Avatar billede rexthem8 Nybegynder
23. oktober 2005 - 18:23 Der er 15 kommentarer og
2 løsninger

hijackthis log

Hej! Min computer opfører sig meget mærkeligt lige nu, jeg kan f.eks.  ikke finde mine cd-rom drev. Jeg har lavet en hjt log som i kan se her:

Logfile of HijackThis v1.99.1
Scan saved at 18:22:38, on 23-10-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Programmer\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
E:\Programmer\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
E:\programmer\powerstrip\pstrip.exe
C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
E:\Programmer\iTunes\iTunesHelper.exe
E:\Programmer\D-Tools\daemon.exe
E:\Programmer\BullGuard\bullguard.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
D:\games\steam\steam.exe
C:\Programmer\Google\Google Talk\googletalk.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\iPod\bin\iPodService.exe
E:\Programmer\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Mozilla Firefox\firefox.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\David Rex\Skrivebord\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://netbank.danskebank.dk/html/index.html?site=DBNB
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Programmer\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PowerStrip] e:\programmer\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKCU\..\Run: [BullGuard] "E:\Programmer\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [googletalk] "C:\Programmer\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmer\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\k044lahq1d4e.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - E:\Programmer\BullGuard\BullGuardUpdate.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - E:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

på forhånd tak!
Avatar billede levich Nybegynder
23. oktober 2005 - 18:59 #1
Jeg ser på det, øjeblik
Avatar billede levich Nybegynder
23. oktober 2005 - 19:06 #2
Læs alle punkterne inden du gør noget.

(1)
Deaktiver systemgendannelse, ved at Højreklikke på "Denne Computer" på skrivebordet -> egenskaber -> Systemgendannelse -> sæt flueben i "Deaktiver systemgendannelse" -> Klik OK.

(2)
Hent scannereren http://www.spywareinfo.dk/download/mwav.exe.

(3)
Genstart computeren i fejlsikret tilstand (tryk F8 når Windows starter op), og fix følgende linjer med HijackThis:
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Programmer\TheSearchAccelerator\UCMTSAIE.dll
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\k044lahq1d4e.dll

(4)
Åbn en tilfældig mappe, i menuen skal du klikke på Funktioner -> Mappeindstillinger -> Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler" og ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

søg efter og slet følgende fil(er):
C:\WINDOWS\system32\k044lahq1d4e.dll
... og følgende mappe(r):
C:\Programmer\TheSearchAccelerator\

(5)
Start -> kør -> skriv "cleanmgr" -> Slet Temporary internet files, papirkurv og midlertidige filer. Gentag for alle dine drev.

(6)
Kør scanneren mwav.exe, og sæt flueben i følgende: Memory, Startup folders, drive, Registry, System folders og Services.
Sæt prik i følgende: All local drives og Scan all files. Tryk på Scan Clean.
Scanningen kan godt tage nogen tid.

(7)
Genstart computeren normalt. Lav en ny log med HijackThis, og send den herind.

(8)
Når vi er helt færdige, så husk at aktiver systemgendannelse igen.
Avatar billede rexthem8 Nybegynder
23. oktober 2005 - 20:22 #3
Det hjalp helt sikkert, men det er sket noget mærkeligt i forbindelse med det her. Hvis du har lyst til at hjælpe ville det være fedt.

http://vidrex.dk/showcase/prb1.jpg

http://vidrex.dk/showcase/prb2.jpg

Mine cd-rom drev virker bare ikke og jeg kan ikke lige få dem installeret igen..

