elmoe (Junior Master)
07 February 2005 - 21:09 There are 19 comments and 1 solution

Help! Internet Explorer doesn't work!

I have tried various anti-spyware programs, but I can't get to any pages in Internet Explorer. I can, however, use Messenger. Strange. Hoping this log might help, so someone can tell me what I can do about my problem :(

Logfile of HijackThis v1.98.2
Scan saved at 20:14:03, on 07-02-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Mail Server\MailFilter\MailFilterSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Programmer\Mail Server\mlsrvnt.exe
C:\Programmer\POP Peeper\POPPeeper.exe
C:\Programmer\EasyPHP1-7\easyphp.exe
C:\Programmer\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\msmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Programmer\Google\Gmail Notifier\gnotify.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSCFG16.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\Plextor\PlexTool.exe
C:\Programmer\RealVNC\WinVNC\winvnc.exe
C:\Programmer\eMule\emule.exe
C:\Programmer\BPFTP Server\G6FTPSrv.exe
C:\Programmer\mIRC\mirc.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
E:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {E93978BB-C8A6-FB5B-50E1-22FCAC275194} - corrida.dll (file missing)
R3 - URLSearchHook: Search - {78C30D67-E400-4486-A140-2373F4D68B1D} - C:\WINDOWS\System32\Q1373921.dll
R3 - URLSearchHook: Search - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
O2 - BHO: Search - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
O3 - Toolbar: Search - {E65CE48B-D2A3-4105-B42F-D10496B9DB86} - C:\WINDOWS\System32\Q1373921.dll
O3 - Toolbar: Search - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
O4 - HKLM\..\Run: [POP Peeper] C:\Programmer\POP Peeper\POPPeeper.exe min
O4 - HKLM\..\Run: [EasyPHP] "C:\Programmer\EasyPHP1-7\easyphp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmer\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Support Center] msmsgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Testimonials] Shaitan1678.exe
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKLM\..\Run: [lpt] bhoserv.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programmer\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKLM\..\RunServices: [Windows Support Center] msmsgr.exe
O4 - HKCU\..\Run: [System Restore] svcnet.exe
O4 - HKCU\..\Run: [Switch Off] H:\Programmer\Switch Off\swoff.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programmer\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmer\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WareOut] "C:\Programmer\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows Support Center] msmsgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunServices: [Windows Support Center] msmsgr.exe
O4 - Startup: EasyPHP.lnk = C:\Programmer\EasyPHP1-7\easyphp.exe
O4 - Startup: eMule.lnk = C:\Programmer\eMule\emule.exe
O4 - Startup: G6FTPSrv.lnk = C:\Programmer\BPFTP Server\G6FTPSrv.exe
O4 - Startup: mIRC.lnk = C:\Programmer\mIRC\mirc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: LimeWire 4.2.6 Pro.lnk = C:\Programmer\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
O4 - Global Startup: PlexTools Professional.lnk = C:\Programmer\Plextor\PlexTool.exe
O4 - Global Startup: Run VNC Server.lnk = C:\Programmer\RealVNC\WinVNC\winvnc.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Search - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Search - {E65CE48B-D2A3-4105-B42F-D10496B9DB86} - C:\WINDOWS\System32\Q1373921.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: *.www.dr.dk
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C10D7D-8000-47CA-B6FA-031868E72496}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F9ED34B-6C5F-4231-A83D-87338B654B85}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F77AD61-AFC3-4AFD-BA8A-7D9980C2A23C}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{A32E8A70-5303-492B-80FC-965E8E017667}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9981BA0-BE12-4177-9D81-64E95F293921}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9EA9714-FC04-4CEC-BF5B-EC81D04AF6DB}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBE22BDC-7332-4D0F-B754-BA59587A7231}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{23C10D7D-8000-47CA-B6FA-031868E72496}: NameServer = 69.50.166.94,69.31.80.244
O18 - Filter: text/html - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
O18 - Filter: text/plain - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
kalp (Novice)
07 February 2005 - 21:23 #1
I'll take a look :)
kalp (Novice)
07 February 2005 - 21:36 #2
First download these tools (we will need them later)

CWShredder
http://www.mdegn.dk/download/CWShredder.exe

AboutBuster
http://downloads.subratam.org/AboutBuster.zip

Mwav
http://www.spywareinfo.dk/download/mwav.exe

Restart in Safe Mode by pressing F8 during startup.
Run HijackThis, scan and put a check mark next to these lines - close other program windows - click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {E93978BB-C8A6-FB5B-50E1-22FCAC275194} - corrida.dll (file missing)
R3 - URLSearchHook: Search - {78C30D67-E400-4486-A140-2373F4D68B1D} - C:\WINDOWS\System32\Q1373921.dll
R3 - URLSearchHook: Search - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
O2 - BHO: Search - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
O3 - Toolbar: Search - {E65CE48B-D2A3-4105-B42F-D10496B9DB86} - C:\WINDOWS\System32\Q1373921.dll
O3 - Toolbar: Search - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
O4 - HKLM\..\Run: [Testimonials] Shaitan1678.exe
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKLM\..\Run: [lpt] bhoserv.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [System Restore] svcnet.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programmer\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [WareOut] "C:\Programmer\WareOut\WareOut.exe"
O9 - Extra button: Search - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
O9 - Extra button: Search - {E65CE48B-D2A3-4105-B42F-D10496B9DB86} - C:\WINDOWS\System32\Q1373921.dll
O18 - Filter: text/html - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
O18 - Filter: text/plain - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll

If you don't recognize this NameServer = 69.50.166.94,69.31.80.244
all of these lines must be fixed (my guess is that they should be)

O17 - HKLM\System\CCS\Services\Tcpip\..\{23C10D7D-8000-47CA-B6FA-031868E72496}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F9ED34B-6C5F-4231-A83D-87338B654B85}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F77AD61-AFC3-4AFD-BA8A-7D9980C2A23C}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{A32E8A70-5303-492B-80FC-965E8E017667}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9981BA0-BE12-4177-9D81-64E95F293921}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9EA9714-FC04-4CEC-BF5B-EC81D04AF6DB}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBE22BDC-7332-4D0F-B754-BA59587A7231}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{23C10D7D-8000-47CA-B6FA-031868E72496}: NameServer = 69.50.166.94,69.31.80.244


Find and delete

This file

C:\WINDOWS\SYSCFG16.EXE

Search for and delete these files (Shaitan1678.exe, msc32.exe, bhoserv.exe, svcnet.exe)

This folder

C:\Programmer\WareOut\


Open Windows Explorer, click Tools => Folder Options => View.
Uncheck "Hide protected operating system files".
Uncheck "Hide extensions for known file types".
Select "Show hidden files and folders".

Delete these files

C:\WINDOWS\System32\Q1373921.dll

Then go to Start -> Programs -> Accessories -> System Tools -> Disk Cleanup and delete temp files, temporary internet files and the recycle bin.

Regarding CWShredder:
Unpack the zip file into a folder.
Run the program, check for updates, physically disconnect your internet connection (pull the plug), close all windows except cwshredder, click Fix, it now scans, when it is finished click Next, click Exit.

Now run AboutBuster. When you have run it once.. close the program.. and run it once more.

Click on the mwav.exe you downloaded; the program unpacks itself and starts.
Check the following:
Memory, Startup folders, drive, Registry, System folders and Services.
Select the following:
All local drives and Scan all files

Delete everything it finds..

Restart normally and post a new log file here
elmoe (Junior Master)
07 February 2005 - 21:41 #3
Many thanks so far, kalp. I'm going to war and will come back with a new log :)
kalp (Novice)
07 February 2005 - 21:42 #4
:) yep, that was quite a handful :)
tonnybrandt (Beginner)
07 February 2005 - 22:08 #5
kalp > Was this one included by mistake?
O4 - HKCU\..\Run: [STYLEXP] C:\Programmer\TGTSoft\StyleXP\StyleXP.exe -Hide
kalp (Novice)
07 February 2005 - 22:14 #6
oops :p that was a bit too much of my copy and paste!
elmoe (Junior Master)
10 February 2005 - 07:07 #7
Sorry for the long wait. Here is the new log:

Logfile of HijackThis v1.98.2
Scan saved at 07:53:16, on 09-02-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Mail Server\MailFilter\MailFilterSrv.exe
c:\Programmer\Mail Server\mlsrvnt.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Programmer\POP Peeper\POPPeeper.exe
C:\Programmer\EasyPHP1-7\easyphp.exe
C:\Programmer\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programmer\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\Dantz\Retrospect\retrorun.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\eMule\emule.exe
C:\Programmer\BPFTP Server\G6FTPSrv.exe
C:\Programmer\mIRC\mirc.exe
C:\Programmer\Ad-Aware SE Professional\Ad-Aware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AD-AWA~1\Ad-Watch.exe
C:\Documents and Settings\Johnny Drud\Skrivebord\fjern spyware 2\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POP Peeper] C:\Programmer\POP Peeper\POPPeeper.exe min
O4 - HKLM\..\Run: [EasyPHP] "C:\Programmer\EasyPHP1-7\easyphp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmer\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programmer\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [lpt] bhoserv.exe
O4 - HKLM\..\Run: [Testimonials] Shaitan1678.exe
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Windows Support Center] msmsgr.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKLM\..\RunServices: [Windows Support Center] msmsgr.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programmer\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmer\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [System Restore] svcnet.exe
O4 - HKCU\..\Run: [Switch Off] H:\Programmer\Switch Off\swoff.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Programmer\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [barint] BoundRec.exe
O4 - HKCU\..\Run: [StatusCheck] sbin.exe
O4 - HKCU\..\Run: [TorontoMail] trycrt.exe
O4 - HKCU\..\Run: [Windows Support Center] msmsgr.exe
O4 - HKCU\..\RunServices: [Windows Support Center] msmsgr.exe
O4 - Startup: EasyPHP.lnk = C:\Programmer\EasyPHP1-7\easyphp.exe
O4 - Startup: eMule.lnk = C:\Programmer\eMule\emule.exe
O4 - Startup: G6FTPSrv.lnk = C:\Programmer\BPFTP Server\G6FTPSrv.exe
O4 - Startup: mIRC.lnk = C:\Programmer\mIRC\mirc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: LimeWire 4.2.6 Pro.lnk = C:\Programmer\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
O4 - Global Startup: Run VNC Server.lnk = C:\Programmer\RealVNC\WinVNC\winvnc.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://H:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: *.www.dr.dk
majsmarken (Beginner)
10 February 2005 - 07:32 #8
PS: [Messenger Plus! 3] ??? Opinions are divided on it:
http://www.eksperten.dk/spm/528544
kalp (Novice)
10 February 2005 - 07:37 #9
The next log you post must be made with the new HijackThis
http://www.downloadportal.dk/showdownload.asp?rid=4212&sp=Hijackthis

Restart in Safe Mode by pressing F8 during startup.
Run HijackThis, scan and put a check mark next to these lines - close other program windows - click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O4 - HKLM\..\Run: [lpt] bhoserv.exe
O4 - HKLM\..\Run: [Testimonials] Shaitan1678.exe
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [System Restore] svcnet.exe
O4 - HKCU\..\Run: [barint] BoundRec.exe
O4 - HKCU\..\Run: [StatusCheck] sbin.exe
O4 - HKCU\..\Run: [TorontoMail] trycrt.exe
O4 - HKCU\..\Run: [WareOut] "C:\Programmer\WareOut\WareOut.exe"

Find and delete

These files

bhoserv.exe
Shaitan1678.exe
msc32.exe
SYSCFG16.EXE
svcnet.exe
BoundRec.exe
sbin.exe
trycrt.exe

This folder

C:\Programmer\WareOut\


Restart normally and post a new log file here

PS. It must be run in Safe Mode!
kalp (Novice)
10 February 2005 - 07:37 #10
PS. also run CWShredder as before
elmoe (Junior Master)
10 February 2005 - 19:26 #11
Logfile of HijackThis v1.99.0
Scan saved at 08:59:51, on 09-02-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Mail Server\MailFilter\MailFilterSrv.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Programmer\POP Peeper\POPPeeper.exe
C:\Programmer\EasyPHP1-7\easyphp.exe
C:\Programmer\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programmer\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\AD-AWA~1\Ad-Watch.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\RealVNC\WinVNC\winvnc.exe
C:\Programmer\eMule\emule.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\BPFTP Server\G6FTPSrv.exe
C:\Programmer\mIRC\mirc.exe
c:\Programmer\Mail Server\mlsrvnt.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\Programmer\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Johnny Drud\Skrivebord\fjern spyware 2\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POP Peeper] C:\Programmer\POP Peeper\POPPeeper.exe min
O4 - HKLM\..\Run: [EasyPHP] "C:\Programmer\EasyPHP1-7\easyphp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmer\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programmer\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Support Center] msmsgr.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [lpt] bhoserv.exe
O4 - HKLM\..\Run: [Testimonials] Shaitan1678.exe
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\RunServices: [Windows Support Center] msmsgr.exe
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programmer\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmer\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Switch Off] H:\Programmer\Switch Off\swoff.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Support Center] msmsgr.exe
O4 - HKCU\..\Run: [System Restore] svcnet.exe
O4 - HKCU\..\Run: [WareOut] "C:\Programmer\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [barint] BoundRec.exe
O4 - HKCU\..\Run: [StatusCheck] sbin.exe
O4 - HKCU\..\Run: [TorontoMail] trycrt.exe
O4 - HKCU\..\RunServices: [Windows Support Center] msmsgr.exe
O4 - Startup: EasyPHP.lnk = C:\Programmer\EasyPHP1-7\easyphp.exe
O4 - Startup: eMule.lnk = C:\Programmer\eMule\emule.exe
O4 - Startup: G6FTPSrv.lnk = C:\Programmer\BPFTP Server\G6FTPSrv.exe
O4 - Startup: mIRC.lnk = C:\Programmer\mIRC\mirc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: LimeWire 4.2.6 Pro.lnk = C:\Programmer\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
O4 - Global Startup: Run VNC Server.lnk = C:\Programmer\RealVNC\WinVNC\winvnc.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://H:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: *.www.dr.dk
O15 - Trusted IP range: 81.211.105.20 (HKLM)
O23 - Service: Adobe LM Service - Unknown - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown - C:\PROGRA~1\EASYPH~1\Apache\apache.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: COM+ Alerter Service - Unknown - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Mail Filter Service - Server Side Solutions - C:\Programmer\Mail Server\MailFilter\MailFilterSrv.exe
O23 - Service: ArGoSoft Mail Server - ArGo Software Design - c:\Programmer\Mail Server\mlsrvnt.exe
O23 - Service: MySql - Unknown - C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Programmer\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Programmer\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: StyleXPService - Unknown - C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
kalp (Novice)
10 February 2005 - 19:33 #12
Before I tell you what to do... tell me what is going wrong.. whether there is something you are not doing.. whether you get any error messages, because it is not normal for certain items to still be there if you have carried it out correctly.
elmoe (Junior Master)
11 February 2005 - 14:06 #13
It works now after I ran HijackThis again. Yay :)

Many thanks for the help, kalp. Incredible that it is possible to rescue such a mess..
kalp (Novice)
11 February 2005 - 15:19 #14
you're welcome :))
tonnybrandt (Beginner)
11 February 2005 - 21:11 #15
You always finish with a clean log, and you have not posted one yet, so you need to come back with a new log.
Otherwise one cannot in good conscience declare you clean, in my opinion.
elmoe (Junior Master)
12 February 2005 - 16:35 #16
oh okay. but it works now. what is "dirty" in the last log, then? :)
kalp (Novice)
12 February 2005 - 16:37 #17
No final log has been posted, but the last one in here that I commented on still had some of what I asked you to fix here

Comment: kalp
10/02-2005 07:37:17

so if you can still see any of these items, it is still not completely clean.
That is why I made this comment

Comment: kalp
10/02-2005 19:33:56
elmoe (Junior Master)
12 February 2005 - 16:41 #18
I can see that the log still contains e.g. [WareOut], but that was one of those where I deleted both the folder and the registry entry in HijackThis (in Safe Mode). Don't know why it is in the log. It's strange.
elmoe (Junior Master)
12 February 2005 - 16:43 #19
..and the same goes for [NvCplScan], [TorontoMail] and others..
majsmarken (Beginner)
12 February 2005 - 16:57 #20
... when there are still (remnants of)
[Messenger Plus! 3]
[eMule]
[LimeWire]
[???]
soooooo - 'funny' things can happen - in my opinion...
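
An added example, not part of the thread and not code from HijackThis: the two checks the helpers do by hand here, written in Python. It picks out log items worth a second look and compares a fix list against a later scan to show which items came back. The sample strings are lines copied from the logs above and combined into small constructed samples; the function names and reason labels are assumptions made for this illustration.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code text")

# An item line is "<section code> - <description>", e.g. "O4 - HKLM\..\Run: [lpt] bhoserv.exe".
ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 registry autoruns: "<hive>\..\Run[Services]: [value name] command line".
RUN_RE = re.compile(r"^(HK[A-Z]+\\\.\.\\Run\w*): \[(.+?)\] (.+)$")
NULL_CLSID = "{00000000-0000-0000-0000-000000000000}"

# Constructed samples: lines copied from the first scan, the fix lists and the v1.99.0 scan.
FIRST_SCAN = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: Search - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [WareOut] "C:\Programmer\WareOut\WareOut.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C10D7D-8000-47CA-B6FA-031868E72496}: NameServer = 69.50.166.94,69.31.80.244
"""

FIX_LIST = r"""
O2 - BHO: Search - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q1373921.dll
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [WareOut] "C:\Programmer\WareOut\WareOut.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C10D7D-8000-47CA-B6FA-031868E72496}: NameServer = 69.50.166.94,69.31.80.244
"""

LATER_SCAN = r"""
Logfile of HijackThis v1.99.0
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [WareOut] "C:\Programmer\WareOut\WareOut.exe"
O15 - Trusted Zone: *.www.dr.dk
"""


def parse_log(text):
    """Return the item lines of a log as Entry(code, text); header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def review_candidates(entries):
    """Return (reason, entry) pairs that deserve a manual look. These are leads, not verdicts."""
    leads = []
    for e in entries:
        run = RUN_RE.match(e.text) if e.code == "O4" else None
        if run and "\\" not in run.group(3):
            # Autorun given without a directory: the log does not say which file starts.
            leads.append(("run-no-path", e))
        elif e.code == "O17" and "NameServer" in e.text:
            # DNS servers set in the registry: confirm they belong to the user's ISP.
            leads.append(("dns-override", e))
        elif NULL_CLSID in e.text:
            # Browser add-on registered under an all-zero class id.
            leads.append(("null-clsid", e))
    return leads


def still_present(fix_list, later_log):
    """Entries from a fix list that show up again in a later scan (case-insensitive match)."""
    later = {(e.code, e.text.lower()) for e in parse_log(later_log)}
    return [e for e in parse_log(fix_list) if (e.code, e.text.lower()) in later]


if __name__ == "__main__":
    for reason, entry in review_candidates(parse_log(FIRST_SCAN)):
        print(f"{reason:13} {entry.code} - {entry.text}")
    print("Back after the fix:")
    for entry in still_present(FIX_LIST, LATER_SCAN):
        print(f"  {entry.code} - {entry.text}")
```

The path-less rule also flags the sound driver entry SOUNDMAN.EXE and misses WareOut, which has a full path, so the output is a list for a person to review rather than a removal list.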