Backdoor kan ikke fjernes

http://www.sarc.com/avcenter/venc/data/backdoor.agent.b.html

Prøv denne nye antivirus scanner : http://www.arlet.dk/mwti.htm
Den finder og fjerner næsten alt..

Lige til zenorph ... jeg har fjernet punkt tre i vejledningen, men kan ikke finde punkt 2

efter den scanning med mwti, kan du lægge en hijackthis http://www.arlet.dk/hjt.htm så kan vi måske få ram på den med den, hvis det andet glipper.

Og så lige arlet ... er det ikke den virusscanner jeg har beskrevet ovenfor ??

Jo, det kunne det godt tyde på*S*

Fandt det program ikke noget???

Kom med den hijackthis, så kigger vi på den..

Logfile of HijackThis v1.97.7
Scan saved at 16:51:55, on 01-08-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\yrjsncjt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Firebird\bin\ibserver.exe
C:\Programmer\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
c:\programmer\internet explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Compaq\LOKALE~1\Temp\mwavscan.com
C:\DOCUME~1\Compaq\LOKALE~1\Temp\kavss.exe
C:\Documents and Settings\Compaq\Skrivebord\HijackThis.exe
C:\Programmer\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://look-today.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ampplapkdsg.uk/sKTMxvfq5uraMAV3W5JlLzJwkJn8yXwmLGSR2MA9bfpENUDPPkExdNJaGdMX92S/.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BA80D1D-E361-F17A-3469-03B35F707E7B} - C:\PROGRA~1\WARNLO~1\cast chin.exe
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\Programmer\PopupPopper\PopLib.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Programmer\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [qjgavjph] C:\WINDOWS\System32\yrjsncjt.exe
O4 - HKLM\..\Run: [SpamMath] C:\PROGRA~1\RDRROA~1\camp idol.exe
O4 - HKLM\..\Run: [Lite Default Option Part] C:\Documents and Settings\All Users\Application Data\vga extra lite default\stylestart.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Firebird Database Engine.lnk = C:\Programmer\Firebird\bin\ibserver.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: PopupPopper Kontrol Panel (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://netplayer.swdc.dk/Rawflow.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030523/qtinstall.info.apple.com/drakken/dk/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.557025463
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab
O16 - DPF: {ABCCB0F0-514E-4BA6-989D-C67E5DBC2946} - https://download.danskebank.dk/download/keydownload/DB/KeyDownload.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab

kigger den igennem.

Der ligger noget snavs, kan jeg umiddelbart se..

Håber det kan bruges

ok

Flyt først filen Hijackthis til en mappe oprettet kun til den.

Du skal nu til at i gang med at fixe:

Deaktiver systemgendannelse:
http://www.arlet.dk/systemgendannelsen.htm

Kør Hijackthis, scan, sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked, luk hijackthis igen.
Dobbelttjek, så alt kommer med.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://look-today.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ampplapkdsg.uk/sKTMxvfq5uraMAV3W5JlLzJwkJn8yXwmLGSR2MA9bfpENUDPPkExdNJaGdMX92S/.jsp

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {1BA80D1D-E361-F17A-3469-03B35F707E7B} - C:\PROGRA~1\WARNLO~1\cast chin.exe

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [qjgavjph] C:\WINDOWS\System32\yrjsncjt.exe
O4 - HKLM\..\Run: [SpamMath] C:\PROGRA~1\RDRROA~1\camp idol.exe
O4 - HKLM\..\Run: [Lite Default Option Part] C:\Documents and Settings\All Users\Application Data\vga extra lite default\stylestart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab



--------------------------------------------------------------------

Åbn en tilfældig mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

--------------------------------------------------------------------

Find og slet manuelt i fejlsikret(f8 ved opstart):


C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\yrjsncjt.exe
C:\DOCUME~1\Compaq\LOKALE~1\Temp <- tøm mappen


Derefter genstarter du og sender en ny log herind, for at se om vi har fået den helt ren.
Først når din log er endelig godkendt, må du aktiver din systemgendannelse igen.