Logfile of HijackThis v1.99.1
Scan saved at 20:16:15, on 23-10-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Programmer\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
E:\Programmer\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
E:\programmer\powerstrip\pstrip.exe
C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
E:\Programmer\iTunes\iTunesHelper.exe
E:\Programmer\D-Tools\daemon.exe
E:\Programmer\BullGuard\bullguard.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
D:\games\steam\steam.exe
C:\Programmer\Google\Google Talk\googletalk.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\iPod\bin\iPodService.exe
E:\Programmer\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\David Rex\Skrivebord\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://netbank.danskebank.dk/html/index.html?site=DBNB
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PowerStrip] e:\programmer\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKCU\..\Run: [BullGuard] "E:\Programmer\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [googletalk] "C:\Programmer\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmer\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\s4pu0e79eh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - E:\Programmer\BullGuard\BullGuardUpdate.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - E:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Avatar billede ejvindh Ekspert
23. oktober 2005 - 20:52 #4
Det er en l2m-infektion. Den skal fixes med special-værktøj:
Hent L2mfix.exe fra et af disse steder:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Gem filen på dit Skrivebord og dobbeltklik på l2mfix.exe. Klik på Install knappen og følg instruktionerne. Åben herefter den nye mappe der er dannet på dit Skrivebord (l2mfix). Dobbeltklik på l2mfix.bat og vælg option 1 (Run Find log) ved at taste "1" og "Enter". Din computer bliver nu scannet - efter et par minutter åbnes en tekstfil i Notesblok. Kopier indholdet herind.

NB: Du må ikke køre option 2 eller andre af filerne i l2mfix mappen, før du er blevet bedt om det.
Avatar billede rexthem8 Nybegynder
23. oktober 2005 - 20:56 #5
Super fedt, tak for hjælpen!

her er hvad den spyttede ud:


