CIO Tech Eksperten IT-JOB IT-Kurser Events Podcast Søg
Cookie ikon
Avatar billede hans_bertelsen Nybegynder
17. april 2007 - 22:42 Der er 8 kommentarer

Hvordan fjerner man Murlo Trojan?

Hvordan slipper jeg af med en Murlo trojan infection?
Har prøvet at fjerne den med XOFT SPY, både i normal og fejlsikret tilstand men den vender tilbage.
Og de andre gængse spy fjernere kan ikke fjerne den , har prøvet alt på nær format c:  og det viljeg helst undgå.
Avatar billede Computer Hjælp (Gratis) Mester
18. april 2007 - 09:17 #1
... stik mig/os en HiJackThis Log ->
http://www.spywareinfo.dk/index.htm#/manualer/hijackthis.htm
Avatar billede hans_bertelsen Nybegynder
18. april 2007 - 10:31 #2
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:29:40, on 18-04-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SkyTel.EXE
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\Documents and Settings\Hans Bertelsen\Skrivebord\NoAdware5.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Hans Bertelsen\Skrivebord\Hovedprojekt 4 sem\new isofiles 2007\spyware fjernere\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmer\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmer\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.aarhus.dk/Mapguide%20viewer/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176068908828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172648509109
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmer\Fælles filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE (file missing)
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe

--
End of file - 6757 bytes
Avatar billede hans_bertelsen Nybegynder
18. april 2007 - 10:35 #3
er ved at  inst. Mcfee antivirus selv om den ikke kan  fjerne trojaneren sender lige en log fra XoftSpy også .
Avatar billede Computer Hjælp (Gratis) Mester
18. april 2007 - 10:39 #4
... der er umiddelbart ikke spor efter 'snavs' ifølge din Log - mere lidt oprydning... (Som jeg kommer tilbage til...)

PS: Du bør smutte til WindowsUpdate for nyeste opdateringer -> http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=da ...
Avatar billede hans_bertelsen Nybegynder
18. april 2007 - 10:46 #5
her er xoft log  +  ny hijack efter genstart

