Avatar billede rainbow Nybegynder
16. oktober 2008 - 20:56 Der er 22 kommentarer og
1 løsning

har jeg fået virus? Hijack log til gennemsyn.

Har lige kørt Ad-Aware free 2008 som fandt
1 st. Trojan Downloader / Malware
165 kritiske objekter
84 private
249 filer
med alt muligt skidt

Er min computer "ren" nu eller er der fortsat noget i logén?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:38:36, on 16-10-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Analog Devices\SoundMAX\spkrmon.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmer\Microsoft IntelliType Pro\type32.exe
C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\MouseDrv.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\Documents and Settings\Dichoe\Skrivebord\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dichoe.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [type32] "C:\Programmer\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] C:\Programmer\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {1B77DC8B-0BCF-4669-ACA1-EBCAD4524D10} (HAIRTOOLS.Salon) - https://hairtools.dk/salon/hairtools.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153398771281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161966013546
O20 - AppInit_DLLs: C:\WINDOWS\System32\glmf3232.dll
O20 - Winlogon Notify: 3862891d448 - C:\WINDOWS\System32\glmf3232.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: spkrmon - Unknown owner - C:\Programmer\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 5225 bytes

Håber eksperterne kan hjælpe mig med denne udfordring.

Mvh- Rainbow
Avatar billede johnstigers Seniormester
16. oktober 2008 - 21:40 #1
Den er ikke ren...

SpyNoMore - er det et program du selv har installeret?
Der findes rigtig mange såkaldte antispyware programmer, desværre får man tit nyt oveni det eksisterende ved nogen af dem - især SpyNoMore.

Afinstaller det og ny log - der skal fjernes mere af programmet manuelt, men det tager vi bagefter.
Avatar billede rainbow Nybegynder
17. oktober 2008 - 11:58 #2
Hej John Stinger
Undskyld jeg kommer lidt sent med svaret, men blev akut forhindret i, at fortsætte i går aftes. 
Ja ... jeg har selv installeret SpyNoMore for at fjerne spyware.

Nu er den afinstalleret her er ny log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:06, on 17-10-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmer\Microsoft IntelliType Pro\type32.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\MouseDrv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Analog Devices\SoundMAX\spkrmon.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dichoe\Skrivebord\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dichoe.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [type32] "C:\Programmer\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] C:\Programmer\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {1B77DC8B-0BCF-4669-ACA1-EBCAD4524D10} (HAIRTOOLS.Salon) - https://hairtools.dk/salon/hairtools.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153398771281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161966013546
O20 - AppInit_DLLs: C:\WINDOWS\System32\glmf3232.dll
O20 - Winlogon Notify: 3862891d448 - C:\WINDOWS\System32\glmf3232.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: spkrmon - Unknown owner - C:\Programmer\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 5357 bytes