L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g0jo0a13ed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read            BUILTIN\Brugere
(ID-IO) ALLOW  Read            BUILTIN\Brugere
(ID-NI) ALLOW  Read            BUILTIN\Superbrugere
(ID-IO) ALLOW  Read            BUILTIN\Superbrugere
(ID-NI) ALLOW  Full access     BUILTIN\Administratorer
(ID-IO) ALLOW  Full access     BUILTIN\Administratorer
(ID-NI) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0E30D051-C422-106C-E5AA-2174E113474A}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Egenskabsark for multimediefiler"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-scannerstyring"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Sikkerhedsside"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Egenskabsside for OLE-dokumentfil"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Gr‘nsefladeudvidelse til deling"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Kontrolpanel-udvidelse til sk‘rmkort"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Kontrolpanel-udvidelse til sk‘rm"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Kontrolpanel-udvidelse til sk‘rmpanorering"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security-side"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitetsside"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Udvidelsen Diskcopy"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Gr‘nsefladeudvidelser til Microsoft Windows-netv‘rksobjekter"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-sk‘rmstyring"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-printerstyring"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Gr‘nsefladeudvidelser til filkomprimering"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Gr‘nsefladeudvidelse til webudskrift"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontekstmenu til kryptering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Rejsetaske"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal-ikon"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Sikkerhedsside"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Gr‘nsefladeudvidelse til deling"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-filtype"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto signeringsfiltype"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netv‘rksforbindelser"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netv‘rksforbindelser"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scannere og kameraer"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scannere og kameraer"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scannere og kameraer"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scannere og kameraer"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scannere og kameraer"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell-udvidelser til Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft-dataforbindelse"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Planlagte opgaver"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Proceslinje og menuen Start"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="S›g"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hj‘lp og support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hj‘lp og support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="K›r..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Skrifttyper"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administration"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Egenskabsside for tidligere versioner"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Tidligere versioner"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internetv‘rkt›jslinje"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Status for hentning"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Webs›gning"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Redigeringsboks til adresse"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-oversigtstjeneste"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Oversigt"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Velkomstbillede til Internet Explorer 4-suiten"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internettet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-cachemappe"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Programstyring"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Opt‘lling af installerede programmer"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Udpakning af miniaturer til GDI+-filer"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Dokumentinfo om miniaturehandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Udpakning af HTML-miniaturer"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Guiden Webudgivelse"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestil billedudskrift over World Wide Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objekt til guiden Webudgivelse"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Guiden F† et Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Brugerkonti"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanalfil"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Genvej til kanal"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Menuen Offlinefiler"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Indstillinger for mappen Offlinefiler"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Mappen Offlinefiler"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Efter &personer..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{BF05BB6E-442C-428B-8025-82280B7BC26C}"="Zen Micro Media Explorer"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{FF2EEF97-2525-48BC-9056-1D3611B8E353}"=""
"{77D3CDC3-26D8-40DF-9E34-10B61841EE08}"=""