<?xml version = "1.0"?>
<Session START = "18 Apr 07 10:37:51" END = "18 Apr 07 10:40:52">
<Information Version = "4.22" DatabaseVersion = "234" DataBaseDate = "2007/4/11"/>
<Information OS = "Win XP"/>
<Information ServicePack = "Service Pack 2"/>
<Information WorkingDirectory = "C:\Programmer\XoftSpy\"/>
<Information Option = "AdvSpyware Scan" State = "ON"/>
<Information Option = "Scan IE Favorites" State = "ON"/>
<Information Option = "Scan Host Files" State = "ON"/>
<Information Option = "Scan Drives" State = "ON"/>
<Information Option = "Do Not Scan Executables" State = "OFF"/>
<Information Option = "Scan Registry" State = "ON"/>
<Information Option = "Scan Active Processes" State = "ON"/>
<Information Option = "Automatic Database Update" State = "OFF"/>
<Information Option = "Automatic Program Update" State = "OFF"/>
<Information Option = "Automatic Removal" State = "OFF"/>
<Information Option = "Exit When Finished" State = "OFF"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"/>
<Information Value = "MsnMsgr" Data = "C:\Programmer\MSN Messenger\MsnMsgr.Exe /background" MD5 = "4dd68b53724ead6ea7d4f5cad7fff2d6" Path = ""/>
<Information Value = "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" Data = "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe" MD5 = "928130e85250808bdb45694983aedf65" Path = ""/>
<Information Value = "ctfmon.exe" Data = "C:\WINDOWS\system32\ctfmon.exe" MD5 = "8289923e26d00213080e3e3d7e219f4c" Path = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"/>
<Information Value = "High Definition Audio Property Page Shortcut" Data = "HDAShCut.exe" MD5 = "9c3b2302b60fb0efb13bc880a5e3e93e" Path = "C:\WINDOWS\SYSTEM32\HDAShCut.exe"/>
<Information Value = "SkyTel" Data = "SkyTel.EXE"/>
<Information Value = "SynTPEnh" Data = "C:\Programmer\Synaptics\SynTP\SynTPEnh.exe" MD5 = "5c99d998094553b4151b74f1be7631f2" Path = ""/>
<Information Value = "DAEMON Tools-1033" Data = "C:\Programmer\D-Tools\daemon.exe  -lang 1033" MD5 = "804fbb66ec6ca862b840d173efc638a7" Path = ""/>
<Information Value = "Acrobat Assistant 7.0" Data = "C:\Programmer\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" MD5 = "78ff388fd58ce0bae1f7c9670f5473c1" Path = ""/>
<Information Value = "SunJavaUpdateSched" Data = "C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe" MD5 = "9c1c80bbf8e6044980890e2d2d91091c" Path = ""/>
<Information Value = "ATICCC" Data = "C:\Programmer\ATI Technologies\ATI.ACE\cli.exe runtime -Delay" MD5 = "64c4c17bf6a40ff1cd21205e6fd415b8" Path = ""/>
<Information Value = "NeroFilterCheck" Data = "C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe" MD5 = "c93ab037a8c792d5f8a1a9fc88a7c7c5" Path = ""/>
<Information Value = "!AVG Anti-Spyware" Data = "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized" MD5 = "01d90ae5dccbce0c7b52874fec35a608" Path = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"/>
<Information Value = "Userinit" Data = "C:\WINDOWS\SYSTEM32\Userinit.exe,"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"/>
<Information Value = "Shell" Data = "Explorer.exe"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Windows"/>
<Information Value = "AppInit_DLLs" Data = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"/>
<Information Value = "PostBootReminder" Data = "{7849596a-48ea-486e-8937-a2a3009f31a9}"/>
<Information Value = "CDBurn" Data = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"/>
<Information Value = "WebCheck" Data = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"/>
<Information Value = "SysTray" Data = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"/>
<Information Value = "WPDShServiceObj" Data = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\OLE"/>
<Information Value = "DefaultLaunchPermission" Data = ""/>
<Information Value = "MachineLaunchRestriction" Data = ""/>
<Information Value = "MachineAccessRestriction" Data = ""/>
<Information Value = "EnableDCOM" Data = "Y"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\Main"/>
<Information Value = "NoUpdateCheck" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "NoJITSetup" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "Cache_Update_Frequency" Data = "Once_Per_Session"/>
<Information Value = "Do404Search" Data = ""/>
<Information Value = "Local Page" Data = "\blank.htm"/>
<Information Value = "Start Page" Data = "http://www.msn.com/"/>
<Information Value = "Search Page" Data = "http://www.msn.com/access/allinone.asp"/>
<Information Value = "Window_Placement" Data = ""/>
<Information Value = "XMLHTTP" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "CompatibilityFlags" Data = "(DWORD) 0 0 0 0"/>
<Information Value = "SearchMigrated" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "ControlTooltipCount" Data = "(DWORD) 0x2 0 0 0"/>
<Information Value = "Use Custom Search URL" Data = "(DWORD) 0 0 0 0"/>
<Information Value = "RunOnceHasShown" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "RunOnceComplete" Data = "(DWORD) 0x1 0 0 0"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Main"/>
<Information Value = "Search Page" Data = ""/>
<Information Value = "Cache_Percent_of_Disk" Data = ""/>
<Information Value = "Local Page" Data = ""/>
<Information Value = "Anchor_Visitation_Horizon" Data = ""/>
<Information Value = "Placeholder_Width" Data = ""/>
<Information Value = "Placeholder_Height" Data = ""/>
<Information Value = "Start Page" Data = "http://www.msn.com/"/>
<Information Value = "CompanyName" Data = "Microsoft Corporation"/>
<Information Value = "Custom_Key" Data = "MICROSO"/>
<Information Value = "Wizard_Version" Data = "6.0.2600.0000"/>
<Information Value = "Default_Secondary_Page_URL" Data = ""/>
<Information Value = "Extensions Off Page" Data = "about:NoAdd-ons"/>
<Information Value = "Security Risk Page" Data = "about:SecurityRisk"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Search"/>
<Information Value = "" Data = ""/>
<Information Value = "SearchAssistant" Data = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"/>
<Information Value = "Default_Search_URL" Data = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"/>
<Information Value = "CustomizeSearch" Data = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\SearchURL"/>
<Information Value = "" Data = "http://home.microsoft.com/access/autosearch.asp?p=%s"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\URLSearchHooks"/>
<Information Value = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" Data = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Toolbar"/>
