Hijacked igen

ser på det

Ser ud til at du skal fixe denne linje...

O4 - HKLM\..\Run: [obj beep live info] D:\Documents and Settings\All Users\Application Data\LicenseLogoObjBeep\README GRIM.exe '

og slette denne mappe..

D:\Documents and Settings\All Users\Application Data\LicenseLogoObjBeep\

i fejlsikret tilstand!

Her udover kan du scanne din pc med ewido...

Ewido (Trial version)
http://shop.element5.com/product.html?productid=531168

Prøver det,
Vil det løse problemerne med uønskede iconer og toolbars også.?

jeg har været angrebet af den der virus hey is this you..
nu begynder den at skabe sig vildt igen..
mens man er igang med noget så.. så bliver skærmen blå og så genstarter pcén

Underbo >> Opret dit eget spørgsmål, det er håbløst at have to logløsninger i samme tråd.
Følg vejledningen i denne artikel:
http://eksperten.dk/artikler/755

seamate >> Det ved jeg ikke om det vil... men hvis du har sådan nogle elementer kunne jeg godt tænke mig at se loggen fra Ewido bla.

ok kommer med den

Hvordan gør man det??

Start Ewido.. Tryk på Scanner og vælge  "View Report" og så håber vi at den er blevet gemt.

men hvis Ewido fandt noget så fjernede den forhåbentlig også en helt del ting.. så har du stadig dine toolbars og hvad du ellers nævnte?

Jo det er den godt nok. Jeg har kørt den for mig selv, men jeg er kommet til at tænke på om det måske har betydning at vi er 4 konen og tøserne der bruger computeren og de har vel hver deres logfiles. Jeg er ved at gennem scanne hele systemet logge på for hver enkelt bruger. Jeg har ganske ikke gjort det i 'fejl sikker tilstand' skulle jeg have gjort det.
Hvor om alting komme de her 'snyde' ikoner stadigt op på skrive bordet.??

Vil du have nogen glæde af log filerne fra hverenkelt bruger.?

Giv mig blot en log fra en profil med admin rettigheder.. vil gerne se en log fra dette program


Hent silentrunner her:
http://www.silentrunners.org/Silent%20Runners.vbs

Der røg jeg af. Hvordan kører jeg den.?

dobbeltklikker bare på den... venter i et par min. max så kan du finde en txt fil (logfil) i samme mappe)

Nej det fatter jeg ikke. Hvis jeg dobbelt klikker på den kører den programmet fra nettet . Jeg kan bare ikke se den logfil der skulle vaere gemt. Hvilken mappe er det du mener.

Skal nok sende dig 300 point naar vi er faerdige med det her

http://www.silentrunners.org/Silent%20Runners.vbs
HøjreKlik på linien |Gem destination som... | og gem i en tom mappe du ka' finde bagefter.
Derefter går til den mappe og rul Silent%20Runners.vbs programmet...
Som nævnt vil logfilen dermed befinde sig i nævnte mappe... - så er der ingen tvivl ...

Det var trixet. Tak
Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "D:\WINDOWS\system32\ctfmon.exe" [MS]
"msnmsgr" = ""D:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"IncrediMail" = "D:\PROGRA~1\INCRED~1\bin\IncMail.exe /c" ["IncrediMail, Ltd."]
"Spyware Doctor" = ""D:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"EasySpeller" = "D:\Program Files\EasyOffice\EasySpeller.exe -n" [empty string]
"NeroCheck" = "D:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"BigDogPath" = "D:\WINDOWS\VM_STI.EXE USB PC Camera 301P" ["VM."]
"SunJavaUpdateSched" = "D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"iTunesHelper" = ""D:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"FLMOFFICE4DMOUSE" = "D:\Program Files\Office Mouse\moffice.exe" [empty string]
"WinampAgent" = "D:\Program Files\Winamp\winampa.exe" [null data]
"Picasa Media Detector" = "D:\Program Files\Picasa2\PicasaMediaDetector.exe" [null data]

Iøvrigt så _kan_ du disable følgende "unødvendige" programmer i din opstart:

"NeroCheck"
"SunJavaUpdateSched"
"QuickTime Task"
"WinampAgent"
"Picasa Media Detector"
"iTunesHelper" ???

Dette typisk vha
[Start][Kør][MSConfig] - fanen start ...