Rainbow
Avatar billede rainbow Nybegynder
17. oktober 2008 - 12:03 #3
Hvilket antispyware programmer kan du anbefale?
Lige nu har jeg besluttet at bruge sitet "spywarefri" til at hente mit antispyware.
Har tillid til sitet.
Har installeret avasti og bruger ad-aware til at fjerne skidtet med.
17. oktober 2008 - 23:06 #4
<john_stigers> fortsætter bare ...
Avatar billede rainbow Nybegynder
20. oktober 2008 - 18:04 #5
Hej John_stigers.
Ville du hjælpe mig med min log?
Har fjernet SpyNoMore fra programmer, men den ligger vist stadig og spøger et sted.
Ad-aware 2008 fjerner den, men den kommer igen efter jeg har slukket computeren.
Rainbow
Avatar billede johnstigers Seniormester
20. oktober 2008 - 20:41 #6
Sorry - har ikke fået mail fra visse spørgsmål. >Hvorfor ved jeg ikke-  kigger på det nu...
Avatar billede johnstigers Seniormester
20. oktober 2008 - 20:43 #7
Download "Malwarebytes Anti-Malware" her: http://www.malwarebytes.org/mbam.php
Installer og start programmet, husk at lade det opdatere, lav en "fuld systemscanning" under fanebladet "skanner".
Bagefter klikker du på "vis resultater", trykker på "Fjern det valgte" og sender loggen herind.
Avatar billede rainbow Nybegynder
20. oktober 2008 - 21:25 #8
Ok jeg iler ... og tak
Avatar billede rainbow Nybegynder
20. oktober 2008 - 21:38 #9
Så scanner den. Jeg har et bud på hvorfor du ikke fik mails fra mit spørgsmål idet jeg ændrede min mailadresse umiddelbart efter vi talte sammen sidst?
Avatar billede rainbow Nybegynder
20. oktober 2008 - 21:50 #10
Så har jeg scannet > fjernet det valgte, men den fjernede kun 20 fejl ud af 136?
Kan ikke umiddelbart finde loggen i malware.
Som du nok kan se er jeg ganske grøn herinde.
Her er hijack loggen.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:47:38, on 20-10-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmer\Microsoft IntelliType Pro\type32.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\MouseDrv.exe
C:\Programmer\Analog Devices\SoundMAX\spkrmon.exe
C:\Programmer\Advanced Registry Optimizer\ARO.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dichoe\Skrivebord\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dichoe.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programmer\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programmer\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [type32] "C:\Programmer\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] C:\Programmer\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AROReminder] C:\Programmer\Advanced Registry Optimizer\ARO.exe -rem
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {1B77DC8B-0BCF-4669-ACA1-EBCAD4524D10} (HAIRTOOLS.Salon) - https://hairtools.dk/salon/hairtools.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153398771281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161966013546
O20 - AppInit_DLLs: C:\WINDOWS\System32\glmf3232.dll
O20 - Winlogon Notify: 3862891d448 - C:\WINDOWS\System32\glmf3232.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: spkrmon - Unknown owner - C:\Programmer\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 6144 bytes
Avatar billede rainbow Nybegynder
20. oktober 2008 - 22:02 #11
Ok forkert scanner har lige hentet "Malwarebytes Anti-Malware" ved at scanne loggen kommer om lidt. Sorry
Avatar billede rainbow Nybegynder
20. oktober 2008 - 22:21 #12
Så er loggen her

Malwarebytes' Anti-Malware 1.29
Database version: 1298
Windows 5.1.2600 Service Pack 3

20-10-2008 22:20:06
mbam-log-2008-10-20 (22-20-06).txt

Skan type: Fuldstændig skanning (C:\|)
Objekter skannet: 87996
Tid tilbagelagt: 16 minute(s), 0 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 1
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 1
Inficerede Mapper: 0
Inficerede Filer: 1

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\Documents and Settings\Dichoe\Lokale indstillinger\Temporary Internet Files\Content.IE5\W4SFF5JC\setup_110104_3_[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
Avatar billede johnstigers Seniormester
21. oktober 2008 - 21:10 #13
http://www.ctrlaltdel.dk/SWF_hent.exe < og gem det på skrivebordet. Herefter dobbeltklikker du på det (SWF_hent.exe). Du skal måske tillade programmet at hente filer fra nettet!

Programmet henter nødvendige rense-programmer. Når programmerne er hentet, vil der være en mappe på skrivebordet med navnet "Spywarefri". Heri ligger programmerne sammen med en kort vejledning - hvis vejledningen ikke åbner automatisk så dobbeltklik på "SWF_vejledning.html".

Følg vejledningen og kopier logfilerne herind i tråden.

OBS!! Da vores renseprogrammer af mange sikkerhedsprogrammet vil blive opfattet som infektioner – er det en god idé at afbryde sikkerhedsprogrammerne under installation og scanninger…

****HUSK!!!!**** at deaktivere Avast - der er ingen virus i.
Se evt. kommentarer i http://www.eksperten.dk/spm/847773
Avatar billede rainbow Nybegynder
21. oktober 2008 - 22:10 #14
Så har jeg downloaded "pakken" og fulgt anvisningerne.
Her er de 3 log´s: (Undladt cleaner log som beskrevet)

Malwarebytes' Anti-Malware 1.29
Database version: 1304
Windows 5.1.2600 Service Pack 3

21-10-2008 21:57:17
mbam-log-2008-10-21 (21-57-17).txt

Skan type: Fuldstændig skanning (C:\|)
Objekter skannet: 72467
Tid tilbagelagt: 13 minute(s), 32 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 1
Inficerede Mapper: 0
Inficerede Filer: 0

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
(Ingen mistænkelige filer fundet)


ComboFix 08-10-19.04 - Dichoe 2008-10-21 22:02:02.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1030.18.263 [GMT 2:00]
Running from: C:\Documents and Settings\Dichoe\Skrivebord\Spywarefri\ComboFix.exe
* Created a new restore point

[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\xcrashdump.dat

.
(((((((((((((((((((((((((  Files Created from 2008-09-21 to 2008-10-21  )))))))))))))))))))))))))))))))
.

