toledo (Beginner)
22 September 2006 - 19:36. There are 15 comments and 1 solution

It has everything. And then some

Hi

This one is making me break out in a sweat. Is there anyone who will help me clean out the dirt?

Logfile of HijackThis v1.99.1
Scan saved at 19:29:44, on 22-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\nwnmff_e10.exe
C:\kybrdff_e11.exe
C:\dfndrff_e10.exe
C:\PROGRA~1\BEACHI~1\BI1HEL~1.EXE
C:\Programmer\Fælles filer\{90F0CE49-02DA-1030-0921-00032320002d}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\FLLESF~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wuauclt.exe
c:\ac3_0010.exe
C:\WINDOWS\system32\RUNDLL32.EXE
c:\nwnmff_e11.exe
C:\Programmer\Network Monitor\netmon.exe
C:\WINDOWS\UEM\command.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) -  - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Programmer\DeluxeCommunications\DxcBho.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Programmer\Deskbar\deskbar.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programmer\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Programmer\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Programmer\HbTools\Bin\4.8.0.0\HbtWeatherOnTray.exe
O4 - HKLM\..\Run: [spywarefighterguard] C:\Programmer\SPYWAREfighter\spftray.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e11.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e11.exe
O4 - HKLM\..\Run: [HbTools] C:\Programmer\HbTools\Bin\4.8.0.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [Error Safe] C:\Programmer\Error Safe Free\ers.exe /scan
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e10.exe
O4 - HKLM\..\Run: [BI1HelperStartUp] C:\PROGRA~1\BEACHI~1\BI1HEL~1.EXE /partner BI1
O4 - HKLM\..\Run: [lubc65d9] RUNDLL32.EXE w00146f7.dll,n 004c65d50000000a00146f7
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ErrorSafe] "C:\Programmer\Error Safe Free\ers.exe" /min
O4 - HKCU\..\Run: [ArtoNotifier] C:\Programmer\Arto\Notifier\ArtoNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Programmer\DeluxeCommunications\Dxc.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/313133352D2D2D.exe
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotbar.com/installs/hbtools/programs/hbtools.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UEM\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Programmer\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
levich (Beginner)
22 September 2006 - 20:44 #1
I'll take a look at it, one moment.
toledo (Beginner)
22 September 2006 - 20:48 #2
Thanks for that. Sorry that the points slipped away from me last time
levich (Beginner)
22 September 2006 - 20:59 #3
Read all the steps before you do anything.

(1)
Download http://downloads.stevengould.org/cleanup/CleanUp40.exe
Read the guide to Cleanup here: http://www.bleepingcomputer.com/forums/tutorial93.html

Download http://www.spywarefri.dk/downloads1/ewido-setup.exe (Ewido).
Install the program and update it, but hold off on scanning.

Download and unpack Killbox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Download http://www.cexx.org/LSPFix.exe.
If you later cannot get on the internet, run lspfix.exe, tick "I know what I am doing" and click Finish.

(2)
Restart the computer in safe mode (press F8 when Windows starts up).
Press CTRL+ALT+DEL, select the Processes tab and find this/these file(s):
svchost2.exe
svcproc.exe
Right-click each file and choose End Process.

(3)
Scan with Ewido, fix the things it finds and save the log, e.g. on the desktop.

(4)
Fix the following lines with HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Programmer\Deskbar\deskbar.dll
O4 - HKLM\..\Run: [WeatherOnTray] C:\Programmer\HbTools\Bin\4.8.0.0\HbtWeatherOnTray.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e11.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e11.exe
O4 - HKLM\..\Run: [HbTools] C:\Programmer\HbTools\Bin\4.8.0.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [Error Safe] C:\Programmer\Error Safe Free\ers.exe /scan
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e10.exe
O4 - HKLM\..\Run: [lubc65d9] RUNDLL32.EXE w00146f7.dll,n 004c65d50000000a00146f7
O4 - HKCU\..\Run: [ErrorSafe] "C:\Programmer\Error Safe Free\ers.exe" /min
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/313133352D2D2D.exe
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotbar.com/installs/hbtools/programs/hbtools.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UEM\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Programmer\Network Monitor\netmon.exe

(5)
Open "My Computer"; in the menu, click Tools -> Folder Options -> View.
Untick "Hide protected operating system files" and "Hide extensions for known file types", and select "Show hidden files and folders". Remember to press the "Apply to All Folders" button instead of "OK".

Search for and delete the following file(s):
c:\\nwnmff_e11.exe
C:\\kybrdff_e11.exe
C:\\dfndrff_e10.exe
w00146f7.dll
dxclib303562752.dll
C:\WINDOWS\UEM\command.exe
… and the following folder(s):
C:\Programmer\Deskbar\
C:\Programmer\HbTools\
C:\Programmer\Error Safe Free\
C:\Programmer\Network Monitor\

Note that some of them may already have been deleted by Ewido.

