Notifikationer

Markér alle som læst Log ud

tif12345 Nybegynder

07. december 2005 - 12:13 Der er 9 kommentarer og
1 løsning

Hjælp til forholdsvis lille Hijack log (pop up problemer)

Jeg har desværre været så uheldig at min arbejdscomputer er blevet invaderet af slemme slemme pop-ups .. De kommer ca. hver 2 min og gør det fuldstændig umuligt at arbejde koncentreret på computeren :( Alt hjælp er velkommen...

Hijack log, lavet i fejlsikret tilstand (Windows 2000) ser således ud;

Logfile of HijackThis v1.99.1
Scan saved at 11:59:05, on 07-12-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\bruger\Skrivebord\virusprogrammer\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmer\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [REGRUN] C:\blerp.exe
O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\windows\timessquare.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Programmer\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O8 - Extra context menu item: &Google-søgning - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversæt engelsk ord - res://C:\Programmer\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Lignende sider - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Tilbage via links - res://C:\Programmer\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Øjebliksbillede af side i cache - res://C:\Programmer\Google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32n.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab_adult/180solutions/ie/bridge-c10.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {CAFECAFE-0013-0001-0014-ABCDEFABCDEF} (JInitiator 1.3.1.14) - http://kor.kk.dk:8003/jinitiator/oajinit.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} - http://kor.kk.dk:8003/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{33C79498-664F-4BF1-8B14-C75E087FDF7D}: Domain = kk.dk
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D5F2DD6-2081-43FC-9608-B5B4682A5AD2}: Domain = kk.dk
O17 - HKLM\System\CS1\Services\Tcpip\..\{33C79498-664F-4BF1-8B14-C75E087FDF7D}: Domain = kk.dk
O17 - HKLM\System\CS2\Services\Tcpip\..\{33C79498-664F-4BF1-8B14-C75E087FDF7D}: Domain = kk.dk
O20 - AppInit_DLLs: TwgProc.DLL
O20 - Winlogon Notify: Extensions - C:\WINNT\system32\mvj6l91s1.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q0k\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Minolta PageScope Service (PageScope Service) - Unknown owner - C:\Programmer\PageScope\JavaService.exe
O23 - Service: qtask (qtask.exe) - Unknown owner - C:\WINNT\qtask.exe
O23 - Service: Director Support Program (TWGIPC) - Tivoli Systems, an IBM Company - C:\TivoliWg\Bin\twgipcsv.exe
O23 - Service: Director Remote Control Service (TWGRCAGT) - Unknown owner - C:\TivoliWg\Bin\TWGRMTWC.exe

Synes godt om

kalp Novice

07. december 2005 - 12:21 #1

jeg vil foretrække loggen i normal tilstand :)

Synes godt om

tif12345 Nybegynder

07. december 2005 - 12:24 #2

Hehe ok. Her er den så i normal tilstand :) ;

Logfile of HijackThis v1.99.1
Scan saved at 12:19:28, on 07-12-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Q0k\command.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\Programmer\PageScope\JavaService.exe
C:\WINNT\qtask.exe
C:\WINNT\system32\MSTask.exe
C:\TivoliWg\Bin\twgipcsv.exe
C:\TivoliWg\Bin\twgipc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\TivoliWg\Bin\twgescli.exe
C:\TivoliWg\Bin\twgmonit.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Picasa2\PicasaMediaDetector.exe
C:\blerp.exe
C:\windows\adtech2006.exe
C:\WINNT\system32\internat.exe
C:\Programmer\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\bruger\Skrivebord\virusprogrammer\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmer\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [REGRUN] C:\blerp.exe
O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\windows\timessquare.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Programmer\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O8 - Extra context menu item: &Google-søgning - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversæt engelsk ord - res://C:\Programmer\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Lignende sider - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Tilbage via links - res://C:\Programmer\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Øjebliksbillede af side i cache - res://C:\Programmer\Google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32n.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab_adult/180solutions/ie/bridge-c10.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {CAFECAFE-0013-0001-0014-ABCDEFABCDEF} (JInitiator 1.3.1.14) - http://kor.kk.dk:8003/jinitiator/oajinit.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} - http://kor.kk.dk:8003/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{33C79498-664F-4BF1-8B14-C75E087FDF7D}: Domain = kk.dk
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D5F2DD6-2081-43FC-9608-B5B4682A5AD2}: Domain = kk.dk
O17 - HKLM\System\CS1\Services\Tcpip\..\{33C79498-664F-4BF1-8B14-C75E087FDF7D}: Domain = kk.dk
O17 - HKLM\System\CS2\Services\Tcpip\..\{33C79498-664F-4BF1-8B14-C75E087FDF7D}: Domain = kk.dk
O20 - AppInit_DLLs: TwgProc.DLL
O20 - Winlogon Notify: Applets - C:\WINNT\system32\ib50_qc.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\mvj6l91s1.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q0k\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Minolta PageScope Service (PageScope Service) - Unknown owner - C:\Programmer\PageScope\JavaService.exe
O23 - Service: qtask (qtask.exe) - Unknown owner - C:\WINNT\qtask.exe
O23 - Service: Director Support Program (TWGIPC) - Tivoli Systems, an IBM Company - C:\TivoliWg\Bin\twgipcsv.exe
O23 - Service: Director Remote Control Service (TWGRCAGT) - Unknown owner - C:\TivoliWg\Bin\TWGRMTWC.exe

