HijackThis download problemer

Hvad med herfra : www.arlet.dk/hjt.dk

skulle være http://www.arlet.dk/hjt.exe

http://hjem.get2net.dk/arntsen/eksperten/diverse/virus.jpg

Har du prøvet at køre et onlinescan med enten panda eller housecall:  http://www.arlet.dk/faeetvirus.htm..

For det lyder mærkeligt at den reagerer både på linket fra spywarefri og mit link..

Ligger der noget i din hijackthis log??

har ikke kørt en hijack log, jeg downloader programmet og kører en scan på selve programmet, og vupti så kommer denne op at det er en virus i programmet.

Vil da prøve med en housecall for skæg skyld, har normalt ikke virus, men man ved aldrig :o)

/cdc

Ingen virus med housecall og stinger, nogle få spam/spy men ad-aware og spybot...
synes bare det er msytisk.
Er igang med at rense en laptop for virus og alt det andet der følger med, og ville så lave en log her til E, men så får jeg denne melding fra McAffe, og bliver lidt bekymret...

Og laptoppen kører ikke via samme net, er ikke koblet på nettet, derfor bruger jeg min egen til at downloade de programmer der skal bruges til at rense den med

/cdc

Kan være jeg ikke har fået en opdateret med en dat fil, selvom den skulle lave en automatisk opdatering hver dag, laver lige en update med denne fil, og ser hvad der så sker

Jeg setter lige points op og smider en logfil ind her, fra hans stationære:

Logfile of HijackThis v1.99.1
Scan saved at 09:31:26, on 09-03-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Programmer\Network Associates\VirusScan\VsStat.exe
C:\Programmer\Network Associates\VirusScan\Vshwin32.exe
C:\Programmer\Network Associates\VirusScan\Avconsol.exe
C:\Programmer\Fælles filer\Network Associates\McShield\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Programmer\QuickTime\qttask.exe
D:\iTouch\iTouch.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Classic PhoneTools\CapFax.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Programmer\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\MouseWare\system\em_exec.exe
C:\Programmer\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Programmer\Palm\HOTSYNC.EXE
D:\Programmer\SpywareGuard\sgmain.exe
D:\Programmer\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Alan T\Skrivebord\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.wholeworldmarket.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] D:\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CapFax] C:\Programmer\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - Startup: HotSync Manager.lnk = C:\Programmer\Palm\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = D:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Programmer\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Programmer\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Åbn billede i &Microsoft PhotoDraw - res://c:\PROGRA~1\MICROS~1\office\1030\phdintl.dll/phdContext.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\Programmer\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\Programmer\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110022474796
O19 - User stylesheet:  (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Programmer\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Programmer\Fælles filer\Network Associates\McShield\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\System32\ZoneLabs\vsmon.exe

Har ikke været hjemme, derfor det sene svar..

Du skal nu til at i gang med at fixe:

Kør Hijackthis, scan, sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked, luk hijackthis igen.
Dobbelttjek, så alt kommer med.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.wholeworldmarket.com/search/

O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot

O19 - User stylesheet:  (file missing)


Find og slet manuelt i fejlsikret(f8 ved opstart):


C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe

------------------------------------------------

Hent og kør denne scanner fra Kaspersky : http://www.spywareinfo.dk/download/mwav.exe
Sæt flueben i følgende: Memory, Startup folders, drive, Registry, System folders og Services.
Sæt prik i følgende: All local drives og Scan all files
Og så trykker du på Scan Clean

----------------------------------------------------------

Derefter genstarter du og sender en ny log herind, for at se om vi har fået den helt ren.

Jeg skal ud til ham med den bærbare ved 12:00 tiden så kigger jeg på det, og laver så en log fil på den også

dog i et nyt spørgsmål

Smid den bare den nye log her, når vi nu er i gang her..

jeg ser lige om jeg kan nå at gøre det med laptoppen nu her inden jeg kører
den er renset med virus programmer spybot ad-aware

Her er laptoppens logfil, undskyld forsinkelsen, har haft lidt travelt, venter lige med den stationære.