... resten vil jeg lade <kalp> og at skrive om. Jo der ER mistænkelige elementer i din HiJackThis log...

"README GRIM.exe" ???

Kan det ikke gøres i hijack this også.? Den kender jeg (lidt)

.. jo jo ...
Men MSCONFIG er typisk lidt mere 'sikker' måde at gøre det på...

Prøv det...

seamate loggen er ikke komplet.. prøv at se i log filen igen.. der er sikkert kommet flere linjer i den. Ellers kør Silent%20Runners.vbs igen og lad computeren stå i et par min.. se så i log filen.

Ja det må man sige...

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "D:\WINDOWS\system32\ctfmon.exe" [MS]
"msnmsgr" = ""D:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"IncrediMail" = "D:\PROGRA~1\INCRED~1\bin\IncMail.exe /c" ["IncrediMail, Ltd."]
"Spyware Doctor" = ""D:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"EasySpeller" = "D:\Program Files\EasyOffice\EasySpeller.exe -n" [empty string]
"NeroCheck" = "D:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"BigDogPath" = "D:\WINDOWS\VM_STI.EXE USB PC Camera 301P" ["VM."]
"SunJavaUpdateSched" = "D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"iTunesHelper" = ""D:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"FLMOFFICE4DMOUSE" = "D:\Program Files\Office Mouse\moffice.exe" [empty string]
"WinampAgent" = "D:\Program Files\Winamp\winampa.exe" [null data]
"Picasa Media Detector" = "D:\Program Files\Picasa2\PicasaMediaDetector.exe" [null data]
"TkBellExe" = ""D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"obj beep live info" = "D:\Documents and Settings\All Users\Application Data\LicenseLogoObjBeep\KeepFile.exe" [null data]
"NvCplDaemon" = "RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1D9721CD-50B7-4AC3-99CB-BB1F05B52364}" = "EasyZip"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\EASYOF~1\CONTEX~1.DLL" [empty string]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\Yahoo!\Common\ymmapi.dll" [file not found]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\OpenOffice.org1.1.2\program\shlxthdl.dll" ["Sun Microsystems, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
EasyZip\(Default) = "{1D9721CD-50B7-4AC3-99CB-BB1F05B52364}"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\EASYOF~1\CONTEX~1.DLL" [empty string]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\IncrediMail\bin\IMShExt.dll" ["IncrediMail, Ltd."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\Yahoo!\Common\ymmapi.dll" [file not found]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
EasyZip\(Default) = "{1D9721CD-50B7-4AC3-99CB-BB1F05B52364}"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\EASYOF~1\CONTEX~1.DLL" [empty string]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\Jan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "D:\WINDOWS\System32\ssflwbox.scr" [MS]


Startup items in "Jan" & "All Users" startup folders:
-----------------------------------------------------

D:\Documents and Settings\Jan\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "D:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."]
"OpenOffice.org 1.1.2" -> shortcut to: "D:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe" [null data]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
"DataViz Messenger" -> shortcut to: "D:\WINDOWS\DvzCommon\DvzMsgr.exe" [null data]
"WinZip Quick Pick" -> shortcut to: "D:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Enabled Scheduled Tasks:
------------------------

"A237B07391E82FF7" -> launches: "d:\docume~1\anneme~1\applic~1\manage~1\BikeOnePing.exe" [null data]
"A968A58F91DF5DB7" -> launches: "d:\docume~1\jan\applic~1\manage~1\BikeOnePing.exe" [file not found]
"ACC9FC51901A70DD" -> launches: "d:\docume~1\ida\applic~1\manage~1\BikeOnePing.exe" [file not found]
"AD1315799180895D" -> launches: "d:\docume~1\jan\applic~1\manage~1\BikeOnePing.exe" [file not found]
"AED57FEA9102F0B6" -> launches: "d:\docume~1\ida\applic~1\manage~1\BikeOnePing.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "MSN" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll" [file not found]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Opslag"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Opslag"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "D:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "D:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
iPod Service, iPodService, ""D:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
ManageEngine Firewall Analyzer 4.0, firewallanalyzer, "C:\AdventNet\ME\Firewall\bin\wrapper.exe -s C:\AdventNet\ME\Firewall\bin\\..\server\default\conf\wrapper.conf" [null data]
NVIDIA Display Driver Service, NVSvc, "D:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 454 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 37 seconds.
---------- (total run time: 554 seconds)

Slet disse mapper i fejlsikret tilstand.