2008-10-21 21:37 . 2008-10-21 21:37    <DIR>    d--------    C:\Programmer\CCleaner
2008-10-20 21:29 . 2008-10-20 21:29    <DIR>    d--------    C:\Programmer\AskBarDis
2008-10-19 18:59 . 2008-10-20 22:25    <DIR>    d--------    C:\Programmer\Spybot - Search & Destroy
2008-10-19 18:59 . 2008-10-20 22:25    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-16 20:46 . 2008-10-16 20:46    <DIR>    d--------    C:\Kaspersky
2008-10-16 20:24 . 2008-10-16 20:24    <DIR>    d--------    C:\Programmer\Fælles filer\Wise Installation Wizard
2008-10-16 20:24 . 2008-10-16 20:25    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-16 20:12 . 2008-10-16 20:12    <DIR>    d--------    C:\WINDOWS\system32\da
2008-10-16 20:12 . 2008-10-16 20:12    <DIR>    d--------    C:\WINDOWS\l2schemas
2008-10-16 19:35 . 2007-08-13 18:54    33,792    --a--c---    C:\WINDOWS\system32\dllcache\custsat.dll
2008-10-16 19:34 . 2008-08-14 15:25    2,191,744    -----c---    C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-16 19:34 . 2008-08-14 15:25    2,147,840    -----c---    C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-16 19:34 . 2008-08-14 15:25    2,068,608    -----c---    C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-16 19:34 . 2008-08-14 15:25    2,026,496    -----c---    C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-16 19:34 . 2008-09-15 17:27    1,846,400    -----c---    C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-16 19:34 . 2008-09-08 12:41    333,824    -----c---    C:\WINDOWS\system32\dllcache\srv.sys
2008-10-14 21:47 . 2008-10-14 21:47    <DIR>    d--------    C:\Programmer\Alwil Software
2008-10-14 21:20 . 2008-10-21 21:42    <DIR>    d--------    C:\Programmer\Malwarebytes' Anti-Malware
2008-10-14 21:20 . 2008-10-14 21:20    <DIR>    d--------    C:\Documents and Settings\Dichoe\Application Data\Malwarebytes
2008-10-14 21:20 . 2008-10-14 21:20    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-14 21:20 . 2008-10-16 20:25    38,496    --a------    C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-14 21:20 . 2008-10-16 20:25    15,504    --a------    C:\WINDOWS\system32\drivers\mbam.sys
2008-10-14 21:11 . 2008-10-16 15:24    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Birdstep Technology
2008-10-14 21:10 . 2008-10-14 21:10    <DIR>    d--------    C:\Programmer\Huawei Modems
2008-10-14 21:10 . 2008-05-30 13:14    102,016    --a------    C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-10-14 21:10 . 2008-05-30 13:14    100,992    --a------    C:\WINDOWS\system32\drivers\ewusbnet.sys
2008-10-14 21:10 . 2008-10-14 21:10    71,636    --a------    C:\WINDOWS\Huawei ModemsUninstall.exe
2008-10-14 21:10 . 2008-05-30 13:14    24,448    --a------    C:\WINDOWS\system32\drivers\ewdcsc.sys
2008-09-26 14:58 . 2008-09-26 14:58    1,152    --a------    C:\WINDOWS\system32\windrv.sys
2008-09-22 22:15 . 2008-04-14 18:05    1,306,624    ---------    C:\WINDOWS\system32\msxml6.dll
2008-09-22 22:14 . 2008-04-14 18:05    786,432    -----c---    C:\WINDOWS\system32\dllcache\migrate.exe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 18:25    ---------    d-----w    C:\Programmer\Lavasoft
2008-10-16 18:25    ---------    d-----w    C:\Documents and Settings\Dichoe\Application Data\Lavasoft
2008-10-14 19:09    ---------    d--h--w    C:\Programmer\InstallShield Installation Information
2008-10-14 19:05    ---------    d-----w    C:\Programmer\Fælles filer\InstallShield
2008-10-14 18:49    ---------    d-----w    C:\Documents and Settings\LocalService\Application Data\AVG7
2008-10-14 18:49    ---------    d-----w    C:\Documents and Settings\Dichoe\Application Data\AVG7
2008-10-14 18:49    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Grisoft
2008-10-14 18:49    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\avg7
2008-09-15 15:27    1,846,400    ----a-w    C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41    333,824    ----a-w    C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 08:27    826,368    ----a-w    C:\WINDOWS\system32\wininet.dll
2008-08-14 13:25    2,191,744    ----a-w    C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 13:25    2,068,608    ----a-w    C:\WINDOWS\system32\ntkrnlpa.exe
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 15:20    279944    --a------    C:\Programmer\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "C:\Programmer\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "C:\Programmer\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 118784]
"WireLessMouse"="C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\StartAutorun.exe" [2005-11-30 94208]
"WireLessKeyboard"="C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\StartAutorun.exe" [2005-11-30 94208]
"type32"="C:\Programmer\Microsoft IntelliType Pro\type32.exe" [2005-06-10 196608]
"IntelliPoint"="C:\Programmer\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Adobe Reader Speed Launcher"="C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\glmf3232.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmer\\Messenger\\msmsgs.exe"=
"C:\\Programmer\\ProLøn Lønindberetning\\SafeIP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed6f99a4-9a22-11dd-9393-001143a03ef1}]
\Shell\AutoRun\command - E:\AutoRun.exe

