Genstart computeren i fejlsikret tilstand (tryk F8 når Windows starter op), og fix følgende linjer med HijackThis:
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINNT\System\MSMSGSVC.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O20 - Winlogon Notify: Compatibility - C:\WINNT\system32\AvCWIZ.DLL (file missing)
O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\duintf.dll
O23 - Service: Network Associates Management Agent - Network Associates, Inc. - C:\WINNT\System32\NTME\METHWNT.EXE

(3)
Åbn en tilfældig mappe, i menuen skal du klikke på Funktioner -> Mappeindstillinger -> Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler" og ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

søg efter og slet følgende filer:
C:\WINNT\System\MSMSGSVC.exe
C:\WINNT\system32\AvCWIZ.DLL
C:\WINNT\system32\duintf.dll
C:\WINNT\System32\NTME\METHWNT.EXE

(4)
Kør scanneren mwav.exe, og sæt flueben i følgende: Memory, Startup folders, drive, Registry, System folders og Services.
Sæt prik i følgende: All local drives og Scan all files. Tryk på Scan Clean.
Scanningen kan godt nogen tid.

(5)
Kør Cleanup. Gå til option og sæt flueben ved cookies, prefetch, temp og all users. Tryk på “cleanup”.
Luk programme tog genstart computeren i fejlsikret tilstand.

(6)
Start KillBox, sæt prik i "Delete on reboot", kopier nedenstående filnavn til tekstfeltet i Killbox og klik herefter på den røde knap med det hvide kryds. Du skal genstarte i fejlsikret tilstand.

C:\WINNT\System32\NTME\METHWNT.EXE

(7)
Start -> kør -> skriv "cleanmgr" -> Slet Temporary internet files, papirkurv og midlertidige filer. Gentag for alle dine drev.

(8)
Genstart computeren normalt. Lav en ny log med HijackThis, og send den herind.

hej... sikke en smøre man skal igennem, men de er godt nok også krasbørstige efterhånden addwares. den nye log ser sådan her ud. Da jeg kørte mwav.exe.. dukkede der en reklame op, så tror den muligvis stadig har fat.

mvh

JJ

Logfile of HijackThis v1.99.1
Scan saved at 02:25:14, on 02-08-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\Programmer\COMPAQ\CpqWebDMI\webdmi.EXE
C:\WINNT\System32\svchost.exe
C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
C:\Programmer\CA\eTrust Antivirus\InoRT.exe
C:\Programmer\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\INV32CLI.EXE
C:\Programmer\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
c:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\WUSER32.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Programmer\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\CHKADMIN.EXE
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\Logitech\MouseWare\system\em_exec.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\INST\Anvendelige programmer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frederiksvaerk.dk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [cpqek] C:\Programmer\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [CHKADMIN] CHKADMIN.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Programmer\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Run WinVNC (App Mode).lnk = C:\Programmer\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .bmp: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5458E538-0CF8-4195-AC86-E510B4D4A576}: NameServer = 194.239.134.83,172.16.10.29
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Programmer\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Programmer\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe

Det tager nogen tid - desværre. Men der er stadig hurtigere end en formatering af harddisken.

Følgende linje: O4 - Global Startup: Run WinVNC (App Mode).lnk = C:\Programmer\ORL\VNC\WinVNC.exe
kan enten skyldes en WINVNC, som bruges til fjernstyring af din computer via internettet eller en internet orm, som skal fjernes.
Har du installeret programmet WINVNC?
Link: http://startup.iamnotageek.com/srch-WinVNC.exe.html

Det er en offentlig computer, som bruger programmet.  Tror ikke det er det. Men jeg har bemærket mig, at de irriterende pop ups er væk... så måske er den kureret?

Hvis den er kureret, så er her et svar.

tak for hjælpen... jeg har trykket på acceptere... du må lige síge til hvis pointene ikke er kommet ,

mvh
Jj

hgjg

Det er de ikke. Du skal markere mit navn i denne lille boks og så trykke på acceptere.

Læs evt. her: http://expfaq.1go.dk/?id=3#behandling_af_svar