<Information Value = "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" Data = ""/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\Toolbar"/>
<Information Value = "LinksFolderName" Data = "Links"/>
<Information Value = "Locked" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "SaveLinksOrder" Data = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\exefile\shell\open\command"/>
<Information Value = "" Data = "%1 %*"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\comfile\shell\open\command"/>
<Information Value = "" Data = "%1 %*"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\batfile\shell\open\command"/>
<Information Value = "" Data = "%1 %*"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\piffile\shell\open\command"/>
<Information Value = "" Data = "%1 %*"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\scrfile\shell\open\command"/>
<Information Value = "" Data = "%1 /S"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\htafile\shell\open\command"/>
<Information Value = "" Data = "mshta.exe %1 %*"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings"/>
<Information Value = "ProxyEnable" Data = "(DWORD) 0 0 0 0"/>
<Information Directory = "C:\Documents and Settings\Hans Bertelsen\Menuen Start\Programmer\Start\*" Program = "desktop.ini" MD5 = "d6a6856702e3f0953e7246a9b4a9fe35" />
<Information Directory = "C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\*" Program = "Adobe Acrobat Speed Launcher.lnk" LinkFile = "C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe" MD5 = "d6294d59171ac375cd142003566aa89e"/>
<Information Directory = "C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\*" Program = "AutoCAD Startup Accelerator.lnk" LinkFile = "C:\Programmer\Fælles filer\Autodesk Shared\acstart16.exe" MD5 = "573fbdcc2704016e8f7b0ce435092ca1"/>
<Information Directory = "C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\*" Program = "desktop.ini" MD5 = "d6a6856702e3f0953e7246a9b4a9fe35" />
<Scanning TIME = "18 Apr 07 10:37:51">
<PROCESS NAME = "C:\WINDOWS\system32\services.exe" MD5 = "55bbe54a196b1a9f99ec2e01f4ac1215"/>
<PROCESS NAME = "C:\WINDOWS\system32\lsass.exe" MD5 = "9086126fb5fd15ceb387121506400244"/>
<PROCESS NAME = "C:\WINDOWS\system32\Ati2evxx.exe" MD5 = "a061a24f123e3993354f14402cbf12f3"/>
<PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "46fe2ed518fdfbfd289f014a3078575c"/>
<PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "46fe2ed518fdfbfd289f014a3078575c"/>
<PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "46fe2ed518fdfbfd289f014a3078575c"/>
<PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "46fe2ed518fdfbfd289f014a3078575c"/>
<PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "46fe2ed518fdfbfd289f014a3078575c"/>
<PROCESS NAME = "C:\WINDOWS\system32\spoolsv.exe" MD5 = "da81ec57acd4cdc3d4c51cf3d409af9f"/>
<PROCESS NAME = "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe" MD5 = "e8fbdcc8d618d1bb84b828f247a6244b"/>
<PROCESS NAME = "C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE" MD5 = "11f714f85530a2bd134074dc30e99fca"/>
<PROCESS NAME = "C:\WINDOWS\system32\tcpsvcs.exe" MD5 = "6d6796ee4496939d0857fa78ce92b265"/>
<PROCESS NAME = "C:\WINDOWS\SYSTEM32\Ati2evxx.exe" MD5 = "a061a24f123e3993354f14402cbf12f3"/>
<PROCESS NAME = "C:\WINDOWS\Explorer.EXE" MD5 = "da77b9561cc9ac54584c86cab36ebf25"/>
<PROCESS NAME = "C:\WINDOWS\system32\wscntfy.exe" MD5 = "19401e25cddcd8ee1b38fcc8093e0c34"/>
<PROCESS NAME = "C:\WINDOWS\System32\alg.exe" MD5 = "4b4a23c50148601ca60d969d4ac0c116"/>
<PROCESS NAME = "C:\WINDOWS\system32\wbem\wmiprvse.exe" MD5 = "75f335a81603e580923832e094e35642"/>
<PROCESS NAME = "C:\WINDOWS\SkyTel.EXE" MD5 = "4cecadca220598f2c29af4cf981a70c4"/>
<PROCESS NAME = "C:\Programmer\Synaptics\SynTP\SynTPEnh.exe" MD5 = "5c99d998094553b4151b74f1be7631f2"/>
<PROCESS NAME = "C:\Programmer\D-Tools\daemon.exe" MD5 = "804fbb66ec6ca862b840d173efc638a7"/>
<PROCESS NAME = "C:\Programmer\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" MD5 = "78ff388fd58ce0bae1f7c9670f5473c1"/>
<PROCESS NAME = "C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe" MD5 = "9c1c80bbf8e6044980890e2d2d91091c"/>
<PROCESS NAME = "C:\Programmer\ATI Technologies\ATI.ACE\cli.exe" MD5 = "64c4c17bf6a40ff1cd21205e6fd415b8"/>
<PROCESS NAME = "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" MD5 = "01d90ae5dccbce0c7b52874fec35a608"/>
<PROCESS NAME = "C:\Programmer\MSN Messenger\MsnMsgr.Exe" MD5 = "4dd68b53724ead6ea7d4f5cad7fff2d6"/>
<PROCESS NAME = "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe" MD5 = "928130e85250808bdb45694983aedf65"/>
<PROCESS NAME = "C:\WINDOWS\system32\ctfmon.exe" MD5 = "8289923e26d00213080e3e3d7e219f4c"/>
<PROCESS NAME = "C:\Programmer\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe" MD5 = "569c6e4f88943b8929dcbc3f6a44a6a8"/>
<PROCESS NAME = "C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe" MD5 = "7ab558b9643de6983f343a840b09b6c6"/>
<PROCESS NAME = "C:\WINDOWS\system32\wbem\wmiprvse.exe" MD5 = "75f335a81603e580923832e094e35642"/>
<PROCESS NAME = "C:\Programmer\ATI Technologies\ATI.ACE\cli.exe" MD5 = "64c4c17bf6a40ff1cd21205e6fd415b8"/>
<PROCESS NAME = "C:\Programmer\ATI Technologies\ATI.ACE\cli.exe" MD5 = "64c4c17bf6a40ff1cd21205e6fd415b8"/>
<PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "46fe2ed518fdfbfd289f014a3078575c"/>
<PROCESS NAME = "C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe" MD5 = "8dd0cdb0c700992d10169d8769ef5f43"/>
<PROCESS NAME = "C:\Programmer\MSN Messenger\usnsvc.exe" MD5 = "c5b70a6aa947667ce0e5fc84a05ec8b6"/>
<PROCESS NAME = "C:\WINDOWS\system32\wbem\wmiapsrv.exe" MD5 = "7c1717a59dce002fb4358f4da6e9e0f9"/>
<PROCESS NAME = "C:\Programmer\XoftSpy\XoftSpy.exe" MD5 = "a59c0fba2410a4f119046bb34ea84ebd"/>
<PROCESS NAME = "C:\WINDOWS\system32\wuauclt.exe" MD5 = "88299433b4d599b2537952a6964d5253"/>
<ScanningRegKeys>
</ScanningRegKeys>
<ScanningRegValues>
</SW>
<SW NAME = "Murlo Trojan">
<REGVALUE VALUE = "Murlo Trojan system\currentcontrolset\services\ip6fw\enum\0"/>
<REGVALUEFOUND NAME = "system\currentcontrolset\services\ip6fw\enum\0"/>
</SW>
<SW NAME = "Murlo Trojan">
<REGVALUE VALUE = "Murlo Trojan system\currentcontrolset\services\ip6fw\enum\count"/>
<REGVALUEFOUND NAME = "system\currentcontrolset\services\ip6fw\enum\count"/>
</SW>
<SW NAME = "Murlo Trojan">
<REGVALUE VALUE = "Murlo Trojan system\currentcontrolset\services\ip6fw\enum\nextinstance"/>
<REGVALUEFOUND NAME = "system\currentcontrolset\services\ip6fw\enum\nextinstance"/>
</ScanningRegValues>
<ScanningRegValuesChanged>
</ScanningRegValuesChanged>
</Scanning>

