Søg
Avatar billede breon Nybegynder
23. april 2005 - 12:38 Der er 26 kommentarer og
1 løsning

God damn spyware! Hijackthis hjælp

Hejsa

Jeg har pludselig fået en masse ikoner på mit skrivebord (og som også ligger i c:\windows\system32 mappen) og derudover er det et program der kører nede ved uret, der hele tiden kommer med beskeder om jeg at bør installere dit og dat. Det er helt sikkert spyware, og min startside er blevet til www.newgenlook.info og der dukker hele tiden nye pop-ups op. Det har jeg ikke bedt om, og det vil jeg gerne have fjernet.

jeg har kørt Spybot og Adaware fjernet det de fandt. Her min Log fra Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:49, on 23-04-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\AppServ\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\AppServ\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\AppServ\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmer\- Utilities -\BHODemon\BHODemon.exe
C:\Programmer\- Utilities -\Rainlendar\Rainlendar.exe
C:\Programmer\- Utilities -\Samurize 1.31\Client.exe
C:\Programmer\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Programmer\Avant Browser\avant.exe
C:\Documents and Settings\Brian\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0179/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\Programmer\bxNewFolder\bxNewFolder.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\- Utilities -\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programmer\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\Programmer\FolderBox\FolderBox.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programmer\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Programmer\- Utilities -\BHODemon\BHODemon.exe
O4 - Startup: Rainlendar.lnk = C:\Programmer\- Utilities -\Rainlendar\Rainlendar.exe
O4 - Startup: Samurize.lnk = C:\Programmer\- Utilities -\Samurize 1.31\Client.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programmer\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Programmer\- Internet -\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Gem formularer &[ - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmer\- Internet -\GetRight\GRbrowse.htm
O8 - Extra context menu item: RF værktøjslinie &2 - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Tilpas RF menu - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Udfyld formularer &] - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Udfyld - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Udfyld formularer &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Gem - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Gem formularer &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF værktøjslinie &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c2.cab
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4A4B9560-E0F5-4CE0-8D69-6BA557C80B8F} (Ceye Object) - http://eyecadchertest.inforce.dk/VR/cadcher.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/212b26b3b8d930642905/netzip/RdxIE2.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) - http://80.166.214.174/home/SonySncRz30View.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {A1A961DA-2BA6-4032-859E-01AC35357163} (One2One Viewer) - http://www.one2one.com/static/class/one2one.cab
O16 - DPF: {A590956F-AE99-4419-BB39-3C721276C625} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0504.exe
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://80.164.11.164/v2/XUpload.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://netbank.bgbank.dk/html/activex/danskesikker/BG/DanskeSikker.cab
O20 - Winlogon Notify: MCPClient - C:\Programmer\Fælles filer\Stardock\mcpstub.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Programmer\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: MySQL - Unknown owner - C:\AppServ\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Programmer\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Avatar billede kalp Novice
23. april 2005 - 12:39 #1
ser på den
Avatar billede breon Nybegynder
23. april 2005 - 12:40 #2
Måske skulle jeg nævne, at AI Roboform, BxFolder og Folderbox ikke er spyware, og at jeg selv har installeret dem.
Avatar billede kalp Novice
23. april 2005 - 12:42 #3
I know:)

Genstart i Fejlsikret tilstand ved at taste F8 under opstart.

Kør HijackThis, scan og sæt et flueben ud for disse linjer - luk øvrige programvinduer. Dobbelt tjeck alt kom med!. Klik herefter "Fix checked" i hijackthis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0179/´
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c2.cab
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
O16 - DPF: {4A4B9560-E0F5-4CE0-8D69-6BA557C80B8F} (Ceye Object) - http://eyecadchertest.inforce.dk/VR/cadcher.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/212b26b3b8d930642905/netzip/RdxIE2.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) - http://80.166.214.174/home/SonySncRz30View.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {A1A961DA-2BA6-4032-859E-01AC35357163} (One2One Viewer) - http://www.one2one.com/static/class/one2one.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://80.164.11.164/v2/XUpload.ocx

Gå herefter i Start -> Programmer -> Tilbehør -> Systemværktøjer -> Diskoprydning og slet temp-filer, temporary internet files og papirkurv.

Genstart normalt og kopir en ny log herind så jeg kan se om vi fik ramt på det hele eller om noget er blevet overset:)
Avatar billede kalp Novice
23. april 2005 - 12:43 #4
ps. ikke alt er snavs.. lidt oprydning i din cabs.. hvad du får brug for bliver blot installeret automatisk igen når du besøger siderne
Avatar billede breon Nybegynder
23. april 2005 - 12:43 #5
skal jeg slå systemgendannelse fra først?
Avatar billede kalp Novice
23. april 2005 - 12:45 #6
nej for du har ikke virus.
Avatar billede breon Nybegynder
23. april 2005 - 12:57 #7
Her er så en ny log. newgenlook.info er der stadig og programmet nede i hjørnet kørte også i Fejlsikret tilstand (rød cirkel med et hvidt kryds) og jeg får stadig pop-ups.

Logfile of HijackThis v1.99.1
Scan saved at 12:55:23, on 23-04-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\AppServ\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\AppServ\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\AppServ\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmer\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmer\- Utilities -\BHODemon\BHODemon.exe
C:\Programmer\- Utilities -\Rainlendar\Rainlendar.exe
C:\Programmer\- Utilities -\Samurize 1.31\Client.exe
C:\Programmer\Stardock\ObjectDock\ObjectDock.exe
C:\Documents and Settings\Brian\Skrivebord\hijackthis.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0179/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\Programmer\bxNewFolder\bxNewFolder.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\- Utilities -\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programmer\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\Programmer\FolderBox\FolderBox.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programmer\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Programmer\- Utilities -\BHODemon\BHODemon.exe
O4 - Startup: Rainlendar.lnk = C:\Programmer\- Utilities -\Rainlendar\Rainlendar.exe
O4 - Startup: Samurize.lnk = C:\Programmer\- Utilities -\Samurize 1.31\Client.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programmer\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Programmer\- Internet -\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Gem formularer &[ - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmer\- Internet -\GetRight\GRbrowse.htm
O8 - Extra context menu item: RF værktøjslinie &2 - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Tilpas RF menu - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Udfyld formularer &] - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Udfyld - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Udfyld formularer &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programmer\Siber Systems\AI

RoboForm\RoboFormComFillForms.html
O9 - Extra button: Gem - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Gem formularer &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programmer\Siber Systems\AI

RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programmer\Siber Systems\AI

RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF værktøjslinie &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programmer\Siber Systems\AI

RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {A590956F-AE99-4419-BB39-3C721276C625} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0504.exe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://netbank.bgbank.dk/html/activex/danskesikker/BG/DanskeSikker.cab
O20 - Winlogon Notify: MCPClient - C:\Programmer\Fælles filer\Stardock\mcpstub.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Programmer\Adobe\Photoshop Elements

3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: MySQL - Unknown owner - C:\AppServ\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Programmer\Adobe\Photoshop Elements

3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Avatar billede kalp Novice
23. april 2005 - 13:02 #8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0179/

fix denne i fejlsikret tilstand.. med hijackthis

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0179/

Kør CWShredder, afbryd din internetforbindelse fysisk (stikket ud), luk alle vinduer undtaget cwshredder
Klik på Fix, den scanner nu, når den er færdigt klik på Next, klik på Exit.

tryk start->kør og skriv "regedit"
marker denne computer i regedit vinduet.
Tryk rediger->søg og skriv "http://www.newgenlook.info/ad/ad0179/"
slet alt den finder.

genstart normalt og ny log. Hvis du stadig har popups må vi anvende et andet værktøj for lader ikke til at være mere i loggen.
Avatar billede kalp Novice
23. april 2005 - 13:06 #9
Du manglede lige at fixe denne også

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
Avatar billede breon Nybegynder
23. april 2005 - 13:19 #10
Ja, det havde ikke den store effekt. CWShredder fandt ikke noget, http://www.newgenlook.info/ad/ad0179/ bliver gendannet med det samme efter den er fixet i Hijackthis. Jeg slettede de filer jeg fandt i regedit, men tror ikke det har haft nogen stor effekt.

Newgenlook.info er stadig min startside, det røde program fra helvede kører stadig nede ved uret, og popups'ne flyver op om ørene på mig.
Avatar billede breon Nybegynder
23. april 2005 - 13:19 #11
Hov, glemte lige loggen.

Logfile of HijackThis v1.99.1
Scan saved at 13:15:37, on 23-04-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\AppServ\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\AppServ\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\AppServ\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmer\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmer\- Utilities -\BHODemon\BHODemon.exe
C:\Programmer\- Utilities -\Rainlendar\Rainlendar.exe
C:\Programmer\- Utilities -\Samurize 1.31\Client.exe
C:\Programmer\Stardock\ObjectDock\ObjectDock.exe
C:\Documents and Settings\Brian\Skrivebord\hijackthis.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0179/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\Programmer\bxNewFolder\bxNewFolder.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\- Utilities -\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programmer\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\Programmer\FolderBox\FolderBox.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programmer\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Programmer\- Utilities -\BHODemon\BHODemon.exe
O4 - Startup: Rainlendar.lnk = C:\Programmer\- Utilities -\Rainlendar\Rainlendar.exe
O4 - Startup: Samurize.lnk = C:\Programmer\- Utilities -\Samurize 1.31\Client.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programmer\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Programmer\- Internet -\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Gem formularer &[ - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmer\- Internet -\GetRight\GRbrowse.htm
O8 - Extra context menu item: RF værktøjslinie &2 - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Tilpas RF menu - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Udfyld formularer &] - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Udfyld - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Udfyld formularer &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Gem - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Gem formularer &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF værktøjslinie &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programmer\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {A590956F-AE99-4419-BB39-3C721276C625} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0504.exe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://netbank.bgbank.dk/html/activex/danskesikker/BG/DanskeSikker.cab
O20 - Winlogon Notify: MCPClient - C:\Programmer\Fælles filer\Stardock\mcpstub.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Programmer\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: MySQL - Unknown owner - C:\AppServ\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Programmer\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Avatar billede breon Nybegynder
23. april 2005 - 13:21 #12
Der må være en eller anden ondsindet process der kører på min comp, og som er skyld i alt det her.
Avatar billede kalp Novice
23. april 2005 - 13:22 #13
vi må prøve noget andet.

Hent dllcompare
http://download.broadbandmedic.com/DllCompare.exe
eller
http://www.fbeej.dk/Programmer/DllCompare.exe

Kør programmet og klik på Run Locate.com og vent et kort øjeblik (der kommer en meddelelse med blå skrift: "Completed the scan - click compare to continue").

Klik nu på Compare og vent lidt - denne gang tager det nok et par minutter

Når den er færdig med at lede ("completed" med blå skrift), kan du klikke på "Make a Log of what was Found". Nu spørger programmet om du vil se log'en - svar ja og kopier log'en herind
Avatar billede breon Nybegynder
23. april 2005 - 13:28 #14
Jeg får en fejlmeddelse når jeg trykker Run locate.com:

16-bit MS-DOS-undersystem

C:\....\locate.com
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. Systemfilen er ikke egnet til at MS-DOS og Microsoft Windows Programmer. Vælg "Luk" for at afslutte programmet.

Luk            Ignorer

Når jeg så klikker Compare sker der ingenting.
Avatar billede kalp Novice
23. april 2005 - 13:29 #15
Klik start | kør, skriv cmd og tryk enter.
skriv
copy c:\windows\repair\autoexec.nt c:\windows\system32
og tryk enter.

og prøv igen
Avatar billede breon Nybegynder
23. april 2005 - 13:31 #16
Det hjalp. Her er loggen:

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1.357 items found:  1.357 files, 0 directories.
Total of file sizes:  285.632.169 bytes    272,40 M

Administrator Account =  True

--------------------End log---------------------
Avatar billede kalp Novice
23. april 2005 - 13:33 #17
sidste prøv med
Hent silentrunner her:
http://www.silentrunners.org/Silent%20Runners.vbs

og kom med en log fra silent hunter

håber sgu ikke det fordi jeg overser noget i hijackthis.
Avatar billede breon Nybegynder
23. april 2005 - 13:34 #18
"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"zBrowser Launcher" = "C:\Programmer\Logitech\iTouch\iTouch.exe" ["Logitech Inc."]
"Zone Labs Client" = ""C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs LLC"]
Avatar billede breon Nybegynder
23. april 2005 - 13:35 #19
Der var lige lidt mere...

"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"zBrowser Launcher" = "C:\Programmer\Logitech\iTouch\iTouch.exe" ["Logitech Inc."]
"Zone Labs Client" = ""C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{51C8BCA8-2524-4523-BF09-738C4EEBFC58}\(Default) = "bxNewFolder" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\bxNewFolder\bxNewFolder.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\- Utilities -\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{724d43a9-0d85-11d4-9908-00400523e39a}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]
{BBE59AF5-EE22-4A3A-AB26-3F774D1B4216}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\FolderBox\FolderBox.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-ikon"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\- Utilities -\Winrar 3.20\rarext.dll" [null data]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
  -> {CLSID}\InProcServer32\(Default) = "c:\Programmer\SmartFTP\smarthook.dll" ["SmartFTP"]
"{C5098102-EAF2-493A-883A-B7B751B21534}" = "FolderBox Shell Extensions"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\FolderBox\FolderBoxShell.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"0aMCPClient" = "{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Fælles filer\Stardock\MCPCore.dll" ["Stardock"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! MCPClient\DLLName = "C:\Programmer\Fælles filer\Stardock\mcpstub.dll" ["Stardock"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Fælles filer\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\ModernismMovement_v2.bmp"


Startup items in "Brian" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Brian\Menuen Start\Programmer\Start
"BHODemon 2.0" -> shortcut to: "C:\Programmer\- Utilities -\BHODemon\BHODemon.exe" ["Definitive Solutions, Inc."]
"Rainlendar" -> shortcut to: "C:\Programmer\- Utilities -\Rainlendar\Rainlendar.exe" [null data]
"Samurize" -> shortcut to: "C:\Programmer\- Utilities -\Samurize 1.31\Client.exe" [null data]
"Stardock ObjectDock" -> shortcut to: "C:\Programmer\Stardock\ObjectDock\ObjectDock.exe" ["Stardock"]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start
"Adobe Gamma Loader" -> shortcut to: "C:\Programmer\Fælles filer\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Enabled Scheduled Tasks:
------------------------

"FRU Task #Hewlett-Packard#hp psc 1200 series#1066473338" -> launches: "C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1066473338"" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 31
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{724D43A0-0D85-11D4-9908-00400523E39A}"
  -> {CLSID}\(Default) = "&RoboForm"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{724D43A0-0D85-11D4-9908-00400523E39A}"
  -> {CLSID}\(Default) = "&RoboForm"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{724D43A0-0D85-11D4-9908-00400523E39A}"
  -> {CLSID}\(Default) = "&RoboForm"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{3F5A62E2-51F2-11D3-A075-CC7364CAE42B}\
  -> {CLSID}\(Default) = "&Folder Box"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\FolderBox\FolderBox.dll" [null data]
Avatar billede breon Nybegynder
23. april 2005 - 13:37 #20
Det er en kradsbørstig satan den newgenlook.info (hvis det er den der ligger og kører i taskbaren), men jeg kan ikke finde noget på google om den.
Avatar billede breon Nybegynder
23. april 2005 - 13:39 #21
De eneste jeg er lidt i tvivl om i Hijackthis loggen er disse:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe

Men er det ikke systemfiler? Jeg har tidligere set Spørgsmål hvor f.eks. lsass.exe og svchost.exe skulle fjernes.
Avatar billede kalp Novice
23. april 2005 - 13:41 #22
alle dem du nævner er legale filer.. må du IKKE fjerne.. det du har set blive fjernet er filer med filnavne som ligner for at snyde Os.

i fejlsikret tilstand find disse filer

C:\WINDOWS\System32\param32.dll
C:\WINDOWS\System32\guninst.exe
C:\WINDOWS\System32\popup_bl.dll

pak dem alle sammen med fx winzip eller winrar.. og slet dem efterfølgende.. måske er det ikke alle du finder.

genstart normalt og se om problemet er løst. Jeg er usikker på hvad der er for nogle filer. hvis ikke det løser det hiver jeg lige en anden herind.
Avatar billede breon Nybegynder
23. april 2005 - 13:43 #23
ok, så zip filen er en slags backup.
Avatar billede kalp Novice
23. april 2005 - 13:44 #24
præcis:)
Avatar billede breon Nybegynder
23. april 2005 - 13:57 #25
Så tror jeg faktisk vi fik ram det rigtige.

guninst.exe og popup_bl.dll blev slettet uden problemer. param32.dll kunne jeg ikke umiddelbart få lov at slette, så jeg omdøbte den til "sletmig" og genstartede. Nu var programmet fra helvede væk, og jeg kunne gå ind i C:\WINDOWS\System32\ og slette filen "sletmig".
Der har heller ikke været nogle pop-ups siden jeg genstartede, så mon ikke problemet er væk. Jeg håber det.

Jeg siger i hvert fald mange tak for hjælpen. Det var en sej omgang, og jeg havde kunne klare det selv.
Avatar billede breon Nybegynder
23. april 2005 - 13:58 #26
Hov, jeg havde IKKE kunnet klare det selv skulle der have stået :-)
Avatar billede kalp Novice
23. april 2005 - 14:00 #27
*G* det i orden:) jeg håber da det var det:) for har aldrig set den infektion før:P og var på vej ud af døren så viste sgu ikke lige hvad jeg skulle gøre:)) men at du havde filerne guninst.exe og popup_bl.dll bekræfter blot det er snavs for dem kan jeg overhovedet ikke se nogen steder på denne side at du har:))
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
Se alle it-kurser fra Computerworld Kurser
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.
Se alle it-kurser

Flere spørgsmål fra Andet sikkerhed kategorien

Titel Indlæg Oprettet Seneste aktivitet
hvilken afløser kan I anbefale? Af jcr18 i Andet sikkerhed 5 17/03/202610:32 18/03/202615:36
Advarsler om datalæk for nogle apps Af nu_igen i Andet sikkerhed 6 02/02/202614:54 03/02/202613:45
Mail fra Yousee ? Svindel? Af nu_igen i Andet sikkerhed 4 13/01/202617:27 14/01/202609:36
Er det sandsynligt, at jeg har været udsat for phishing Af Slettet bruger i Andet sikkerhed 4 13/11/202515:09 14/11/202510:45
Google fake Af johp i Andet sikkerhed 3 27/10/202516:31 28/10/202506:52
Se alle spørgsmål i kategorien Opret spørgsmål

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Opret Log ind

Du kan også logge ind via nedenstående tjenester

Alle kategorier på Eksperten
IT-JOB

Forsvarsministeriets Materiel- og Indkøbsstyrelse

Stærk sagsbehandler til støtte for Kapacitetsmanager og egen portefølje

Digitaliseringsstyrelsen

Systemforvalter til borger.dk

Politiets Efterretningstjeneste

Tech-studentermedhjælpere i PET

Lyngsøe Rainwear ApS

ERP & E-commerce Systemansvarlig

Netcompany A/S

Linux Operations Engineer
Seneste spørgsmål Seneste aktivitet
31/0310:22 Makro der gemmer vedhæftet fil fra Msg og omdøber filen Af lokesa i Excel
30/0313:45 Kablet forbindelse mellem android telefon og windows 11 pc Af 1Dorte i Android
30/0312:04 Elementtype vises - og ikke billedet? Af hkprofil i Billedbehandling
29/0312:08 Problemer med replay af købte kursusvideoer Af annam i Browsere
28/0311:18 DENVER DVB-tMPEG-4 HD TUNER Af ole falsted i Fjernsyn & projektorer
White papers
Flere white papers »