Ny log

Logfile of HijackThis v1.97.7
Scan saved at 17:23:17, on 01-08-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Firebird\bin\ibserver.exe
C:\Programmer\Logitech\MouseWare\system\em_exec.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Documents and Settings\Compaq\Skrivebord\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qczunwcsfs.net/sKTMxvfq5uraMAV3W5JlLzJwkJn8yXwmLGSR2MA9bfouOvknFIv64dJaGdMX92S/.html
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\Programmer\PopupPopper\PopLib.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AHQInit] C:\Programmer\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [pyjqchzu] C:\WINDOWS\System32\yrjsncjt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Firebird Database Engine.lnk = C:\Programmer\Firebird\bin\ibserver.exe
O9 - Extra button: PopupPopper Kontrol Panel (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://netplayer.swdc.dk/Rawflow.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030523/qtinstall.info.apple.com/drakken/dk/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.557025463
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab
O16 - DPF: {ABCCB0F0-514E-4BA6-989D-C67E5DBC2946} - https://download.danskebank.dk/download/keydownload/DB/KeyDownload.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab

Hent og kør aboutBuster herfra : www.arlet.dk/special.htm

fix i hijackthis:
O4 - HKLM\..\Run: [pyjqchzu] C:\WINDOWS\System32\yrjsncjt.exe

genstart og ny log

Men jeg har stadig problemer med backdoor.agent.b

Når jeg kører aboutbuster, finder den godt nok backdoor virussen, men den formår ikke at slette den ....

der står bare error deleting .. og sådan fortsætter det

Står der hvilke sti den ligger på..

Øjeblik du får lige en ny log

Logfile of HijackThis v1.97.7
Scan saved at 17:53:08, on 01-08-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Firebird\bin\ibserver.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmer\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Compaq\Skrivebord\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qczunwcsfs.net/sKTMxvfq5uraMAV3W5JlLzJwkJn8yXwmLGSR2MA9bfouOvknFIv64dJaGdMX92S/.html
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\Programmer\PopupPopper\PopLib.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AHQInit] C:\Programmer\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Firebird Database Engine.lnk = C:\Programmer\Firebird\bin\ibserver.exe
O9 - Extra button: PopupPopper Kontrol Panel (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://netplayer.swdc.dk/Rawflow.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030523/qtinstall.info.apple.com/drakken/dk/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.557025463
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab
O16 - DPF: {ABCCB0F0-514E-4BA6-989D-C67E5DBC2946} - https://download.danskebank.dk/download/keydownload/DB/KeyDownload.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab

den ligger i c:\windows\system32\msje.dll

--------------------------------------------------------------------

Åbn en tilfældig mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

--------------------------------------------------------------------

Så finder du den manuelt og sletter den:
c:\windows\system32\msje.dll

Husk ham/hende på http://v4.windowsupdate.microsoft.com/da/default.asp - ser vist ud til at mangle ?

Tja, hvis det bare var så nemt .... jeg kan ikke finde filen

Logfile of HijackThis v1.97.7 <<<<<< Brug dog 1.98!

http://tools.zerosrealm.com/hjt.zip
Pak den ud i en mappe og kom med en log fra 1.98

Norton dukker hele tiden op med meldingen om, at den har fundet virussen, og så stien dertil ... Men kan ikke slette den

Ja, hent den nye version af hijackthis. Det kan være at den viser noget mere

O20 - AppInit_DLLs: C:\WINDOWS\System32\msje.dll


Dette er den nederste linje i den nye Hijack ... skal jeg bare slette den linje ??

ja, fix den og genstart og kom med en ny hijackthis log

Hmmm, det ser ikke ud til at det bare fjerner den !!

