zybe (Beginner)
09 September 2004 - 09:59 There are 15 comments and 2 solutions

Virus that shuts XP down.

Help...

I had visited some slightly suspicious websites, and afterwards the computer became sluggish. So I ran Ad-Aware to remove all the spyware I know those sites install. When I started Ad-Aware, the computer announced that it would shut down in 1 minute (59 sec). A friend then told me to type "shutdown -a" in the Run dialog to make it stop.

Then I downloaded avast from my other computer, installed it, scanned and removed some Trojan horses, but it didn't find anything else right away.

Now the problem is this: I simply cannot get back online. It connects fine to the router and also says it has found a LAN connection, but I damn well can't get it online. I have tried reinstalling the network card, but that didn't help either.

INFO: Dell, 2 GHz, 512 MB RAM, XP Pro. Stofanet.
resist (Beginner)
09 September 2004 - 10:06 #1
Maybe there is some junk blocking network access. Let's see what a HijackThis log shows.

Download Spybot and HijackThis:
http://www.spywarefri.dk/vaerktoj.htm

Install and run Spybot, update online, scan, fix the selected problems and restart.

Then run HijackThis > Scan > Save log. Paste the log file in here and we'll take a look at it.
Don't delete anything yourself with HijackThis; we will help you interpret the log.
zybe (Beginner)
09 September 2004 - 10:08 #2
But I can't update Spybot online...
serverservice (Trainee)
09 September 2004 - 10:10 #3
Scan with Stinger first
http://vil.nai.com/vil/stinger/

To stop the shutdown, go to Run and type:  Shutdown -a

Install these updates - then the problem should be solved - there is one of them you don't have, regardless of whether you run auto update.

Here is a link to some important critical updates released after SP1, collected in one package of about 10 MB (as of Oct. 2003)
http://www.microsoft.com/downloads/details.aspx?FamilyId=D531BF00-D7BE-48E3-ABCC-961602BD72C2&displaylang=da
XP + W2K
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx    Sasser update fix
http://www.microsoft.com/downloads/details.aspx?displaylang=da&FamilyID=e70a0d8b-fe98-493f-ad76-bf673a38b4cf    Msblaster update fix

When you are done, you should let resist clean your HijackThis log
resist (Beginner)
09 September 2004 - 10:11 #4
Before you paste a HijackThis log in here, you can also try downloading this one-off scanner from another computer: http://www.mwti.net/download/tools/mwav.exe

Burn mwav.exe to a CD and copy it over to the "problem child". Restart the computer in safe mode (F8 during startup). Run a scan with mwav.exe - set it so that it scans as much of the computer as possible.

Restart normally and let's see a HijackThis log from "the sick" computer.
zybe (Beginner)
09 September 2004 - 10:24 #5
I'll just try running some of those updates and programs and get back when they have run...

Thanks in advance..
zybe (Beginner)
09 September 2004 - 10:54 #6
Running Mwav now... so far it has found 13 files :( strange that avast didn't find them...
resist (Beginner)
09 September 2004 - 10:57 #7
mwav is quite effective ;-) When it has finished, just paste a HijackThis log in here - thanks.
zybe (Beginner)
09 September 2004 - 12:53 #8
There... it finally finished everything...

Hmmm.... Mwav found around 36 viruses :(

Here is the HijackThis log..

Logfile of HijackThis v1.98.2
Scan saved at 12:51:20, on 09-09-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093010597233
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab



If it is of any use, the log from mwav is here:

File C:\WINDOWS\update13.js infected by "Trojan.JS.StartPage.a" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\polall1m.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Janus\Local Settings\Temp\Del3B.tmp infected by "not-a-virus:AdvWare.180Solutions" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Janus\Local Settings\Temp\THI4148.tmp\polall1m.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Janus\Local Settings\Temp\THI4148.tmp\twaintec.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\Janus\Local Settings\Temp\THI764C.tmp\polall1m.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Janus\Local Settings\Temp\THI764C.tmp\twaintec.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\Janus\Local Settings\Temp\THI7A16.tmp\polall1m.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Janus\Local Settings\Temp\THI7A16.tmp\twaintec.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\Janus\Local Settings\Temp\THI7D44.tmp\mxTarget.cab infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\Janus\Local Settings\Temp\THI7D44.tmp\mxTarget.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\Janus\Local Settings\Temporary Internet Files\Content.IE5\7VB82P4M\index[3].htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\Janus\Local Settings\Temporary Internet Files\Content.IE5\7VB82P4M\istbar[1].dll infected by "TrojanDownloader.Win32.IstBar.dh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Janus\Local Settings\Temporary Internet Files\Content.IE5\EHK7YN81\kazaa-light[1].exe tagged as not-a-virus:PornWare.Dialer.Intexdial. No Action Taken.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP27\A0005519.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP34\A0007210.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP53\A0008801.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP53\A0008942.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP53\A0008943.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP53\A0008958.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP53\A0008984.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP53\A0008985.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0010162.dll infected by "not-a-virus:AdvWare.NewDotNet" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0010224.dll infected by "not-a-virus:AdvWare.180Solutions" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0011241.dll infected by "not-a-virus:AdvWare.NewDotNet" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0011252.exe infected by "TrojanDownloader.Win32.Dyfuca.cr" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0011260.dll infected by "not-a-virus:AdvWare.WebHancer" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0011265.exe infected by "not-a-virus:AdvWare.WebHancer" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0011267.exe infected by "not-a-virus:AdvWare.WebHancer" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0011268.dll infected by "TrojanDownloader.Win32.IstBar.dh" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0011272.exe infected by "not-a-virus:AdvWare.WebHancer" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0011276.exe infected by "not-a-virus:AdvWare.180Solutions" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0011277.exe infected by "not-a-virus:AdvWare.WebRebates.b" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0011278.exe infected by "not-a-virus:AdvWare.HelpExpress" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP56\A0011279.exe infected by "not-a-virus:AdvWare.WebRebates.b" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{BADA6CBA-F1F8-4B18-9F6A-2B25169AC233}\RP58\A0011535.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
zybe (Beginner)
09 September 2004 - 13:56 #9
There... now the damn thing is running again..!!! I think it may have had something to do with the 36 viruses I had :)  That's quite a lot of viruses at once..!!

But thanks for the help, both of you!

Would you comment on my log anyway?

Also post an answer so I can award points...
resist (Beginner)
09 September 2004 - 13:58 #10
I'll look through the log now.
resist (Beginner)
09 September 2004 - 14:07 #11
Start by uninstalling webHancer via Add/Remove Programs.

Turn off System Restore. If you don't know how, look here: http://www.spywarefri.dk/virusscannere.htm#alle


Create a folder just for HijackThis. Put HijackThis in that folder and run the program from there.

Below are some files that you need to fix. Put a check mark next to these files. Once you have done that, close all other windows.

Fix these with HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\setup.exe

----
Open a folder, click Tools => Folder Options => View.
Uncheck "Hide protected operating system files".
Uncheck "Hide extensions for known file types".
Select "Show hidden files and folders".
----

Restart in safe mode (F8 during startup).  Find and delete:

C:\Program Files\webHancer\ >>>> the webHancer folder

C:\Documents and Settings\Janus\Local Settings\Temp\ >>>> empty your temp files

Restart normally and post a new log here for checking - thanks.


You still need to update Windows and IE with Service Pack 1 etc. Visit Windows Update.
zybe (Beginner)
09 September 2004 - 15:02 #12
Here is the new log...

Logfile of HijackThis v1.98.2
Scan saved at 15:02:21, on 09-09-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth-software\BTTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093010597233
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
resist (Beginner)
09 September 2004 - 15:11 #13
Fix this one with HijackThis:

O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe

Restart in safe mode. Find and delete:

C:\Program Files\ClockSync\ >>>> the ClockSync folder

Restart normally and post a new log - thanks.
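
The ClockSync entry flagged in post #13 is in the 15:02 log but not in the 12:51 log. As an added example (not part of the thread and not HijackThis's own code), this Python script diffs two HijackThis logs and lists the autostart entries that appeared between them; the log excerpts are shortened copies of lines posted above, and all function names are hypothetical.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section detail")

# A HijackThis result line is "<code> - <detail>", e.g. "O4 - HKCU\..\Run: [x] y".
# Header lines and the "Running processes" paths do not match this shape.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN_NAME_RE = re.compile(r"Run: \[(.+?)\]")

# Shortened excerpts of the 12:51 and 15:02 logs from this thread.
LOG_1251 = r"""Logfile of HijackThis v1.98.2
Scan saved at 12:51:20, on 09-09-2004
Running processes:
C:\WINDOWS\Explorer.EXE
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
"""

LOG_1502 = r"""Logfile of HijackThis v1.98.2
Scan saved at 15:02:21, on 09-09-2004
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
"""


def parse_entries(log_text):
    """Return the set of result entries, skipping header and process list."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add(Entry(match.group(1), match.group(2)))
    return entries


def diff_logs(before, after):
    """Return (removed, added) entries between two logs, each sorted."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(old - new), sorted(new - old)


def new_autostarts(before, after):
    """O4 (autostart) entries present in `after` but absent from `before`."""
    _, added = diff_logs(before, after)
    return [entry for entry in added if entry.section == "O4"]


def run_value_name(entry):
    """Name of the Run value in an O4 registry entry, or None."""
    match = RUN_NAME_RE.search(entry.detail)
    return match.group(1) if match else None


if __name__ == "__main__":
    removed, added = diff_logs(LOG_1251, LOG_1502)
    print("Gone since the first log:")
    for entry in removed:
        print("  ", entry.section, "-", entry.detail)
    print("New autostart entries to review:")
    for entry in new_autostarts(LOG_1251, LOG_1502):
        print("  ", run_value_name(entry), "->", entry.detail)
```

A new entry is only a candidate for review, not a verdict: the diff surfaces MsnMsgr alongside ClockSync, and telling them apart still takes someone who knows the software on the machine.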
zybe (Beginner)
09 September 2004 - 15:24 #14
Logfile of HijackThis v1.98.2
Scan saved at 15:24:02, on 09-09-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth-software\BTTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093010597233
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
resist (Beginner)
09 September 2004 - 15:28 #15
Your new log looks clean, and you can turn System Restore back on and set the folder options back to their original settings.

Here is a link about safe surfing: http://www.spywarefri.dk/pakken.htm

Your computer is very vulnerable without Service Pack 1 etc. Visit Windows Update.

Did the "cure" help?
zybe (Beginner)
09 September 2004 - 15:31 #16
Thanks a lot for the help...

Now the laptop gets the same treatment... just to check, to be on the safe side..!
resist (Beginner)
09 September 2004 - 15:33 #17
You're welcome ;-)