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - C:\Programmer\MSN Messenger\MsnMsgr.Exe
HKLM-Run-SNM - C:\Programmer\SpyNoMore\SNM.exe
Notify-3862891d448 - C:\WINDOWS\System32\glmf3232.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.dichoe.dk/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.google.dk/
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s

O16 -: {1B77DC8B-0BCF-4669-ACA1-EBCAD4524D10} - hxxps://hairtools.dk/salon/hairtools.cab
C:\WINDOWS\Downloaded Program Files\Hairtools.inf
C:\WINDOWS\system32\MSVBVM60.DLL
C:\WINDOWS\system32\OLEAUT32.DLL
C:\WINDOWS\system32\OLEPRO32.DLL
C:\WINDOWS\system32\ASYCFILT.DLL
C:\WINDOWS\system32\STDOLE2.TLB
C:\WINDOWS\system32\COMCAT.DLL
C:\WINDOWS\Downloaded Program Files\Hairtools.dll
C:\WINDOWS\system32\TABCTL32.OCX
C:\WINDOWS\system32\MSMASK32.OCX
C:\WINDOWS\system32\MSCOMCT2.OCX
C:\WINDOWS\system32\COMDLG32.OCX
C:\WINDOWS\system32\flxdrv.dll
C:\WINDOWS\Downloaded Program Files\Pbs.dll
C:\WINDOWS\Downloaded Program Files\PointTerminalStop.bmp
C:\WINDOWS\Downloaded Program Files\PointTerminalOkD.bmp
C:\WINDOWS\Downloaded Program Files\PointTerminalOk.bmp
C:\WINDOWS\Downloaded Program Files\PointTerminalBackGround.bmp
C:\WINDOWS\Downloaded Program Files\PointTerminal.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 22:03:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-21 22:03:55
ComboFix-quarantined-files.txt  2008-10-21 20:03:52

Pre-Run: 72.191.119.360 byte ledig
Post-Run: 72,213,200,896 byte ledig

145    --- E O F ---    2008-10-16 19:48:01


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:05:47, on 21-10-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmer\Microsoft IntelliType Pro\type32.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\MouseDrv.exe
C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
C:\Programmer\Analog Devices\SoundMAX\spkrmon.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Dichoe\Skrivebord\Spywarefri\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dichoe.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programmer\AskBarDis\bar\bin\askBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programmer\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [type32] "C:\Programmer\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {1B77DC8B-0BCF-4669-ACA1-EBCAD4524D10} (HAIRTOOLS.Salon) - https://hairtools.dk/salon/hairtools.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153398771281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161966013546
O20 - AppInit_DLLs: C:\WINDOWS\System32\glmf3232.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: spkrmon - Unknown owner - C:\Programmer\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 4967 bytes
Avatar billede johnstigers Seniormester
21. oktober 2008 - 22:45 #15
Vigtigt-> Deaktiver dit antivirus/antispyware program. Da det/de kan ”forstyrre” og konflikte med combofix, eller fjerne vigtige combofix filer, hvilket kan få computeren til fryse.


Kopiér indholdet mellem de bølgede linier ind i et notepad/notesblok-vindue, og gem indholdet i samme mappe, som Combofix ligger med navnet CFScript.

~~~~~~~~~~~~~~~~~~~~~~~~~~

Killall::

Snapshot::

Folder::
C:\Programmer\AskBarDis


~~~~~~~~~~~~~~~~~~~~~~~~~~
Tag så fat i den CFScript filen med musen, og før den hen over Combofix-filen, hvorefter du "giver slip" med musen, som vist her ->
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Avatar billede rainbow Nybegynder
22. oktober 2008 - 00:07 #16
Ok så har jeg gjort som du beskrev ny log her.