Logfile of HijackThis v1.99.1
Scan saved at 10:39:50, on 10-03-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\lsas.exe
C:\WINDOWS\System32\forbot.exe
C:\Programmer\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmer\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Programmer\Apoint2K\Apntex.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\saveas.exe
C:\WINDOWS\System32\mpdat.exe
C:\WINDOWS\system32\defragfatx.exe
C:\WINDOWS\system32\windns.exe
C:\WINDOWS\LMU.exe
C:\WINDOWS\xkfjp.exe
C:\windows\system32\saie.exe
C:\WINDOWS\System32\taskmgrs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
E:\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tdconline.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Programmer\TV Media\TvmBho.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe mpdat.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\System32\lmf32v.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmer\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Programmer\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programmer\Fælles filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programmer\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Programmer\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Save As WorkBits] saveas.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfatx.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\windns.exe
O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM\..\Run: [5PUqfad] C:\WINDOWS\xkfjp.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\xkfjp.exe
O4 - HKLM\..\Run: [win32] lsas.exe
O4 - HKLM\..\Run: [NDdapter] forbot.exe
O4 - HKLM\..\Run: [Task Manager] taskmgrs.exe
O4 - HKLM\..\RunServices: [Save As WorkBits] saveas.exe
O4 - HKLM\..\RunServices: [win32] lsas.exe
O4 - HKLM\..\RunServices: [NDdapter] forbot.exe
O4 - HKLM\..\RunServices: [Task Manager] taskmgrs.exe
O4 - HKLM\..\RunOnce: [win32] lsas.exe
O4 - HKLM\..\RunOnce: [NDdapter] forbot.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Save As WorkBits] saveas.exe
O4 - HKCU\..\Run: [win32] lsas.exe
O4 - HKCU\..\Run: [NDdapter] forbot.exe
O4 - HKCU\..\Run: [Task Manager] taskmgrs.exe
O4 - HKCU\..\RunServices: [Save As WorkBits] saveas.exe
O4 - HKCU\..\RunOnce: [win32] lsas.exe
O4 - HKCU\..\RunOnce: [NDdapter] forbot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\j2re1.4.2\bin\npjpi142.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/Bridge-c139.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://advnt01.com/dialer/internazionale_ver4.CAB
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\System32\lmf32v.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe

Du skal nu til at i gang med at fixe:

Kør Hijackthis, scan, sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked, luk hijackthis igen.
Dobbelttjek, så alt kommer med.


R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Programmer\TV Media\TvmBho.dll (file missing)

F2 - REG:system.ini: Shell=Explorer.exe mpdat.exe

O2 - BHO: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll

O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\System32\lmf32v.dll

O3 - Toolbar: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll

O4 - HKLM\..\Run: [Save As WorkBits] saveas.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfatx.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\windns.exe
O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM\..\Run: [5PUqfad] C:\WINDOWS\xkfjp.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C }ïÁzî[8C:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\xkfjp.exe
O4 - HKLM\..\Run: [win32] lsas.exe
O4 - HKLM\..\Run: [NDdapter] forbot.exe
O4 - HKLM\..\Run: [Task Manager] taskmgrs.exe
O4 - HKLM\..\RunServices: [Save As WorkBits] saveas.exe
O4 - HKLM\..\RunServices: [win32] lsas.exe
O4 - HKLM\..\RunServices: [NDdapter] forbot.exe
O4 - HKLM\..\RunServices: [Task Manager] taskmgrs.exe
O4 - HKLM\..\RunOnce: [win32] lsas.exe
O4 - HKLM\..\RunOnce: [NDdapter] forbot.exe
O4 - HKCU\..\Run: [Save As WorkBits] saveas.exe
O4 - HKCU\..\Run: [win32] lsas.exe
O4 - HKCU\..\Run: [NDdapter] forbot.exe
O4 - HKCU\..\Run: [Task Manager] taskmgrs.exe
O4 - HKCU\..\RunServices: [Save As WorkBits] saveas.exe
O4 - HKCU\..\RunOnce: [win32] lsas.exe
O4 - HKCU\..\RunOnce: [NDdapter] forbot.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/Bridge-c139.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://advnt01.com/dialer/internazionale_ver4.CAB


--------------------------------------------------------------------

Åbn en tilfældig mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

--------------------------------------------------------------------

Find og slet manuelt i fejlsikret(f8 ved opstart):

C:\WINDOWS\system32\defragfatx.exe
C:\WINDOWS\system32\windns.exe
C:\Programmer\ISTsvc<-hele mappen
C:\WINDOWS\xkfjp.exe


------------------------------------------------

Hent og kør spybot herfra: http://www.arlet.dk/spywarescanner.htm
scan hele computeren og slet alt hvad den finder

----------------------------------------------------------

Hent og kør denne scanner fra Kaspersky : http://www.spywareinfo.dk/download/mwav.exe
Sæt flueben i følgende: Memory, Startup folders, drive, Registry, System folders og Services.
Sæt prik i følgende: All local drives og Scan all files
Og så trykker du på Scan Clean

----------------------------------------------------------

Derefter genstarter du og sender en ny log herind, for at se om vi har fået den helt ren.