Logfile of HijackThis v1.98.1
Scan saved at 18:27:49, on 01-08-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Firebird\bin\ibserver.exe
C:\WINDOWS\System32\devldr32.exe
C:\Programmer\Logitech\MouseWare\system\em_exec.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Documents and Settings\Compaq\Skrivebord\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qczunwcsfs.net/sKTMxvfq5uraMAV3W5JlLzJwkJn8yXwmLGSR2MA9bfouOvknFIv64dJaGdMX92S/.html
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\Programmer\PopupPopper\PopLib.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AHQInit] C:\Programmer\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Firebird Database Engine.lnk = C:\Programmer\Firebird\bin\ibserver.exe
O9 - Extra button: PopupPopper Kontrol Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\Programmer\PopupPopper\SiteList.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://netplayer.swdc.dk/Rawflow.cab
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030523/qtinstall.info.apple.com/drakken/dk/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\msje.dll

Start op i fejlsikret(f8 ved opstart)

og fix den i hijackthis..

Hvis den stadig ikke vil væk., så...

Hent FINDnFIX her:
http://downloads.subratam.org/FINDnFIX.exe
Dobbeltklik på filen - den vil installere sig på din computer i C:\FINDnFIX
I mappen ligger der !LOG!.bat, som du skal dobbeltklikke på - der går nu lidt tid, mens den indhenter informationer - når den er færdig, lægges der en Log.txt i mappen. Kopier indholdet herind.

I fejlsikret tilstand kan Hijack ikke finde virussen ... desværre. Men jeg prøver lige FindnFix

»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows XP [version 5.1.2600]
»»»IE build and last SP(s)
6.0.2600.0000 Q316059-q319182-Q321232-Q824145-Q330994-Q828750
Filsystemtypen er NTFS.
C: er ikke ‘ndret.

Sun 01 Aug 04  19:05:48
  7:05pm  up 0 days,  0:22

»»»»»»'Dos devices'...
Location  Type  Name/Units  Attributes
======================================================
XXXX:XXXX  CHAR  NUL          1000000000000100
02DB:0000  CHAR  XMSXXXX0    1010000000000000
0070:0024  CHAR  CON          1000000000010011
0070:0036  CHAR  AUX          1000000000000000
0070:0048  CHAR  PRN          1010100011000000
0070:005A  CHAR  CLOCK$      1000000000001000
0070:006C  CHAR  COM1        1000000000000000
0070:007E  CHAR  LPT1        1010100011000000
0070:0090  CHAR  LPT2        1010100011000000
0070:00A2  CHAR  LPT3        1010100011000000
0070:00B4  CHAR  COM2        1000000000000000
0070:00C6  CHAR  COM3        1000000000000000
0070:00D8  CHAR  COM4        1000000000000000
======================================================

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
»»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/30)»»»»»»»»»»»»»»»»

»»»*»»»*Use at your own risk!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\MSJE.DLL +++ File read error

»»»»» (*2*) »»»»»........
MSJE.DLL    Can't Open!

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files      :    0    Amount in bytes  : 0
Directories searched :    1    Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(*5*)»»»»»
¯ Access denied ® ..................... MSJE.DLL      .....57344  09.05.2004 

»»»»»(*6*)»»»»»
fgrep: can't open input C:\WINDOWS\SYSTEM32\MSJE.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


C:\WINDOWS\SYSTEM32\
  msje.dll      Sun  9 May 2004  10.56.38  .....        57.344    56,00 K

1 item found:  1 file, 0 directories.
  Total of file sizes:  57.344 bytes    56,00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\MSJE.DLL
SNiF 1.34 statistics

Matching files      :    1    Amount in bytes  : 57344
Directories searched :    1    Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files      :    0    Amount in bytes  : 0
Directories searched :    1    Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files      :    0    Amount in bytes  : 0
Directories searched :    1    Commands executed : 0

