Hjælp til HijackThis log

... rul evt. proceduren herfra ->
http://www.eksperten.dk/artikler/954

(Ikke nødvendigvis mig der følger op...)

PS:
Du har et par IBM elementer til at starte op hver gang - er de nødvendige ?
Samt [KNet Utility] - ved du selv hvad det er ?

PS(2): Du ka' 'varme op' (?) til at få M$ ServicePack2 instaleret - men først når putter er 'ren' ...

Du skal følge Dr1´s vejledning, men du skal lige gøre dette først:

. Hent Look2Me-Destroyer herfra:

http://www.atribune.org/ccount/click.php?id=7

...og gem værktøjet på dit Skrivebord.

2. Luk alle åbne programvinduer - inklusiv Internet Explorer.

3. Dobbeltklik på Look2Me-Destroyer, sæt et flueben i "Run this program as a task". Du får en meddelelse om, at Look2Me-Destroyer vil lukke og åbne efter 10 sekunder - klik på OK.

Når Look2Me-Destroyer genåbner - klik på "Scan for L2M" - dine ikoner forsvinder - klik "Remove L2M". Klik OK når du får meddelelsen "Done scanning".

Nu får du meddelelsen "Done removing infected files!. Programmet vil lukke din computer - klik OK. Nu skal du finde filen C:\Look2Me-Destroyer.txt og kopiere indholdet herind, sammen med en frisk HijackThis log.

4. Hvis din firewall vil blokere Look2Me-Destroyers adgang til nettet, så skal du lade programmet få adgang.

Hvis du får en runtime error 339, så skal du hente MSWINSCK.OCX herfra:

http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

...og placere den i mappen C:\Windows\System32 .

<fromsej>: Hvilket 'element' viser at [Look2Me] er på banen ?

Jeg er ikke sikker, men en hurtig Google på ktpol7731.dll gav dette:
http://forums.spywareinfo.com/lofiversion/index.php/t62557.html

Nå - så er jeg vist ved at være klar.

-----------------------------------------
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 20-07-2006 23:20:13

Infected! C:\WINDOWS\system32\g4lmle311h.dll
Infected! C:\WINDOWS\system32\ebent97.dll
Infected! C:\WINDOWS\system32\fpl6033se.dll
Infected! C:\WINDOWS\system32\g4lmle311h.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\g4lmle311h.dll
C:\WINDOWS\system32\g4lmle311h.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ebent97.dll
C:\WINDOWS\system32\ebent97.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fpl6033se.dll
C:\WINDOWS\system32\fpl6033se.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\g4lmle311h.dll
C:\WINDOWS\system32\g4lmle311h.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{52AA535C-2C10-47D0-92E6-F3CA46FCFE93}"
HKCR\Clsid\{52AA535C-2C10-47D0-92E6-F3CA46FCFE93}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A6F4F4C2-A0BA-4AD2-9CF4-B9A64521D56F}"
HKCR\Clsid\{A6F4F4C2-A0BA-4AD2-9CF4-B9A64521D56F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{525986F8-6987-45AB-BA49-84F6F1B7CA72}"
HKCR\Clsid\{525986F8-6987-45AB-BA49-84F6F1B7CA72}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{37844603-D94F-46AC-A712-E38E65E43F17}"
HKCR\Clsid\{37844603-D94F-46AC-A712-E38E65E43F17}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{264D6763-4A30-4FC8-8103-1682DBAFEE56}"
HKCR\Clsid\{264D6763-4A30-4FC8-8103-1682DBAFEE56}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EDE486A9-745F-4C22-A0C0-2CF0C63095A6}"
HKCR\Clsid\{EDE486A9-745F-4C22-A0C0-2CF0C63095A6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D8EACFE8-7A8A-45F6-BA16-CF81AC776A53}"
HKCR\Clsid\{D8EACFE8-7A8A-45F6-BA16-CF81AC776A53}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9741037C-972B-4E87-81E6-6B74464B5DF3}"
HKCR\Clsid\{9741037C-972B-4E87-81E6-6B74464B5DF3}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1A47CE6F-6FBC-4526-9070-913909F2FA3D}"
HKCR\Clsid\{1A47CE6F-6FBC-4526-9070-913909F2FA3D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DF2EF495-8C29-4194-B9AC-D18AA163854B}"
HKCR\Clsid\{DF2EF495-8C29-4194-B9AC-D18AA163854B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{62D05602-DE65-4E54-AA4D-C7FFCF6CFB29}"
HKCR\Clsid\{62D05602-DE65-4E54-AA4D-C7FFCF6CFB29}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administratorer - Succeeded
-----------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 00:12:58, on 21-07-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
c:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmer\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programmer\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Programmer\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
c:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programmer\KNet Utility\KNet Utility.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Documents and Settings\Andreas Møller\Skrivebord\New Folder på Moeller-rcqh5vp\midlertidig\HijackThis\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmer\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Programmer\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Programmer\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ccApp] "c:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Programmer\Fælles filer\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ibmmessages] C:\Programmer\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Programmer\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [K-Net Utility] "C:\Programmer\KNet Utility\KNet Utility.exe" -winstart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://csg.dan-ejendomme.dk/Citrix/MetaFrame/ICAWEB_common/en/ica32/wficat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153318110781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153404415062
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Programmer\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect (navapsvc) - Symantec Corporation - c:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVScan - Symantec Corporation - c:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FÆLLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