(6)
Start KillBox, select "Delete on reboot", copy the file name(s) below into the text field in KillBox and then click the red button with the white cross. Repeat this for all the files, but do not say yes to restarting until you get to the last file. You must restart in safe mode.

C:\WINDOWS\UEM\command.exe
C:\Programmer\Network Monitor\netmon.exe

(7)
Run Cleanup. Go to Options and tick cookies, prefetch, temp and all users. Press "Cleanup".

(8)
Restart the computer normally. Make a new log with HijackThis and post it here together with the log from Ewido that you saved earlier.
levich (Beginner)
22 September 2006 - 21:00 #4
I hadn't noticed that it was you. So now it's your own computer instead of your daughter's?
toledo (Beginner)
22 September 2006 - 21:05 #5
No, a colleague's daughter's. When I finally got it up to a speed where you could talk to it, it turned out to be full of all sorts of fun things :-)
toledo (Beginner)
22 September 2006 - 21:13 #6
I'll get started on your instructions and come back with the result. Maybe not until tomorrow :-)
toledo (Beginner)
23 September 2006 - 07:52 #7
That was a struggle. :-) I could not delete dxclib303562752.dll and Windows Firewall is not working.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:            22:40:12, 22-09-2006
+ Report-Checksum:        F6136287

+ Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{023A4648-601A-4C30-8A2E-C72EBFA99AF6}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{19EBCBE0-9245-4397-BC5D-883D34782043}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{1E07646F-07C4-4847-A250-0EC8114F2963}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{3F04CBF7-CD62-4403-B090-B432DEDCB159} -> Spyware.HotBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{3F04CBF7-CD62-4403-B090-B432DEDCB159}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{8578D35E-C6C0-4808-9A80-0F6C29A2C423} -> Spyware.HotBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{8578D35E-C6C0-4808-9A80-0F6C29A2C423}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{F814BE58-1BF9-4B50-829A-E889F86127AD}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
    HKLM\SOFTWARE\Gator.com -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Gator.com\AppInfo -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Gator.com\CMEII -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Gator.com\Gator -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Gator.com\Gator\dyn -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Gator.com\Gator\dyn\GCH -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Gator.com\Gator\dyn\GCH\_gs -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Gator.com\trickles -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Gator.com\trickles\TRICKLER_6106 -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Gator.com\trickles\TRICKLER_6106\Trickler -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Gator.com\trickles\TRICKLER_6106\Trickler\trickle.gator.com:80/download/trickler6.cfg -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{7E66936C-FEA0-4984-AD26-7B6661AC5B2E} -> Spyware.HotBar : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1101.dll\\.Owner -> Spyware.Gator : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1101.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
    HKU\S-1-5-21-117609710-1078081533-682003330-1004\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{74CC49F7-EB32-4A08-B204-948962A6E3DB} -> Spyware.HotBar : Cleaned with backup
    HKU\S-1-5-21-117609710-1078081533-682003330-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{74CC49F7-EB32-4A08-B204-948962A6E3DB} -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@data2.perf.overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@partygaming.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@project2.realtracker[1].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@webpdp.gator[2].txt -> Spyware.Cookie.Gator : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\Lokale indstillinger\Temporary Internet Files\Content.IE5\NQ0JZHKP\drsmartload_js[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
    C:\Documents and Settings\Hr. Rasmussen\mt-uninstaller.exe -> Spyware.PurityScan.u : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\Config.xml -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\db -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\db\Aliases.dbs -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\db\Sites.dbs -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\dwld -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\dwld\WhiteList.xip -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\persist.dbs -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\report -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\report\aggr_storage.xml -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\report\ag_ShopperReports.xml -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\report\ag_ShopperReports.xml.db -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\report\send_ShopperReports.xml -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\report\send_ShopperReports.xml.db -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\report\send_storage.xml -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\res2 -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\cs\res2\WhiteList.dbs -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\report -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Application Data\ShopperReports\shprrprt.log -> Spyware.HotBar : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@ehg-ads.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@media.fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@track.commissionpartner[1].txt -> Spyware.Cookie.Commissionpartner : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@webpdp.gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@www.epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
    C:\Documents and Settings\Meine mutti!\Cookies\meine mutti!@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\Installer4.exe -> Spyware.Look2Me : Cleaned with backup
    C:\Programmer\Beach Islands Screensaver\BI1Helper.exe -> Adware.Gator : Cleaned with backup
    C:\Programmer\Screensavers.com\Installer\bin\ScreensaversInst.dll -> Spyware.Comet : Cleaned with backup
    C:\warebundlenewer.exe -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
    C:\WINDOWS\SoftwareDistribution\Download\24bfd610bdb46921f65538b612c6b00706effe2e/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\24bfd610bdb46921f65538b612c6b00706effe2e/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\3181ff0986f6247624154a79edaf56178a465479/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\3181ff0986f6247624154a79edaf56178a465479/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\776a25836bc62b790bcf536f224f74e36a866e09/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\776a25836bc62b790bcf536f224f74e36a866e09/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\8e7032a29a0301dff35e3bcd2f24e6b8953f7164/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\8e7032a29a0301dff35e3bcd2f24e6b8953f7164/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\9ce75a9a879667b3f364a6eec042071f7180f804/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\9ce75a9a879667b3f364a6eec042071f7180f804/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\be71bf79777d7747994c7894b1b4541108f1b10d/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\be71bf79777d7747994c7894b1b4541108f1b10d/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\c6971f6f1ca17e6e04dec3164c05d9fe97803a87/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\c6971f6f1ca17e6e04dec3164c05d9fe97803a87/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\cfad82dbfac17602a764b7dc3cc93e2edbc4651d/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\cfad82dbfac17602a764b7dc3cc93e2edbc4651d/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
    C:\WINDOWS\SoftwareDistribution\Download\d9a8ff127832422cc0352f2668eb0212280172c0/mrt.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
    C:\WINDOWS\SoftwareDistribution\Download\d9a8ff127832422cc0352f2668eb0212280172c0/mrt.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
    C:\WINDOWS\SoftwareDistribution\Download\e3b1df221e708cbd2c376ef4d779036a43fda835/mrt.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
    C:\WINDOWS\SoftwareDistribution\Download\e3b1df221e708cbd2c376ef4d779036a43fda835/mrt.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
    C:\WINDOWS\system32\mhvbvm50.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\MRT.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
    C:\WINDOWS\system32\nrdeapi.dll -> Spyware.Look2Me : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 07:49:53, on 23-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
C:\Programmer\Winamp\winampa.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmer\Fælles filer\{90F0CE49-02DA-1030-0921-00032320002d}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Arto\Notifier\ArtoNotifier.exe
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\FLLESF~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\HijackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Programmer\DeluxeCommunications\DxcBho.dll
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programmer\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Programmer\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [spywarefighterguard] C:\Programmer\SPYWAREfighter\spftray.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ArtoNotifier] C:\Programmer\Arto\Notifier\ArtoNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Programmer\DeluxeCommunications\Dxc.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\tgpmon.dll (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\kt4ml7h11.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UEM\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
levich (Beginner)
23 September 2006 - 14:22 #8
There is still dirt left.