<Information Message = "Starting to Quarantine 3 Items"/>
<Quarantines>
<QTFILE PATH = "C:\Programmer\XoftSpy\Quarantine\Quarantine18-04-2007-10-40-00.xpy" />
<INFO ACTION = "Added"/>
<INFO TIME = "18-04-2007-10-40-00"/>
<REGVALUE RES = "0 = Root\\LEGACY_IP6FW\\0000
">
<REGVALUE RES = "count = dword:00000001
">
<REGVALUE RES = "nextinstance = dword:00000001
">
</Quarantines>
<QInformation Message = "Quarantining File REG BACKUP - C:\DOCUME~1\HANSBE~1\LOKALE~1\Temp\regbackup.reg"/>
<Removal>
<SW NAME = "Murlo Trojan">
<REGVALUE NAME = "system\currentcontrolset\services\ip6fw\enum\0"/>
<REGVALUE RES = "Successfully Removed"/>
<REGVALUE NAME = "system\currentcontrolset\services\ip6fw\enum\count"/>
<REGVALUE RES = "Successfully Removed"/>
<REGVALUE NAME = "system\currentcontrolset\services\ip6fw\enum\nextinstance"/>
<REGVALUE RES = "Successfully Removed"/>
</SW>
</Removal>
</Session>

den fjerner dem men efter genstart er de tilbage !