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FF2EEF97-2525-48BC-9056-1D3611B8E353}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{FF2EEF97-2525-48BC-9056-1D3611B8E353}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FF2EEF97-2525-48BC-9056-1D3611B8E353}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FF2EEF97-2525-48BC-9056-1D3611B8E353}\InprocServer32]
@="C:\\WINDOWS\\system32\\rXsser.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{77D3CDC3-26D8-40DF-9E34-10B61841EE08}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{77D3CDC3-26D8-40DF-9E34-10B61841EE08}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{77D3CDC3-26D8-40DF-9E34-10B61841EE08}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{77D3CDC3-26D8-40DF-9E34-10B61841EE08}\InprocServer32]
@="C:\\WINDOWS\\system32\\nchtml.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
  browseui.dll  Sat  3 Sep 2005  2.05.16  A....      1.019.904  996,00 K
  catsrv.dll    Tue 26 Jul 2005  6.41.02  A....        225.792  220,50 K
  catsrvut.dll  Tue 26 Jul 2005  6.41.02  A....        625.152  610,50 K
  cdfview.dll    Sat  3 Sep 2005  2.05.16  A....        151.552  148,00 K
  cdosys.dll    Sat 10 Sep 2005  3.55.14  A....      2.067.968    1,97 M
  clbcatex.dll  Tue 26 Jul 2005  6.41.02  A....        110.080  107,50 K
  clbcatq.dll    Tue 26 Jul 2005  6.41.02  A....        498.688  487,00 K
  client~1.dll  Wed 19 Oct 2005  16.01.44  A....        53.248    52,00 K
  cmdlin~1.dll  Fri 30 Sep 2005  18.04.26  A....        98.304    96,00 K
  colbact.dll    Tue 26 Jul 2005  6.41.02  A....        60.416    59,00 K
  comrepl.dll    Tue 26 Jul 2005  6.41.02  A....        97.792    95,50 K
  comsvcs.dll    Tue 26 Jul 2005  6.41.02  A....      1.267.200    1,21 M
  comuid.dll    Tue 26 Jul 2005  6.41.02  A....        540.160  527,50 K
  danim.dll      Sat  3 Sep 2005  2.05.16  A....      1.055.744    1,00 M
  dxtrans.dll    Sat  3 Sep 2005  2.05.16  A....        205.312  200,50 K
  en6ql1~1.dll  Sun 23 Oct 2005  15.17.54  ..S.R        234.272  228,78 K
  es.dll        Tue 26 Jul 2005  6.41.04  A....        243.200  237,50 K
  extmgr.dll    Sat  3 Sep 2005  2.05.16  A....        55.808    54,50 K
  g0jo0a~1.dll  Sun 23 Oct 2005  20.14.56  ..S.R        234.045  228,56 K
  gwfspi~1.dll  Mon 29 Aug 2005  13.27.06  A....        23.304    22,76 K
  iepeers.dll    Sat  3 Sep 2005  2.05.16  A....        251.392  245,50 K
  inseng.dll    Sat  3 Sep 2005  2.05.16  A....        96.768    94,50 K
  irl8l5~1.dll  Sun 23 Oct 2005  20.43.48  ..S.R        235.880  230,35 K
  lccl.dll      Wed  3 Aug 2005  13.58.16  A....        53.248    52,00 K
  legitc~1.dll  Mon 29 Aug 2005  13.27.12  A....        520.968  508,76 K
  libeay32.dll  Wed 10 Aug 2005  0.13.32  A....        831.488  812,00 K
  linkinfo.dll  Thu  1 Sep 2005  3.43.26  A....        19.968    19,50 K
  msdtcprx.dll  Tue 26 Jul 2005  6.41.04  A....        425.472  415,50 K
  msdtctm.dll    Tue 26 Jul 2005  6.41.04  A....        945.152  923,00 K
  msdtcuiu.dll  Tue 26 Jul 2005  6.41.04  A....        161.280  157,50 K
  mshtml.dll    Tue  4 Oct 2005  17.27.36  A....      3.013.120    2,87 M
  mshtmled.dll  Sat  3 Sep 2005  2.05.18  A....        448.512  438,00 K
  msrating.dll  Sat  3 Sep 2005  2.05.18  A....        146.432  143,00 K
  mstime.dll    Sat  3 Sep 2005  2.05.18  A....        530.432  518,00 K
  mtxclu.dll    Tue 26 Jul 2005  6.41.04  A....        66.560    65,00 K
  mtxoci.dll    Tue 26 Jul 2005  6.41.04  A....        91.136    89,00 K
  nchtml.dll    Sun 23 Oct 2005  20.43.48  ..S.R        234.045  228,56 K
  netman.dll    Mon 22 Aug 2005  20.35.38  A....        197.632  193,00 K
  nv4_disp.dll  Tue  2 Aug 2005  16.35.00  A....      3.908.864    3,73 M
  nvcod.dll      Tue  2 Aug 2005  16.35.00  A....        32.768    32,00 K
  nvcodins.dll  Tue  2 Aug 2005  16.35.00  A....        32.768    32,00 K
  nvcpl.dll      Tue  2 Aug 2005  16.35.00  A....      7.110.656    6,78 M
  nvhwvid.dll    Tue  2 Aug 2005  16.35.00  A....        540.672  528,00 K
  nview.dll      Tue  2 Aug 2005  16.35.00  A....      1.466.368    1,40 M
  nvmctray.dll  Tue  2 Aug 2005  16.35.00  A....        86.016    84,00 K
  nvnt4cpl.dll  Tue  2 Aug 2005  16.35.00  A....        286.720  280,00 K
  nvoglnt.dll    Tue  2 Aug 2005  16.35.00  A....      5.140.480    4,90 M
  nvshell.dll    Tue  2 Aug 2005  16.35.00  A....        466.944  456,00 K
  nvwddi.dll    Tue  2 Aug 2005  16.35.00  A....        81.920    80,00 K
  nvwdmcpl.dll  Tue  2 Aug 2005  16.35.00  A....      1.662.976    1,59 M
  nvwimg.dll    Tue  2 Aug 2005  16.35.00  A....      1.019.904  996,00 K
  nwwks.dll      Thu 11 Aug 2005  17.11.40  A....        65.024    63,50 K
  ole32.dll      Tue 26 Jul 2005  6.41.04  A....      1.284.608    1,22 M
  olecli32.dll  Tue 26 Jul 2005  6.41.04  A....        74.752    73,00 K
  olecnv32.dll  Tue 26 Jul 2005  6.41.04  A....        37.888    37,00 K
  pngfilt.dll    Sat  3 Sep 2005  2.05.18  A....        39.424    38,50 K
  qt-dx331.dll  Wed 10 Aug 2005  0.12.30  A....      3.596.288    3,43 M
  quartz.dll    Tue 30 Aug 2005  5.55.56  A....      1.291.264    1,23 M
  rpcss.dll      Tue 26 Jul 2005  6.41.04  A....        397.824  388,50 K
  shdocvw.dll    Sat  3 Sep 2005  2.05.18  A....      1.483.776    1,41 M
  shell32.dll    Fri 23 Sep 2005  5.07.22  A....      8.462.336    8,07 M
  shlwapi.dll    Sat  3 Sep 2005  2.05.18  A....        473.600  462,50 K
  sirenacm.dll  Sat 13 Aug 2005  14.41.12  A....        118.784  116,00 K
  ssleay32.dll  Wed 10 Aug 2005  0.13.32  A....        159.744  156,00 K
  txflog.dll    Tue 26 Jul 2005  6.41.04  A....        101.376    99,00 K
  umpnpmgr.dll  Tue 23 Aug 2005  5.39.58  A....        124.416  121,50 K
  urlmon.dll    Sat  3 Sep 2005  2.05.18  A....        605.696  591,50 K
  wininet.dll    Sat  3 Sep 2005  2.05.18  A....        659.968  644,50 K
  winsrv.dll    Thu  1 Sep 2005  3.43.26  A....        291.840  285,00 K
  xolehlp.dll    Tue 26 Jul 2005  6.41.04  A....        11.776    11,50 K