Read all the steps before you do anything.

(1)
Update Ewido, but hold off on scanning.

Download L2mfix.exe from one of these places: http://www.atribune.org/downloads/l2mfix.exe or http://www.downloads.subratam.org/l2mfix.exe
Double-click l2mfix.exe, choose Install and follow the instructions.

(2)
Open the new folder that has been created on your desktop (l2mfix). Double-click l2mfix.bat and choose option 2 (Run Fix) by typing "2" and "Enter". Press any key, and the computer restarts. The desktop and the icons disappear for a moment (this is normal). L2mfix scans and finishes by opening Notepad with a log. Save this log, e.g. on the desktop.

(3)
Restart the computer in safe mode (press F8 when Windows starts up).
Press CTRL+ALT+DEL, select the Processes tab and find this/these file(s):
Update.exe
Right-click each file and choose End Process.

(4)
Scan with Ewido, fix the things it finds and save the log, e.g. on the desktop.

(5)
Fix the following lines with HijackThis:
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\tgpmon.dll (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\kt4ml7h11.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UEM\command.exe (file missing)

(6)
Start KillBox, select "Delete on reboot", copy the file name(s) below into the text field in KillBox and then click the red button with the white cross. Repeat this for all the files, but do not say yes to restarting until you get to the last file. You must restart in safe mode.

C:\WINDOWS\UEM\command.exe

(6)
Open "My Computer"; in the menu, click Tools -> Folder Options -> View.
Untick "Hide protected operating system files" and "Hide extensions for known file types", and select "Show hidden files and folders". Remember to press the "Apply to All Folders" button instead of "OK".

Search for and delete the following file(s):
C:\Programmer\Fælles filer\{90F0CE49-02DA-1030-0921-00032320002d}\Update.exe
C:\WINDOWS\system32\tgpmon.dll
C:\WINDOWS\system32\kt4ml7h11.dll
C:\WINDOWS\UEM\command.exe

Note that some of them may already have been deleted.

(7)
Run Cleanup. Go to options and tick cookies, prefetch, temp and all users. Press "cleanup".

(8)
Restart the computer normally. Make a new log with HijackThis and post it here together with the log from Ewido and the log from L2Mfix that you saved earlier.
levich Beginner
23 September 2006 - 14:24 #9
Correction:

You must begin step (2) by starting in Safe Mode.