D:\Documents and Settings\All Users\Application Data\LicenseLogoObjBeep\
d:\docume~1\anneme~1\applic~1\manage~1\

og denne hvis ikke du kender den.

D:\PROGRA~1\EASYOF~1\

genstart normalt og ny hijackthislog.. yep hijackthis.

Når du lige har tid så husk at få lukket disse 2 gamle spørgsmål du har åbne endnu.

http://www.eksperten.dk/spm/579551
http://www.eksperten.dk/spm/613013

Du skal markere den persons navn der skal have point i den lille boks du kan se helt nede i venstre hjørne og så efterfølgende trykker på accepter:)

Ny log file...

Logfile of HijackThis v1.99.1
Scan saved at 14:21:01, on 01/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\VM_STI.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Office Mouse\moffice.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\Office Mouse\MOUSE32A.DAT
D:\WINDOWS\DvzCommon\DvzMsgr.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Palm\HOTSYNC.EXE
D:\PROGRA~1\INCRED~1\bin\IMApp.exe
D:\Program Files\OpenOffice.org1.1.2\program\soffice.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\System32\alg.exe
D:\Documents and Settings\Jan\Desktop\hjt-1.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigDogPath] D:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] D:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [obj beep live info] D:\Documents and Settings\All Users\Application Data\LicenseLogoObjBeep\KeepFile.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IncrediMail] D:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: OpenOffice.org 1.1.2.lnk = D:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe
O4 - Global Startup: DataViz Messenger.lnk = D:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe

Jeg tror den anden du nævner hører til Easy offices suiten. Det er et ok program men det har ændret mine danske bokstaver:æ ø å til nogle firekante. Hvordan ændre jeg det til bage.

Findes denne mappe stadig??

D:\Documents and Settings\All Users\Application Data\LicenseLogoObjBeep\KeepFile.exe

den skal nemlig væk..

så genstart din pc... i fejlsikret.. slet mappen og fix denne linje

O4 - HKLM\..\Run: [obj beep live info] D:\Documents and Settings\All Users\Application Data\LicenseLogoObjBeep\KeepFile.exe

Nej den var sletted sammen med resten af mappen nu slettede jeg den også fra logfilen i fejlsikker..
Det ser ud til at iconerne er vaek nu. Fatter bare ikke hvordan de kommer ind. Som du kan se er det et tilbagevendene problem. Er det kun for mig eller er det noget alle døjer med. Vi bruger ikke IE mere men firefox og jeg har firewall.
Trods det var der 250 "hit" da jeg scannede loggede på som konen, og ca. 100 "hit" da jeg scannede vi andres. jeg scannede både med ewido og Spyware doctor.

Her er loggen..

Logfile of HijackThis v1.99.1
Scan saved at 14:32:15, on 01/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Documents and Settings\Jan\Desktop\hjt-1.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigDogPath] D:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] D:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IncrediMail] D:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: OpenOffice.org 1.1.2.lnk = D:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe
O4 - Global Startup: DataViz Messenger.lnk = D:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe

loggen er ren.. men den er taget i fejlsikret tilstand.

Du kan forebygge sådan noget ved at installere nogle af de programmer der bliver forslået i denne sikkerhedspakke.. udvalg samlet af Arlet.

http://arlet.dk/index.html?/pakke.htm


Hvis vi er færdige så husk at lukke efter os og hvis du har yderligere spørgsmål så fyr endelig løs:)

Nej ikke lige nu men skulle undre om der ikke kommer nogle senere.
Men Tak for nu

Helt i orden:) men kig lidt på hvad der bliver nævnt i den sikkerhedspakke fra før.. installer hvad du ikke har på din maskine og så må vi se hvor længe det kan holde snavs ude fra din maskine denne gang:)

Du lukker spørgsmålet ved, at markere mit navn helt nede i venstre hjørne i den lille boks og trykker på accepter knappen efterfølgende.

Fortsat god dag:)

Har du allerede glemt hvordan du lukket spørgsmål?:)

Hvordan kunne jeg se hvad andre spg. der var åbne for min konto??

http://www.eksperten.dk/spm/625995

er det eneste der er åbent endnu.. du skal kun lukke det hvis du har fået svar på det du ville have:)