-----------------------------------------------------------------
SUPERAntiSpyware Scan Log
Generated 07/20/2006 at 11:04 PM

Core Rules Database Version : 3026
Trace Rules Database Version: 1089

Memory threats detected  : 0
Registry threats detected : 24
File threats detected    : 27

Adware.Tracking Cookie
    C:\Documents and Settings\Andreas Møller\Cookies\andreas møller@ad.yieldmanager[2].txt
    C:\Documents and Settings\Andreas Møller\Cookies\andreas møller@82763522[1].txt
    C:\Documents and Settings\Andreas Møller\Cookies\andreas møller@server.iad.liveperson[1].txt
    C:\Documents and Settings\Andreas Møller\Cookies\andreas møller@adtech[1].txt
    C:\Documents and Settings\Andreas Møller\Cookies\andreas møller@bluestreak[1].txt
    C:\Documents and Settings\Andreas Møller\Cookies\andreas møller@overture[1].txt
    C:\Documents and Settings\Andreas Møller\Cookies\andreas møller@partygaming.122.2o7[1].txt
    C:\Documents and Settings\Andreas Møller\Cookies\andreas møller@cs.sexcounter[2].txt
    C:\Documents and Settings\Andreas Møller\Cookies\andreas møller@stats1.reliablestats[2].txt
    C:\Documents and Settings\Andreas Møller\Cookies\andreas møller@www.teeniesxxx[2].txt
    C:\Documents and Settings\Andreas Møller\Cookies\andreas møller@microsofteup.112.2o7[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@partygaming.122.2o7[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@partypoker[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt
    C:\Documents and Settings\Andreas Møller\Cookies\andreas møller@server.iad.liveperson[2].txt

Trojan.NetMon/DNSChange
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Trojan.DollarRevenue
    C:\WINDOWS\keyboard1.dat

Adware.NicTech Networks
    C:\WINDOWS\icont.#xe
    C:\WINDOWS\system32\f60o0gd3e60.#ll
    C:\WINDOWS\system32\gp8sl3l71.#ll
    C:\WINDOWS\system32\h0l20a3oed.#ll
    C:\WINDOWS\system32\i2nmlc511f.#ll
    C:\WINDOWS\system32\icaksie.#ll
    C:\WINDOWS\system32\kt00l7dm1.#ll
    C:\WINDOWS\system32\mew3prt.#ll
    C:\WINDOWS\system32\mfvcp50.#ll

Worm.IRCBot
    C:\WINDOWS\system32\fswinsys.exe
---------------------------------------------------------------

Håber at i kan hjælpe.
Men der var rigtig nok den der Look2Me ting - den kunne hverken spybot eller AdAware fjerne nemlig.

yderligere:
K-net er ok - min netværks.logon-ting

IBM-tingene - nogle skal fjernes, men min installation er helt frisk, så jeg har ikke gjort så meget ved det endnu.

SP2 - ville jeg også gerne have installeret - men windows update meldte fejl hver gang jeg prøvede.


Hele mit problem startede egentlig med at jeg reetablerede min maskine og da jeg ville logge på windows update havde jeg glemt at jeg hverken havde SP2 eller nogen som helst form for programmer der kunne blokke for alt det crap.

Det har så lige kostet mig en hel dag nu. Flot!

"Servicepack 2 på, derefter Antivirus, først nu på nettet og opdatere...." -

Hvis jeg tager en RÅ default XP (ikke WindowsUpdate opdateret) og smider direkte på nettet så går der 1-30 MINUTTER og så er der kommer Uønskede' elementer på putter. Og det UDEN at have startet noget som helst mht IE...
(Har lige prøvet det igen i sidste uge på en UK version = ~5 min. så var Balster/Sasser igang...)
NB: En RÅ default XP har _ikke_ firewall aktiveret - bla derfor...

Sååååå - der _kan_ jo godt være kommer en form for Uønskede elementer ind i systemet alligevel... Som du hermed ka' bekræfte ...

Sammenligning: Du sætter dig i bilen; kører med fuld fart på motorvejen (med alle de andre bilister); først derefter tænker du på at finde sikkerhedsselen og fumle med den IMENS du ruller med 100-200 Kmh... Det er _ikke_ lige sådan vi normalt anbefaler...

Ja jeg vidste det jo egentlig godt - tænkte mig bare ikke om.

Men var der nogen kommentarer til min log???