Tojan horse downloader.Generic.guk. FEJN den!

Download hijackthis herfra og gem det i en folder for sig selv på dit skrivebord

http://www.downloadportal.dk/viewinfo.asp?rid=1658
Eller
http://www.arlet.dk/hjt.exe

Start programmet og vælge, at udføre en scan samt gemme en log fil.
Når hijackthis er færdig med, at scanne vil den bede dig om en placering hvor du vil gemme "hijackthis" en tekst fil.
Gem den i samme folder som hijackthis. Når du har sagt okay hopper der et nyt vindue frem nemlig notepad med en masse tekst linjer. Marker alle linjerne og kopir dem herind så jeg kan kigge på dem. Du må ikke selv begynde, at fikse noget i hijackthis.

Der, god fornøjelse :)

Logfile of HijackThis v1.99.1
Scan saved at 19:32:18, on 07-11-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Autodesk Shared\Service\AdskScSrv.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
d:\Programmer\AVPersonal\AVWUPSRV.EXE
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
d:\programmer\wamp\apache\Apache.exe
d:\programmer\wamp\mysql\bin\mysqld-nt.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
d:\programmer\wamp\apache\Apache.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\CTHELPER.EXE
D:\Programmer\Razer\razerhid.exe
D:\Programmer\D-Tools\daemon.exe
C:\Programmer\Java\jre1.5.0_03\bin\jusched.exe
D:\programmer\ASUS\Probe\AsusProb.exe
C:\Programmer\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
D:\PROGRAMMER\FRAPS\FRAPS.EXE
D:\Programmer\ConquerCam\ConquerCam.exe
d:\Programmer\TightVNC\WinVNC.exe
D:\Programmer\BPFTP Server\bpftpserver.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
D:\Programmer\Folding@Home\winFAH.exe
D:\Programmer\Razer\razerofa.exe
D:\Programmer\Folding@Home\FahCore_82.exe
d:\Programmer\AVPersonal\AVGUARD.EXE
D:\Programmer\AVPersonal\AVGNT.EXE
D:\Programmer\Firefox\firefox.exe
D:\Programmer\OpenOffice.org 2.0\program\soffice.exe
D:\Programmer\OpenOffice.org 2.0\program\soffice.BIN
C:\Documents and Settings\Thrane\Skrivebord\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://netbank.bgbank.dk/html/index.html?site=BGNB
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Norton] C:\Programmer\ASUS\WLAN Card Utilities\NorExec.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nTrayFw] D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [razer] d:\Programmer\Razer\razerhid.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ASUS Probe] d:\programmer\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programmer\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "d:\Programmer\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVSCHED32] D:\Programmer\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [AVGCtrl] D:\Programmer\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Fraps] D:\PROGRAMMER\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [ConquerCam] D:\Programmer\ConquerCam\ConquerCam.exe /tray
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: WampServer.lnk = D:\Programmer\wamp\wampserver.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Genvej til bpftpserver.lnk = D:\Programmer\BPFTP Server\bpftpserver.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Opret Foretrukken på mobil enhed - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - d:\Programmer\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - d:\Programmer\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Opret Foretrukken på mobil enhed... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - d:\Programmer\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128805476998
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF9BF544-791B-4D21-91DD-8520B777735A}: NameServer = 212.242.40.3,212.242.40.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - d:\Programmer\AVPersonal\AVGUARD.EXE
O23 - Service: Apache - Unknown owner - D:\Programmer\Apache\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - d:\Programmer\AVPersonal\AVWUPSRV.EXE
O23 - Service: FAH@D:+downloads+FAH504-Console.exe - Unknown owner - D:\downloads\FAH504-Console.exe (file missing)
O23 - Service: FAH@D:+Programmer+Fah+FAH504-Console.exe - Unknown owner - D:\Programmer\Fah\FAH504-Console.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - d:\Programmer\SiSoftware\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - d:\Programmer\SiSoftware\RpcSandraSrv.exe
O23 - Service: wampapache - Unknown owner - d:\programmer\wamp\apache\Apache.exe" --ntservice (file missing)
O23 - Service: wampmysqld - Unknown owner - d:\programmer\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - d:\Programmer\TightVNC\WinVNC.exe" -service (file missing)

ser på den nu

tak. er et hjertebank fra at formatere.

Download og gem denne scanner på skrivebordet. (Vi skal bruge den senere)
http://www.spywareinfo.dk/download/mwav.exe

Download Ewido (Trial version) (Installer og opdater programmet, men vent med et scanne til jeg siger til!)
http://shop.element5.com/product.html?productid=531168

Genstart i Fejlsikret tilstand ved at taste F8 under opstart.

Scan med Ewido nu!

Gå herefter i Start -> Programmer -> Tilbehør -> Systemværktøjer -> Diskoprydning og slet temp-filer, temporary internet files og papirkurv.

Slet alt indhold af andre temp foldere du evt. kan finde frem til manuelt.

Klik på mwav.exe som du hentede, programmet pakker sig selv ud og starter.
Sæt flueben i følgende:
Memory, Startup folders, drive, Registry, System folders og Services.
Sæt prik i følgende:
All local drives og Scan all files

Genstart og se om det er væk..

Jeg tager hatten af for dig, det virkede sgu :)

Var det fejlsikrettilstand eller ewido der gjorde tricket? Ewido fjernede i alt 95 filer samt den trojan :)

TAK!

smid et svar..

satser på ewido og fejlsikret tilstand ja:)