Synes godt om

kalp Novice

07. december 2005 - 12:24 #3

tak jeg ser lige på det

Synes godt om

kalp Novice

07. december 2005 - 12:34 #4

Download Ewido (Trial version) (Installer og opdater programmet, men vent med, at scanne til jeg siger til)
http://shop.element5.com/product.html?productid=531168

Upload filen

C:\WINNT\qtask.exe

til en af disse to sider.. se hvad de siger til filen.. husk på om den er dårlig eller god.

http://www.kaspersky.com/scanforvirus
http://virusscan.jotti.org/

Download dette værktøj. Vi skal bruge det om to sekunder.

http://www.atribune.org/downloads/l2mfix.exe

Genstart i Fejlsikret tilstand ved at taste F8 under opstart.

Højreklik på windows start knappen (helt nede i venstre hjørne af din skærm) og vælge "Stifinder", klik på Funktioner->Mappeindstillinger->Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

Dobbeltklik på filen "l2mfix.exe" så den bliver eksekveret.

Denne mappe skal slettes hvis ikke du kender den eller programmet.

C:\WINNT\Q0k\

Kør HijackThis, scan og sæt et flueben ud for disse linjer - luk øvrige programvinduer. Dobbelt tjeck alt kom med!. Klik herefter "Fix checked" i hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [REGRUN] C:\blerp.exe
O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\windows\timessquare.exe
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32n.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab_adult/180solutions/ie/bridge-c10.cab

Find og slet (Kig godt efter!!.. Det du ikke finder har hijackthis muligvis selv kunne slette!)

Filerne

C:\blerp.exe
C:\windows\adtech2006.exe
C:\WINNT\qtask.exe (hvis resultatet gav dårligt)

Gå herefter i Start -> Programmer -> Tilbehør -> Systemværktøjer -> Diskoprydning og slet temp-filer, temporary internet files og papirkurv.

Scan med Ewido nu!

Genstart normalt og kopir en ny hijackthis log herind så jeg kan se om vi fik fjernet det hele eller om noget skulle være blevet overset:)

Synes godt om

ejvindh Ekspert

07. december 2005 - 12:50 #5

Hey Kalp, længe siden :-)

Jeg synes bare lige jeg ville sige, at sådan der kan du altså ikke køre l2mfix-programmet. For det første mener jeg ikke det kan køres effektivt fra fejlsikret tilstand. For det andet skal du jo også instruere brugeren i hvilke options han/hun skal vælge.

Synes godt om

kalp Novice

07. december 2005 - 13:26 #6

hey ejvindh :)
Du har ret hehe alt for lang pause:P
Lad os gøre det lidt forsigtigere så:)

I normal tilstand..

dobbelklik på l2mfix.exe. Vælge kør hvis windows spørger.
Vælge accept i næste vindue. Vælge en folder som filerne skal udpakkes til.
og tryk så på install.

I mappen finder du så filen l2mfix.bat dobbeltklik på den.. du får nok et sort skærmbillede med noget tekst først.. tryk på en tilfældig tast.. nu kommer menu'en.. tryk 1 og enter.

vent et par minutter så hopper notepad op med noget tekst.. kopir det herind.. pil ikke ved de andre menu punkter.. tak:)

Synes godt om

tif12345 Nybegynder

08. december 2005 - 09:51 #7

Hey, jeg prøver lige at køre din "guide" af det hele, igennem sandsynligvis, imorgen Fredag ... Har desværre ikke lige haft tid og været ved computeren. Jeg undskylder...