Masks sniffed for: *.DLL

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 506

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout    SZ    15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota    DWORD    00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler    SZ    yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk    SZ   
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout    SZ    90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota    DWORD    00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs    SZ    C:\\WINDOWS\\System32\\msje.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = C:\WINDOWS\System32\msje.dll

  »»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI)    ALLOW  Read            BUILTIN\Brugere
(IO)    ALLOW  Read            BUILTIN\Brugere
(NI)    ALLOW  Read            BUILTIN\Superbrugere
(IO)    ALLOW  Read            BUILTIN\Superbrugere
(NI)    ALLOW  Full access     BUILTIN\Administratorer
(IO)    ALLOW  Full access     BUILTIN\Administratorer
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access     BUILTIN\Administratorer
(IO)    ALLOW  Full access     CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read              BUILTIN\Brugere
Read              BUILTIN\Superbrugere
Full access      BUILTIN\Administratorer
Full access      NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group MORTENMØRN\Ingen.
User is a member of group \Alle.
User is a member of group BUILTIN\Administratorer.
User is a member of group BUILTIN\Brugere.
User is a member of group \LOKAL.
User is a member of group NT AUTHORITY\INTERAKTIV.
User is a member of group NT AUTHORITY\Godkendte brugere.


»»»»»»Backups created...»»»»»»
  7:07pm  up 0 days,  0:23
Sun 01 Aug 04  19:07:06

A          C:\FINDnFIX\keyback.hiv
--a--    -  -  -              -  -      8,192 08-01-2004 keyback.hiv
A          C:\FINDnFIX\keys1\winkey.reg
--a--    -  -  -              -  -        318 08-01-2004 winkey.reg
*Temp backups...
.             
..           
keyback2.hi_ 
winkey2.re_   


C:\FINDNFIX\
  JUNKXXX        Sun  1 Aug 2004  19.05.46  .D...        <Dir>

1 item found:  0 files, 1 directory.

»»Performing string scan....
00001150:                        ?                                     
00001190:                                    vk                UDeviceNo
000011D0:tSelectedTimeout    1 5      ( W            vk      '        z
00001210:GDIProcessHandleQuota"      9 0    W      vk      X         
00001250:Spooler2    y e s          vk                =pswapdisk       
00001290:    8  h          vk      (        R TransmissionRetryTimeout
000012D0:    vk      '        a USERProcessHandleQuotaz            8 
00001310:h                  vk  :  H          AppInit_DLLs        C :
00001350:\ W I N D O W S \ S y s t e m 3 2 \ m s j e . d l l  n x     
00001390:                                                               
000013D0:                                                               
00001410:                                                               
00001450:                                                               
00001490:                                                               
000014D0:                                                               
00001510:                                                               
00001550:                                                               
00001590:                                                               
000015D0:                                                               

---------- WIN.TXT
AppInit_DLLs
--------------
--------------
$011C7: UDeviceNotSelectedTimeout
$0120F: zGDIProcessHandleQuota
$012B8: TransmissionRetryTimeout
$012E8: USERProcessHandleQuotaz
$01338: AppInit_DLLs
--------------
--------------
C:\WINDOWS\System32\msje.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"="C:\\WINDOWS\\System32\\msje.dll"

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 58 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\msje.dll"
0000    43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00  |  C.:.\.W.I.N.D.O.
0010    57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00  |  W.S.\.S.y.s.t.e.
0020    6d 00 33 00 32 00 5c 00 6d 00 73 00 6a 00 65 00  |  m.3.2.\.m.s.j.e.
0030    2e 00 64 00 6c 00 6c 00 00 00                    |  ..d.l.l...

