system32mappen åbner ved start

Hent en hijackthis : http://www.arlet.dk/hjt.htm

Så fjerner vi den henvisning

Logfile of HijackThis v1.98.0
Scan saved at 17:19:37, on 25-07-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plab.exe
C:\Programmer\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\CPQDIAG\CPQDFWAG.EXE
C:\PROGRA~1\Compaq\COMPAQ~3\CPQWEB~1\WebDmi.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Programmer\Network Associates\Common Framework\FrameworkService.exe
C:\Programmer\Network Associates\VirusScan\mcshield.exe
C:\Programmer\Network Associates\VirusScan\vstskmgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\Programmer\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~3\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Programmer\Compaq\HotKey Software\hkss.exe
C:\PROGRA~1\Compaq\Security\Secure32.exe
C:\Programmer\Compaq\PowerCon Enhancements\CPQAcDc.Exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\Compaq\COMPAQ~3\CHKADMIN.EXE
C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE
C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe
C:\Programmer\Winamp\Winampa.exe
C:\WINNT\system32\ctfmon.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Lokale indstillinger\Temporary Internet Files\Content.IE5\DSLNU0BM\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jump.altavista.com/avie5/searchpane
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.altavista.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jump.altavista.com/avie5/searchpane
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.altavista.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [hkss] C:\Programmer\Compaq\HotKey Software\hkss.exe
O4 - HKLM\..\Run: [Compaq Computer Security] C:\PROGRA~1\Compaq\Security\Secure32.exe
O4 - HKLM\..\Run: [CPQAcDc] C:\Programmer\Compaq\PowerCon Enhancements\CPQAcDc.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmer\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~3\CHKADMIN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Configuration Loader] svhost.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [DumpFaultCheck] C:\WINNT\System32
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmer\Winamp\Winampa.exe"
O4 - HKLM\..\RunServices: [Configuration Loader] svhost.exe
O4 - HKLM\..\RunServices: [DumpFaultCheck] C:\WINNT\System32
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Configuration Loader] svhost.exe
O4 - HKCU\..\Run: [Configuration L0ader] picorulez.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab

Kig her: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q170/0/86.asp&NoWebContent=1

Flyt først filen Hijackthis til en mappe oprettet kun til den.

Du skal nu til at i gang med at fixe:

Kør Hijackthis, scan, sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked, luk hijackthis igen.
Dobbelttjek, så alt kommer med.


O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Configuration Loader] svhost.exe
O4 - HKLM\..\Run: [DumpFaultCheck] C:\WINNT\System32
O4 - HKLM\..\RunServices: [Configuration Loader] svhost.exe
O4 - HKLM\..\RunServices: [DumpFaultCheck] C:\WINNT\System32
O4 - HKCU\..\Run: [Configuration Loader] svhost.exe
O4 - HKCU\..\Run: [Configuration L0ader] picorulez.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000



Gå i søg og søg i skjulte filer og mapper under avanceret og søg på:
svhost.exe
picorulez.exe

slet alt hvad den finder




Derefter genstarter du og sender en ny log herind, for at se om vi har fået den helt ren.

hmm forstod jeg ikke - gav ingen løsning

svhost.exe kan ikke slettes siger den

Så prøv at starte op i fejlsikret(f8 ved opstart) og slet den derfra.

Ellers:
Find filen med dette program og filen bliver helt sikkert slettet, evt efter genstart:
http://www.spywarefri.dk/tipsogtricks.htm#dr.delete

genstart og ny hijackthis log