Synes godt om

tif12345 Nybegynder

09. december 2005 - 12:38 #8

Ok, så har jeg gået igennem dine punkter som beskrevet. Det virker dog stadig som at der kommer pop ups :/

Men her er hvad jeg fik ud af at køre l2mfix.bat

---
L2MFIX find log 120305
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\i006lads1d06.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\ir4ol5h31.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\mvj6l91s1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{ADD3F3A0-257B-2D01-8995-563171CA809D}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Egenskabsark for multimediefiler"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-scannerstyring"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Sikkerhedsside"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Egenskabsside for OLE-dokumentfil"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell-udvidelser for deling"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL-fil"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Kontrolpanel-udvidelse til sk‘rmkort"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Kontrolpanel-udvidelse til sk‘rm"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Kontrolpanel-udvidelse til sk‘rmpanorering"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security-side"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-fragmentdatahandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Udvidelsen Diskcopy"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell-udvidelser til Microsoft Windows-netv‘rksobjekter"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-sk‘rmstyring"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-printerstyring"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell-udvidelser til filkomprimering"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer shell-udvidelse"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontekstmenu til kryptering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Rejsetaske"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal-ikon"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Sikkerhedsside"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell-udvidelser for deling"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell-udvidelser til Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-filtype"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto signeringsfiltype"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netv‘rks- og opkaldsforbindelser"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Planlagte opgaver"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Mappen Foretrukne i shell"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="Denne computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Mappen Rejsetaske"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Mappegenvej"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Forbundet enhed"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="Udvidelse til filegenskabsside"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="Filtypeside"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="Hook til MIME-filtyper"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation-mappevisning"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Menuen Start"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="ben med genvejsmenubehandleren"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Vis HTML-udvidelser i Kontrolpanel"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Udvidelse til egenskabsside for mappeindstillinger"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Hj‘lpeprogram til tr‘k-og-slip i shell"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Tilf›j krypteringselement til genvejsmenuerne i Stifinder."
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="V‘rkt›jslinje til Microsoft Internet"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Webs›gning"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Hyperlinks"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Redigeringsboks til adresse"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-oversigtstjeneste"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Oversigt"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Velkomstbillede til Internet Explorer 4-suiten"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internettet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-cachemappe"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Miniaturer"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="Udpakning af HTML-miniaturer"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Udpakning af miniaturer til Office-grafikfiltre"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Dokumentinfo om miniaturehandler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="Uddelegering af miniaturer til lnk-filer"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Programstyring"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Opt‘lling af installerede programmer"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Menuen Offlinefiler"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Indstillinger for Mappen Offlinefiler"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Mappen Offlinefiler"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanalfil"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Genvej til kanal"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Efter &personer..."
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{43CF8AE0-71BF-444D-BAF9-3DB421F4C6C3}"=""
"{E3CA4173-CE9F-4A72-970D-090AB7CAC2DF}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{43CF8AE0-71BF-444D-BAF9-3DB421F4C6C3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{43CF8AE0-71BF-444D-BAF9-3DB421F4C6C3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{43CF8AE0-71BF-444D-BAF9-3DB421F4C6C3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{43CF8AE0-71BF-444D-BAF9-3DB421F4C6C3}\InprocServer32]
@="C:\\WINNT\\system32\\LIHSVC.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E3CA4173-CE9F-4A72-970D-090AB7CAC2DF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E3CA4173-CE9F-4A72-970D-090AB7CAC2DF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E3CA4173-CE9F-4A72-970D-090AB7CAC2DF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E3CA4173-CE9F-4A72-970D-090AB7CAC2DF}\InprocServer32]
@="C:\\WINNT\\system32\\mxrdim.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
atmtd.dll Wed 30 Nov 2005 13.08.02 A.... 687.592 671,48 K
gdi32.dll Fri 7 Oct 2005 7.19.26 A.... 233.744 228,27 K
i006la~1.dll Fri 9 Dec 2005 12.17.14 ..S.R 234.628 229,13 K
im50_qcx.dll Fri 9 Dec 2005 11.38.14 ..S.R 234.628 229,13 K
linkinfo.dll Fri 23 Sep 2005 12.02.58 A.... 17.680 17,27 K
mshtml.dll Tue 4 Oct 2005 11.33.32 A.... 2.700.288 2,57 M
mxrdim.dll Fri 9 Dec 2005 12.28.30 ..S.R 234.628 229,13 K
r68slg~1.dll Fri 9 Dec 2005 12.22.38 ..S.R 235.379 229,86 K
shell32.dll Fri 23 Sep 2005 12.02.58 A.... 2.369.296 2,26 M
spmsg.dll Mon 10 Oct 2005 0.31.22 ..... 14.048 13,72 K
webvw.dll Fri 23 Sep 2005 12.03.00 A.... 1.122.064 1,07 M
winsrv.dll Fri 23 Sep 2005 12.03.02 A.... 245.520 239,77 K