------------
Dos mem debug...
Segment Size    Owner    Type          Vectors
=======================================================
020B    02030  IO        SYSTEM DATA 
040F    00AB0  COMMAND  PROGRAM      22 23 24 2E
04BB    00070  MSDOS    FREE         
04C3    00400  COMMAND  ENVIRONMENT 
0504    00330  MSDOS    FREE         
0538    017D0  KB16      PROGRAM      09 2F
06B6    00840  LMEM      PROGRAM     
073B    98C40  MSDOS    FREE         
=======================================================


Jeg fatter nada

Husk at denne kan fjerne alt mht filer: http://www.spywarefri.dk/tipsogtricks.htm#dr.delete
... men selvfølgelig hvis filen bliver "genoprettet" af et eller andet så er man lige vidt...

Ja, den er jeg ikke sikker på..

Får lige fat i Fromsej, han er mester til det fix...

I keys1 mappen ligger der en fil der hedder FIX.bat - dobbeltklik på den. Computeren vil genstarte. Giv den tilladelse til at genstarte. Når computeren er genstartet, skal du åbne Stifinder og finde C:\Windows\System32 - find filen msje.dll (den bør være synlig nu). Klik én gang på filen så den bliver markeret med blåt, i menuen for oven skal du vælge Rediger -> Flyt til mappe ...og flyt den til C:\FINDnFIX\junkxxx.

Åben FINDnFIX mappen igen - dobbeltklik på Restore.bat. Når den har kørt ligger der en logfil igen, der hedder Log2.txt - kopier indholdet herind i dit næste indlæg.

det prøver jeg lige ... øjeblik

Jeg fatter nada. Filen msje.dll var der. Men da jeg klikkede på den forsvandt den. Jeg prøvede at genstarte, men væk er der. Jeg har kørt Hijack, men den kan heller ikke finde den nu. Hvad sker der ?? Skal jeg køre restore.bat ??

Ja, du er nødt til at køre fixet til ende, der er tre trin.

Nye logfil

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

Sun 01 Aug 04  22:09:15
10:09pm  up 0 days,  0:23

Microsoft Windows XP [version 5.1.2600]
»»»IE build and last SP(s)
6.0.2600.0000 Q316059-q319182-Q321232-Q824145-Q330994-Q828750
Filsystemtypen er NTFS.
C: er ikke ‘ndret.

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/30)***»»»»»»»»»»»»»»»»

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files      :    0    Amount in bytes  : 0
Directories searched :    1    Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(5)»»»»»

»»»»»(6)»»»»»

»»»»»»» Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files      :    0    Amount in bytes  : 0
Directories searched :    1    Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files      :    0    Amount in bytes  : 0
Directories searched :    1    Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files      :    0    Amount in bytes  : 0
Directories searched :    1    Commands executed : 0

Masks sniffed for: *.DLL

»»»*»»» Scanning for moved file... »»»*»»»



No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files      :    0    Amount in bytes  : 0
Directories searched :    1    Commands executed : 0

Masks sniffed for: *.*

fgrep: no files found for C:\FINDNFIX\JUNKXXX\*.*


Filen C:\FINDnFIX\junkxxx\*.* blev ikke fundet.

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

  File name    Size    Date    Time        MD5 Hash
________________________________________________________________________

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
        No files found



#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
(CRC16      : 3138)
CRC-32      : D5C9FB2E
MD5          : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
(CRC16      : EEB1)
CRC-32      : 33081C8B
MD5          : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes) 
(CRC16      : 90A5)
CRC-32      : 2258F59E 
MD5          : EFEE2CB3 B342A351 51802356 9637F8E6 
#######################################################
»»Permissions:
ERROR: Der er ikke flere filer.