Otherwise there are no corrections.
toledo Beginner
24 September 2006 - 11:08 #10
L2mfix 032106
Creating Account.
Kommandoen blev udf›rt.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX  ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratorer  ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt4ml7h11.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok. 
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9DB7302A-1E76-4EA7-9286-BF0749EA444D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9DB7302A-1E76-4EA7-9286-BF0749EA444D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9DB7302A-1E76-4EA7-9286-BF0749EA444D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9DB7302A-1E76-4EA7-9286-BF0749EA444D}\InprocServer32]
@="C:\\WINDOWS\\system32\\tgpmon.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AD23B04E-4A70-4C46-8379-4DFA844EB981}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{AD23B04E-4A70-4C46-8379-4DFA844EB981}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AD23B04E-4A70-4C46-8379-4DFA844EB981}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AD23B04E-4A70-4C46-8379-4DFA844EB981}\InprocServer32]
@="C:\\WINDOWS\\system32\\lkbc65d9.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{9DB7302A-1E76-4EA7-9286-BF0749EA444D}"=-
"{AD23B04E-4A70-4C46-8379-4DFA844EB981}"=-
[-HKEY_CLASSES_ROOT\CLSID\{9DB7302A-1E76-4EA7-9286-BF0749EA444D}]
[-HKEY_CLASSES_ROOT\CLSID\{AD23B04E-4A70-4C46-8379-4DFA844EB981}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
    zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
  adding: backregs/9DB7302A-1E76-4EA7-9286-BF0749EA444D.reg (188 bytes security) (deflated 70%)
  adding: backregs/AD23B04E-4A70-4C46-8379-4DFA844EB981.reg (188 bytes security) (deflated 69%)
  adding: backregs/notibac.reg (140 bytes security) (deflated 87%)


---------------------------------------------------------
ewido anti-malware - Scanningsrapport
---------------------------------------------------------

+ Oprettet den:            10:40:30, 24-09-2006
+ Rapport-Checksum:        2D8ED06E

+ Scanningsresultat:
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@com[1].txt -> TrackingCookie.Com : Renset med backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Renset med backup
    C:\Documents and Settings\Hr. Rasmussen\Cookies\hr. rasmussen@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Renset med backup
    C:\Documents and Settings\Hr. Rasmussen\Lokale indstillinger\Temp\ICD2.tmp\UERSK_0001_N91M2407NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Renset med backup
    C:\Documents and Settings\Hr. Rasmussen\Lokale indstillinger\Temporary Internet Files\Content.IE5\47BZQX4Z\ErrorSafeFreeInstall_dk[1].cab/UERSK_0001_N91M2407NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Renset med backup
    C:\WINDOWS\Downloaded Program Files\UERSK_0001_N91M2407NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Renset med backup


::Rapport slut


Logfile of HijackThis v1.99.1
Scan saved at 11:04:23, on 24-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
C:\Programmer\Winamp\winampa.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
c:\programmer\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Programmer\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Programmer\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Arto\Notifier\ArtoNotifier.exe
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\programmer\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\FLLESF~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmer\Fælles filer\PCSuite\Services\ServiceLayer.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programmer\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Programmer\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Programmer\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ArtoNotifier] C:\Programmer\Arto\Notifier\ArtoNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158996138078
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\programmer\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\Fælles filer\PCSuite\Services\ServiceLayer.exe
levich Beginner
24 September 2006 - 11:29 #11
It looks as if everything is gone, but at the bottom of the log from Look2Me there should be a section that starts with the following:

**********************************************************************************
Files Found are not all bad files:
**********************************************************************************

I would like to know what it says in that section. Just to be sure.
toledo Beginner
24 September 2006 - 11:38 #12
I have just looked through it, and that section is not in the log.
levich Beginner
24 September 2006 - 11:50 #13
OK, that's good. I would say the computer is clean. Is it running as it should?
toledo Beginner
24 September 2006 - 12:00 #14
It runs fine now. I found the solution to the firewall problem over in the Firewall category. http://www.eksperten.dk/spm/639883

This session has shown me some new tools and will probably get me to give my own PC a round of "cleaning".

Thanks for the help once again, and have a continued good weekend. (I'll be sure to remember the points this time :-))
levich Beginner
24 September 2006 - 14:27 #15
If there is nothing specifically wrong with a computer, I would suggest only running a scan with your antivirus program, Ewido and Spybot once in a while. Not the other tools.
toledo Beginner
24 September 2006 - 17:17 #16
You are probably right about that. I keep it at bay on our desktop PC with an updated antivirus and then run Spybot, Adaware and Empty Temp Folders once a month. At the same time, the family has a bit of discipline about what gets downloaded and installed. That is probably where it goes wrong for most people.