moviepass
From : taby
Viewed : 1036 times
80 points
Date : 05-06-06 15:56

Hi.

I really hope someone can help me. The problem is that shortly after I open my internet, a pop-up page appears which, in English, tells me that on 31.05.06 at 01:52 I downloaded a trial version of something called moviepass, and that my 3-day trial period is now over without my having reported back whether I don't want the program. There are two of us using the PC and neither of us has downloaded it, and besides, we were both in bed at the time. How do I get that pop-up window to stop? It can't be closed until some time has passed and a little film has played with some office mouse or other explaining how I pay. It tells me what my IP address is, along with a customer ID.


 
 
Comment
From : stl_s


Date : 05-06-06 16:08

Scam and fraud.

Download HijackThis here http://www.spywarefri.dk/downloads1/hijackthis.exe

Click "Do a system scan and save a logfile". Paste the log here into the thread, and I'll give you instructions for getting rid of the junk.

Comment
From : miritdk


Date : 05-06-06 16:11

Find the program - either under Start - Programs, where there may be an uninstall that can remove most of it - or under Control Panel - Add/Remove Programs - and remove it. Then go into Explorer and find the folder with the program's name - right-click and delete.
Go to Start - Run - type regedit - find HKEY_LOCAL_MACHINE - find Software - find the folder with the program's name again - right-click and delete.

Then download this little program, run a scan and delete only what is "safe to delete":
http://www.tucows.com/preview/355220?_mid=000001279

Restart.

Run a new scan with RegCleaner again to be sure, and again delete only what is "safe to delete".





Comment
From : miritdk


Date : 05-06-06 16:12

Right, scam and fraud.



Comment
From : taby


Date : 05-06-06 16:16

Hi.

I hope this will help. I have tried several different virus scans etc. without result.

The logfile is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 16:05:21, on 05-06-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\HP\HP Software Update\HPWuSchd.exe
C:\Programmer\HP\Digital Imaging\Promotions\HPpromo.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRAMMER\LICENSE_MANAGER\LICENSE_MANAGER.EXE
C:\PROGRAMMER\WIDCOMM\BLUETOOTH-SOFTWARE\BTTRAY.EXE
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRAMMER\INTERNET EXPLORER\IEXPLORE.EXE
C:\Programmer\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=1030
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {AC0E20EE-A530-FACA-2002-3F72A2B58DC2} - atl_helper.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Programmer\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programmer\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [NI.UWA6PK_0001_N73M1204] "C:\Documents and Settings\Ejer\Lokale indstillinger\Temporary Internet Files\Content.IE5\8XY341AN\WinAntiVirusPro2006FreeInstall_dk[1].exe" -nag
O4 - HKLM\..\Run: [NukeSpan] MsNetHelper.exe
O4 - HKLM\..\Run: [sysmon12] nmdllw.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [License Manager] "C:\PROGRAMMER\LICENSE_MANAGER\LICENSE_MANAGER.EXE " /silent
O4 - HKCU\..\Run: [abrek] killall.exe
O4 - HKCU\..\Run: [xxtoolbar] NopeZ.exe
O4 - HKCU\..\Run: [sbin] xsetup.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148055180968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148055296186
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8472FDD-7459-4A49-8CBA-429C1272D6B0}: NameServer = 85.255.116.83,85.255.112.127
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\Fælles filer\PCSuite\Services\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Regards, Tom Brix.

Comment
From : miritdk


Date : 05-06-06 16:17

Follow stl_s's advice and you'll be rid of all the junk.

Comment
From : stl_s


Date : 05-06-06 16:31

There are a lot of nasty things in that log; among other things, your DNS has been moved to Ukraine, but we'll fix that.

1. Download SmitfraudFix.zip and unpack it to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

The program unpacks into a folder called SmitfraudFix.


2. Download this scanner http://www.superantispyware.com/downloads/SUPERAntiSpyware1241.exe

Install the scanner and update it manually. NOTE: during installation you will be asked to register with your email. You don't need to do that.

Don't scan yet.


3. Restart in Safe Mode; if you don't know how, look here:

http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1


4. Open the SmitfraudFix folder you got on your Desktop, double-click SmitfraudFix.cmd and press 2 - answer yes to clean (y=yes). Let the program complete a cleaning. If the fix restarts the computer, boot into Safe Mode again afterwards and continue the procedure with SuperAntiSpyware.


5. Start SuperAntiSpyware and click "Scan your computer". Tick your drives on the left side of the window. On the right side of the window, select "Perform Complete Scan". Click "Next"; it now scans. When it's done, select what it finds and let the scanner remove it.

Restart into normal mode (the scanner may offer to do this).


6. Open the scanner again and click "Preferences" -> "Statistics/Logs". Select the log and click "View log". Paste the log here into the thread, together with a fresh HijackThis log. SmitfraudFix also creates a small text file (log). Paste that log in as well.
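
The lines stl_s is reacting to (the O17 NameServer entry, the O4 Run entries and the orphaned R3 hook) can be triaged mechanically rather than by eye. The script below is an added example for this page, not one of the tools used in the thread. The sample lines are copied from taby's first HijackThis log above; the checks themselves and the TRUSTED_NAMESERVER_NETS list (which assumes a home router in RFC 1918 space is the only expected resolver) are this example's own assumptions, and a reader should add their ISP's resolver addresses to that list before trusting the "dns_hijack" result.

```python
"""Triage a HijackThis v1.99 log for the indicators discussed in this thread.

Added example for this page; it is not a tool from the original posts.
The sample lines are copied from the first HijackThis log taby posted.
Everything else (the checks, the TRUSTED_NAMESERVER_NETS assumption) is
this example's own.
"""
import ipaddress
import re

# Assumption: on a home PC the only nameserver Windows should hold is the
# router (RFC 1918 space). Add your ISP's resolvers here; any NameServer
# outside these ranges is reported as a DNS hijack.
TRUSTED_NAMESERVER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: lines taken verbatim from taby's first log, including
# the benign nwiz/pccguide/NVSvc lines so the checks have something to ignore.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {AC0E20EE-A530-FACA-2002-3F72A2B58DC2} - atl_helper.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programmer\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [NI.UWA6PK_0001_N73M1204] "C:\Documents and Settings\Ejer\Lokale indstillinger\Temporary Internet Files\Content.IE5\8XY341AN\WinAntiVirusPro2006FreeInstall_dk[1].exe" -nag
O4 - HKLM\..\Run: [NukeSpan] MsNetHelper.exe
O4 - HKLM\..\Run: [sysmon12] nmdllw.exe
O4 - HKCU\..\Run: [abrek] killall.exe
O4 - HKCU\..\Run: [xxtoolbar] NopeZ.exe
O4 - HKCU\..\Run: [sbin] xsetup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8472FDD-7459-4A49-8CBA-429C1272D6B0}: NameServer = 85.255.116.83,85.255.112.127
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")


def executable_of(cmd):
    """Return the program part of a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text, trusted_nets=TRUSTED_NAMESERVER_NETS):
    """Return (severity, kind, detail) tuples for the log lines worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            for ip in m.group("servers").split(","):
                addr = ipaddress.ip_address(ip)
                if not any(addr in net for net in trusted_nets):
                    findings.append(("high", "dns_hijack", ip))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if "temporary internet files" in exe.lower():
                # An autostart that points into the IE cache is never legitimate.
                findings.append(("high", "run_from_browser_cache", exe))
            elif "\\" not in exe:
                # A bare name is resolved via the PATH search at logon, so the
                # log does not tell you what actually runs. Legitimate vendors
                # do this too (nwiz.exe here), hence "review" rather than "high".
                findings.append(("review", "bare_run_entry", f"[{m.group('name')}] {exe}"))
            continue
        if line.startswith("R3 - URLSearchHook") and "(file missing)" in line:
            clsid = line.split(" - ")[-2]
            findings.append(("review", "orphaned_urlsearchhook", clsid))
    return findings


def counts_by_kind(findings):
    """Summarise a findings list as {kind: count}."""
    out = {}
    for _, kind, _ in findings:
        out[kind] = out.get(kind, 0) + 1
    return out


if __name__ == "__main__":
    for sev, kind, detail in triage(SAMPLE_LOG):
        print(f"{sev:6} {kind:24} {detail}")
```

On the sample it reports both 85.255.x.x resolvers as a DNS hijack, the WinAntiVirusPro installer launched from the IE cache as high, and pulls up the six bare-name Run entries plus the orphaned URLSearchHook CLSID for review. The "review" bucket is deliberately not an automatic kill list: nwiz.exe lands in it alongside killall.exe and NopeZ.exe, and separating the two needs a look at the file on disk, which is exactly what the scanners stl_s recommends do next.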

Comment
From : taby


Date : 05-06-06 19:49

Hi again.

It looks like my girlfriend's little brother has been having some fun. He was here for a few days last week, and it does look like some not-so-smart sites have been visited. I hope the PC can be cleaned so it doesn't have to be formatted.

Here is what you need (I think):

Logfile of HijackThis v1.99.1
Scan saved at 17:41:55, on 05-06-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\HP\HP Software Update\HPWuSchd.exe
C:\Programmer\HP\Digital Imaging\Promotions\HPpromo.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRAMMER\WIDCOMM\BLUETOOTH-SOFTWARE\BTTRAY.EXE
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=1030
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {AC0E20EE-A530-FACA-2002-3F72A2B58DC2} - atl_helper.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Programmer\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programmer\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [NI.UWA6PK_0001_N73M1204] "C:\Documents and Settings\Ejer\Lokale indstillinger\Temporary Internet Files\Content.IE5\8XY341AN\WinAntiVirusPro2006FreeInstall_dk[1].exe" -nag
O4 - HKLM\..\Run: [NukeSpan] MsNetHelper.exe
O4 - HKLM\..\Run: [sysmon12] nmdllw.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [abrek] killall.exe
O4 - HKCU\..\Run: [xxtoolbar] NopeZ.exe
O4 - HKCU\..\Run: [sbin] xsetup.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148055180968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148055296186
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8472FDD-7459-4A49-8CBA-429C1272D6B0}: NameServer = 85.255.116.83,85.255.112.127
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\Fælles filer\PCSuite\Services\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



SmitFraudFix v2.54

Scan done at 16:53:44,10, 05-06-2006
Run from C:\Documents and Settings\Ejer\Skrivebord\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



SUPERAntiSpyware Scan Log
Generated 06/05/2006 at 05:32 PM

Core Rules Database Version : 2964
Trace Rules Database Version: 1066

Memory threats detected : 0
Registry threats detected : 22
File threats detected : 59

Adware.Tracking Cookie
   C:\Documents and Settings\Ejer\Cookies\ejer@atdmt[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@i.screensavers[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@www.webstat[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@adtech[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@ads.realtechnetwork[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@adfair[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@microsoftwga.112.2o7[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@www.screensavers[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@winantivirus[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@ad.zanox[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@2o7[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@e2.emediate[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@click.dpbill[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@dk.winantivirus[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@cgi-bin[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@stats1.reliablestats[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@t2[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@click.fantasypromotion[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@ads.vitalix[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@1067521262[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@brutal.familysex[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@as1.falkag[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@planet[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@image.masterstats[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@microsofteup.112.2o7[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@www.sexualviolence[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@1070712337[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@adserver.banneradministration[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@movieland[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@1067824383[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@mediaplex[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@advertising[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@programs.wegcash[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@t2[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@winfixer[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@ad1.emediate[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@www.forcedsex[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@stat.dealtime[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@toplist[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@www.winantivirus[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@ads2.jubii[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@private.familysex[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@adopt.euroclick[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@ads.vg.basefarm[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@track.adform[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@xml.bravenetmedianetwork[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@www.movieland[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@fhg.best-sex-galleries[1].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@ad.yieldmanager[2].txt
   C:\Documents and Settings\Ejer\Cookies\ejer@momneedsex[2].txt
   C:\Documents and Settings\Tina Koch\Cookies\tina koch@adserver.banneradministration[2].txt
   C:\Documents and Settings\Tina Koch\Cookies\tina koch@advertising[1].txt
   C:\Documents and Settings\Tina Koch\Cookies\tina koch@indextools[1].txt
   C:\Documents and Settings\Tina Koch\Cookies\tina koch@server.iad.liveperson[1].txt
   C:\Documents and Settings\Tina Koch\Cookies\tina koch@tradedoubler[2].txt

Adware.MovieLand/MediaPipe
   HKCR\MPAgent.Agent
   HKCR\MPAgent.Agent\CLSID
   HKCR\MPAgent.Agent\CurVer
   HKCR\MPAgent.Agent.1
   HKCR\MPAgent.Agent.1\CLSID
   HKCR\AppId\MPAgent.DLL
   HKCR\AppId\MPAgent.DLL#AppID
   HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}
   HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}#AppID
   HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}\InprocServer32
   HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}\InprocServer32#ThreadingModel
   HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}\ProgID
   HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}\Programmable
   HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}\TypeLib
   HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}\VersionIndependentProgID
   HKCR\TypeLib\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}
   HKCR\TypeLib\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}\1.0
   HKCR\TypeLib\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}\1.0\0
   HKCR\TypeLib\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}\1.0\0\win32
   HKCR\TypeLib\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}\1.0\FLAGS
   HKCR\TypeLib\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}\1.0\HELPDIR
   C:\Programmer\fsupport\notifier.exe
   C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP52\A0011722.exe
   C:\WINDOWS\Prefetch\NOTIFIER.EXE-178F0AFB.pf

Trojan.WinAntiSpyware/WinAntiVirus 2006
   HKLM\Software\WinAntiVirus Pro 2006

Adware.SBSoft
   C:\WINDOWS\system32\sxrqo.dll


I really hope this can be fixed......

Comment
From : stl_s


Date : 05-06-06 20:02

Yep, it should be salvageable without formatting. Now we just need to finish off those Ukrainians (and a bit more).

1. Download FixWareout from one of these links:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

2. Download this scanner to the desktop ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Wait before running it.


3. Boot into Safe Mode (press F8 repeatedly during startup). If you can't, see here http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1


4. Save the file (Fixwareout) on your desktop and double-click it. Click Next -> Install and check that "Run fixit" is ticked - then click Finish. The fix will now start, and you just follow the instructions. You will be asked to restart your computer, so just do that. The restart will take a little longer than usual.


5. When your system restarts, keep following the instructions shown on screen. When the fix is finished, a log (report.txt) will open, which you should save and post here in your next post.


6. Restart into Safe Mode again. Double-click drweb-cureit.exe. It will run an express scan; say yes to that.

When it says "Select object for scanning" at the bottom left, click Options -> Change settings.

Switch to the Scan tab and untick Heuristic analysis.

Switch to the Actions tab. Under ADWARE, set it to DELETE. All other items under MALWARE are set to MOVE. Click APPLY and OK. Untick PROMPT ON ACTION.

Click the drives you want scanned. A red dot appears, showing that they are selected.

Click the green arrow on the right-hand side of the page to start the scan.


When the scan is finished, find the Dr Web folder on your main drive, typically the C drive, and find CUREIT.LOG. Scroll all the way to the bottom of the log, where it says SCAN PATH and SCAN STATISTICS (ONLY the bottom part), and paste that in here.


7. Restart into normal mode and post a fresh HijackThis log, together with the other logs from Fixwareout and Dr Web.


Comment
From : stl_s


Date : 05-06-06 20:11

Regarding the Dr Web scanner: Kandu apparently won't accept ftp links, so you'll have to copy the address into your browser to download it:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Comment
From : taby


Date : 06-06-06 14:18

Hi again.

Here are the new logs:

Logfile of HijackThis v1.99.1
Scan saved at 14:08:25, on 06-06-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\HP\HP Software Update\HPWuSchd.exe
C:\Programmer\HP\Digital Imaging\Promotions\HPpromo.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRAMMER\WIDCOMM\BLUETOOTH-SOFTWARE\BTTRAY.EXE
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRAMMER\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=1030
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {AC0E20EE-A530-FACA-2002-3F72A2B58DC2} - atl_helper.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Programmer\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programmer\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [NI.UWA6PK_0001_N73M1204] "C:\Documents and Settings\Ejer\Lokale indstillinger\Temporary Internet Files\Content.IE5\8XY341AN\WinAntiVirusPro2006FreeInstall_dk[1].exe" -nag
O4 - HKLM\..\Run: [NukeSpan] MsNetHelper.exe
O4 - HKLM\..\Run: [sysmon12] nmdllw.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [abrek] killall.exe
O4 - HKCU\..\Run: [xxtoolbar] NopeZ.exe
O4 - HKCU\..\Run: [sbin] xsetup.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148055180968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148055296186
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8472FDD-7459-4A49-8CBA-429C1272D6B0}: NameServer = 85.255.116.83,85.255.112.127
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\Fælles filer\PCSuite\Services\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\baimd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
...

Random Runs removed from HKLM
"dmiab.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSRRL.EXE

»»»»» Misc files

»»»»» Checking for older variants covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSRRL.EXE 51.242 2006-06-02
C:\WINDOWS\SYSTEM32\DMCPL.EXE 266.240 2002-05-03
C:\WINDOWS\SYSTEM32\DMIAB.EXE 44.041 2004-08-27


[Scan path] C:\
C:\Documents and Settings\Ejer\NTUSER.DAT - read error
C:\Documents and Settings\Ejer\NTUSER~1.LOG - read error
C:\Documents and Settings\Ejer\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat - read error
C:\Documents and Settings\Ejer\Lokale indstillinger\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Documents and Settings\Ejer\Skrivebord\SmitfraudFix\SmitfraudFix\Process.exe is hacktool program Tool.Prockill - moved
C:\Documents and Settings\LocalService\NTUSER.DAT - read error
C:\Documents and Settings\LocalService\NTUSER~1.LOG - read error
C:\Documents and Settings\LocalService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat - read error
C:\Documents and Settings\LocalService\Lokale indstillinger\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Documents and Settings\NetworkService\NTUSER.DAT - read error
C:\Documents and Settings\NetworkService\NTUSER~1.LOG - read error
C:\Documents and Settings\NetworkService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat - read error
C:\Documents and Settings\NetworkService\Lokale indstillinger\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\RECYCLER\S-1-5-21-1801674531-1343024091-725345543-1003\Dc1.exe infected with Trojan.Hoster - deleted
>C:\RECYCLER\S-1-5-21-1801674531-1343024091-725345543-1003\Dc2.exe infected with Trojan.Fakealert - deleted
>C:\RECYCLER\S-1-5-21-1801674531-1343024091-725345543-1003\Dc3.exe infected with Trojan.Click.526 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP44\A0007165.exe infected with Trojan.DnsChange - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP44\A0008140.exe infected with Trojan.DnsChange - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP44\A0009138.exe infected with Trojan.DnsChange - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP45\A0009173.exe infected with Trojan.DnsChange - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP46\A0009199.exe infected with Trojan.DnsChange - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP46\A0010195.exe infected with Trojan.DnsChange - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP46\A0010209.exe infected with Trojan.DnsChange - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP47\A0011208.exe infected with Trojan.DnsChange - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP47\A0011221.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP47\A0011228.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP47\A0011241.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP47\A0011247.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP48\A0011260.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP48\A0011277.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP49\A0011327.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP49\A0011343.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP49\A0011350.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP49\A0011355.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP49\A0011371.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP49\A0011376.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP51\A0011612.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP51\A0011617.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP52\A0011730.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP52\A0011755.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP52\A0011760.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP52\A0011776.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP52\A0011781.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP53\A0011804.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP53\A0011808.exe infected with Trojan.DownLoader.9145 - deleted
C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP53\A0011817.dll is adware program Adware.QuickLinks - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP53\A0011819.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP53\A0011823.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP54\A0011857.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP54\A0011864.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP54\A0011875.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP54\A0011880.exe infected with Trojan.DownLoader.5401 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP54\A0011894.exe infected with Trojan.DownLoader.9145 - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP54\A0011898.exe infected with Trojan.DownLoader.9145 - deleted
C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP54\A0011919.exe is hacktool program Tool.Prockill - moved
C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP54\A0011920.exe infected with Trojan.Hoster - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP54\A0011921.exe infected with Trojan.Fakealert - deleted
>C:\System Volume Information\_restore{6A0BDE2F-EFD5-4C5D-BB77-F53707F80108}\RP54\A0011922.exe infected with Trojan.Click.526 - deleted
>C:\WINDOWS\system32\csrrl.exe infected with Trojan.DownLoader.9145 - deleted
>C:\WINDOWS\system32\dmiab.exe infected with Trojan.DownLoader.5401 - deleted
C:\WINDOWS\system32\Process.exe is hacktool program Tool.Prockill - moved
C:\WINDOWS\system32\config\default - read error
C:\WINDOWS\system32\config\default.LOG - read error
C:\WINDOWS\system32\config\SAM - read error
C:\WINDOWS\system32\config\SAM.LOG - read error
C:\WINDOWS\system32\config\SECURITY - read error
C:\WINDOWS\system32\config\SECURITY.LOG - read error
C:\WINDOWS\system32\config\software - read error
C:\WINDOWS\system32\config\software.LOG - read error
C:\WINDOWS\system32\config\system - read error
C:\WINDOWS\system32\config\system.LOG - read error


Scan statistics

Objects scanned: 139977
Infected objects found: 45
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 1
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 3
Objects cured: 0
Objects deleted: 46
Objects renamed: 0
Objects moved: 3
Objects ignored: 0
Scan speed: 305 Kb/s
Scan time: 00:41:05


Hope it's of some help; to me it's all gibberish...

Comment
From: stl_s


Date: 06-06-06 16:32

Sure, that makes sense to me. There's a bit more work still:

To be able to see all files and folders, do this: http://www.spywareinfo.dk/#/tip-og-tricks/mappeindstillinger.htm

Then do this:

Click "Start" - choose "Search".
Click the "Change preferences" link.
Click "Change files and folders search behavior".
Select "Advanced" and click OK.
Click "All files and folders".
Click "More advanced options".
Tick the top three.


We need these files checked. They may be legitimate, but they may also be infected. Upload them for scanning here and come back with the result: http://www.virustotal.com/en/indexf.html

C:\WINDOWS\SYSTEM32\DMCPL.EXE

C:\WINDOWS\SYSTEM32\DMIAB.EXE

xsetup.exe

Some of them may be gone.

Comment
From: taby


Date: 07-06-06 09:35

Hi again.

I uploaded C:\WINDOWS\SYSTEM32\DMCPL.EXE and no virus was found.

The other file I can't find ???

Comment
From: stl_s


Date: 07-06-06 16:31

Bear with me for being a bit of a pain now, but I want to be completely sure about those files.

Try right-clicking DMCPL.EXE and choosing Properties. See if you can find a manufacturer name, and possibly a version number. Also check when the file was created and what size it is. Post the results here.

Did you try to find DMIAB.EXE via Start/Search? If not, give it a try, and if you do find it, check its details too and post them here.

Let me also see a fresh HijackThis log.
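The details requested in the post above (company, version, creation date, size) come from the file's own version resource and from the filesystem, and a dropped binary can carry any company name it likes. The checks worth pairing with them are ones that don't rely on that metadata: a cryptographic hash to look up at VirusTotal, the exact byte size to compare with what the scanner listed (Fixwareout reported DMCPL.EXE at 266.240 bytes above), and the link-time timestamp in the PE file header, which hand-built droppers often leave at zero or set in the future. The script below is an added example written for this thread, not code from the thread's participants or from HijackThis, Fixwareout or any other tool mentioned here. `triage_file` is what you would point at C:\WINDOWS\SYSTEM32\DMCPL.EXE; `build_minimal_pe` constructs a stand-in image so the script runs offline, and the zero/future-timestamp and size-mismatch remarks in `review_notes` are assumptions about what merits a second look, not detection signatures.

```python
import hashlib
import struct
import time
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64"}
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"


def triage_bytes(data: bytes) -> dict:
    """Hash, size and PE header facts for a file image; nothing here reads the version resource."""
    info = {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),  # VirusTotal search accepts MD5, SHA-1 or SHA-256
        "is_pe": False,
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    header_end = e_lfanew + 4 + struct.calcsize(COFF_HEADER_FMT)
    if header_end > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, nsections, timestamp, _, _, _, _ = struct.unpack_from(COFF_HEADER_FMT, data, e_lfanew + 4)
    info.update(
        is_pe=True,
        machine=MACHINE_NAMES.get(machine, hex(machine)),
        sections=nsections,
        link_timestamp=timestamp,
        link_time=datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
    )
    return info


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


def review_notes(info: dict, reported_size=None, now=None) -> list:
    """Heuristic remarks (assumptions, not signatures) that justify a closer look at the file."""
    now = time.time() if now is None else now
    notes = []
    if not info["is_pe"]:
        notes.append("not a PE image; an .exe that is not PE is either corrupt or disguised")
    elif info["link_timestamp"] == 0:
        notes.append("link timestamp is zero")
    elif info["link_timestamp"] > now:
        notes.append("link timestamp is in the future")
    if reported_size is not None and reported_size != info["size"]:
        notes.append(f"size {info['size']} differs from the {reported_size} bytes the scanner listed")
    return notes


def build_minimal_pe(timestamp: int, machine: int = 0x014C) -> bytes:
    """Constructed stand-in image: a DOS header pointing at a PE signature plus COFF header, nothing more."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack(COFF_HEADER_FMT, machine, 3, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 64


if __name__ == "__main__":
    image = build_minimal_pe(1_000_000_000)  # constructed image; use triage_file(path) on a real one
    facts = triage_bytes(image)
    for key in ("size", "sha256", "machine", "sections", "link_time"):
        print(f"{key}: {facts[key]}")
    for note in review_notes(facts, reported_size=266240):
        print("note:", note)
```

The hash is the useful part: searching VirusTotal for it tells you whether the exact file has been seen before without uploading anything, and the size and timestamp give you two cheap facts the Properties dialog does not show.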

Comment
From: taby


Date: 07-06-06 18:07

Hi again.

I've tried to find the last file again, but it isn't there.

The first one was created on 19/5-2006 (the hard disk was replaced in mid-May)
Company: NVIDIA CORPORATION
Version: 6.13.10.2942
Size: 260 KB


Logfile of HijackThis v1.99.1
Scan saved at 17:55:21, on 07-06-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\HP\HP Software Update\HPWuSchd.exe
C:\Programmer\HP\Digital Imaging\Promotions\HPpromo.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRAMMER\WIDCOMM\BLUETOOTH-SOFTWARE\BTTRAY.EXE
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRAMMER\INTERNET EXPLORER\IEXPLORE.EXE
C:\Programmer\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=1030
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {AC0E20EE-A530-FACA-2002-3F72A2B58DC2} - atl_helper.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Programmer\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programmer\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [NI.UWA6PK_0001_N73M1204] "C:\Documents and Settings\Ejer\Lokale indstillinger\Temporary Internet Files\Content.IE5\8XY341AN\WinAntiVirusPro2006FreeInstall_dk[1].exe" -nag
O4 - HKLM\..\Run: [NukeSpan] MsNetHelper.exe
O4 - HKLM\..\Run: [sysmon12] nmdllw.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [abrek] killall.exe
O4 - HKCU\..\Run: [xxtoolbar] NopeZ.exe
O4 - HKCU\..\Run: [sbin] xsetup.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148055180968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148055296186
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\Fælles filer\PCSuite\Services\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Had I known beforehand how much work this would be, I'd probably have formatted the hard disk, but now we're well under way.

Comment
From: stl_s


Date: 07-06-06 19:07

I can understand you find this tedious, but it was a proper bucket of muck you'd picked up. But okay, we're nearly there now.


Run a scan with HijackThis so you can see all the files. Close all windows, tick these lines, and click "Fix checked".


R3 - URLSearchHook: (no name) - {AC0E20EE-A530-FACA-2002-3F72A2B58DC2} - atl_helper.dll (file missing)
O4 - HKLM\..\Run: [NI.UWA6PK_0001_N73M1204] "C:\Documents and Settings\Ejer\Lokale indstillinger\Temporary Internet Files\Content.IE5\8XY341AN\WinAntiVirusPro2006FreeInstall_dk[1].exe" -nag
O4 - HKLM\..\Run: [NukeSpan] MsNetHelper.exe
O4 - HKLM\..\Run: [sysmon12] nmdllw.exe
O4 - HKCU\..\Run: [abrek] killall.exe
O4 - HKCU\..\Run: [xxtoolbar] NopeZ.exe
O4 - HKCU\..\Run: [sbin] xsetup.exe

Check that these files have been deleted by the scanners. If you find any of them, they must be deleted in Safe Mode:


* xsetup.exe << This file
* NopeZ.exe << This file
* killall.exe << This file
* nmdllw.exe << This file
* MsNetHelper.exe << This file
* atl_helper.dll << This file

* Find them via Start > Search

Run a final check with Ewido micro: http://download.ewido.net/ewido_micro.exe

Then post a hopefully final HijackThis log, and if Ewido finds anything, paste its report in too.
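The entries picked out for fixing in the post above follow a few rules that can be applied mechanically to the log itself: an autostart that runs out of the browser cache (Temporary Internet Files / Content.IE5), an autostart given as a bare filename with no directory that is not on a per-machine accept list, and a URLSearchHook whose DLL HijackThis reports as missing. The script below is an added example written for this thread, not code from the participants or from HijackThis, and it runs those rules over an excerpt of the 07-06-2006 log posted above. The accept list (nwiz.exe, SOUNDMAN.EXE, ctfmon.exe) and the suspicious-directory markers are assumptions for this machine, not general rules; a bare filename only means the file sits somewhere in the search path (usually System32), so every hit still needs the on-disk check the helper asks for before anything is deleted.

```python
import re
from typing import NamedTuple

# Excerpt of the HijackThis v1.99.1 log posted in this thread on 07-06-2006.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {AC0E20EE-A530-FACA-2002-3F72A2B58DC2} - atl_helper.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NI.UWA6PK_0001_N73M1204] "C:\Documents and Settings\Ejer\Lokale indstillinger\Temporary Internet Files\Content.IE5\8XY341AN\WinAntiVirusPro2006FreeInstall_dk[1].exe" -nag
O4 - HKLM\..\Run: [NukeSpan] MsNetHelper.exe
O4 - HKLM\..\Run: [sysmon12] nmdllw.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [abrek] killall.exe
O4 - HKCU\..\Run: [xxtoolbar] NopeZ.exe
O4 - HKCU\..\Run: [sbin] xsetup.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: .* - (\S+) \(file missing\)$")

# Assumption: bare-filename autostarts already established as legitimate on this machine.
KNOWN_GOOD_BARE = {"nwiz.exe", "soundman.exe", "ctfmon.exe"}

# Assumption: directories a legitimate autostart should never point into (matched case-insensitively).
SUSPECT_DIR_MARKERS = ("\\temporary internet files\\", "\\content.ie5\\", "\\temp\\")


class Finding(NamedTuple):
    entry: str      # the O4 value name or the R3 DLL name
    line: str       # the original log line
    reasons: tuple  # why it was flagged


def split_command(command: str) -> str:
    """Return the executable part of a Run value, handling quoted paths with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def classify_run_entry(command: str) -> list:
    image = split_command(command)
    lowered = image.lower()
    reasons = []
    if any(marker in lowered for marker in SUSPECT_DIR_MARKERS):
        reasons.append("autostart runs from a temporary or browser-cache directory")
    if "\\" not in image and lowered not in KNOWN_GOOD_BARE:
        reasons.append("bare filename with no directory, not on the accept list")
    return reasons


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            _hive, name, command = m.groups()
            reasons = classify_run_entry(command)
            if reasons:
                findings.append(Finding(name, line, tuple(reasons)))
            continue
        m = R3_RE.match(line)
        if m:
            findings.append(Finding(m.group(1), line, ("URLSearchHook registered for a DLL that is missing",)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry}: {'; '.join(f.reasons)}")
        print(f"    {f.line}")
```

On the excerpt this flags exactly the seven lines listed for fixing and nothing else; the two bare but legitimate entries (nwiz.exe, SOUNDMAN.EXE) pass only because they are on the accept list, which is the part you have to maintain per machine.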

Comment
From: taby


Date: 09-06-06 11:23

Hi

Here is a fresh HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 11:13:30, on 09-06-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\HP\HP Software Update\HPWuSchd.exe
C:\Programmer\HP\Digital Imaging\Promotions\HPpromo.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRAMMER\WIDCOMM\BLUETOOTH-SOFTWARE\BTTRAY.EXE
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\Programmer\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=1030
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Programmer\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programmer\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [NI.UWA6PK_0001_N73M1204] "C:\Documents and Settings\Ejer\Lokale indstillinger\Temporary Internet Files\Content.IE5\8XY341AN\WinAntiVirusPro2006FreeInstall_dk[1].exe" -nag
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148055180968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148055296186
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\Fælles filer\PCSuite\Services\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

And the other one:

__________________________________________________
ewido anti-malware online scanner
   http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Tradedoubler
Path: C:\Documents and Settings\Ejer\Cookies\ejer@tradedoubler[2].txt
Risk: Medium

The files that were to be deleted have been deleted.

Accepted answer
From: stl_s

Received 80 points
Date: 09-06-06 20:24

That looks fine. There's just this one, which is apparently a bit stubborn:

O4 - HKLM\..\Run: [NI.UWA6PK_0001_N73M1204] "C:\Documents and Settings\Ejer\Lokale indstillinger\Temporary Internet Files\Content.IE5\8XY341AN\WinAntiVirusPro2006FreeInstall_dk[1].exe" -nag

You need to empty the temp files now anyway, so see whether this tool doesn't catch it:

Download ATF Cleaner here: http://www.atribune.org/content/view/19/2/

Start ATF Cleaner. Tick "Select all". Click "Empty selected".

If it's gone from the log now, you can finish off with this:

After a virus/spyware attack it's always a good idea to clean out the System Restore files. Disable System Restore (http://www.spywarefri.dk/virusscannere.htm#alle) - restart your computer - enable System Restore.

Link to securing your computer: http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

Remember to "hide" your files again if you have display of hidden files enabled.

Then the machine should be clean again.


Answer approval
From: taby


Date: 12-06-06 14:43

Thanks for the answer, stl_s. It was a bit of a jungle to get through for someone who knows what a PC is, but here we were well beyond my own abilities.

Regards, Tom Brix

Comment
From: stl_s


Date: 12-06-06 17:10

You're welcome, and thanks for the points.