ComboFix 08-10-19.04 - Dichoe 2008-10-21 23:58:59.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1030.18.302 [GMT 2:00]
Running from: C:\Documents and Settings\Dichoe\Skrivebord\Spywarefri\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dichoe\Skrivebord\Spywarefri\CFScript..txt
* Created a new restore point

[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Programmer\AskBarDis
C:\Programmer\AskBarDis\bar\bin\askBar.dll
C:\Programmer\AskBarDis\bar\bin\askPopStp.dll
C:\Programmer\AskBarDis\bar\bin\psvince.dll
C:\Programmer\AskBarDis\bar\Cache\0000FB96
C:\Programmer\AskBarDis\bar\Cache\00010A8A
C:\Programmer\AskBarDis\bar\Cache\00010BE2.bin
C:\Programmer\AskBarDis\bar\Cache\00010E05.bin
C:\Programmer\AskBarDis\bar\Cache\00011027.bin
C:\Programmer\AskBarDis\bar\Cache\00011141.bin
C:\Programmer\AskBarDis\bar\Cache\0001126A.bin
C:\Programmer\AskBarDis\bar\Cache\00011373.bin
C:\Programmer\AskBarDis\bar\Cache\000114FA.bin
C:\Programmer\AskBarDis\bar\Cache\files.ini
C:\Programmer\AskBarDis\bar\History\search
C:\Programmer\AskBarDis\bar\Settings\config.dat
C:\Programmer\AskBarDis\bar\Settings\config.dat.bak
C:\Programmer\AskBarDis\bar\Settings\prevcfg.htm
C:\Programmer\AskBarDis\unins000.dat
C:\Programmer\AskBarDis\unins000.exe

.
(((((((((((((((((((((((((  Files Created from 2008-09-21 to 2008-10-21  )))))))))))))))))))))))))))))))
.