12 items found: 12 files (4 H/S), 0 directories.
Total of file sizes: 8.329.495 bytes 7,94 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Disken i drev C har ikke noget navn.
Diskens serienummer er 80E8-2D32

Indhold af C:\WINNT\System32

09-12-2005 12:28 234.628 mxrdim.dll
09-12-2005 12:22 235.379 r68slgl716q.dll
09-12-2005 12:17 234.628 i006lads1d06.dll
09-12-2005 11:38 234.628 im50_qcx.dll
07-12-2005 11:54 <DIR> dllcache
4 fil(er) 939.263 byte
1 mappe(r) 35.156.013.056 byte ledig
---

Den nye Hijack log ser således ud:

---
Logfile of HijackThis v1.99.1
Scan saved at 12:33:21, on 09-12-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\Programmer\PageScope\JavaService.exe
C:\WINNT\system32\MSTask.exe
C:\TivoliWg\Bin\twgipcsv.exe
C:\TivoliWg\Bin\twgipc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\TivoliWg\Bin\twgescli.exe
C:\TivoliWg\Bin\twgmonit.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Picasa2\PicasaMediaDetector.exe
C:\WINNT\system32\internat.exe
C:\Programmer\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\ntvdm.exe
C:\Programmer\Microsoft Office\Office\WINWORD.EXE
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\bruger\Skrivebord\virusprogrammer\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmer\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Programmer\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O8 - Extra context menu item: &Google-søgning - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversæt engelsk ord - res://C:\Programmer\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Lignende sider - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Tilbage via links - res://C:\Programmer\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Øjebliksbillede af side i cache - res://C:\Programmer\Google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {CAFECAFE-0013-0001-0014-ABCDEFABCDEF} (JInitiator 1.3.1.14) - http://kor.kk.dk:8003/jinitiator/oajinit.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} - http://kor.kk.dk:8003/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{33C79498-664F-4BF1-8B14-C75E087FDF7D}: Domain = kk.dk
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D5F2DD6-2081-43FC-9608-B5B4682A5AD2}: Domain = kk.dk
O17 - HKLM\System\CS1\Services\Tcpip\..\{33C79498-664F-4BF1-8B14-C75E087FDF7D}: Domain = kk.dk
O17 - HKLM\System\CS2\Services\Tcpip\..\{33C79498-664F-4BF1-8B14-C75E087FDF7D}: Domain = kk.dk
O20 - AppInit_DLLs: TwgProc.DLL
O20 - Winlogon Notify: BITS - C:\WINNT\system32\i006lads1d06.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: Uninstall - C:\WINNT\system32\ir4ol5h31.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\mvj6l91s1.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q0k\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Minolta PageScope Service (PageScope Service) - Unknown owner - C:\Programmer\PageScope\JavaService.exe
O23 - Service: qtask (qtask.exe) - Unknown owner - C:\WINNT\qtask.exe (file missing)
O23 - Service: Director Support Program (TWGIPC) - Tivoli Systems, an IBM Company - C:\TivoliWg\Bin\twgipcsv.exe
O23 - Service: Director Remote Control Service (TWGRCAGT) - Unknown owner - C:\TivoliWg\Bin\TWGRMTWC.exe
---

Synes godt om

kalp Novice

09. december 2005 - 12:57 #9

fint...

Kør l2mfix.bat igen men vælge punkt 2 denne gang..