Jeg finder ikke denne: C:\Programmer\ISTsvc<-hele mappen

Så går du bare videre..

Det kan godt være at den ikke er der, ville bare lige være sikker..

har jeg gjort og er igang med kaspersky

Fint nok, den kan tage op til 2 timer afhængig af hvormeget du har på computeren

Uha det tog sin tid.....Vi scannede begge meskiner og deler kommentarene op i laptop og stationær.

Stationær:

Logfile of HijackThis v1.99.1
Scan saved at 22:35:25, on 12-03-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Programmer\Network Associates\VirusScan\VsStat.exe
C:\Programmer\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Network Associates\VirusScan\Avconsol.exe
C:\Programmer\Fælles filer\Network Associates\McShield\mcshield.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Programmer\QuickTime\qttask.exe
D:\iTouch\iTouch.exe
C:\Programmer\Classic PhoneTools\CapFax.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
D:\MouseWare\system\em_exec.exe
D:\Programmer\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programmer\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Programmer\Palm\HOTSYNC.EXE
D:\Programmer\SpywareGuard\sgmain.exe
D:\Programmer\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Alan T\Skrivebord\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] D:\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CapFax] C:\Programmer\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - Startup: HotSync Manager.lnk = C:\Programmer\Palm\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = D:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Programmer\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Programmer\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Åbn billede i &Microsoft PhotoDraw - res://c:\PROGRA~1\MICROS~1\office\1030\phdintl.dll/phdContext.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\Programmer\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\Programmer\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110022474796
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Programmer\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Programmer\Fælles filer\Network Associates\McShield\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\System32\ZoneLabs\vsmon.exe

LAPTOP:

Logfile of HijackThis v1.99.1
Scan saved at 20:24:35, on 12-03-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Programmer\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmer\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Apoint2K\Apntex.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\windows\system32\saie.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
E:\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tdconline.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Programmer\TV Media\TvmBho.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe mpdat.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\System32\lmf32v.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmer\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Programmer\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programmer\Fælles filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programmer\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Programmer\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [Task Manager] taskmgrs.exe
O4 - HKLM\..\Run: [mwavscan] "C:\Kaspersky\mwavscan.com" /s
O4 - HKLM\..\RunServices: [Task Manager] taskmgrs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [win32] lsas.exe
O4 - HKCU\..\Run: [Task Manager] taskmgrs.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\j2re1.4.2\bin\npjpi142.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/Bridge-c139.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://advnt01.com/dialer/internazionale_ver4.CAB
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\System32\lmf32v.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe

På laptoppen kommer DSO Exploit i spybot selv efter fix.

og ved opstart af maskinen kan den ikke finde filen forbot.exe, og mpdat.exe

På den stationære er der stadig småting i spybot, bland andet den som vil skifte startsiden som ikke vil væk

Godmorgen*S*

Stationæren:
Start op i fejlsikret og fix disse i hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe

find og slet denne manuelt:
C:\WINDOWS\system32\wuclient.exe

genstart og ny log

Laptoppen:
Start op i fejlsikret og fix disse i hijackthis:

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Programmer\TV Media\TvmBho.dll (file missing)

F2 - REG:system.ini: Shell=Explorer.exe mpdat.exe

O2 - BHO: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\System32\lmf32v.dll
O3 - Toolbar: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll

O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [Task Manager] taskmgrs.exe
O4 - HKLM\..\RunServices: [Task Manager] taskmgrs.exe
O4 - HKCU\..\Run: [win32] lsas.exe
O4 - HKCU\..\Run: [Task Manager] taskmgrs.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/Bridge-c139.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://advnt01.com/dialer/internazionale_ver4.CAB

O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\System32\lmf32v.dll

find og slet disse manuelt:
C:\WINDOWS\LMU.exe
C:\windows\system32\saie.exe


gå i søg og søg i skjulte filer og mapper og søg på:
mpdat.exe
taskmgrs.exe
lsas.exe

slet alt hvad den finder

genstart  og ny log..

Ps. den dos exploit er en bug i spybot. Den skulle være rettet, hvis du har hentet nyeste version af spybot og den er fuldt opdateret: http://www.arlet.dk/spywarescanner.htm

jeg går igang med laptoppen og få ham til at lave den på den anden, er ikke der mere i dag

Helt i orden..

Er først hjemme efter 16 i morgen

hvad med saie.log

saie.exe -> http://www.iamnotageek.com/a/saie.exe.php

og mpat.exe står når jeg søger som:

mpdat.exe-36fa027f.pf
mpdat.exe.mwt

dvs. saie.log slettes

mpat.exe-> http://www.superadblocker.com/M/MPDAT.EXE-4151.html

Din orm*S*

Her er laptoppen med ny log:

Logfile of HijackThis v1.99.1
Scan saved at 12:37:46, on 13-03-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmer\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Apoint2K\Apntex.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tdconline.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Programmer\TV Media\TvmBho.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmer\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Programmer\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programmer\Fælles filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programmer\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Programmer\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [mwavscan] "C:\Kaspersky\mwavscan.com" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Task Manager] taskmgrs.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\j2re1.4.2\bin\npjpi142.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe

denne O4 - HKCU\..\Run: [Task Manager] taskmgrs.exe er da en sej satan

Ja, prøv lige at fixe den et par gange stadig i fejlsikret og se om den forsvinder

prøver lige igen

I fejlsikkret loggede jeg mig på som admin, og så var den der ikke. Da jeg så loggede mig på med hans bruger var den der, så kunne den fixes:

Logfile of HijackThis v1.99.1
Scan saved at 13:00:56, on 13-03-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmer\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Apoint2K\Apntex.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tdconline.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Programmer\TV Media\TvmBho.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmer\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Programmer\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programmer\Fælles filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programmer\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Programmer\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [mwavscan] "C:\Kaspersky\mwavscan.com" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\j2re1.4.2\bin\npjpi142.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe

Så er din log ren.

Efter sådan en tur er det altid en god ide og rydde op i dine systemgendannelses filerne.
Deaktiver systemgendannelse ( http://www.arlet.dk/systemgendannelsen.htm ) - genstart din computer - aktiver systemgendannelse.
Og så skal du også lige skjule dine filer og mapper igen, så du ikke ved en fejl kommer til at slette en vigtig fil.
Det gør du samme sted, hvor du satte det til at vise alle filer, denne gang vælger du bare: Vis ikke skjulte filer og mapper.

For at beskytte dig mod snavs har jeg lavet en sikkerhedspakke,
som du kan hente her : www.arlet.dk/pakke.htm

ps. kan se at du har sat mwav til at starte op sammen med windows, så scanner den hver gang du tænder computeren. Det kan du slå fra i msconfig..

Tak for det den er nu afleveret så han får den med til Portugal i morgen tidlig. Han smider loggen til sin stationære lidt sener i dag

På den stationære vil denne ikke sådan slettes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

Spywareguard firhindrer siden i at blive lavet om.

Han finder ikke filen wuclient.exe

Men spybot efter opdatering commer der en error:
Error during check !
Z-Demon (Ungültiger Datentyp Für")



Spybot

når spywareguard kommer frem skal du bare accepter den nye side, så forsvinder about blank..

skal man ecceptere den nye, ok, troede man skulle beholde den gamle, skal han scanne med hijack igen for at få den frem igen

Logfil på stationær:

Logfile of HijackThis v1.99.1
Scan saved at 17:35:03, on 13-03-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Programmer\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Network Associates\VirusScan\Vshwin32.exe
C:\Programmer\Fælles filer\Network Associates\McShield\mcshield.exe
C:\Programmer\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Programmer\QuickTime\qttask.exe
D:\iTouch\iTouch.exe
C:\Programmer\Classic PhoneTools\CapFax.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Programmer\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programmer\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Programmer\Palm\HOTSYNC.EXE
D:\Programmer\SpywareGuard\sgmain.exe
D:\Programmer\SpywareGuard\sgbhp.exe
D:\MouseWare\system\em_exec.exe
C:\Documents and Settings\Alan T\Skrivebord\hjt.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] D:\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CapFax] C:\Programmer\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - Startup: HotSync Manager.lnk = C:\Programmer\Palm\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = D:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Programmer\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Programmer\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Åbn billede i &Microsoft PhotoDraw - res://c:\PROGRA~1\MICROS~1\office\1030\phdintl.dll/phdContext.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\Programmer\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\Programmer\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110022474796
O17 - HKLM\System\CCS\Services\Tcpip\..\{B931F6DA-D9CF-4BFD-83F0-F73C0E9F4E43}: NameServer = 195.82.195.101 129.142.7.101
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Programmer\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Programmer\Fælles filer\Network Associates\McShield\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\System32\ZoneLabs\vsmon.exe

Så er den stationærer også ren..

fino fino, så laver han bare det samme som jeg gjorde med hans laptop, men hvad med de filer der har denne til sidst: (file missing) ?

De messenger file missing kan du godt fjerne, de gør ikke noget..

Og mange tak for hjælpen :o) også en tak fra Alan....

Velbekommen..

Fortsat god weekend

i lige måde :o)