ny hijack:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:41:31, on 18-04-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SkyTel.EXE
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Hans Bertelsen\Skrivebord\Hovedprojekt 4 sem\new isofiles 2007\spyware fjernere\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmer\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmer\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmer\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.aarhus.dk/Mapguide%20viewer/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176068908828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172648509109
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmer\Fælles filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE (file missing)
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe

--
End of file - 6955 bytes
Avatar billede Computer Hjælp (Gratis) Mester
18. april 2007 - 11:02 #6
(Smid den til http://www.spywarefri.dk/forum/ istedet. De er goe' *S*. Og henvis til denne tråd... Jeg har ikke så meget tid...)
Avatar billede hans_bertelsen Nybegynder
18. april 2007 - 11:04 #7
Den finder ingen updates hos microsoft som mangler.

har kørt en regcleaner i håb om at den kunne fjerne skidtet så det er muligt jeg skal køre en win rep  og så hente alle updates fra microsoft ?
Avatar billede hans_bertelsen Nybegynder
18. april 2007 - 22:11 #8
Hej igen  fik lidt hjælp i spywarefri og vi  konkluderede at det er XoftSpy den er gal med for ingen andre skannere fandt noget overhovedet så  det  må man vel tro på , sålænge pc  kører ok . men  tak for tippet.
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
Se alle it-kurser fra Computerworld Kurser
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.
Se alle it-kurser