Directory "C:\FINDnFIX\junkxxx\."
    Permissions:
        Type    Flags    Inh. Mask    Gen. Std. File Group or User
        ======= ======== ==== ======== ==== ==== ==== ================
        Allow  00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
        Allow  0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
        Allow  00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administratorer
        Allow  00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Brugere
        Allow  00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Brugere
        Allow  00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Brugere
        Allow  00000000 t--- 001F01FF ---- DSPO rw+x MORTENMØRN\Compaq
        Allow  00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administratorer
        Allow  00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
        Allow  00000010 t--- 001F01FF ---- DSPO rw+x MORTENMØRN\Compaq
        Allow  0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
        Allow  00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Brugere
        Allow  00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Brugere
        Allow  00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Brugere

    Owner: MORTENMØRN\Compaq

    Primary Group: MORTENMØRN\Ingen

Directory "C:\FINDnFIX\junkxxx\.."
    Permissions:
        Type    Flags    Inh. Mask    Gen. Std. File Group or User
        ======= ======== ==== ======== ==== ==== ==== ================
        Allow  00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administratorer
        Allow  00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
        Allow  00000000 t--- 001F01FF ---- DSPO rw+x MORTENMØRN\Compaq
        Allow  0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
        Allow  00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Brugere
        Allow  00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Brugere
        Allow  00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Brugere

    Owner: MORTENMØRN\Compaq

    Primary Group: MORTENMØRN\Ingen




»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout    SZ    15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota    DWORD    00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler    SZ    yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk    SZ   
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout    SZ    90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota    DWORD    00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs    SZ   

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

  »»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI)    ALLOW  Read            BUILTIN\Brugere
(IO)    ALLOW  Read            BUILTIN\Brugere
(NI)    ALLOW  Read            BUILTIN\Superbrugere
(IO)    ALLOW  Read            BUILTIN\Superbrugere
(NI)    ALLOW  Full access     BUILTIN\Administratorer
(IO)    ALLOW  Full access     BUILTIN\Administratorer
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access     BUILTIN\Administratorer
(IO)    ALLOW  Full access     CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read              BUILTIN\Brugere
Read              BUILTIN\Superbrugere
Full access      BUILTIN\Administratorer
Full access      NT AUTHORITY\SYSTEM



00001150:                        ?                                     
00001190:                                    vk                UDeviceNo
000011D0:tSelectedTimeout    1 5      ( W            vk      '        z
00001210:GDIProcessHandleQuota"      9 0    W      vk      X         
00001250:Spooler2    y e s          vk                =pswapdisk       
00001290:    8  h          vk      (        R TransmissionRetryTimeout
000012D0:    vk      '        a USERProcessHandleQuotaz            8 
00001310:h                  vk                y AppInit_DLLs           
00001350:                                                               
00001390:                                                               
000013D0:                                                               
00001410:                                                               
00001450:                                                               
00001490:                                                               
000014D0:                                                               
00001510:                                                               
00001550:                                                               

---------- NEWWIN.TXT
AppInit_DLLsÿÿÿÿ¸
--------------
--------------
$011C7: UDeviceNotSelectedTimeout
$0120F: zGDIProcessHandleQuota
$012B8: TransmissionRetryTimeout
$012E8: USERProcessHandleQuotaz
$01338: AppInit_DLLs
--------------
--------------
No strings found.


d....        0  Aug  1  19:05  .   
d....        0  Aug  1  19:05  .. 

2 files found occupying -1024 bytes


===============================================================================
            0 bytes  0 cps 
Files: 0  Records: 0  Matches: 0  Elapsed Time: 00:00:00.01

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
.            <dir>      08-01-:4 19:05|..          <dir>      08-01-:4 19:05
---------------------------------------+---------------------------------------
        2 files totaling 0 bytes consuming 0 bytes of disk space.
14274560 bytes available on Drive C:    No volume label
 
...File dump...

junkxxx\*.*
Den angivne fil blev ikke fundet.
        0 fil(er) kopieret.

Detecting...

C:\FINDnFIX\junkxxx

Åben C:\FINDnFIX\Files2 (mappen Files2) - dobbeltklik på ZIPZAB.bat. Den vil nu rense yderligere og kopiere de "snavsede" filer over i en zipfil der hedder junkxxx.zip.