Run Fix.. tryk enter og tryk så på en tilfældig tast så genstarter din pc..

når du kommer ind i windows igen så er l2mfix igang med at arbejde.. dvs. du skal ikke gøre noget.. når den er færdig hopper notepad op og jeg skal se indholdet af den log.

herefter...

skal du fixe disse linjer i hijackthis.. i fejlsikret tilstand

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O20 - Winlogon Notify: Uninstall - C:\WINNT\system32\ir4ol5h31.dll (file missing)
O20 - Winlogon Notify: BITS - C:\WINNT\system32\i006lads1d06.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\mvj6l91s1.dll (file missing)

genstart normalt og ny log fra hijackthis også.. desuden kan jeg se
C:\WINNT\qtask.exe er missing nu.. var det snavs?

Synes godt om

tif12345 Nybegynder

09. december 2005 - 23:46 #10

Ja, C:\WINNT\qtask.exe var snavs :)

Jeg tjekker op på det igen Mandag. Mange tak for hjælpen so far kalp, sætter virkelig pris på det!

Synes godt om

Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Følg dette spørgsmål

Opret Preview

Se alle it-kurser fra Computerworld Kurser

IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Se alle it-kurser

Flere spørgsmål fra Virus kategorien

Titel	Indlæg	Oprettet	Seneste aktivitet
Vil skrifte antivirusprogram. Af ErikHg i Virus	22	26/11/202510:42	23/12/202514:29
Er gratis Bitdefender værd at installere ? Af Ikke-ekspert i Virus	8	31/08/202519:08	01/09/202514:18
Ukendte filer på min Pc Af jonpet i Virus	10	03/02/202514:20	04/02/202511:05
mulig ukendt virus Af jackie18 i Virus	3	18/01/202514:07	18/01/202516:39
virus popper op med jævne mellemrum Af Malm i Virus	13	18/01/202511:40	20/01/202517:53

Se alle spørgsmål i kategorien Opret spørgsmål

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester

Alle kategorier på Eksperten

Seneste artiklerRSS

24/04

Test: Fra sofaen til haven - Sonos Play er en multikunstner der kan det meste

24/04

Nørgaard: Et fælt dilemma: Skal vi betale en milliard kroner eller 100.000 kroner for et system?

24/04

Kommunal it-formand: Derfor er det afgørende at vi kan beholde alle vores it-folk, når vi lægger kommuners it-drift sammen

24/04

Her er Danmarks fem bedste CIO’er lige nu: De er nomineret til prisen som Årets CIO 2026

24/04

AI-selskaber er på jagt efter ny træningsdata: Opkøber nu mailarkiver fra konkursramte selskaber

24/04

Ny sæson af kæmpesuccessen Silo på trapperne: Nu nærmer afslutningen sig

24/04

Nykredit overtager BEC med mere end 1.000 ansatte

24/04

Nu kårer vi de største leder-talenter i den danske it-verden: Giv os et praj, hvis du kender et talent

24/04

Antonio løfter sløret for de benhårde vilkår i Silicon Valley: Her er moralen altid til forhandling

24/04

Læs Computerworlds tema-nummer om fremtidens AI: Sådan kommer det til at påvirke os

24/04

Tre bestemte fejl får virksomheder til at snuble i AI

Vis flere artikler

IT-JOB

Politiets Efterretningstjeneste

PET søger nysgerrig og udviklingsorienteret IT-infrastrukturtekniker

Politiets Efterretningstjeneste

PET søger skarp driftstekniker til IP-telefoni og kommunikationsplatforme med flair for support

Statens IT

Linux-serverspecialist til Statens It

Statens IT

IT-projektleder hos Statens It

Politiets Efterretningstjeneste

Configuration Manager til PET's IT-afdeling

Vis flere jobs

Seneste spørgsmål Seneste aktivitet

24/0417:35	Kan ikke resette PC med Windows 8.1 Af TTA i Office & Kontorpakker
24/0413:33	Lukning af Microsoftkonto Af ErikHg i Windows
23/0416:10	Bat file. Af johnnylassen i Andet programmering
23/0410:28	“Signe” Svindel omtalt i medier Af nu_igen i Mobiltelefoner
22/0420:59	RAID controller virker ikke ved tilslutning af alle 4 harddiske Af Strawberry i Andet hardware

White papers

Arctic Wolf Threat Report 2026: Sådan ændrer ransomware-landskabet sig
Arctic Wolf
Samarbejde mellem AI og mennesker styrker sikkerheden
Konica Minolta
Arctic Wolf Security Operations Report 2025: Indblik i moderne sikkerhedsdrift
Arctic Wolf
Erfaringer fra frontlinjen: Sådan ændrer trusselsbilledet sig
Arctic Wolf

Flere white papers »