gf (Beginner)
3 August 2005 - 19:56. There are 34 comments and 1 solution.

Spyware or virus?

Hi

On my PC, Internet Explorer starts up spontaneously with web pages for casinos, DVDs, etc. I have F-Secure Anti-Virus and Ad-Aware Personal Edition. According to these programs there should be neither viruses nor spyware. What else could be on my computer?

Regards, gf
tiger_dk (Master)
3 August 2005 - 19:58 #1
Try making a log with HijackThis and post it here!
gf (Beginner)
3 August 2005 - 20:04 #2
Hi

Here is the log

Logfile of HijackThis v1.99.1
Scan saved at 20:03:06, on 03-08-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programmer\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmer\F-Secure\Anti-Virus\fssm32.exe
C:\Programmer\F-Secure\Common\FSMA32.EXE
C:\Programmer\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\F-Secure\Common\FCH32.EXE
C:\Programmer\F-Secure\Common\FAMEH32.EXE
C:\Programmer\F-Secure\Common\FNRB32.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\F-Secure\Common\FIH32.EXE
C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
C:\Programmer\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programmer\F-Secure\Common\FSM32.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\Programmer\F-Secure\FSGUI\fsguiexe.exe
C:\Programmer\ITE\ITE IT8212 ATA RAID Controller\RaidMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\phpdev\mysql\bin\mysqld-nt.exe
C:\phpdev\mysql\bin\mysqld-nt.exe
C:\phpdev\mysql\bin\mysqld-nt.exe
C:\phpdev\mysql\bin\mysqld-nt.exe
C:\phpdev\mysql\bin\mysqld-nt.exe
C:\phpdev\mysql\bin\mysqld-nt.exe
C:\phpdev\mysql\bin\mysqld-nt.exe
C:\Documents and Settings\Glenn.GLENNSPC\Skrivebord\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [explore] explore.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunServices: [explore] explore.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programmer\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: RAID Manager.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programmer\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programmer\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programmer\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programmer\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: C:\Programmer\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122749647937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\mh43dmod.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - BackWeb Technologies Inc.                          - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmer\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmer\F-Secure\Common\FSMA32.EXE
levich (Beginner)
4 August 2005 - 00:58 #3
It doesn't look like tiger_dk is responding to the log, so I'll add a comment.

*******************************************
Read all the points before you do anything.

In point (4) you should only fix the line starting with O18 if you have not installed a French version of MSN Messenger.

(1)
Disable System Restore by right-clicking "My Computer" on the desktop -> Properties -> System Restore -> check "Turn off System Restore" -> click OK.

(2)
Download the scanner http://www.spywareinfo.dk/download/mwav.exe.

(3)
Restart the computer in Safe Mode (press F8 while Windows starts up) and fix the following lines with HijackThis:
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\mh43dmod.dll

(4)
Open any folder; in the menu, click Tools -> Folder Options -> View.
Uncheck "Hide protected operating system files" and "Hide extensions for known file types".
Select "Show hidden files and folders".

Search for and delete the following files:
ALCMTR.EXE
C:\WINDOWS\system32\mh43dmod.dll

(5)
Start -> Run -> type "cleanmgr" -> delete Temporary Internet Files, the Recycle Bin and temporary files. Repeat for all your drives.

(6)
Run the scanner mwav.exe and check the following: Memory, Startup folders, drive, Registry, System folders and Services.
Select the following: All local drives and Scan all files. Click Scan Clean.
The scan may take some time.

(7)
Restart the computer normally. Make a new log with HijackThis and post it here.

(8)
When we are completely done, remember to enable System Restore again.
tiger_dk (Master)
4 August 2005 - 12:55 #4
I just asked him to post a log, but then I was lucky that levich had looked at my log and would then look at this one too!

I have no clue about this stuff!
levich (Beginner)
4 August 2005 - 13:51 #5
tiger_dk -> OK, I just assumed you would follow up on the log :-)
gf (Beginner)
4 August 2005 - 20:20 #6
Hi

I followed your instructions, but it was not possible to delete the file

C:\WINDOWS\system32\mh43dmod.dll

I was told that it was being used by another program, but here is the latest log.

Regards, gf
gf (Beginner)
4 August 2005 - 20:21 #7
Logfile of HijackThis v1.99.1
Scan saved at 20:21:04, on 04-08-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programmer\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmer\F-Secure\Common\FSMA32.EXE
C:\Programmer\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\F-Secure\Common\FSMB32.EXE
C:\Programmer\F-Secure\Anti-Virus\fssm32.exe
C:\Programmer\F-Secure\Common\FCH32.EXE
C:\Programmer\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\F-Secure\Common\FNRB32.EXE
C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
C:\Programmer\F-Secure\Common\FIH32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Programmer\F-Secure\Common\FSM32.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\F-Secure\FSGUI\fsguiexe.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Programmer\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Glenn.GLENNSPC\Skrivebord\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programmer\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Google Search - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programmer\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programmer\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programmer\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programmer\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: C:\Programmer\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122749647937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\mh43dmod.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - BackWeb Technologies Inc.                          - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmer\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmer\F-Secure\Common\FSMA32.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: wampapache - Unknown owner - C:\wamp\apache\Apache.exe" --ntservice (file missing)
O23 - Service: wampmysqld - Unknown owner - C:\wamp\mysql\bin\mysqld-nt.exe (file missing)
johnstigers (Senior Master)
4 August 2005 - 20:37 #8
Just to be sure...
you tried deleting the file in SAFE mode, right?
gf (Beginner)
4 August 2005 - 20:38 #9
Yes

Regards, gf
levich (Beginner)
4 August 2005 - 21:04 #10
A Google search for "mh43dmod.dll" gives no results, which makes me think the file should be deleted. But if your problems with popups for casinos etc. are gone, then it probably shouldn't be deleted. Are those problems gone?
gf (Beginner)
4 August 2005 - 21:10 #11
Hi again

No, they are not gone. Is there some way I can work around it to get the file deleted?

Regards, gf
levich (Beginner)
4 August 2005 - 21:23 #12
Download Killbox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Start KillBox, select "Delete on reboot", copy C:\WINDOWS\system32\mh43dmod.dll into the text field in Killbox and then click the red button with the white cross. You need to restart in Safe Mode.

Start HijackThis and fix the line:
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\mh43dmod.dll

Restart again in Safe Mode. Make a log with HijackThis and post it here.

(You should not start any programs at all when running in Safe Mode. I can see that Outlook and Winword were running when you made the last log.)
fromsej (Trainee)
4 August 2005 - 21:27 #13
Download this program:
http://www.downloads.subratam.org/VX2Finder.exe
Click "Click to find VX2.Betterinternet"; when it is finished, click "Make log" and copy the log here.

Levich>> You should have searched for "O20 - Winlogon Notify: ModuleUsage", then you would have found 185 results. *S*
gf (Beginner)
4 August 2005 - 21:33 #14
Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
AtiExtEvent
crypt32chain
cryptnet
cscdll
Extensions
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{A9381967-8174-D5E6-55A7-F5911AA10CF3}
levich (Beginner)
4 August 2005 - 21:36 #15
fromsej -> you are right about that. But where does it say how to remove it?
fromsej (Trainee)
4 August 2005 - 21:44 #16
It's coming. *S*
It is a really nasty infection that mutates and updates itself, but this has worked before:

Download this small program and unpack it to the Desktop:

http://www.funkytoad.com/download/hoster.zip

Disconnect from the internet (pull the plug).

Close all windows except VX2Finder. Run VX2Finder.exe and click "Click to Find VX2.BetterInternet".

Then click:

"Guardian.reg"
"User Agent"
"Restore Policy"
Answer Yes to the questions.

Go to Start -> Run and type regedit

Find:

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Internet Explorer/Extensions/

On the right-hand side, find {A9381967-8174-D5E6-55A7-F5911AA10CF3} - right-click it and choose "Delete".

Run Hoster, which you downloaded earlier; run the program, click "Restore Original Hosts" and click "OK". Exit the program.

Run HijackThis, scan and put a check next to the following lines - close the other program windows - click "Fix checked":

O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\mh43dmod.dll
It should be gone.

Then follow Levich's instructions with Killbox, if you have not already done so.
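The "Restore Original Hosts" step above replaces the hosts file wholesale. As an added example (not from the thread and not part of Hoster or VX2Finder), the Python script below shows how to decide whether a hosts file needs restoring at all: it parses the file, classifies each mapping by the address it points at, and reports any name that has been redirected away from loopback. The sample hosts text is constructed; the two loopback lines are what a stock Windows hosts file contains, and the `.test` names imitate a hijack.

```python
"""Audit a Windows hosts file for redirect-style entries.

Added example, not from the thread. The sample text below is constructed:
the loopback lines are the stock Windows content, the rest imitate a hijack.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.example-bank.test   # constructed redirect
192.0.2.10      update.example-av.test  # constructed redirect
0.0.0.0         ads.example.test        # blocklist-style entry, harmless
"""


def parse_hosts(text):
    """Return (address, hostname) pairs; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no names maps nothing
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def classify(address):
    """Loopback and 0.0.0.0 keep a name local; anything else sends it elsewhere."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "blocked"
    return "redirect"


def audit_hosts(text):
    """Return (hostname, address, reason) for every entry worth restoring."""
    findings = []
    for address, name in parse_hosts(text):
        kind = classify(address)
        if name == "localhost" and kind != "loopback":
            findings.append((name, address, "localhost-not-loopback"))
        elif kind in ("redirect", "malformed"):
            findings.append((name, address, kind))
    return findings


if __name__ == "__main__":
    for name, address, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{reason:24s} {name:28s} -> {address}")
```

On a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` into `audit_hosts` instead of the sample; an empty result means the file only contains loopback and blocklist entries and there is nothing for Hoster to restore.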
gf (Beginner)
4 August 2005 - 21:57 #17
Hi

Under Extensions there is no key called
{A9381967-8174-D5E6-55A7-F5911AA10CF3}
and it is not possible to delete mh43dmod.dll

Regards, gf
fromsej (Trainee)
5 August 2005 - 20:30 #18
Download CWShredder here:
http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe
Put it in a folder of its own.
Run CWShredder, disconnect your internet connection physically (pull the plug), disable ALL security programs, close all windows except CWShredder, click Fix; it now scans; when it is finished click Next, then click Exit.
gf (Beginner)
9 August 2005 - 17:56 #19
Hi

I apologise for the late reply; I have been very busy with work. I have tried using the above tool, and it finds something called cws.look2me or similar. I do it in Safe Mode with F-Secure turned off and the internet disconnected. The program asks to restart the computer to make sure it is completely removed. But after the restart the program is still haunting my computer. Is there anything else I can try to get rid of the stubborn S****

Regards, gf
fromsej (Trainee)
9 August 2005 - 19:57 #20
So let's see if Ad-Aware can do the job.
Download and install the program:
http://www.spywarefri.dk/downloads1/aawsepersonal.exe
Start the program, update it online, close it again.
http://www.spywarefri.dk/manualer/adaware-manual.htm
Download and install this plugin; follow the instructions on the page on how to use it.
http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml

When that is done, restart and let's see a fresh HijackThis log.
gf (Beginner)
9 August 2005 - 20:44 #21
Hi, I followed your instructions, but plvx2cleaner returned the message "system clean". Here is the latest log file.

Regards, gf

Logfile of HijackThis v1.99.1
Scan saved at 20:41:38, on 09-08-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmer\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programmer\F-Secure\Common\FSMA32.EXE
C:\Programmer\F-Secure\Anti-Virus\fssm32.exe
C:\Programmer\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\F-Secure\Common\FCH32.EXE
C:\Programmer\F-Secure\Common\FAMEH32.EXE
C:\Programmer\F-Secure\Common\FNRB32.EXE
C:\Programmer\F-Secure\Common\FIH32.EXE
C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programmer\F-Secure\Common\FSM32.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\F-Secure\FSGUI\fsguiexe.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Glenn.GLENNSPC\Skrivebord\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programmer\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmer\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .pdf: C:\Programmer\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122749647937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\lwasrv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - BackWeb Technologies Inc.                          - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmer\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmer\F-Secure\Common\FSMA32.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: wampapache - Unknown owner - C:\wamp\apache\Apache.exe" --ntservice (file missing)
O23 - Service: wampmysqld - Unknown owner - C:\wamp\mysql\bin\mysqld-nt.exe (file missing)
levich (Beginner)
9 August 2005 - 20:58 #22
Now a new line starting with O20 has simply appeared, which must be removed:
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\lwasrv.dll
I must have overlooked something that generated this line.

Maybe fromsej can see more than I can?
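The helpers in this thread spot the new O20 line by comparing logs by eye. As an added example (not from the thread and not part of HijackThis), the Python script below does that comparison mechanically and applies the two checks the thread relies on: a Winlogon Notify entry whose subkey name is not in a known list, and an O4 autorun that names a bare executable with no path (so it is resolved by PATH search rather than a fixed location). The two log excerpts are trimmed from the logs posted earlier in this thread; the allowlist of Notify subkeys is taken from the VX2Finder "Keys Under Notify" output above, and the rest of the logic is my own assumption about what a first-pass triage should flag.

```python
"""Triage HijackThis logs: unknown Winlogon Notify DLLs, bare-name autoruns,
and entries that appeared or vanished between two logs.

Added example, not from the thread and not part of HijackThis. The excerpts
are trimmed from logs posted in the thread; KNOWN_NOTIFY is copied from the
VX2Finder "Keys Under Notify" list posted there.
"""
import re

# Subkey names VX2Finder listed under Winlogon\Notify on this machine.
KNOWN_NOTIFY = {
    "atiextevent", "crypt32chain", "cryptnet", "cscdll", "extensions",
    "sccertprop", "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<key>.*\\Run(?:Services)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Excerpt of the first log in the thread (3 August).
LOG_A = r"""Logfile of HijackThis v1.99.1
Scan saved at 20:03:06, on 03-08-2005

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [explore] explore.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\RunServices: [explore] explore.exe
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\mh43dmod.dll
"""

# Excerpt of the log posted on 9 August, after the clean-up attempts.
LOG_B = r"""Logfile of HijackThis v1.99.1
Scan saved at 20:41:38, on 09-08-2005

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\F-Secure\Common\FSM32.EXE" /splash
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\lwasrv.dll
"""


def parse_log(text):
    """Return (section, body, raw) for each R*/O* item line in a log."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append((m.group("section"), m.group("body"), line.strip()))
    return items


def suspicious_notify(items):
    """O20 entries whose Notify subkey name is not in KNOWN_NOTIFY."""
    hits = []
    for section, body, _ in items:
        m = NOTIFY_RE.match(body) if section == "O20" else None
        if m and m.group("name").lower() not in KNOWN_NOTIFY:
            hits.append((m.group("name"), m.group("path")))
    return hits


def bare_name_autoruns(items):
    """O4 Run/RunServices entries whose executable has no drive or directory."""
    hits = []
    for section, body, _ in items:
        m = RUN_RE.match(body) if section == "O4" else None
        if not m:
            continue
        cmd = m.group("cmd").strip()
        # A quoted command ends at the closing quote; otherwise at the first space.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if "\\" not in exe and ":" not in exe:
            hits.append((m.group("name"), exe))
    return hits


def diff_logs(old_text, new_text):
    """(added, removed) item lines between two logs, each sorted."""
    old = {raw for _, _, raw in parse_log(old_text)}
    new = {raw for _, _, raw in parse_log(new_text)}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for label, text in (("LOG_A", LOG_A), ("LOG_B", LOG_B)):
        items = parse_log(text)
        print(label, "unknown Notify:", suspicious_notify(items))
        print(label, "bare-name autoruns:", bare_name_autoruns(items))
    added, removed = diff_logs(LOG_A, LOG_B)
    print("added:", *added, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
```

The diff is what levich does in the post above: the NetCache line is gone and a Telephony line has taken its place, which is exactly the pattern of a Notify DLL being re-registered under a new name after each removal. A flagged bare-name autorun is not proof of anything by itself; it only tells you to locate the file and check it, because the log does not say where it was loaded from.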
gf (Beginner)
9 August 2005 - 21:14 #23
I have tried, but I cannot remove it.

Regards, gf
fromsej (Trainee)
9 August 2005 - 21:31 #24
It is a really nasty infection; it is extremely hard to kill.
I have searched a bit more on it; Symantec also has a tool, and it is worth a try.
http://securityresponse.symantec.com/avcenter/FxSpL2Me.exe

Download this scanner.
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Download this scanner:
http://www.spywarefri.dk/forum/links/ewido.htm
Click Demo download.
Install and run Ewido.
Update the program immediately after installation (but do not scan yet).

Run the Symantec tool.

Restart in Safe Mode (press <F8> at startup).
Double-click drweb-cureit.exe; it will run an express scan, which you say yes to.
When it says Done in the bottom left, click the drive or drives you want scanned; a red dot appears to show they are selected.
Then click the green pedestrian over on the right-hand side of the page, and the scan starts.
Then click Start -> Search, find the file drweb32w.log and copy the bottom part of the text here, starting with:
Scan statistics.

Still in Safe Mode:
Run a full scan with Ewido. The program makes a small log, which you should copy here.

Run the Symantec tool once more while you are in Safe Mode.

Restart normally, and post the Dr.Web log, the Ewido log and a fresh HijackThis log.

Levich>> No, you are not overlooking anything. *S*
gf (Beginner)
9 August 2005 - 23:46 #25
Hi again, here are the logs (the scan took a little while)

Logfile of HijackThis v1.99.1
Scan saved at 23:42:51, on 09-08-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmer\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programmer\F-Secure\Common\FSMA32.EXE
C:\Programmer\F-Secure\Common\FSMB32.EXE
C:\Programmer\F-Secure\Anti-Virus\fssm32.exe
C:\Programmer\F-Secure\Common\FCH32.EXE
C:\Programmer\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\Explorer.EXE
C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programmer\F-Secure\Common\FSM32.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\F-Secure\Common\FNRB32.EXE
C:\Programmer\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\Programmer\F-Secure\Common\FIH32.EXE
C:\Programmer\F-Secure\Anti-Virus\fsav32.exe
C:\Programmer\F-Secure\FSGUI\fsguiexe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Glenn.GLENNSPC\Skrivebord\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programmer\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmer\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .pdf: C:\Programmer\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122749647937
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\snnike.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - BackWeb Technologies Inc.                          - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmer\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmer\F-Secure\Common\FSMA32.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe

Ewido



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:            23:28:04, 09-08-2005
+ Report-Checksum:        91E93B52

+ Scan result:

    HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
    HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer -> Spyware.Look2Me : Cleaned with backup
    [280] C:\WINDOWS\system32\snnike.dll -> Spyware.Look2Me : Error during cleaning
    [672] C:\WINDOWS\system32\shmpsnap.dll -> Spyware.Look2Me : Error during cleaning
    [748] C:\WINDOWS\system32\shmpsnap.dll -> Spyware.Look2Me : Error during cleaning
    :mozilla.8:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
    :mozilla.9:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
    :mozilla.11:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    :mozilla.12:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    :mozilla.13:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.14:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
    :mozilla.16:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Trafic : Cleaned with backup
    :mozilla.21:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    :mozilla.22:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    :mozilla.25:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.28:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.29:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.30:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
    :mozilla.50:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
    :mozilla.51:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    :mozilla.52:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
    :mozilla.54:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
    :mozilla.55:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
    :mozilla.56:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
    :mozilla.57:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
    :mozilla.58:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
    :mozilla.61:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    :mozilla.70:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    :mozilla.72:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    :mozilla.73:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    :mozilla.88:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    :mozilla.89:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    :mozilla.90:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    :mozilla.91:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    :mozilla.97:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    :mozilla.103:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.104:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.105:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.106:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.107:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.129:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    :mozilla.142:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.143:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.144:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.145:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
    :mozilla.146:C:\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\fvd6j4et.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Glenn\Cookies\glenn@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Glenn\Cookies\glenn@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Glenn.GLENNSPC\Cookies\glenn@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Glenn.GLENNSPC\Cookies\glenn@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\Documents and Settings\Glenn.GLENNSPC\Cookies\glenn@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Glenn.GLENNSPC\Cookies\glenn@cityclub.gamingpromo[2].txt -> Spyware.Cookie.Gamingpromo : Cleaned with backup
    C:\Documents and Settings\Glenn.GLENNSPC\Cookies\glenn@gamingpromo[1].txt -> Spyware.Cookie.Gamingpromo : Cleaned with backup
    C:\Documents and Settings\Glenn.GLENNSPC\Cookies\glenn@hypertracker[2].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
    C:\Documents and Settings\Glenn.GLENNSPC\Cookies\glenn@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\Glenn.GLENNSPC\Cookies\glenn@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
    C:\Documents and Settings\Glenn.GLENNSPC\Cookies\glenn@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\Glenn.GLENNSPC\Cookies\glenn@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Glenn.GLENNSPC\Lokale indstillinger\Temp\nsh_115.exe -> Spyware.Downloadware : Cleaned with backup
    C:\Program Files\Media Access\MediaAccC.dll -> Spyware.WinAD : Cleaned with backup
    C:\Program Files\Media Access\MediaAccess.exe -> Spyware.WinAD : Cleaned with backup
    C:\Programmer\Microsoft AntiSpyware\Quarantine\6C34640E-3A91-42D7-8F2D-419C5F\4BF76A2A-B486-4A78-9FFD-927739 -> Spyware.WinAD : Cleaned with backup
    C:\Programmer\Microsoft AntiSpyware\Quarantine\6C34640E-3A91-42D7-8F2D-419C5F\540FD9C7-E5BA-4B9C-A34C-1FD0EC -> Spyware.WinAD : Cleaned with backup
    C:\Programmer\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.bem : Cleaned with backup
    C:\WINDOWS\system32\cqiconfg.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\dzsynth.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\ijclass.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\lwasrv.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mdltus40.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mec40loc.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mh43dmod.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\myrt.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\namsmgr.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\omesvr.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\sZfrdm.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\tqrmmgr.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\tvcfgwmi.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\wxpsrcwp.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\glenn@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\WINDOWS\Temp\upd207.exe -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\Temp\upd208.exe -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\Temp\upd209.exe -> Spyware.Look2Me : Cleaned with backup


::Report End



drweb

Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 48391
Infected objects found: 1
Objects with modifications found: 0
Suspicious objects found: 0
Objects cured: 0
Objects deleted: 1
Objects renamed: 0
Objects moved: 0
Scan speed: 292 Kb/s
Scan time: 00:38:34
-----------------------------------------------------------------------------

=============================================================================
Total session statistics
=============================================================================
Objects scanned: 48452
Infected objects found: 1
Objects with modifications found: 0
Suspicious objects found: 0
Objects cured: 0
Objects deleted: 1
Objects renamed: 0
Objects moved: 0
Scan speed: 298 Kb/s
Scan time: 00:38:37
=============================================================================
fromsej (Intern)
10 August 2005 - 17:44 #26
Was the HijackThis log made before or after you ran the other scans?

Fix this one:
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\snnike.dll
Then delete C:\WINDOWS\system32\snnike.dll; if you are not allowed to, try this first:
Click Start->Run, type regsvr32 /u snnike.dll and click OK, then see whether you can delete it.
Restart and make a new HJT log.
gf (Beginner)
11 August 2005 - 20:41 #27
Hi

The log file was made after all the scans.

snnike.dll: I am not allowed to do anything at all with it, neither in HijackThis nor with regsvr32.

Regards, gf
fromsej (Intern)
12 August 2005 - 17:02 #28
Download l2mfix here and save it to the desktop.
http://www.atribune.org/downloads/l2mfix.exe

Double-click l2mfix.exe, click Install and follow the instructions.

Open the l2mfix folder on the desktop, double-click l2mfix.bat, and choose option 1 by typing 1 and pressing <Enter>.
It takes a while, during which your machine is scanned; when the scan is finished, Notepad opens with a log; copy the text in here.

You must NOT run the other options in l2mfix.bat yet.

It is also important that the machine is not restarted before you get the next step of the instructions, so do this when you have time.
I am here tonight; tomorrow I am covering Elvagt, so it will be very hard to say when I can be here; I will keep an eye on it Sunday if not tonight.
fromsej (Intern)
12 August 2005 - 17:03 #29
We need a fresh HijackThis log together with the l2mfix log.
gf (Beginner)
12 August 2005 - 17:37 #30
Hi again

Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 17:35:51, on 12-08-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmer\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programmer\F-Secure\Common\FSMA32.EXE
C:\Programmer\F-Secure\Anti-Virus\fssm32.exe
C:\Programmer\F-Secure\Common\FSMB32.EXE
C:\Programmer\F-Secure\Common\FCH32.EXE
C:\WINDOWS\Explorer.EXE
C:\Programmer\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programmer\F-Secure\Common\FSM32.EXE
C:\Programmer\F-Secure\Common\FNRB32.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
C:\Programmer\F-Secure\Anti-Virus\fsav32.exe
C:\Programmer\F-Secure\Common\FIH32.EXE
C:\Programmer\F-Secure\FSGUI\fsguiexe.exe
C:\WINDOWS\System32\cmd.exe
C:\Documents and Settings\Glenn.GLENNSPC\Skrivebord\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programmer\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmer\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .pdf: C:\Programmer\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122749647937
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\snnike.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - BackWeb Technologies Inc.                          - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmer\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmer\F-Secure\Common\FSMA32.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe

Here is the l2mfix log

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\snnike.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4E1BC64B-E3A6-41F1-5A84-C9CEB2971C69}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{59246B48-B527-446B-8FAC-7B69AD0B3579}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{59246B48-B527-446B-8FAC-7B69AD0B3579}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{59246B48-B527-446B-8FAC-7B69AD0B3579}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{59246B48-B527-446B-8FAC-7B69AD0B3579}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{59246B48-B527-446B-8FAC-7B69AD0B3579}\InprocServer32]
@="C:\\WINDOWS\\system32\\mshcp.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
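As an added example (not part of this thread, and not code from HijackThis or l2mfix), the following Python script shows what a defender can pull out of the two artefacts above: it parses the Winlogon\Notify section of a .reg-style export like the l2mfix find log and lists every notification package with the DLL it loads, and it compares the "O20 - Winlogon Notify" lines of two HijackThis logs to flag a DLL that has been re-registered under a different package name, which is exactly what the two logs on this page show for snnike.dll (StillImage in the earlier log, URL in the 12 August log). The sample inputs are excerpts copied from those logs; the function names and the .reg parser (which only decodes quoted strings and dword values) are my own.

```python
"""
Added example: inspect Winlogon Notify registrations from a .reg export
and from HijackThis O20 lines. Sample inputs are excerpts of the logs
posted in this thread; the parsing code is not from either tool.
"""
import re
from typing import Dict, List, Tuple

NOTIFY_ROOT = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
               r"\CurrentVersion\Winlogon\Notify")

# Excerpt of the l2mfix find log posted above (test input).
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\snnike.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
'''

# The O20 line from the earlier HijackThis log and from the 12 August log.
HJT_OLD = r"O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\snnike.dll"
HJT_NEW = r"O20 - Winlogon Notify: URL - C:\WINDOWS\system32\snnike.dll"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_O20_RE = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")


def _decode(raw: str) -> str:
    """Decode a .reg value: a quoted string (\\ and \" escapes) or dword:hex."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    return raw  # other types (hex(...) binary) are kept verbatim


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = _VALUE_RE.match(line)
        if vm and current is not None:
            name = "@" if vm.group(1) == "@" else vm.group(1)[1:-1]
            keys[current][name] = _decode(vm.group(2))
    return keys


def winlogon_notify_dlls(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (package_name, dll_path) for every Winlogon Notify subkey that
    sets DllName. Such DLLs are loaded into winlogon.exe at logon, which is
    why HijackThis reports them as O20 entries."""
    prefix = NOTIFY_ROOT.lower() + "\\"
    found = []
    for path, values in keys.items():
        if path.lower().startswith(prefix) and values.get("DllName"):
            found.append((path[len(prefix):], values["DllName"]))
    return found


def parse_hjt_o20(log: str) -> List[Tuple[str, str]]:
    """Extract (package_name, dll_path) from HijackThis O20 lines."""
    out = []
    for line in log.splitlines():
        m = _O20_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def renamed_registrations(old_log: str, new_log: str) -> List[Tuple[str, str, str]]:
    """Return (old_package, new_package, dll_path) for every DLL that is still
    registered in the newer log but under a different Notify package name."""
    old = {dll.lower(): pkg for pkg, dll in parse_hjt_o20(old_log)}
    moved = []
    for pkg, dll in parse_hjt_o20(new_log):
        prev = old.get(dll.lower())
        if prev is not None and prev != pkg:
            moved.append((prev, pkg, dll))
    return moved


if __name__ == "__main__":
    for pkg, dll in winlogon_notify_dlls(parse_reg(SAMPLE_REG)):
        print(f"Notify package {pkg!r} loads {dll}")
    for prev, pkg, dll in renamed_registrations(HJT_OLD, HJT_NEW):
        print(f"{dll} moved from Notify\\{prev} to Notify\\{pkg}")
```

A Notify DLL that cannot be deleted and that reappears under a fresh subkey name between two logs is the pattern the thread is dealing with here, and it is the reason fromsej switches from a plain HijackThis fix to l2mfix: the registration, not only the file, has to be removed before winlogon.exe loads it again at the next logon.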
fromsej (Intern)
12 August 2005 - 17:52 #31
Close all programs, double-click l2mfix.bat; this time type 2 and press <Enter>.
Then press a key to restart; when the machine starts, your desktop and icons will appear and then disappear again; that is completely normal.
L2mfix will continue scanning; when it is finished, Notepad opens again; copy the log in here together with a fresh HijackThis log.

You must still NOT run any other options in L2mfix.
gf (Beginner)
12 August 2005 - 18:02 #32
Hi again :)

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 18:00:52, on 12-08-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmer\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programmer\F-Secure\Common\FSMA32.EXE
C:\Programmer\F-Secure\Common\FSMB32.EXE
C:\Programmer\F-Secure\Anti-Virus\fssm32.exe
C:\Programmer\F-Secure\Common\FCH32.EXE
C:\Programmer\F-Secure\Common\FAMEH32.EXE
C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programmer\F-Secure\Common\FSM32.EXE
C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\F-Secure\Common\FNRB32.EXE
C:\WINDOWS\System32\imapi.exe
C:\Programmer\F-Secure\Common\FIH32.EXE
C:\Programmer\F-Secure\Anti-Virus\fsav32.exe
C:\Programmer\F-Secure\FSGUI\fsguiexe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programmer\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Documents and Settings\Glenn.GLENNSPC\Skrivebord\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programmer\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmer\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .pdf: C:\Programmer\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122749647937
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - BackWeb Technologies Inc.                          - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmer\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programmer\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmer\F-Secure\Common\FSMA32.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe

l2mfix:

L2Mfix 1.03a

Running From:
C:\Documents and Settings\Glenn.GLENNSPC\Skrivebord\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read            BUILTIN\Brugere
(ID-IO) ALLOW  Read            BUILTIN\Brugere
(ID-NI) ALLOW  Read            BUILTIN\Superbrugere
(ID-IO) ALLOW  Read            BUILTIN\Superbrugere
(ID-NI) ALLOW  Full access     BUILTIN\Administratorer
(ID-IO) ALLOW  Full access     BUILTIN\Administratorer
(ID-NI) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY  --C-------      BUILTIN\Administratorer
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read            BUILTIN\Brugere
(ID-IO) ALLOW  Read            BUILTIN\Brugere
(ID-NI) ALLOW  Read            BUILTIN\Superbrugere
(ID-IO) ALLOW  Read            BUILTIN\Superbrugere
(ID-NI) ALLOW  Full access     BUILTIN\Administratorer
(ID-IO) ALLOW  Full access     BUILTIN\Administratorer
(ID-NI) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Glenn.GLENNSPC\Skrivebord\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Glenn.GLENNSPC\Skrivebord\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1888 'explorer.exe'
Killing PID 1888 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1280 'rundll32.exe'
Killing PID 2252 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\lgk.dll
        1 fil(er) kopieret.
Backing Up: C:\WINDOWS\system32\lgk.dll
        1 fil(er) kopieret.
Backing Up: C:\WINDOWS\system32\snnike.dll
        1 fil(er) kopieret.
Backing Up: C:\WINDOWS\system32\snnike.dll
        1 fil(er) kopieret.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 fil(er) kopieret.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 fil(er) kopieret.
deleting: C:\WINDOWS\system32\lgk.dll 
Successfully Deleted: C:\WINDOWS\system32\lgk.dll
deleting: C:\WINDOWS\system32\lgk.dll 
Successfully Deleted: C:\WINDOWS\system32\lgk.dll
deleting: C:\WINDOWS\system32\snnike.dll 
Successfully Deleted: C:\WINDOWS\system32\snnike.dll
deleting: C:\WINDOWS\system32\snnike.dll 
Successfully Deleted: C:\WINDOWS\system32\snnike.dll
deleting: C:\WINDOWS\system32\guard.tmp 
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp 
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
  adding: lgk.dll (164 bytes security) (deflated 48%)
  adding: snnike.dll (164 bytes security) (deflated 48%)
  adding: guard.tmp (164 bytes security) (deflated 48%)
  adding: clear.reg (164 bytes security) (deflated 21%)
  adding: echo.reg (164 bytes security) (deflated 10%)
  adding: direct.txt (164 bytes security) (stored 0%)
  adding: lo2.txt (164 bytes security) (deflated 78%)
  adding: readme.txt (164 bytes security) (deflated 49%)
  adding: report.txt (164 bytes security) (deflated 67%)
  adding: test.txt (164 bytes security) (deflated 74%)
  adding: test2.txt (164 bytes security) (stored 0%)
  adding: test3.txt (164 bytes security) (stored 0%)
  adding: test5.txt (164 bytes security) (stored 0%)
  adding: xfind.txt (164 bytes security) (deflated 71%)
  adding: backregs/59246B48-B527-446B-8FAC-7B69AD0B3579.reg (164 bytes security) (deflated 70%)
  adding: backregs/shell.reg (164 bytes security) (deflated 58%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read            BUILTIN\Brugere
(ID-IO) ALLOW  Read            BUILTIN\Brugere
(ID-NI) ALLOW  Read            BUILTIN\Superbrugere
(ID-IO) ALLOW  Read            BUILTIN\Superbrugere
(ID-NI) ALLOW  Full access     BUILTIN\Administratorer
(ID-IO) ALLOW  Full access     BUILTIN\Administratorer
(ID-NI) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators  ... failed (GetAccountSid(Administrators)=1332

deleting local copy: lgk.dll 
deleting local copy: lgk.dll 
deleting local copy: snnike.dll 
deleting local copy: snnike.dll 
deleting local copy: guard.tmp 
deleting local copy: guard.tmp 

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\lgk.dll
C:\WINDOWS\system32\lgk.dll
C:\WINDOWS\system32\snnike.dll
C:\WINDOWS\system32\snnike.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok. 
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{59246B48-B527-446B-8FAC-7B69AD0B3579}"=-
[-HKEY_CLASSES_ROOT\CLSID\{59246B48-B527-446B-8FAC-7B69AD0B3579}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

fromsej (Trainee)
12 August 2005 - 18:22 #33
That undeniably looks like a success. Fortunately we don't see that infection very often, but I should still have used that tool right away; it must be age catching up with me. *S*

Your log is clean now; we don't need to see any more.
You should disable System Restore, reboot and re-enable it, and set the file view back to normal.
http://spywarefri.dk/virusscannere.htm#alle - System Restore.
Open a folder, click Tools > Folder Options > View.
Tick "Hide protected operating system files".
Tick "Hide extensions for known file types".
Select "Do not show hidden files and folders".

To keep it clean, you can have a look at our package for that purpose.
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm
As a minimum I recommend Spywareguard, Spywareblaster, IE-Spyad and IE Privacy Keeper.
A couple of articles on safe surfing can be found here:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
http://fromsej.dk/html/avoid.html
Regards:
Fromsej/Team Spywarefri.
gf (Beginner)
12 August 2005 - 18:24 #34
A thousand thanks for the help; 30 points is a poor reward in this context.

Regards, gf
fromsej (Trainee)
12 August 2005 - 18:40 #35
You're welcome. :o)

Whether I get 200, 30 or 0 points for a solution doesn't worry me in the slightest; the important thing is to eradicate as much of the junk as possible.