70 items found:  70 files (4 H/S), 0 directories.
  Total of file sizes:  58.254.866 bytes    55,55 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Disken i drev C har ikke noget navn.
Diskens serienummer er 106F-496C

Indhold af C:\WINDOWS\System32

23-10-2005  20:43          234.045 nchtml.dll
23-10-2005  20:43          235.880 irl8l53u1.dll
23-10-2005  20:40    <DIR>          dllcache
23-10-2005  20:29            8.192 Thumbs.db
23-10-2005  20:14          234.045 g0jo0a13ed.dll
23-10-2005  15:17          234.272 en6ql1j51.dll
19-09-2005  12:26    <DIR>          Microsoft
              5 fil(er)          946.434 byte
              2 mappe(r)  2.748.186.624 byte ledig
Avatar billede ejvindh Ekspert
23. oktober 2005 - 21:01 #6
Ja, den var god nok:

Luk alle programmer - du vil om lidt blive bedt om at genstarte din computer.

Fra mappen l2mfix skal du køre l2mfix.bat igen - denne gang skal du vælge option 2 (Run Fix). Så skal du taste en tilfældig tast for at genstarte. Når der er genstartet, vil dit skrivebord og dine ikoner forsvinde, imens l2mfix scanner videre. Når programmet er færdigt, vil en ny tekstfil blive åbnet i Notesblok. Kopier indholdet herind sammen med en frisk HijackThis log.

Hvis der efter genstarten ikke sker noget, skal du gøre følgende: Åbn mappen med l2mfix, find filen second.bat, og dobbeltklik på den. Så skulle fixet helt sikkert gå i gang. Hvis du er nødt til at gøre dette, må du gerne lige skrive det i næste post.

NB: Du må ikke køre andre af filerne i l2mfix mappen, før du er blevet bedt om det.
Avatar billede levich Nybegynder
23. oktober 2005 - 21:04 #7
Jeg kan ikke finde ud af, at tyde den sidstnævnte log. Men jeg smider lige et svar pga. hijackthis-loggen.
Avatar billede ejvindh Ekspert
23. oktober 2005 - 21:09 #8
Levich: Ja, undskyld indblandingen. Men det er én af de sværeste infektioner i øjeblikket, og jeg er ret sikker på, at den ikke kan fixes uden L2Mfix eller et andet VX2-værktøj...
Avatar billede rexthem8 Nybegynder
23. oktober 2005 - 21:10 #9
Jeg blev nødt til selv at åbne "second.bat".

Logfile of HijackThis v1.99.1
Scan saved at 21:09:08, on 23-10-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\programmer\powerstrip\pstrip.exe
C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
E:\Programmer\iTunes\iTunesHelper.exe
E:\Programmer\D-Tools\daemon.exe
E:\Programmer\BullGuard\bullguard.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
D:\games\steam\steam.exe
C:\Programmer\Google\Google Talk\googletalk.exe
C:\Programmer\Messenger\msmsgs.exe
E:\Programmer\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
E:\Programmer\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
E:\Programmer\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\David Rex\Skrivebord\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://netbank.danskebank.dk/html/index.html?site=DBNB
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PowerStrip] e:\programmer\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKCU\..\Run: [BullGuard] "E:\Programmer\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [googletalk] "C:\Programmer\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmer\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - E:\Programmer\BullGuard\BullGuardUpdate.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - E:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


og den anden:

