carstenm (Beginner)
22 July 2006 - 18:23. There are 10 comments and 2 solutions.

HijackThis log

Hi, I've started getting popups about errors in the database and about a virus whose name I can't remember.. I saw someone else on here with the same problem, and he was asked to send a HijackThis log.. but I don't dare just follow his thread, since we probably have different logs.. so here's my log.

Logfile of HijackThis v1.99.1
Scan saved at 18:18:31, on 22-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
C:\Programmer\BearShare\BearShare.exe
C:\WINDOWS\system32\Pd7tPan.Exe
C:\WINDOWS\system32\USBPlug.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\QuickTime\qttask.exe
C:\programmer\zango\zango.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\dgfg\Skrivebord\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D77F557F4F2136C7 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programmer\zango\zangohook.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [BearShare] "C:\Programmer\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Pd7tPan] Pd7tPan.Exe
O4 - HKLM\..\Run: [dscService] C:\WINDOWS\system32\USBPlug.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zango] "c:\programmer\zango\zango.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Hope someone can help.
22 July 2006 - 19:37 #1
Just having [BearShare] running in the background all the time - that's asking for trouble!!!

Uninstall [zango] in Control Panel/Add or Remove Programs

Run the rest of the procedure from here ->
http://www.eksperten.dk/artikler/954

(Not necessarily me who follows up...)

PS:
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D77F557F4F2136C7 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programmer\zango\zangohook.dll
O4 - HKLM\..\Run: [Pd7tPan] Pd7tPan.Exe
fromsej (Trainee)
23 July 2006 - 09:44 #2
Here is a bit of reading about P2P and the risks of using it.

http://newz.dk/forum/item/51863/ - http://www.benedelman.org/news/010205-1.html (in English, unfortunately)
http://www.microsoft.com/danmark/athome/security/online/p2p_file_sharing.mspx
http://www.computerworld.dk/art/29010
http://www.pressbox.dk/Default.asp?obj=arkiv&id=10118

P2P is junk: you open your machine to the outside world, and the protection you have paid dearly for, or downloaded freeware versions of, is exposed to all kinds of attacks. Fortunately some programs can keep it out, but since by nature the "bad" programmer is one step ahead, something will inevitably slip through.

The recent debate about rootkits, and how big a problem they already are, should also make people reconsider their use of P2P.
http://www.computerforensics.dk/rootkits.htm
There is no guarantee that the game, program, film or music you download isn't infected; on the contrary, the risk that it is infected is enormous.
carstenm (Beginner)
23 July 2006 - 14:14 #3
SUPERAntiSpyware Scan Log
Generated 07/23/2006 at 02:01 PM

Core Rules Database Version : 3029
Trace Rules Database Version: 1093

Memory threats detected  : 0
Registry threats detected : 44
File threats detected    : 126

BearShare File Sharing Client
    [BearShare] C:\Programmer\BearShare\BearShare.exe
    C:\Programmer\BearShare\BearShare.exe
    C:\Documents and Settings\All Users\Menuen Start\Programmer\BearShare.lnk
    C:\Documents and Settings\dgfg\Skrivebord\BearShare.lnk
    C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP106\A0023033.lnk
    C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP106\A0023034.lnk
    C:\WINDOWS\Prefetch\BEARSHARE.EXE-1F7FB804.pf

Trojan.NewDotNet
    HKLM\Software\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
    HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
    HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
    HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\InprocServer32
    HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\InprocServer32#ThreadingModel
    HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\ProgID
    HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\Programmable
    HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\TypeLib
    HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\VersionIndependentProgID
    C:\Programmer\NewDotNet\newdotnet7_22.dll
    HKCR\Tldctl2.URLLink
    HKCR\Tldctl2.URLLink\CLSID
    HKCR\Tldctl2.URLLink\CurVer
    HKCR\Tldctl2.URLLink.1
    HKCR\Tldctl2.URLLink.1\CLSID
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#DisplayIcon
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#DisplayVersion
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#Publisher
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#URLInfoAbout
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#HelpLink
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#URLUpdateInfo
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#VersionMajor
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#VersionMinor
    HKU\.DEFAULT\Software\New.net
    HKU\S-1-5-21-343818398-1801674531-725345543-1004\Software\New.net
    HKU\S-1-5-18\Software\New.net
    HKLM\Software\New.net
    HKLM\Software\New.net#InstalledVersion
    HKLM\Software\New.net#InstalledPath
    HKLM\Software\New.net#Tag
    HKLM\Software\New.net#DiscardTag
    HKLM\Software\New.net#FirstTime
    HKLM\Software\New.net#Source
    HKLM\Software\New.net#Prt
    HKLM\Software\New.net#LSPStatus
    HKLM\Software\New.net#NextUpgradeHi
    HKLM\Software\New.net#NextUpgradeLo
    HKLM\Software\New.net#UpgradeCounter
    HKLM\Software\New.net#Search
    HKLM\Software\New.net#Activity
    HKLM\Software\New.net#XpiDone
    C:\Programmer\NewDotNet\readme.html
    C:\Programmer\NewDotNet\uninstall6_38.#xe
    C:\Programmer\NewDotNet\uninstall7_22.#xe
    C:\Programmer\NewDotNet
    C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP122\A0025377.exe
    C:\WINDOWS\NDNuninstall6_38.#xe
    C:\WINDOWS\NDNUNI~2.EXE.#ir

Adware.Tracking Cookie
    C:\Documents and Settings\dgfg\Cookies\dgfg@msnportal.112.2o7[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@xxxcounter[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@statse.webtrendslive[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@winfixer[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@media.fastclick[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@www.sexyerotic[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@track.adform[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@interclick[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@www.0stats[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@as1.falkag[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@1070527576[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@ad1.emediate[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@e2.emediate[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@www.sexbanden[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@www.belstat[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@cgi-bin[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@adopt.euroclick[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@cts.metricsdirect[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@counter1.sextracker[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@sextracker[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@tradedoubler[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@counter9.sextracker[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@cassava[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@stat.postdanmark[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@ad.yieldmanager[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@ads.arto[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@ads.beamfile[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@ad.adocean[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@ads2.jubii[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@counter4.sextracker[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@as-eu.falkag[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@atdmt[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@vhost.oddcast[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@clicktorrent[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@adtech[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@www.winfixer[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@hit.stat[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@m1.webstats4u[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@adultfriendfinder[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@ad2.adecn[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@a[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@indextools[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@bannere.fyens[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@888[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@ilead.itrack[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@stats1.reliablestats[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@mb[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@307[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@fixionmedia[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@ads.habbohotel[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@indexstats[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@www.burstnet[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@adecn[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@cs.sexcounter[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@43126847[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@adfair[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@www.webstat[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@www.sexfarmer[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@ads.habbogroup[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@sexlist[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@mediaplex[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@advertising[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@2o7[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@click.cashengines[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@doubleclick[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@fastclick[2].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@www.888[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@data2.perf.overture[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@1069940886[1].txt
    C:\Documents and Settings\dgfg\Cookies\dgfg@us01.xmlsearch.findwhat[1].txt
    C:\Documents and Settings\Gæst\Cookies\gæst@stats1.reliablestats[1].txt

Trojan.WinAntiSpyware/WinAntiVirus 2006
    C:\WINDOWS\system32\stera.job

Adware.Starware
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\cursorcafe.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\cursorcafeA.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\FindIt.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\FindItHot.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\findithotxp.png
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\finditxp.png
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\games.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\gamesA.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\Highlight.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\HighlightHot.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\highlighthotxp.png
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\highlightxp.png
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\logo.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\logoxp.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\moviesA.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\Reference.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\ReferenceHot.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\referencehotxp.png
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\referencexp.png
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\screensaver.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\screensaverA.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\Weather.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\weatherhotxp.png
    C:\Documents and Settings\All Users\Application Data\Starware\buttons\weatherxp.png
    C:\Documents and Settings\All Users\Application Data\Starware\buttons
    C:\Documents and Settings\All Users\Application Data\Starware\contexts\error.xml
    C:\Documents and Settings\All Users\Application Data\Starware\contexts\related.xml
    C:\Documents and Settings\All Users\Application Data\Starware\contexts\travel.xml
    C:\Documents and Settings\All Users\Application Data\Starware\contexts
    C:\Documents and Settings\All Users\Application Data\Starware\images\walertXP.bmp
    C:\Documents and Settings\All Users\Application Data\Starware\images
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml.backup
    C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate
    C:\Documents and Settings\All Users\Application Data\Starware

Adware.Casino Games (Golden Palace Casino)
    C:\Programmer\GrandVirtual\Everest Poker\casino.exe

_____________________________________________________________________________________



setup.exe;C:\Documents and Settings\dgfg\Lokale indstillinger\Temp\NI.UWA6PK_0001_N73M1204;Trojan.Fakealert;Deleted.;
cstart-tmp.exe;C:\Programmer\GrandVirtual\Everest Poker;Adware.Casino;Renamed.;
cstart.exe;C:\Programmer\GrandVirtual\Everest Poker;Adware.Casino;Renamed.;
Everest Poker.exe;C:\Programmer\GrandVirtual\Everest Poker;Adware.Casino;Renamed.;
uninstall6_38.exe;C:\Programmer\NewDotNet;Adware.NewDotNet;Renamed.;
uninstall7_22.exe;C:\Programmer\NewDotNet;Adware.NewDotNet;Renamed.;
A0024867.dll;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP118;Adware.Zango;Renamed.;
A0025348.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP121;Adware.Zango;Renamed.;
A0025351.dll;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP121;Adware.Zango;Renamed.;
A0025372.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP122;Adware.Casino;Renamed.;
A0025373.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP122;Adware.Casino;Renamed.;
A0025374.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP122;Adware.Casino;Renamed.;
A0025375.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP122;Adware.NewDotNet;Renamed.;
A0025376.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP122;Adware.NewDotNet;Renamed.;
A0009359.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP59;Adware.Zango;Renamed.;
A0009444.dll;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP59;Adware.Zango;Renamed.;
A0012202.old;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP68;Adware.Casino;Renamed.;
A0016408.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP79;Adware.Casino;Renamed.;
A0016528.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP79;Adware.Casino;Renamed.;
A0016555.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP79;Adware.Casino;Renamed.;
A0016865.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP82;Adware.Casino;Renamed.;
A0017044.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP83;Adware.Casino;Renamed.;
A0017078.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP84;Adware.Casino;Renamed.;
A0017154.dll;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP85;Adware.NewDotNet;Renamed.;
A0017240.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP85;Adware.NewDotNet;Renamed.;
A0017382.exe;C:\System Volume Information\_restore{973552C9-F42B-4288-BBC5-4EB26BE78424}\RP85;Adware.Casino;Renamed.;
NDNuninstall6_38.exe;C:\WINDOWS;Adware.NewDotNet;Renamed.;

____________________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 14:14:23, on 23-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\system32\Pd7tPan.Exe
C:\WINDOWS\system32\USBPlug.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\dgfg\Skrivebord\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [BearShare] "C:\Programmer\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Pd7tPan] Pd7tPan.Exe
O4 - HKLM\..\Run: [dscService] C:\WINDOWS\system32\USBPlug.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
23 July 2006 - 14:33 #4
Uninstall [BearShare] via Control Panel... (I just can't stand it...)

Is [Pd7tPan] something for a sound card?

Other than that I can't immediately find any more 'dirt'?
carstenm (Beginner)
23 July 2006 - 15:14 #5
OK, it's uninstalled..

Yes, [Pd7tPan] is for my sound card (Prodigy 7-1 LT). Should that file be deleted, or?
23 July 2006 - 15:39 #6
No - it looks 'legit'...

<fromsej>: It looks clean now, I suppose?
fromsej (Trainee)
23 July 2006 - 18:35 #7
Almost. *S*
Run HijackThis again and tick this line:
O4 - HKLM\..\Run: [BearShare] "C:\Programmer\BearShare\BearShare.exe" /pause
Close all other windows and click Fix checked.
Find and delete the folder C:\Programmer\BearShare\

Reboot, and then the log is clean.
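As an added example, not part of this thread and not HijackThis code, the following Python script parses the O2/O4/O23 lines of the log format quoted above and flags the kind of entries #1 and #7 act on: names on a watchlist (an assumption drawn from the names called out in the thread: Zango, BearShare, NewDotNet), Run entries that give only a bare file name (like Pd7tPan.Exe, which had to be checked by hand), and services whose target is marked "(file missing)". The sample log is a constructed subset of the lines posted in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis v1.99.1 lines quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D77F557F4F2136C7 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programmer\zango\zangohook.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BearShare] "C:\Programmer\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Pd7tPan] Pd7tPan.Exe
O4 - HKLM\..\Run: [zango] "c:\programmer\zango\zango.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Assumption: the names this thread calls out; extend it for your own triage.
WATCHLIST = ("zango", "bearshare", "newdotnet", "new.net")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<scope>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class HjtEntry:
    section: str          # R0, O2, O4, O23, ...
    name: str             # BHO name, Run value name, or service name
    path: str             # the file the entry points at ("" when not parsed)
    raw: str              # the original log line
    notes: list[str] = field(default_factory=list)


def executable(cmd: str) -> str:
    """Return the program a Run-key command launches (for rundll32, the DLL it loads)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, arguments may follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    exe = tokens[0]
    if exe.lower() == "rundll32.exe" and len(tokens) > 1:
        exe = tokens[1].split(",", 1)[0]          # RUNDLL32 <dll>,<entry>: the DLL is what runs
    return exe


def parse_log(text: str) -> list[HjtEntry]:
    """Turn the O2/O4/O23 lines of a HijackThis log into structured entries."""
    entries: list[HjtEntry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if m := O2_RE.match(raw):
            entries.append(HjtEntry("O2", m["name"], m["path"], raw))
        elif m := O4_RE.match(raw):
            entries.append(HjtEntry("O4", m["name"], executable(m["cmd"]), raw))
        elif m := O23_RE.match(raw):
            entries.append(HjtEntry("O23", m["name"], m["path"], raw))
        else:                                     # other sections: keep the line, record the section only
            entries.append(HjtEntry(raw.split(" - ", 1)[0], "", "", raw))
    return entries


def triage(entries: list[HjtEntry], watchlist=WATCHLIST) -> list[HjtEntry]:
    """Attach review notes to entries and return only those that need a look."""
    for e in entries:
        e.notes = []
        haystack = f"{e.name} {e.path}".lower()
        hits = [w for w in watchlist if w in haystack]
        if hits:
            e.notes.append(f"watchlist match: {hits[0]}")
        if e.section == "O4" and "\\" not in e.path:
            # A bare file name (like Pd7tPan.Exe) resolves through the search path;
            # the thread had to ask what it was, so flag it for a manual check.
            e.notes.append("bare filename: confirm which binary this resolves to")
        if "(file missing)" in e.raw:
            e.notes.append("target file missing: stale or removed entry")
    return [e for e in entries if e.notes]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.section} [{e.name}] -> {e.path}: {'; '.join(e.notes)}")
```

The notes are review prompts, not verdicts: an entry on the watchlist or with a bare file name still has to be confirmed by hand, as the thread does for Pd7tPan.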
carstenm (Beginner)
23 July 2006 - 21:33 #8
Thanks for the help.. could you post an "answer" I can award points to.. it has of course been answer enough, but how do I award points to a "comment" :D
fromsej (Trainee)
23 July 2006 - 21:52 #9
Mine is here, but wait for Dr1; a split is surely in order here. *S*
23 July 2006 - 22:40 #10
Ping...

(That was an [answer] ...)

Closing 'speech':
To finish the job completely:
It can be a good idea to clean out the System Restore files. Disable System Restore (http://www.spywarefri.dk/virusscannere.htm#alle) - restart your computer - enable System Restore.
And it can also be a good idea to hide your system files and folders again, so you don't delete an important file by mistake. You do that in the same place where you set it to show all files; this time you just choose: Do not show hidden files and folders.

It can also be a good idea to clear out your temporary files. That can be done quickly and easily with this file
www.spywareinfo.dk/download/cleantempxp2k.bat
---------------------------

I would also suggest that you read this article on how to avoid getting infected in the future:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
carstenm (Beginner)
25 July 2006 - 00:22 #11
Many thanks (: hope I split the points correctly.
fromsej (Trainee)
25 July 2006 - 11:14 #12
You're welcome, thanks for the points. :-)