2008-10-21 21:37 . 2008-10-21 21:37    <DIR>    d--------    C:\Programmer\CCleaner
2008-10-19 18:59 . 2008-10-20 22:25    <DIR>    d--------    C:\Programmer\Spybot - Search & Destroy
2008-10-19 18:59 . 2008-10-20 22:25    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-16 20:46 . 2008-10-16 20:46    <DIR>    d--------    C:\Kaspersky
2008-10-16 20:24 . 2008-10-16 20:24    <DIR>    d--------    C:\Programmer\Fælles filer\Wise Installation Wizard
2008-10-16 20:24 . 2008-10-16 20:25    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-16 20:12 . 2008-10-16 20:12    <DIR>    d--------    C:\WINDOWS\system32\da
2008-10-16 20:12 . 2008-10-16 20:12    <DIR>    d--------    C:\WINDOWS\l2schemas
2008-10-16 19:35 . 2007-08-13 18:54    33,792    --a--c---    C:\WINDOWS\system32\dllcache\custsat.dll
2008-10-16 19:34 . 2008-08-14 15:25    2,191,744    -----c---    C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-16 19:34 . 2008-08-14 15:25    2,147,840    -----c---    C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-16 19:34 . 2008-08-14 15:25    2,068,608    -----c---    C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-16 19:34 . 2008-08-14 15:25    2,026,496    -----c---    C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-16 19:34 . 2008-09-15 17:27    1,846,400    -----c---    C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-16 19:34 . 2008-09-08 12:41    333,824    -----c---    C:\WINDOWS\system32\dllcache\srv.sys
2008-10-14 21:47 . 2008-10-14 21:47    <DIR>    d--------    C:\Programmer\Alwil Software
2008-10-14 21:20 . 2008-10-21 21:42    <DIR>    d--------    C:\Programmer\Malwarebytes' Anti-Malware
2008-10-14 21:20 . 2008-10-14 21:20    <DIR>    d--------    C:\Documents and Settings\Dichoe\Application Data\Malwarebytes
2008-10-14 21:20 . 2008-10-14 21:20    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-14 21:20 . 2008-10-16 20:25    38,496    --a------    C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-14 21:20 . 2008-10-16 20:25    15,504    --a------    C:\WINDOWS\system32\drivers\mbam.sys
2008-10-14 21:11 . 2008-10-16 15:24    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Birdstep Technology
2008-10-14 21:10 . 2008-10-14 21:10    <DIR>    d--------    C:\Programmer\Huawei Modems
2008-10-14 21:10 . 2008-05-30 13:14    102,016    --a------    C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-10-14 21:10 . 2008-05-30 13:14    100,992    --a------    C:\WINDOWS\system32\drivers\ewusbnet.sys
2008-10-14 21:10 . 2008-10-14 21:10    71,636    --a------    C:\WINDOWS\Huawei ModemsUninstall.exe
2008-10-14 21:10 . 2008-05-30 13:14    24,448    --a------    C:\WINDOWS\system32\drivers\ewdcsc.sys
2008-09-26 14:58 . 2008-09-26 14:58    1,152    --a------    C:\WINDOWS\system32\windrv.sys
2008-09-22 22:15 . 2008-04-14 18:05    1,306,624    ---------    C:\WINDOWS\system32\msxml6.dll
2008-09-22 22:14 . 2008-04-14 18:05    786,432    -----c---    C:\WINDOWS\system32\dllcache\migrate.exe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 18:25    ---------    d-----w    C:\Programmer\Lavasoft
2008-10-16 18:25    ---------    d-----w    C:\Documents and Settings\Dichoe\Application Data\Lavasoft
2008-10-14 19:09    ---------    d--h--w    C:\Programmer\InstallShield Installation Information
2008-10-14 19:05    ---------    d-----w    C:\Programmer\Fælles filer\InstallShield
2008-10-14 18:49    ---------    d-----w    C:\Documents and Settings\LocalService\Application Data\AVG7
2008-10-14 18:49    ---------    d-----w    C:\Documents and Settings\Dichoe\Application Data\AVG7
2008-10-14 18:49    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Grisoft
2008-10-14 18:49    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\avg7
2008-09-08 10:41    333,824    ----a-w    C:\WINDOWS\system32\drivers\srv.sys
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 118784]
"WireLessMouse"="C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\StartAutorun.exe" [2005-11-30 94208]
"WireLessKeyboard"="C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\StartAutorun.exe" [2005-11-30 94208]
"type32"="C:\Programmer\Microsoft IntelliType Pro\type32.exe" [2005-06-10 196608]
"IntelliPoint"="C:\Programmer\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Adobe Reader Speed Launcher"="C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\glmf3232.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmer\\Messenger\\msmsgs.exe"=
"C:\\Programmer\\ProLøn Lønindberetning\\SafeIP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed6f99a4-9a22-11dd-9393-001143a03ef1}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programmer\AskBarDis\bar\bin\askBar.dll
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programmer\AskBarDis\bar\bin\askBar.dll
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Programmer\AskBarDis\bar\bin\askBar.dll



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 00:01:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\Programmer\Analog Devices\SoundMAX\spkrmon.exe
C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\MouseDrv.exe
C:\Programmer\40700 Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-10-22  0:03:51 - machine was rebooted [Dichoe]
ComboFix-quarantined-files.txt  2008-10-21 22:03:46
ComboFix2.txt  2008-10-21 20:03:57

Pre-Run: 72.199.675.904 byte ledig
Post-Run: 72,188,518,400 byte ledig

136    --- E O F ---    2008-10-16 19:48:01
Avatar billede rainbow Nybegynder
22. oktober 2008 - 00:09 #17
Jeg kommer til at gå på køjen nu, skal op 05.30 fortsætter imorgen hvis du har tiden.
Tak for hjælpen så langt.

Rainbow
Avatar billede johnstigers Seniormester
22. oktober 2008 - 19:45 #18
Efter hvad jeg kan se er den ren nu.
Avatar billede rainbow Nybegynder
22. oktober 2008 - 19:48 #19
Tak for din tolmodoghed og hjælpen John stigers i min verden en meget kompliceret opgave.
Kan du anbefale at man udskifter windows firewall med en fra spywarefri?

Rainbow
Avatar billede rainbow Nybegynder
22. oktober 2008 - 19:50 #20
"tålmodighed"
Avatar billede johnstigers Seniormester
22. oktober 2008 - 20:24 #21
Windows firewall er absolut bedre end slet ingen, men ja, udskift den gerne.
Kan anbefale Comodo.
Den kan være lidt tricky, men når du først lige vænner dig til den er den faktisk nem at finde ud af.
Avatar billede rainbow Nybegynder
23. oktober 2008 - 08:39 #22
Takker for det hele.
Avatar billede johnstigers Seniormester
23. oktober 2008 - 22:03 #23
Anytime :)
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester