mamme (Beginner)
10 April 2010 - 21:41. There are 20 comments and 1 solution.

PC problem -> HijackThis log

Hi,
My sister's laptop restarts every time it is started, and it also throws a couple of strange system errors. So I have made a log for you IT sharks.
I found out that I could stop it from restarting by typing Run -> shutdown -a

Will someone check the log? Lots of points to be had :-)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:28:40, on 10-04-2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmer\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\Programmer\McAfee\Common Framework\FrameworkService.exe
C:\Programmer\Google\Update\GoogleUpdate.exe
C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\UltraVNC\WinVNC.exe
C:\Programmer\McAfee\Common Framework\naPrdMgr.exe
C:\Programmer\Canon\CAL\CALMAIN.exe
C:\Programmer\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wininet.exe
C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmer\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmer\McAfee\Common Framework\McTray.exe
C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\windows\system32\wuaucldt.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Documents and Settings\Joan\reader_s.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe syce.xto nqxwp
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmer\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmer\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmer\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelWireless] C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinVNC] "C:\Programmer\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MsXSLT] C:\WINDOWS\system32\msxslt3.exe
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [6.tmp] C:\WINDOWS\system32\6.tmp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [syncman] c:\documents and settings\joan\wuaucldt.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Joan\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-220523388-583907252-839522115-1010\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-220523388-583907252-839522115-1010\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe (User '?')
O4 - HKUS\S-1-5-21-220523388-583907252-839522115-1010\..\Run: [reader_s] C:\Documents and Settings\Joan\reader_s.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Opdateringsagent.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki ... - res://C:\Programmer\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.kps.dk/Codebase/FormCtl.cab
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (Adobe Mail Control) - http://www.kps.dk/codebase/ffmail.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.aarhus.dk/Mapguide%20viewer/v65/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258051879187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201767695571
O16 - DPF: {86702DD4-6E0B-4D72-8715-C963F1BA38B3} (RxClientView Control) - http://www.byggeweb.dk/plugin/RxClientView.cab
O16 - DPF: {92EB6641-286A-11D2-A68E-00A0C996A6DD} (Adobe Signature Object) - http://www.kps.dk/codebase/jfsignature.cab
O16 - DPF: {AD90E8D1-3B47-11D2-A696-00A0C996A6DD} (jfCryptoSignature Class) - http://www.kps.dk/codebase/jfcrypto.cab
O16 - DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} (IPSUploader4 Control) - https://asp.photoprintit.de/microsite/4066/defaults/activex/ips/IPSUploader4.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.kps.dk/codebase/scriptobject.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://support.persits.com/xupload/XUpload.ocx
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.kps.dk/codebase/fontinstaller.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.plf.dk/greve/ACGM/acgm.cab
O20 - Winlogon Notify: reset5c - C:\WINDOWS\SYSTEM32\reset5c.dll
O21 - SSODL: LGootkitSSO - {42AB8980-EB32-470E-9C3F-B5E5AC67ABE2} - C:\WINDOWS\System32\lmsxsltsso.dll
O21 - SSODL: GootkitSSO - {F033DD9F-88B5-4D51-A74A-560E680028B2} - C:\WINDOWS\System32\msxsltsso.dll
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\system32\svshost.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmer\Canon\CAL\CALMAIN.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Tjenesten Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmer\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programmer\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Programmer\UltraVNC\WinVNC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programmer\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10784 bytes
f-arn (Guru)
10 April 2010 - 22:16 #1
Hi, there is indeed something that looks a bit "odd".

Download "Malwarebytes' Anti-Malware" here: http://www.besttechie.net/tools/mbam-setup.exe

Or here ->
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968

Install and start the program, click the Update tab, click Check for updates, then run a "full system scan" under the "Scanner" tab.
Afterwards click "Show results", press "Remove selected" and post the log here together with a log from DDS, which you can find here: http://download.bleepingcomputer.com/sUBs/dds.scr

or here: http://www.forospyware.com/sUBs/dds

It produces two logs (DDS.txt and Attach.txt); save them to the desktop and paste the contents of DDS.txt here.

NB: DDS must be saved to the computer and not run from the web.

NB: When you update Malwarebytes, keep clicking Check for updates until it says there are no more updates.
10 April 2010 - 22:29 #2
Yikes - there are >10 very suspicious items - and those are just the ones immediately visible - according to your log...

What have you (= your sister) been up to?

Looking forward *S* to seeing/reading the result of the #1 procedure...
f-arn (Guru)
10 April 2010 - 23:24 #3
After seeing karise_larry's post I have read the whole log, and I am unfortunately 99.9% sure it is Virut.
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Joan\reader_s.exe

http://www.spywarefri.dk/artikel/ramt-af-virut/
mamme (Beginner)
11 April 2010 - 11:56 #4
Thanks f-arn, I have now run a complete scan with Malwarebytes; it found 26 infected items. Running that scan helped the PC noticeably.

Unfortunately I could not run an update, as the network was down.

That Virut does sound pretty bad when you read the page you linked to..

Here are the 2 logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:43, on 11-04-2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmer\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\Programmer\McAfee\Common Framework\FrameworkService.exe
C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\UltraVNC\WinVNC.exe
C:\Programmer\Canon\CAL\CALMAIN.exe
C:\Programmer\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmer\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmer\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmer\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmer\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmer\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmer\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelWireless] C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinVNC] "C:\Programmer\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Opdateringsagent.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki ... - res://C:\Programmer\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.kps.dk/Codebase/FormCtl.cab
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (Adobe Mail Control) - http://www.kps.dk/codebase/ffmail.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.aarhus.dk/Mapguide%20viewer/v65/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258051879187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201767695571
O16 - DPF: {86702DD4-6E0B-4D72-8715-C963F1BA38B3} (RxClientView Control) - http://www.byggeweb.dk/plugin/RxClientView.cab
O16 - DPF: {92EB6641-286A-11D2-A68E-00A0C996A6DD} (Adobe Signature Object) - http://www.kps.dk/codebase/jfsignature.cab
O16 - DPF: {AD90E8D1-3B47-11D2-A696-00A0C996A6DD} (jfCryptoSignature Class) - http://www.kps.dk/codebase/jfcrypto.cab
O16 - DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} (IPSUploader4 Control) - https://asp.photoprintit.de/microsite/4066/defaults/activex/ips/IPSUploader4.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.kps.dk/codebase/scriptobject.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://support.persits.com/xupload/XUpload.ocx
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.kps.dk/codebase/fontinstaller.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.plf.dk/greve/ACGM/acgm.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmer\Canon\CAL\CALMAIN.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Tjenesten Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmer\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programmer\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Programmer\UltraVNC\WinVNC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programmer\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8904 bytes
mamme (Beginner)
11 April 2010 - 11:56 #5
DDS (Ver_10-03-17.01) - NTFSx86 
Run by Joan at 11:42:02,29 on 11-04-2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional  5.1.2600.3.1252.45.1030.18.503.175 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmer\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\Programmer\McAfee\Common Framework\FrameworkService.exe
C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programmer\UltraVNC\WinVNC.exe
C:\Programmer\Canon\CAL\CALMAIN.exe
C:\Programmer\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmer\McAfee\Common Framework\UdaterUI.exe
C:\Programmer\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmer\fælles filer\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programmer\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programmer\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmer\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmer\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmer\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\programmer\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\programmer\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [McAfeeUpdaterUI] "c:\programmer\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ShStatEXE] "c:\programmer\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [WinVNC] "c:\programmer\ultravnc\WinVNC.exe" -servicehelper
mRun: [Adobe Reader Speed Launcher] "c:\programmer\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\programmer\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuen~1\progra~1\start\opdate~1.lnk - c:\programmer\3\3connect\AutoUpdateSrv.exe
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki ... - c:\programmer\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmer\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: mhitp.dk\citrix
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {11818680-FCF6-11D0-9808-0800092A4865} - hxxp://www.kps.dk/Codebase/FormCtl.cab
DPF: {1469FF24-47F6-11D2-8805-006008C537E3} - hxxp://www.kps.dk/codebase/ffmail.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://gis.aarhus.dk/Mapguide%20viewer/v65/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258051879187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201767695571
DPF: {86702DD4-6E0B-4D72-8715-C963F1BA38B3} - hxxp://www.byggeweb.dk/plugin/RxClientView.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {92EB6641-286A-11D2-A68E-00A0C996A6DD} - hxxp://www.kps.dk/codebase/jfsignature.cab
DPF: {AD90E8D1-3B47-11D2-A696-00A0C996A6DD} - hxxp://www.kps.dk/codebase/jfcrypto.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} - hxxps://asp.photoprintit.de/microsite/4066/defaults/activex/ips/IPSUploader4.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} - hxxp://www.kps.dk/codebase/scriptobject.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://support.persits.com/xupload/XUpload.ocx
DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} - hxxp://www.kps.dk/codebase/fontinstaller.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - hxxp://www.plf.dk/greve/ACGM/acgm.cab
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\programmer\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-8-9 58464]
R2 McAfeeFramework;McAfee Framework Service;c:\programmer\mcafee\common framework\FrameworkService.exe [2007-8-9 104000]
R2 McTaskManager;Network Associates Task Manager;c:\programmer\network associates\virusscan\VsTskMgr.exe [2006-6-8 29184]
S1 khtd696;khtd696;c:\windows\system32\drivers\khtd696.sys [2010-4-8 138272]
S2 gupdate;Tjenesten Google Update (gupdate);c:\programmer\google\update\GoogleUpdate.exe [2010-1-26 135664]
S2 McShield;Network Associates McShield;c:\programmer\network associates\virusscan\Mcshield.exe [2006-2-14 221191]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2009-8-19 102656]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-8-9 116864]

=============== Created Last 30 ================

2010-04-10 23:01:40    0    d-----w-    c:\docume~1\joan\applic~1\Malwarebytes
2010-04-10 23:01:09    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 23:00:59    20824    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-04-10 23:00:59    0    d-----w-    c:\programmer\Malwarebytes' Anti-Malware
2010-04-10 23:00:59    0    d-----w-    c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-10 17:16:15    0    d-----w-    c:\programmer\fælles filer\Wise Installation Wizard
2010-04-10 10:30:08    0    ----a-w-    c:\windows\f3lzrri4gqypnhqa900kjda2.ini
2010-04-08 17:59:47    182656    -c--a-w-    c:\windows\system32\dllcache\ndis.sys
2010-04-08 17:58:45    138272    ----a-w-    c:\windows\system32\drivers\khtd696.sys
2010-04-07 18:34:18    0    d-----w-    c:\docume~1\alluse~1\applic~1\e-Safekey
2010-03-21 08:53:42    293376    ------w-    c:\windows\system32\browserchoice.exe

==================== Find3M  ====================

2010-04-08 17:59:48    182656    ----a-w-    c:\windows\system32\drivers\ndis.sys
2010-04-04 15:45:45    83682    ----a-w-    c:\windows\system32\perfc006.dat
2010-04-04 15:45:45    459568    ----a-w-    c:\windows\system32\perfh006.dat
2010-02-25 06:18:02    916480    ----a-w-    c:\windows\system32\wininet.dll
2007-08-19 00:23:40    1556935    -c--a-w-    c:\programmer\freecodecinstaller.zip
2008-01-30 08:03:24    16384    --sha-w-    c:\windows\temp\cookies\index.dat
2008-01-30 08:03:24    16384    --sha-w-    c:\windows\temp\history\history.ie5\index.dat
2008-01-30 08:03:24    16384    --sha-w-    c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 11:42:25,70 ===============
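The DDS output above is easier to reason about as a timeline than as three separate lists. The script below is an added example, not code from this thread or from the DDS tool: it parses the "Created Last 30", "Find3M" and "SERVICES / DRIVERS" sections and pairs every driver that is both newly created and registered for boot or system start (start type 0 or 1) with any other file event inside a window of a few minutes. The sample is a subset of the DDS log above; the five-minute window is an assumption. On those lines the only cluster is khtd696.sys (S1, created 2010-04-08 17:58:45), followed 62 and 63 seconds later by writes to the dllcache copy of ndis.sys and to ndis.sys itself. Windows Update also rewrites both copies, so the cluster is a prompt to verify the driver's signature and the ndis.sys hash against a known-good copy, not a verdict.

```python
"""Timeline triage of a DDS log (added example, not from the thread).

Correlates three DDS sections: a kernel driver that is new, configured for
boot/system start, and created within minutes of a rewrite of core OS
files is the first thing to hash and signature-check.
"""
import re
from datetime import datetime, timedelta

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")
# e.g. "S1 khtd696;khtd696;c:\windows\system32\drivers\khtd696.sys [2010-4-8 138272]"
DRIVER_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+?) \[[\d-]+ \d+\]")


def parse_dds(text):
    """Return (files, drivers) parsed from the DDS sections named above."""
    files, drivers, section = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section in ("created last 30", "find3m"):
            m = FILE_RE.match(line)
            if m:
                ts, size, attrs, path = m.groups()
                files.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                              "size": int(size), "attrs": attrs,
                              "path": path.lower(), "section": section})
        elif section == "services / drivers":
            m = DRIVER_RE.match(line)
            if m:
                state, start, name, _desc, path = m.groups()
                drivers.append({"name": name, "path": path.lower(),
                                "running": state == "R", "start": int(start)})
    return files, drivers


def early_driver_clusters(files, drivers, window=timedelta(minutes=5)):
    """New boot/system-start drivers with every other file event within `window`."""
    created = {f["path"]: f for f in files if f["section"] == "created last 30"}
    clusters = []
    for d in drivers:
        if d["start"] > 1 or d["path"] not in created:
            continue                       # 0 = boot start, 1 = system start
        t0 = created[d["path"]]["time"]
        near = [f for f in files
                if f["path"] != d["path"] and abs(f["time"] - t0) <= window]
        clusters.append({"driver": d["name"], "path": d["path"], "created": t0,
                         "companions": sorted(near, key=lambda f: f["time"])})
    return clusters


def describe(cluster):
    """Human-readable timeline for one cluster, offsets relative to the driver."""
    lines = [f"{cluster['driver']}: {cluster['path']} created {cluster['created']}"]
    for f in cluster["companions"]:
        delta = int((f["time"] - cluster["created"]).total_seconds())
        lines.append(f"  {delta:+d}s  {f['attrs']}  {f['path']}")
    return "\n".join(lines)


# Sample: a subset of the DDS log posted in this thread.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-8-9 58464]
S1 khtd696;khtd696;c:\windows\system32\drivers\khtd696.sys [2010-4-8 138272]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-8-9 116864]

=============== Created Last 30 ================

2010-04-10 23:01:09    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 23:00:59    20824    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-04-08 17:59:47    182656    -c--a-w-    c:\windows\system32\dllcache\ndis.sys
2010-04-08 17:58:45    138272    ----a-w-    c:\windows\system32\drivers\khtd696.sys

==================== Find3M  ====================

2010-04-08 17:59:48    182656    ----a-w-    c:\windows\system32\drivers\ndis.sys
2010-02-25 06:18:02    916480    ----a-w-    c:\windows\system32\wininet.dll
"""

if __name__ == "__main__":
    files, drivers = parse_dds(SAMPLE_DDS)
    for cluster in early_driver_clusters(files, drivers):
        print(describe(cluster))
```

The Malwarebytes drivers created on 10 April do not cluster: they are not in the driver list and nothing else was written near them. NaiAvTdi1 is system-start but years old, so it is skipped too. Only the entry that is new, early-start and surrounded by other writes is reported.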
mamme (Beginner)
11 April 2010 - 12:00 #6
karise_larry - well, I don't know exactly what she uses her PC for, but I know she uses LimeWire and an expired antivirus program. So it is perhaps only a matter of time before it goes wrong..
f-arn (Guru)
11 April 2010 - 13:10 #7
So it is perhaps only a matter of time before it goes wrong..

Yes, and I fear it has gone really wrong!
I need to see the log from Malwarebytes, so start it and find the log under the "Logs" tab. Paste it here.

Download this scanner.
http://www.freedrweb.com/cureit/history/

Dr.Web CureIt! - at the top of the row on the left.

Double-click drweb-cureit.exe and click Start in the box that pops up; it will run an express scan, which you say OK to.

The first time Dr.Web finds something, click "Yes to All", and it removes what it finds.

When it says Done at the bottom left, click Options->Change settings.

Click the Scan tab and uncheck Heuristic analysis.

Skift til fanebladet Actions, her skal alle punkter under Malware sættes til Rename.

Tryk på - Anvend. Luk Actions - fanebladet ved at trykke på det firkantede kryds i øverste højre hjørne.


Tryk på Scan - fanen. Flyt så prikken i Express Scan ned til Complete Scan,tyk så på den grønne pil til pil til højre så starter scanningen.
Første gang Dr.Web finder noget, klik "Yes to All", så fjerner den hvad den finder.
Når scanningen er færdig, gå op i file - Tryk på- Save Report list. Gem filen på skrivebordet.

Så ligger der en en fil der her hedder "drweb.csv" på skrivebordet.

Luk Programmet.

NB. Under scanningen popper der en boks op med - Buy - den boks lukker du bare ned.

Send drweb.csv loggen herind
mamme (Beginner)
11 April 2010 - 13:46 #8
Dr.Web CureIt! is now running..

Here is the log from Malwarebytes' Anti-Malware that you asked for.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11-04-2010 02:28:46
mbam-log-2010-04-11 (02-28-46).txt

Skanningstype: Fuldstændig skanning (C:\|)
Objekter skannet: 240119
Tid gået: 1 time(r), 22 minut(ter), 54 sekund(er)

Hukommelses Processorer Inficeret: 5
Hukommelses Moduler Inficeret: 5
Registreringsdatabase Nøgler Inficeret: 11
Registreringsdatabase Værdier Inficeret: 12
Registreringsdatabase Data Objekter Inficeret: 4
Inficerede Mapper: 1
Inficerede Filer: 28

Hukommelses Processorer Inficeret:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\wininet.exe (Trojan.Proxy) -> Unloaded process successfully.
C:\Documents and Settings\Joan\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\wuaucldt.exe (Trojan.Agent) -> Unloaded process successfully.

Hukommelses Moduler Inficeret:
C:\WINDOWS\system32\lmsxsltsso.dll (Trojan.GootKit) -> Delete on reboot.
C:\WINDOWS\system32\svshost.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\syce.xto (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\msxsltsso.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\reset5c.dll (Trojan.Agent) -> Delete on reboot.

Registreringsdatabase Nøgler Inficeret:
HKEY_CLASSES_ROOT\CLSID\{d7ffd784-5276-42d1-887b-00267870a4c7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdrom (Trojan.Patched) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\reset5c (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ididp (Trojan.Sasfis) -> Delete on reboot.

Registreringsdatabase Værdier Inficeret:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syncman (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6.tmp (Malware.Packer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysrun (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syncman (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\lgootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msxslt (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registreringsdatabase Data Objekter Inficeret:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe syce.xto nqxwp) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Inficerede Mapper:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Inficerede Filer:
c:\WINDOWS\system32\wuaucldt.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmsxsltsso.dll (Trojan.GootKit) -> Delete on reboot.
C:\WINDOWS\system32\svshost.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\syce.xto (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\6.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joan\Lokale indstillinger\Temp\6.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joan\Lokale indstillinger\Temp\D.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Programmer\Internet Explorer\rasadhlp.dll (Trojan.Genome) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2B802A7F-FF41-4FA0-A359-5C8820711637}\RP257\A0071314.dll (Trojan.Genome) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winint.exe (Worm.Cutwail) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\YB04T3JW\1[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp9942.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joan\wuaucldt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxsltsso.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msxslt3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\cdrom.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cdrom.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxslt.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reset5c.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\WINDOWS\system32\wininet.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joan\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joan\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
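As an added example (not from the thread and not Malwarebytes' own code), a small Python check for the two Winlogon hijacks the log above reports: it parses the Bad:/Good: values out of such log lines and flags every Shell or Userinit entry beyond the defaults, which are assumed here to be those of a 32-bit Windows XP install; on a Windows host it reads the live registry values instead.

```python
import re
import sys

# Expected Winlogon values on a 32-bit Windows XP install (assumption for this example).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: the two Winlogon "Data Objekter" lines from the MBAM log in this thread.
SAMPLE_LINES = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) "
    r"-> Bad: (Explorer.exe rundll32.exe syce.xto nqxwp) Good: (Explorer.exe) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) "
    r"-> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.",
]

# Pulls the value name, the Bad: value and the Good: value out of an MBAM hijack line.
MBAM_HIJACK = re.compile(r"\\Winlogon\\(Shell|Userinit) \([^)]*\) -> Bad: \((.*?)\) Good: \((.*?)\)")

def parse_mbam_hijack(line):
    """Return (value_name, bad_value, good_value) for an MBAM Winlogon hijack line, else None."""
    m = MBAM_HIJACK.search(line)
    return m.groups() if m else None

def check_shell(value):
    """Entries in the Shell value (a comma-separated list of commands) other than explorer.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_SHELL]

def check_userinit(value):
    """Entries in the Userinit value (a comma-separated list of paths) other than userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in (EXPECTED_USERINIT, "userinit.exe")]

CHECKS = {"Shell": check_shell, "Userinit": check_userinit}

def audit_mbam_log(lines):
    """Run the checks over the Bad: value of every Winlogon hijack line in an MBAM log."""
    findings = []
    for name, bad, _good in filter(None, map(parse_mbam_hijack, lines)):
        findings.extend((name, entry) for entry in CHECKS[name](bad))
    return findings

def audit_live_registry():
    """Read the current Shell and Userinit values; only works on a Windows host."""
    import winreg  # not available on other platforms
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    shell, _ = winreg.QueryValueEx(key, "Shell")
    userinit, _ = winreg.QueryValueEx(key, "Userinit")
    return [("Shell", e) for e in check_shell(shell)] + [("Userinit", e) for e in check_userinit(userinit)]

if __name__ == "__main__":
    findings = audit_live_registry() if sys.platform == "win32" else audit_mbam_log(SAMPLE_LINES)
    for name, entry in findings:
        print(f"unexpected Winlogon {name} entry: {entry}")
```

On the sample lines it reports the appended rundll32 command in Shell and sdra64.exe in Userinit, which is exactly what Malwarebytes quarantined; a clean machine yields no findings.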
mamme (Beginner)
11 April 2010 - 18:32 #9
Here is the Dr.Web CureIt! log:

1[1].exe    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\NKH2WAUV    Trojan.DownLoader.59802    Incurable.Moved.
1[1].exe    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\NUM26D53    Trojan.DownLoad1.34432    Deleted.
1[1].exe    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\RGQFV5RM    Trojan.Siggen1.17011    Incurable.Moved.
khtd696.sys    C:\WINDOWS\system32\drivers    BackDoor.Gootkit.23    Deleted.
ndis.sys    C:\WINDOWS\system32\drivers    Win32.Lutin    Cured.
gtk17.tmp    C:\DOCUME~1\Joan\LOKALE~1\Temp    Trojan.PWS.Stealer.243    Deleted.
gtk18.tmp    C:\DOCUME~1\Joan\LOKALE~1\Temp    Trojan.PWS.Stealer.243    Deleted.
gtk19.tmp    C:\DOCUME~1\Joan\LOKALE~1\Temp    Trojan.PWS.Stealer.243    Deleted.
gtk1A.tmp    C:\DOCUME~1\Joan\LOKALE~1\Temp    Trojan.PWS.Stealer.243    Deleted.
gtk1B.tmp    C:\DOCUME~1\Joan\LOKALE~1\Temp    Trojan.PWS.Stealer.243    Deleted.
gtk1C.tmp    C:\DOCUME~1\Joan\LOKALE~1\Temp    Trojan.PWS.Stealer.243    Deleted.
gtk6.tmp    C:\DOCUME~1\Joan\LOKALE~1\Temp    Trojan.PWS.Stealer.243    Deleted.
gtkC.tmp    C:\DOCUME~1\Joan\LOKALE~1\Temp    Trojan.PWS.Stealer.243    Deleted.
tmpB64D.tmp    C:\DOCUME~1\Joan\LOKALE~1\Temp    Trojan.MulDrop.38374    Deleted.
tmpC735.tmp    C:\DOCUME~1\Joan\LOKALE~1\Temp    Trojan.Proxy.13371    Deleted.
tmpD270.tmp    C:\DOCUME~1\Joan\LOKALE~1\Temp    Trojan.DownLoad.49872    Deleted.
dont trust me hot new track.mp3    C:\Documents and Settings\Joan\Dokumenter\LimeWire\Saved    Trojan.WMALoader    Cured.
dont trust me hot new track.mp3    C:\Documents and Settings\jdn\Dokumenter\LimeWire\Saved    Trojan.WMALoader    Cured.
strun.exe    C:\Programmer\StartupRun    Tool.StartupRun.122    Renamed.
Dc210.wma    C:\RECYCLER\S-1-5-21-1407415224-3194497751-3613112831-1161    Trojan.WMALoader    Cured.
Dc211.mp3    C:\RECYCLER\S-1-5-21-1407415224-3194497751-3613112831-1161    Trojan.WMALoader    Cured.
Dc219.wma    C:\RECYCLER\S-1-5-21-1407415224-3194497751-3613112831-1161    Trojan.WMALoader    Cured.
A0080448.exe\strun.exe    C:\System Volume Information\_restore{2B802A7F-FF41-4FA0-A359-5C8820711637}\RP259\A0080448.exe    Tool.StartupRun.122   
A0080448.exe    C:\System Volume Information\_restore{2B802A7F-FF41-4FA0-A359-5C8820711637}\RP259    Archive contains infected objects    Moved.
A0081892.sys    C:\System Volume Information\_restore{2B802A7F-FF41-4FA0-A359-5C8820711637}\RP259    BackDoor.Gootkit.23    Deleted.
A0081894.exe    C:\System Volume Information\_restore{2B802A7F-FF41-4FA0-A359-5C8820711637}\RP259    Tool.StartupRun.122    Renamed.
mamme (Beginner)
11 April 2010 - 20:14 #10
It looks a bit messy, doesn't it? But maybe you can make sense of it..
11 April 2010 - 20:29 #11
...LimeWire and an expired antivirus program. So it is perhaps only a matter of time before it goes wrong...

http://www.spywarefri.dk/artikel/farerne-ved-fildeling/

(You can give your sister a rap on the knuckles!!!)

---

Most of it was caught by [Malwarebytes] ...

<f-arn> just continues ...
f-arn (Guru)
11 April 2010 - 21:46 #12
I tried doing a Google search for "reader_s.exe (Trojan.Agent)":
http://www.google.dk/search?as_q=&hl=da&num=10&btnG=Google-s%C3%B8gning&as_epq=%5Creader_s.exe+%28Trojan.Agent%29&as_oq=&as_eq=&lr=&cr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=images
Try reading the results a bit.
One of them was this: http://www.threatexpert.com/files/reader_s.exe.html
Combined with the link I posted to spywarefri
http://www.spywarefri.dk/artikel/ramt-af-virut/
I think you should ask your sister whether she dares trust that PC, or whether it should be reinstalled.
f-arn (Guru)
11 April 2010 - 22:03 #13
By the way - Win32.Lutin from the Dr.Web log is probably also Virut:
http://updates.drweb.com/
mamme (Beginner)
12 April 2010 - 18:36 #14
Yes, I can definitely see that.. there seems to be no other way out than starting from scratch :-( I'll get her to save her pictures and then the PC gets reinstalled.

Is it necessary to use KillDisk?

I'm planning to install Avast! antivirus on it. What other programs are worth considering? Here I'm thinking of anti-spy/malware.

PS. f-arn and karise_larry, thanks for the help; post an answer so you can get points.
12 April 2010 - 18:54 #15
Just make sure to choose FULL formatting during the (re)installation.

http://www.eksperten.dk/artikler/1104

Then remember to get 100% control of
* Driver software matching the hardware
* Service Pack + Windows Update + Windows Update + Windows Update
* A serious security program + updates for it
* Various additional programs
* http://kundeservice.tdc.dk/testcenter/
* etc etc etc ...

Yeees - it isn't just done in ~1 hour *S*
12 April 2010 - 18:54 #16
Ping...
(That was an [answer] - to be shared with <f-arn>!)
f-arn (Guru)
12 April 2010 - 19:20 #17
OK, let the point hunter karise have the points, but but but....
I look forward to malware removal from now on only being handled with ComboFix, DDS, RootRepeal or similar. That is what I will call for, at any rate.
13 April 2010 - 06:27 #18
Thanks for the points...

(You can give your sister a rap on the knuckles regarding LIMEWIRE...)
f-arn (Guru)
13 April 2010 - 13:41 #19
@ karise_larry
Yes, you scored some cheap points here. But but but.....
Next time you try to clear an infected PC based solely on HijackThis, I can promise you I'll be standing ready demanding other logs!!!!!!!!
13 April 2010 - 18:42 #20
Yep - of course!

(I also always use MalwareBytes...)
f-arn (Guru)
14 April 2010 - 00:49 #21
Yes - because you don't dare use serious logs. I have still yet to see you use ComboFix sensibly.