Programmet vil også åbne dit e-mail program, idet konstruktøren gerne vil have kopier af infektionen, så hun kan udvikle modforholdsreglerne. Jeg skal bede dig om at "trække" junkxxx.zip over i dit e-mail program, i tekst feltet skriver du "http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=nnnn" og sender filen. Du har nu været med til at bekæmpe denne irriterende infektion.

For at afslutte oprydningen - Hent CWShredder her:

http://www.spywareinfo.com/downloads/tools/CWShredder.exe

Kør programmet, luk alle vinduer, undtaget CWSschredder, klik på "Fix", den scanner nu, når den er færdig klik på "Next", klik på "Finish".

Genstart din computer, kør HijackThis, scan og læg en frisk log herind.

Tekstfeltet skalder selvfølgelig stå:
http://www.eksperten.dk/spm/525267
Min fejl.*S*

Nu er zip-filen sendt afsted og her kommer en ny hijack log

Logfile of HijackThis v1.98.1
Scan saved at 22:27:20, on 01-08-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Firebird\bin\ibserver.exe
C:\Programmer\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Documents and Settings\Compaq\Skrivebord\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\Programmer\PopupPopper\PopLib.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AHQInit] C:\Programmer\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Firebird Database Engine.lnk = C:\Programmer\Firebird\bin\ibserver.exe
O9 - Extra button: PopupPopper Kontrol Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\Programmer\PopupPopper\SiteList.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://netplayer.swdc.dk/Rawflow.cab
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030523/qtinstall.info.apple.com/drakken/dk/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab

Det ser godt ud, men vi skal lige have resten væk.

Fjern wildtangent i Tilføj/Fjern programmer.

Flyt Hijackthis til en mappe oprettet til formålet.

Deaktiver systemgendannelse:
http://www.spywarefri.dk/virusscannere.htm#alle

Hent denne scanner, den skal du bruge senere.
http://www.mwti.net/antivirus/free_utilities.asp - Virusscanner.
Hent også TheKillBox og vejledningen.
http://home8.inet.tele.dk/fbj/TheKillBox.exe
http://home8.inet.tele.dk/fbj/TheKillBoxBrugsanvisning.htm

Klik på Start->Kør skriv:
regsvr32 /u mxtarget.dll klik OK.
regsvr32 /u twaintec.dll klik OK. (Det er ikke sikkert den findes.)

Kør Hijackthis, scan, sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked, brug TheKillBox til at slette filerne listet nederst.
Dobbelttjek, så alt kommer med.

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab
---------------------------------------
Sletning af filer og mapper:
Åbn en mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".
Brug af Start->Søg.
Klik på "Alle filer og mapper"
Klik på "Avancerede indstillinger"
Sæt flueben i de tre øverste.
Brug TheKillBox med indstillingen sletning ved næste genstart.
-------------------
Filer:
C:\WINDOWS\mxTarget.dll
twaintec.dll -> hvis den findes.
---------------------------------------
Så kører du engangsskanneren fra Kaspersky - Aktiver det hele i opsætningen derinde, så den kan skanne alt igennem.
---------------------------------------
Du skal også lige hente og installere programmet Ad-aware hvis du da ikke har det i forvejen. Opdater det straks efter installationen, og inden du kører en scanning med denne. Fjern alt hvad den finder. Programmet samt brugervejledning på dansk finder du her: http://www.spywarefri.dk/vaerktoj.htm#adaware
Følg også vejledningen her til udvidet søgning: http://www.spywarefri.dk/tipsogtricks.htm#adaware
---------------------------------------
Hent og installer Servicepack 1, Hotfixpakken og Sasserfix her:
http://intern.sdu.dk/it-service/tjenester/ftphotel/ftpindhold/ servicepacks + IE
http://www.microsoft.com/downloads/details.aspx?FamilyId=D531BF00-D7BE-48E3-ABCC-961602BD72C2&displaylang=da - Hotfixes efter SP1 til XP.

Opdater så online hos Microsoft.
---------------------------------------
Genstart og kom med en ny logfil, så jeg kan se om alt er med.