Flere spørgsmål fra Virus kategorien

Titel Indlæg Oprettet Seneste aktivitet
pop up black friday Af Malm i Virus 10 22/11/202420:49 23/11/202410:46
Findes der mon et Antivirus program, som ikke, konstant, reklamerer, for at købe ? Af Ikke-ekspert i Virus 21 22/06/202419:22 23/06/202412:54
Anbefaling af antivirusprogram med firewall Af OnePlusFan i Virus 23 07/05/202421:02 13/05/202419:48
trusler Af gerhardpet i Virus 4 26/01/202410:02 27/01/202408:32
Kan ikke fjerne virus Af mik28 i Virus 16 09/01/202416:37 10/01/202419:59
Se alle spørgsmål i kategorien Opret spørgsmål

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Opret Log ind

Du kan også logge ind via nedenstående tjenester



Alle kategorier på Eksperten
Seneste spørgsmål Seneste aktivitet
I dag 17:06 Sort skærm Af luffe1955 i Windows
I dag 15:18 WM-bus Minomess Single Jet vandmåler Brunata/Zenner Af kulawig i Andet hardware
I dag 14:23 Navn i stifinder til ny bruger: C:\Users\defaultuser100000 Af Jørgen Kirkegaard i Windows
I dag 11:44 Sti og filnavn i sidefod Af boro23 i Word
I dag 11:02 Zyxel Multy U netværk Af jcr18 i Wifi
White papers
Flere white papers »


Premium
Teaser billede
Netcompany udsat for endnu et datalæk
Læs mere »
Leverandør til 50 danske kommuner ramt af ransomware: "Det er ikke sjovt," siger direktør Thomas à Porta
Norlys-kunder har store problemer efter sammenlægning af it-systemer: Internet, tv og telefoni crasher i lange baner
Meldes til politiet for grove GDPR-brud og elendig sikkerhed: Mere end 1.000 tidligere ansatte har haft fri adgang til centralt KMD-system
Se alle »
Computerworld
Teaser billede
Stort Microsoft-nedbrud rammer flere kunder: Problemer med Teams og mails
Læs mere »
Test: Den snusfornuftige Volkswagen ID.3 blevet til lidt af el-bisse
Kæmpe datalæk på hospital: 750.000 patienters fortrolige data lækket
Et ”mareridt for privatlivets fred”: Kontroversiel Windows-funktion er udkommet i en test-version
Se alle »
CIO
Teaser billede
Microsoft hæver priserne på M365: Sådan kommer de nye priser til at ramme
Læs mere »
Stort Microsoft-nedbrud rammer flere kunder: Problemer med Teams og mails
Leverandør til 50 danske kommuner ramt af ransomware: "Det er ikke sjovt," siger direktør Thomas à Porta
Konsulenthus vil rulle Microsoft 365 Copilot ud til 200.000 ansatte
Se alle »
Job & Karriere
Teaser billede
Microsoft klar med ny direktion for den danske forretning: Her er de nye direktører
Læs mere »
Efter skelsættende møde med sportscoach: Stor dansk it-arbejdsplads indfører fredags-fri og isbade i arbejdstiden
Linus Torvalds giver russiske Linux-udviklere sparket: Vil ikke have noget med dem at gøre
Twoday er rykket til et af de dyreste postnumre i Danmark – og det kan betale sig, siger topchef Lars Berthelsen
Se alle »
White paper
Teaser billede
SAP: Skab værdi og minimér omkostninger med effektiv dokumenthåndtering
Læs mere »
Sådan gør du: Elektronisk dokumentudveksling i praksis
Cyberangreb bliver mere kostbare: Er du forberedt?
Sikkerhed uden grænser: Cisco Hypershield
Se alle »

Events
Flere events »
White papers
Flere white papers »
IT-Kurser
Se alle vores it-kurser »