L2Mfix 1.04a

Running From:
C:\Documents and Settings\David Rex\Skrivebord\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read            BUILTIN\Brugere
(ID-IO) ALLOW  Read            BUILTIN\Brugere
(ID-NI) ALLOW  Read            BUILTIN\Superbrugere
(ID-IO) ALLOW  Read            BUILTIN\Superbrugere
(ID-NI) ALLOW  Full access     BUILTIN\Administratorer
(ID-IO) ALLOW  Full access     BUILTIN\Administratorer
(ID-NI) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY  --C-------      BUILTIN\Administratorer
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read            BUILTIN\Brugere
(ID-IO) ALLOW  Read            BUILTIN\Brugere
(ID-NI) ALLOW  Read            BUILTIN\Superbrugere
(ID-IO) ALLOW  Read            BUILTIN\Superbrugere
(ID-NI) ALLOW  Full access     BUILTIN\Administratorer
(ID-IO) ALLOW  Full access     BUILTIN\Administratorer
(ID-NI) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\David Rex\Skrivebord\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\David Rex\Skrivebord\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1500 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1580 'rundll32.exe'
Killing PID 1696 'rundll32.exe'
Killing PID 1704 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\hodserv.dll
        1 fil(er) kopieret.
Backing Up: C:\WINDOWS\system32\irl8l53u1.dll
        1 fil(er) kopieret.
Backing Up: C:\WINDOWS\system32\nchtml.dll
        1 fil(er) kopieret.
deleting: C:\WINDOWS\system32\hodserv.dll 
Successfully Deleted: C:\WINDOWS\system32\hodserv.dll
deleting: C:\WINDOWS\system32\irl8l53u1.dll 
Successfully Deleted: C:\WINDOWS\system32\irl8l53u1.dll
deleting: C:\WINDOWS\system32\nchtml.dll 
Successfully Deleted: C:\WINDOWS\system32\nchtml.dll


Zipping up files for submission:
  adding: hodserv.dll (164 bytes security) (deflated 4%)
  adding: irl8l53u1.dll (164 bytes security) (deflated 5%)
  adding: nchtml.dll (164 bytes security) (deflated 4%)
  adding: clear.reg (164 bytes security) (deflated 36%)
  adding: echo.reg (164 bytes security) (deflated 12%)
  adding: direct.txt (164 bytes security) (stored 0%)
  adding: lo2.txt (164 bytes security) (deflated 76%)
  adding: readme.txt (164 bytes security) (deflated 52%)
  adding: report.txt (164 bytes security) (deflated 66%)
  adding: test.txt (164 bytes security) (deflated 49%)
  adding: test2.txt (164 bytes security) (deflated 16%)
  adding: test3.txt (164 bytes security) (deflated 16%)
  adding: test5.txt (164 bytes security) (deflated 16%)
  adding: xfind.txt (164 bytes security) (deflated 44%)
  adding: backregs/77D3CDC3-26D8-40DF-9E34-10B61841EE08.reg (164 bytes security) (deflated 70%)
  adding: backregs/FF2EEF97-2525-48BC-9056-1D3611B8E353.reg (164 bytes security) (deflated 69%)
  adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
  adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read            BUILTIN\Brugere
(ID-IO) ALLOW  Read            BUILTIN\Brugere
(ID-NI) ALLOW  Read            BUILTIN\Superbrugere
(ID-IO) ALLOW  Read            BUILTIN\Superbrugere
(ID-NI) ALLOW  Full access     BUILTIN\Administratorer
(ID-IO) ALLOW  Full access     BUILTIN\Administratorer
(ID-NI) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators  ... failed (GetAccountSid(Administrators)=1332

Restoring Windows Update Certificates.:

deleting local copy: hodserv.dll 
deleting local copy: irl8l53u1.dll 
deleting local copy: nchtml.dll 

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\hodserv.dll
C:\WINDOWS\system32\irl8l53u1.dll
C:\WINDOWS\system32\nchtml.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok. 
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FF2EEF97-2525-48BC-9056-1D3611B8E353}"=-
"{77D3CDC3-26D8-40DF-9E34-10B61841EE08}"=-
[-HKEY_CLASSES_ROOT\CLSID\{FF2EEF97-2525-48BC-9056-1D3611B8E353}]
[-HKEY_CLASSES_ROOT\CLSID\{77D3CDC3-26D8-40DF-9E34-10B61841EE08}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Avatar billede ejvindh Ekspert
23. oktober 2005 - 21:24 #10
Det hjalp på den. Logsene er rene. Fik du løst dit problem?

Lidt oprydning tror jeg dog stadig ville være godt. For at gøre det følgende, skal du lige slå udvidet visning til:

Åbn en mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

Prøv om du kan finde disse filer. Hvis du kan så slet dem:
C:\WINDOWS\system32\g0jo0a13ed.dll
C:\WINDOWS\system32\rXsser.dll
C:\WINDOWS\system32\en6ql1j51.dll
C:\WINDOWS\system32\guard.tmp
Avatar billede levich Nybegynder
23. oktober 2005 - 21:24 #11
ejvindh -> Hvad er det, som indikerer en l2m-infektion?
Avatar billede ejvindh Ekspert
23. oktober 2005 - 21:49 #12
Levich:

Oprindelig var de kendetegnet ved nogle entries af denne type:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

Nu kan de typisk genkendes på en O20-linie. Hvis du laver en google på dll-navnet, vil du typisk ofte finde nogle hits, hvor l2mfixet har været brugt på dem, og den har fixet dem. Der er rigtig mange af den type infektioner i denne tid :-)
Avatar billede rexthem8 Nybegynder
23. oktober 2005 - 22:08 #13
Hmm nej de er stadig ikke til at få fat i, ser sådan her ud:

http://vidrex.dk/showcase/prb1.jpg
http://vidrex.dk/showcase/prb2.jpg
Avatar billede ejvindh Ekspert
23. oktober 2005 - 22:13 #14
Prøv inde i enhedshåndteringen at højreklikke på de entries med gult udråbstegn, og klikke på "Fjern". Genstart herefter computeren. Så vil den (hvis der ikke er hardwarefejl) automatisk finde dem igen, og installere dem påny.

Hvis du har brugt særlige drivere, da enhederne blev installeret, skal du muligvis bruge installations-cd'erne igen.
Avatar billede rexthem8 Nybegynder
23. oktober 2005 - 22:20 #15
det virker heller ikke, men jeg fandt den her:

http://support.microsoft.com/default.aspx?scid=kb;da;314060

prøver mig lige lidt frem
Avatar billede rexthem8 Nybegynder
23. oktober 2005 - 22:24 #16
Super fedt, det virker nu, det hjalp at ændre de ting i regbasen.

Tak for hjælpen i to, deler pointene mellem jer hvis det er ok!
Avatar billede ejvindh Ekspert
24. oktober 2005 - 08:07 #17
Det lyder godt. Jeg ville også nok mene, at den fejl ikke havde med den virus-infektion at gøre. L2M er primært en adware, og har ingen "interesse" i at deaktivere dit drev.

Jeg takker for point :-)

For at gøre arbejdet helt færdigt med rensningen, kan følgende være en god ide:
Det kan være en god ide og rydde op i systemgendannelses filerne. Deaktiver systemgendannelse (http://www.spywarefri.dk/virusscannere.htm#alle) - genstart din computer - aktiver systemgendannelse.
Og så kan det også være en god ide at skjule dine systemfiler og -mapper igen, så du ikke ved en fejl kommer til at slette en vigtig fil. Det gør du samme sted, hvor du satte det til at vise alle filer, denne gang vælger du bare: Vis ikke skjulte filer og mapper.

Du kan også rense browser cachen (hvis du bruger IE-explorer)
1. Klik på Funktioner - Internetindstillinger
2. Under midlertidige filer, klik på Slet cookies
3. Under midlertidige filer, klik på slet filer – sæt flueben i slet alt offline indhold
4. Under Oversigten, klik på ryd oversigten
5. Klik på ok.
Tøm din papirkurv.
---------------------------

For at forhindre gentagelser, vil jeg anbefale dig at lægge nogle små programmer ind, som forhindrer spyware i at komme ind i første omgang. Jeg vil anbefale at følgende som minimum bør være installeret: Antivirus, Spywareguard, Spywareblaster, IE-spyad og en firewall. Alle programmer kan du finde links til herfra:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

Jeg vil også foreslå, at du læser denne artikel om hvordan du kan undgå at blive inficeret i fremtiden:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester