Notifikationer

Markér alle som læst Log ud

krohn Praktikant

02. juni 2005 - 04:52 Der er 13 kommentarer og
1 løsning

Hijack this log x2

vi har et par pc stillet til rådighed på vores arbejde, men da folk er pænt ligeglade med dem, da det ikke er deres, og IT stort set har afskrevet dem, ja så virker de ikke særlig godt. Da det er den eneste mulighed for dem der ikke er med på netværket til at chekke deres mail, vil vi gerne hace dam op og køre igen ( en platform i nordsøen)
Der er to logs
pc1 020605 og pc2 020605

pc1 020506:
Logfile of HijackThis v1.99.1
Scan saved at 04:41:07, on 02.06.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\switpa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOWNLO~1\TRICKS~1.EXE
C:\WINDOWS\DitExp.exe
C:\Program Files\Network Associates\VirusScan\scan32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\scan32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\All Users\Documents\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENONO/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.start.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://10.47.6.10/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [TrickshotSetup.exe] C:\DOWNLO~1\TRICKS~1.EXE /r
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02FA83A9-8B0B-46D3-B5F9-641B0CE522FB}: NameServer = 10.47.6.11,10.255.242.33
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AAEA8D8-05B4-4FE3-8700-9061DF13814A}: NameServer = 129.241.190.190
O17 - HKLM\System\CCS\Services\Tcpip\..\{63FB4FA6-1143-4DA4-9BFF-373BE8E446C6}: NameServer = 129.241.190.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{02FA83A9-8B0B-46D3-B5F9-641B0CE522FB}: NameServer = 10.47.6.11,10.255.242.33
O17 - HKLM\System\CS2\Services\Tcpip\..\{02FA83A9-8B0B-46D3-B5F9-641B0CE522FB}: NameServer = 10.47.6.11,10.255.242.33
O18 - Filter: text/html - {0950EC2B-EDBB-4AD3-854E-09B9A5A9CFFA} - C:\Documents and Settings\User\Local Settings\Application Data\microsoft\internet explorer\V0.28.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

pc2 020506:
Logfile of HijackThis v1.99.1
Scan saved at 04:48:30, on 02.06.2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
C:\WINNT\system32\CHKADMIN.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MEDIACTR.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MMUSBKB2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\Dit.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\Toolbar\PIB.exe
\Temp-xzsewtcece\SharedDocs\Hijack\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINNT\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://10.47.6.10/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: NavErrRedir Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA880F} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Easy Access Keyboard] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CHKADMIN] CHKADMIN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\Run: [ybe] C:\WINNT\system32\ybe.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
O4 - HKCU\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185XXNO
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: Tarantella Client, version 3.4 - https://livewire.bakerhughesdirect.com/tarantella/java/ttaB-du.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1021_EN.cab
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.skandiabanken.no/CertControl/x86/xenroll.dll
O16 - DPF: {12B891F6-51BD-4CBB-A585-ECCBEF04A855} (Vacpro.norway) - http://www.7adpower.com/dialer/norway.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/TerraExplorer/Install/TEInstallPlugIn.cab
O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00620BD00008} (Nordfyns Banks Netbank) - https://www.nordfynsbank.dk/snordfynibp2000ib100.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1048_pack.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_5_EN.cab
O16 - DPF: {5CBF8C22-E9A6-11D7-90FE-000AE4012DB4} - http://a0e6.ffx23wl.nl/plugins/nl/ls.cab
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} - http://secure.aconti.net/acontix/goodthinxx.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {8B936702-C234-40D0-B69C-A2F669A33978} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_7_EN.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {91413D86-9F27-402C-B5E3-DEBDD122C339} - http://content2.netvenda.com/sites/games-intl/no/games4.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/no/games4.cab
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} - http://www.myemessenger.com/activex/MyEMessengerSetupProject.cab
O16 - DPF: {93829908-07C2-44A2-95DB-F78F201A9B48} - http://adblock.linkz.com/APHelper.dll
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMLIB_1035_pack.cab
O16 - DPF: {B198E1E6-8B46-4B68-9AB3-695994FF2F9A} (Vacpro.norway_new) - http://www.7adpower.com/dialer/norway.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} - file://C:\WINNT\SexDownloader.cab
O16 - DPF: {BD092CD7-AA66-4FF6-8CE1-D4E01489ED2B} (VacPro.UserControl1) - http://www.7adpower.com/dialer/EMSAT.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1009_1035_pack.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://www.gxplugin.com/loader/dll/gxbplug.dll
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014021.exe
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} - http://www.spybouncer.com/downloader/downloader.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\CPQDIAG\CPQDFWAG.EXE
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

Synes godt om

levich Nybegynder

02. juni 2005 - 08:25 #1

Jeg ser på de to logs

Synes godt om

levich Nybegynder

02. juni 2005 - 08:54 #2

PC1

Vent med at gøre noget indtil jeg siger til.

I nogle af nedestående linjer har jeg lavet kommentarer i [** **]. Det skyldes programmer, som måske ikke skal være på en delecomputer. Hvad siger du til dem.

Flere af linjerne henviser til en computer med ip-adressen 10.47.6.11, som er en computer på jeres lokalnetværk, hvorfra der hentes nogle indstillinger. Skal det være sådan?

Netbank på en delecomputer. Ikke så smart, efter min mening?

Det er en enkelt spyware/virus. Som vi fjerner lidt senere.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENONO/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.start.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://10.47.6.10/proxy.pac [** skal den være der? Noget med autosettings til internettet **]
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe [** iTunes program. Afinstalleres? **]
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [** afinstalleres? **]
O4 - HKCU\..\Run: [TrickshotSetup.exe] C:\DOWNLO~1\TRICKS~1.EXE /r [** http://games.tdconline.dk/product/product=63, afinstalleres? **]
O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab [** www.miniclip.com, fix linjen? **]
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab [** Netbank på en delecomputer? **]
O17 - HKLM\System\CCS\Services\Tcpip\..\{02FA83A9-8B0B-46D3-B5F9-641B0CE522FB}: NameServer = 10.47.6.11,10.255.242.33
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AAEA8D8-05B4-4FE3-8700-9061DF13814A}: NameServer = 129.241.190.190
O17 - HKLM\System\CCS\Services\Tcpip\..\{63FB4FA6-1143-4DA4-9BFF-373BE8E446C6}: NameServer = 129.241.190.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{02FA83A9-8B0B-46D3-B5F9-641B0CE522FB}: NameServer = 10.47.6.11,10.255.242.33
O17 - HKLM\System\CS2\Services\Tcpip\..\{02FA83A9-8B0B-46D3-B5F9-641B0CE522FB}: NameServer = 10.47.6.11,10.255.242.33
O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe [** iPod, afinstalleres? **]

Synes godt om

levich Nybegynder

02. juni 2005 - 09:05 #3

PC2 indeholder rigtig mange ting, kan jeg se. Start med at afinstallere de ting som ikke skal være der, ved at gå ind under "kontrolpanelet" og "tilføj/fjern programmer".

Hent http://www.spywarefri.dk/vaerktoj.htm#spybot (Spybot).
Start programmet, opdater og scan. Slet linjerne med rød tekst.
Genstart computeren.

Lav en ny log med hijackthis og send der herind.

Synes godt om

krohn Praktikant

02. juni 2005 - 11:55 #4

Kan man hente opdateringerne på en anden pc, da den ikke vil køre IE på pc2

Synes godt om

levich Nybegynder

02. juni 2005 - 12:46 #5

Du kan hente forskellige opdateringer her: http://intern.sdu.dk/enheder/it-service/tjenester/ftphotel/ftpindhold/
Hvis du ikke ved, hvordan man overfører filer fra PC1 til PC2, er det nok lettest at hente opdateringerne på en vilkårlig computer og brænde dem på en CD. Tag CD med til PC2 og opdater.

NB: www.eksperten.dk har problemer med deres system i øjeblikket. Det kan godt være at jeg derfor er langsom til at svare på dine spørgsmål.

Synes godt om

krohn Praktikant

02. juni 2005 - 15:27 #6

Det var ikke det store problem at overføre via lan, jeg ville bare høre om opdateringen lå som en fil til download. men det gik ok, jeg har kørt den og den fandt ca 106 items, men kunne ikke fjerne alle. Jeg har kørt Hijack igen på pc2 og sender logen..
Netbank på en dele p, nej ikke mig, men da det er vel op til folk selv hvor de vil smide deres oplysninger.
Denne pc er logget på vores netwærk via novel men har begrænset adgang så de ref til ip 10.x.x.x.x skal nok være der, de køre begge også på en proxy server.

Her er loggen fra pc 2 log 2:

Logfile of HijackThis v1.99.1
Scan saved at 13:35:44, on 02.06.2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
C:\WINNT\system32\CHKADMIN.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MEDIACTR.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MMUSBKB2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
\Temp-xzsewtcece\SharedDocs\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINNT\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://10.47.6.10/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: NavErrRedir Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA880F} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Easy Access Keyboard] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CHKADMIN] CHKADMIN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\Run: [ybe] C:\WINNT\system32\ybe.exe
O4 - HKLM\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
O4 - HKCU\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185XXNO
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: Tarantella Client, version 3.4 - https://livewire.bakerhughesdirect.com/tarantella/java/ttaB-du.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1021_EN.cab
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.skandiabanken.no/CertControl/x86/xenroll.dll
O16 - DPF: {12B891F6-51BD-4CBB-A585-ECCBEF04A855} (Vacpro.norway) - http://www.7adpower.com/dialer/norway.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/TerraExplorer/Install/TEInstallPlugIn.cab
O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00620BD00008} (Nordfyns Banks Netbank) - https://www.nordfynsbank.dk/snordfynibp2000ib100.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1048_pack.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_5_EN.cab
O16 - DPF: {5CBF8C22-E9A6-11D7-90FE-000AE4012DB4} - http://a0e6.ffx23wl.nl/plugins/nl/ls.cab
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} - http://secure.aconti.net/acontix/goodthinxx.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {8B936702-C234-40D0-B69C-A2F669A33978} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_7_EN.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {91413D86-9F27-402C-B5E3-DEBDD122C339} - http://content2.netvenda.com/sites/games-intl/no/games4.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/no/games4.cab
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} - http://www.myemessenger.com/activex/MyEMessengerSetupProject.cab
O16 - DPF: {93829908-07C2-44A2-95DB-F78F201A9B48} - http://adblock.linkz.com/APHelper.dll
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMLIB_1035_pack.cab
O16 - DPF: {B198E1E6-8B46-4B68-9AB3-695994FF2F9A} (Vacpro.norway_new) - http://www.7adpower.com/dialer/norway.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} - file://C:\WINNT\SexDownloader.cab
O16 - DPF: {BD092CD7-AA66-4FF6-8CE1-D4E01489ED2B} (VacPro.UserControl1) - http://www.7adpower.com/dialer/EMSAT.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1009_1035_pack.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://www.gxplugin.com/loader/dll/gxbplug.dll
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014021.exe
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} - http://www.spybouncer.com/downloader/downloader.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\CPQDIAG\CPQDFWAG.EXE
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

Synes godt om

levich Nybegynder

03. juni 2005 - 09:14 #7

PC2:

Pyha, det var en stor opgave. Der er mange ting, som skal fjernes, men også nogle ting som jeg er i tvivl om. Print denne vejledning ud, og følg den.

Det program her giver “remote control over the PC”. Det kan være fra jeres IT-afdeling?
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" –servicehelper

Der er installeret Yahoo Toolbar eller noget i den retning. Det kan du roligt fjerne.

Jeg forventer at de to linjer, der starter med ”O15 – ProtocolDefaults”, skal slettes. Genkender du dem?

Linjerne, der start med 016, er ActiveX komponenter som startes sammen med Internet Explorer. Der er rigtig mange på PC2 af dem, hvor mange SKAL fjernes. Nogle af dem er det jeg vil kalde virus. Nogle BØR fjernes – dem har jeg skrevet [** check selv **] ud for, så du selv kan vurdere.

(1)
Hent scannereren http://www.mwti.net/antivirus/mwav.asp, og gem den i mappen c:\xyz.

(2)
Genstart computeren i fejlsikret tilstand (tryk F8 når Windows starter op), og fix følgende linjer med HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINNT\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: NavErrRedir Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA880F} - (no file)
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\Run: [ybe] C:\WINNT\system32\ybe.exe
O4 - HKLM\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
O4 - HKCU\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185XXNO
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O15 - Trusted Zone: http://www.neededware.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: Tarantella Client, version 3.4 - https://livewire.bakerhughesdirect.com/tarantella/java/ttaB-du.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab [** check selv **]
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1021_EN.cab
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.skandiabanken.no/CertControl/x86/xenroll.dll [** check selv **]
O16 - DPF: {12B891F6-51BD-4CBB-A585-ECCBEF04A855} (Vacpro.norway) - http://www.7adpower.com/dialer/norway.CAB
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/TerraExplorer/Install/TEInstallPlugIn.cab
O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00620BD00008} (Nordfyns Banks Netbank) - https://www.nordfynsbank.dk/snordfynibp2000ib100.cab [** check selv **]
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1048_pack.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab [** check selv **]
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab [** check selv **]
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_5_EN.cab
O16 - DPF: {5CBF8C22-E9A6-11D7-90FE-000AE4012DB4} - http://a0e6.ffx23wl.nl/plugins/nl/ls.cab
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} - http://secure.aconti.net/acontix/goodthinxx.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {8B936702-C234-40D0-B69C-A2F669A33978} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_7_EN.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {91413D86-9F27-402C-B5E3-DEBDD122C339} - http://content2.netvenda.com/sites/games-intl/no/games4.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/no/games4.cab
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} - http://www.myemessenger.com/activex/MyEMessengerSetupProject.cab
O16 - DPF: {93829908-07C2-44A2-95DB-F78F201A9B48} - http://adblock.linkz.com/APHelper.dll
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMLIB_1035_pack.cab
O16 - DPF: {B198E1E6-8B46-4B68-9AB3-695994FF2F9A} (Vacpro.norway_new) - http://www.7adpower.com/dialer/norway.CAB
O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} - file://C:\WINNT\SexDownloader.cab
O16 - DPF: {BD092CD7-AA66-4FF6-8CE1-D4E01489ED2B} (VacPro.UserControl1) - http://www.7adpower.com/dialer/EMSAT.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1009_1035_pack.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://www.gxplugin.com/loader/dll/gxbplug.dll
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab [** check selv **]
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014021.exe
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} - http://www.spybouncer.com/downloader/downloader.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab [** check selv **]
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

Åbn en tilfældig mappe, i menuen klik på Funktioner -> Mappeindstillinger -> Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

søg efter og slet følgende filer:
C:\WINNT\TEMP\sp.html
C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
C:\WINNT\system32\ybe.exe
hotkeysvc.exe
EGCOMLIB_1035.dll
C:\WINNT\SexDownloader.cab
C:\Program Files\Common Files\WinTools\WToolsS.exe
... og følgende mapper:
C:\Program Files\TightVNC\ [** se kommentar øverst **]
C:\Program Files\WebSpecials\
C:\Program Files\Common files\SearchUpgrader\
C:\PROGRA~1\Toolbar\

(3)
Start -> programmer -> tilbehør -> systemværktøjer -> diskoprydning -> Slet Temporary internet files, papirkurv og midlertidige filer.

(4)
Kør scanneren mwav.exe, og sæt flueben i følgende:
Memory, Startup folders, drive, Registry, System folders og Services.
Sæt prik i følgende: All local drives og Scan all files.
Tryk på Scan Clean
Scanningen kan godt tage et par timer.

(5)
Genstart computeren normalt. Lav en ny log med HijackThis, og send den herind.

Synes godt om

levich Nybegynder

03. juni 2005 - 09:17 #8

PC1:

(1)
Deaktiver systemgendannelse, ved at Højreklikke på "Denne Computer" på skrivebordet -> egenskaber -> Systemgendannelse -> sæt flueben i "Deaktiver systemgendannelse" -> Klik OK.

(2)
Hent scannereren http://www.mwti.net/antivirus/mwav.asp, og gem den i mappen c:\xyz.
Fjern kablet til internettet/lokalnetværket.

(3)
Genstart computeren i fejlsikret tilstand (tryk F8 når Windows starter op), og fix følgende linjer med HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENONO/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.start.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe [** iTunes program. Afinstalleres? **]
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [** afinstalleres? **]
O4 - HKCU\..\Run: [TrickshotSetup.exe] C:\DOWNLO~1\TRICKS~1.EXE /r [** http://games.tdconline.dk/product/product=63, afinstalleres? **]
O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab [** www.miniclip.com, fix linjen? **]
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab [** Netbank på en delecomputer? **]
O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe [** iPod, afinstalleres? **]

Åbn en tilfældig mappe, i menuen klik på Funktioner -> Mappeindstillinger -> Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

søg efter og slet følgende fil:
C:\WINDOWS\switpa.exe

(4)
Start -> programmer -> tilbehør -> systemværktøjer -> diskoprydning -> Slet Temporary internet files, papirkurv og midlertidige filer.

(5)
Kør scanneren mwav.exe, og sæt flueben i følgende:
Memory, Startup folders, drive, Registry, System folders og Services.
Sæt prik i følgende: All local drives og Scan all files.
Tryk på Scan Clean
Scanningen kan godt tage et par timer.

(6)
Genstart computeren normalt. Lav en ny log med HijackThis, og send den herind.

(7)
Når vi er helt færdige, så husk at aktiver systemgendannelse igen.

Synes godt om

levich Nybegynder

03. juni 2005 - 09:19 #9

Rettelse til vejledningen for PC2: Fjern kablet til internettet/lokalnettet lige før punkt (2) i vejledningen.

Der er stor risiko for at computere på et lokalnetværket forsøger at sende virus o.lign. til hinanden hele tiden. Det er vigtigt at beskytte computerne godt.

Synes godt om

krohn Praktikant

03. juni 2005 - 19:45 #10

Den scanner, finder da godt nok nogle ting, men de vil have penge for at fjerne dem. da jeg ikke har fingerne i firma kassen, så kan jeg desvære ikke købe den, er der en anden der er free?

Synes godt om

kalp Novice

03. juni 2005 - 19:47 #11

Hej krohn >>

gå herind.

c:\windows\prefech\

slet evt. alt indholdet af mappen eller blot alt der har med nwav scanneren at gøre... så burde det virke for programmet fjerner dit snavs gratis.

Synes godt om

krohn Praktikant

03. juni 2005 - 20:40 #12

Det er der ikke nogen mappe der hedder

Synes godt om

krohn Praktikant

04. juni 2005 - 20:56 #13

Fik pc 2 til at virke men da der er nogen der i nat har "pillet" ved pc1, så den ligner en der har "smidt" boot record gider jeg simpenhen ikke bruge mere af min tid på dette. igår satte jeg pc2 til at scanne, lage et skilt over tastaturet og hentede mig en kop kaffe, da jeg kom tilbage var der to igang med at "pille" ved Hijackthis, tror nok jeg fik forklaret dem hvad jeg mente om det "svært skuffet" men du skal da have dine points, de er fortjænt
skrives
/jacob

Synes godt om

levich Nybegynder

05. juni 2005 - 23:48 #14

En idé: Næste gang du formaterer de to computere og installerer windows forfra, så tag en backup på CD'er. Brug f.eks. Norton Ghost, som firmaet kan købe.

Synes godt om

Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Følg dette spørgsmål

Opret Preview

Se alle it-kurser fra Computerworld Kurser

IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Se alle it-kurser

Flere spørgsmål fra Virus kategorien

Titel	Indlæg	Oprettet	Seneste aktivitet
Vil skrifte antivirusprogram. Af ErikHg i Virus	22	26/11/202510:42	23/12/202514:29
Er gratis Bitdefender værd at installere ? Af Ikke-ekspert i Virus	8	31/08/202519:08	01/09/202514:18
Ukendte filer på min Pc Af jonpet i Virus	10	03/02/202514:20	04/02/202511:05
mulig ukendt virus Af jackie18 i Virus	3	18/01/202514:07	18/01/202516:39
virus popper op med jævne mellemrum Af Malm i Virus	13	18/01/202511:40	20/01/202517:53

Se alle spørgsmål i kategorien Opret spørgsmål

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester

Alle kategorier på Eksperten

Seneste artiklerRSS